OA 5740 R3 (alu-apps.740.3.0.0.97.0) stability?
Posted: 01 May 2011 15:31
Hello everyone,
Last week I had 2 of my blackest days in the technical field. The reason seems to be this equipment. I am not a data engineer; however, in the last 3 weeks I did my best to learn how to configure the OA. The configuration I did seems to work; however, if I reboot the router the forwarding engine fails for several reasons. (I encountered these kinds of problems during tests but did not take them seriously --> a big mistake.)
At this point (initial configuration) everything works without visible issues.
The reason for using VRRP is that we cannot add that range of external IPs any other way (as secondary addresses, for example), or at least we didn't figure out a way to do it.
Errors on reboot:
When trying to ping any interface IP ---> "Fail to connect to forwarding engine". Nothing works anymore (the interfaces are no longer up).
At this point I have to detach all policies from the Giga interface, reboot, and reattach the policies one by one.....
Is this a configuration problem? A bug? Both?
Any help on this, guys?
(Murray, Benny?)
Any help is appreciated. Other comments regarding overall experience with OA5510, 5740 also appreciated.
Code:
!
! NVRAM config last updated at 21:45:06 EEST Fri Apr 29 2011 by admin
!
! Statlog Configuration
!
logging on
logging buffered priority 7
logging buffered size 128
logging console 3
logging system 5
service timestamps log
logging rate-limit 1 10 tag SWE subtag DOS
logging rate-limit 1 10 tag PVSTD subtag PKT
logging rate-limit 1 10 tag SWE subtag SESSION
ip domain-name ifblocal
!
line vty exec-timeout 0 0
!
hostname USG
!
!VRF Configuration
!
! MULTICAST Configuration
!NOE port reservation
ip name-server 62.217.x.x
! PVST Global configuration
modem enable
!
http enable
https enable
ssh enable
snmp enable
!
!
! Clock Timezone
!
clock timezone europe bucharest
!
! CWMP Configuration
!
!
! CWMP Configuration (End)
!
!
! CWMP interface configuration
!
!
! CWMP interface configuration (End)
!
!
! SNMP Configurations
!
snmp system location xxxx
snmp agent xcommunity xxxx
!
aaa services
!
username xxxx password xxxx
username recovery password xxxxx
username xxxx password xxxx
!
!
!
!
!
interface GigabitEthernet3/0
description WAN
ip address x.x.151.82/30
ip address x.x.157.22/30 secondary
ip address x.x.157.130/29 secondary
vrrp 1 ip x.x.157.130
vrrp 1 ip x.x.157.131 secondary
vrrp 1 ip x.x.157.132 secondary
vrrp 1 ip x.x.157.133 secondary
vrrp 1 ip x.x.157.134 secondary
no shutdown
top
!
interface GigabitEthernet3/1
shutdown
top
!
interface Vlan10
description LAN-IFB
ip address 10.0.0.250/24
no shutdown
top
!
interface Vlan20
description AP-PUBLIC
ip address 10.0.1.1/24
no shutdown
top
!
interface Vlan100
description VoIP
ip address 10.0.100.1/24
no shutdown
top
!
interface switchport0/0
switchport mode trunk
switchport hybrid native vlan 10
switchport trunk allowed vlan 10
no shutdown
top
!
interface switchport0/1
switchport mode trunk
switchport hybrid native vlan 20
switchport trunk allowed vlan 20
no shutdown
top
!
interface switchport0/2
switchport mode trunk
switchport hybrid native vlan 100
switchport trunk allowed vlan 100
no shutdown
top
!
interface switchport0/3
switchport mode hybrid
switchport hybrid native vlan 123
no shutdown
top
!
interface switchport0/4
shutdown
top
!
interface switchport0/5
shutdown
top
!
interface switchport0/6
shutdown
top
!
interface switchport0/7
switchport mode hybrid
switchport hybrid native vlan 10
no shutdown
top
!
interface Tunnel1
ip address 172.16.0.2/24
tunnel source 192.168.0.220
tunnel destination 192.168.0.80
mode gre
tunnel df-bit clear
no shutdown
top
!
!
ip route 0.0.0.0/0 GigabitEthernet 3/0 x.x.151.81
ip route 10.0.200.0/24 Tunnel 1
!
match-list Internet
1 ip any any
match-list vlan10xxxx
1 ip prefix 10.0.0.0/24 prefix 10.0.200.0/24
match-list WAN-IN-Carthame
1 tcp any host x.x.157.130 service eq 443
2 tcp any host x.x.157.130 service eq 8180
3 tcp any host x.x.157.130 service eq 8443
4 tcp any host x.x.157.130 service eq 3389
match-list WAN-IN-CarthameWEB
1 tcp any host x.x.157.131 service eq 80
2 tcp any host x.x.157.131 service eq 3389
match-list WAN-IN-S01
1 tcp any host x.x.157.132 service eq 3389
match-list WAN-IN-S02
1 tcp any host x.x.151.82 service eq 3389
match-list PetreIN
1 tcp any host x.x.151.82 service eq 50007
match-list Carthame-SNAT
1 ip host 10.0.0.2 any
match-list CarthameWEB-SNAT
1 ip host 10.0.0.4 any
match-list AP-Public-SNAT
1 ip prefix 10.0.1.0/24 any
match-list WAN-IN-Mail
1 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 22
2 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 25
3 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 995
match-list S01-SNAT
1 ip host 10.0.0.1 any
match-list forbid25
1 tcp any any service eq 25
match-list allow25
1 tcp host 10.0.0.6 any service eq 25
match-list forbidvlan
1 ip prefix 10.0.0.0/24 prefix 10.0.1.0/24
2 ip prefix 10.0.100.0/24 prefix 10.0.1.0/24
!
!
! Filter Policy configuration
!
ip filter Port25
1 match any allow25 permit log
2 match any forbid25 deny log
default permit
top
!
interface GigabitEthernet3/0
ip filter out Port25
top
!
ip filter vlan10-100deny
1 match any forbidvlan deny log
default permit
top
!
interface Vlan20
ip filter out vlan10-100deny
top
!
!
!
! NAT Policy configuration
!
ip nat WAN-IN
110 match any WAN-IN-S02 destination-nat host 10.0.0.5
140 match any PetreIN destination-nat host 10.0.0.86
150 match any WAN-IN-Carthame destination-nat host 10.0.0.2
160 match any WAN-IN-CarthameWEB destination-nat host 10.0.0.4
170 match any WAN-IN-Mail destination-nat host 10.0.0.6
190 match any WAN-IN-S01 destination-nat host 10.0.0.1
top
!
interface GigabitEthernet3/0
ip nat in WAN-IN
top
!
ip nat Internet
40 match any Carthame-SNAT source-nat host x.x.157.130
50 match any CarthameWEB-SNAT source-nat host x.x.157.131
60 match any AP-Public-SNAT source-nat host x.x.157.22
70 match any S01-SNAT source-nat host x.x.157.132
210 match any Internet source-nat host x.x.151.82
top
!
interface GigabitEthernet3/0
ip nat out Internet
top
!
!
!
! Dos attack configuration
!
!
!
! System doesn't have IDS License
! IDS configuration may not be effective
!
!Snort configuration
firewall
intrusion snort
top
!
!
! Firewall configuration
!
!
! IPSEC License installed
!
! IPSEC Policy configuration
!
crypto ike key xxx peer 192.168.0.80
crypto ike dpd interval 300 timeout 1500
crypto ipsec transform-set myset esp-md5-3des
crypto map xxxx ipsec-ike default
peer 192.168.0.80
match vlan10xxxx
transform-set default
pfs group2
! Applied to : GigabitEthernet3/0
interface GigabitEthernet3/0
crypto map xxxx
top
crypto ipsec profile pv
pfs group5
lifetime seconds 28800
lifetime kilobytes 28800
! Applied to:
interface Tunnel1
ipsec-profile pv
top
! No client object Defined
! No client profile Defined!
!
!QoS Configuration
!
!
!
!DDNS configurations
!
!
!
top
top
!
!
! IP-Policy configuration
!
ip-policy PBR-IFB
10 match any S01-SNAT next-hop x.x.157.129
20 match any Carthame-SNAT next-hop x.x.157.129
30 match any CarthameWEB-SNAT next-hop x.x.157.129
40 match any AP-Public-SNAT next-hop x.x.157.21
exit
!
interface GigabitEthernet3/0
ip-policy PBR-IFB
exit
!
!
!Customized-Services
!
!
!
!
!
!
!
top
!
!
!
!
! DHCP Server Configuration
!
service dhcp enable
!
ip dhcp pool p20
network 10.0.1.0 255.255.255.0
range 10.0.1.100 10.0.1.200
!
option routers 10.0.1.1
option dns-server x.x.193.1 primary
top
!
!
!
! DHCP CLIENT Configuration
!
!
ip dhcp client default_client
vendor-class-identifier FDC broadband-forum.org
parameter-req-list vendor-specific
top
!
interface GigabitEthernet3/0
dhcp client default_client
top
!
!
!
top
top
!
!
!OAM Configuration
!
oam
top
!
!
!
!NHRP configurations
!
top
!
!
! DHCP Relay configuration
!
!
end
Errors on reboot:
2011 Apr 29 20:50:08: %SWE-3-ARPD: VRF ADD Notification with vrfid 0
2011 Apr 29 20:50:10: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:10: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:11: %CE-2-LOG: Setting gre for_us node 32 default to 7
2011 Apr 29 20:50:11: %SWE-2-GRE: For us node 32 default 7
2011 Apr 29 20:50:11: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:12: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:20: %CE-2-LOG: Setting gre for_us node 32 default to 7
2011 Apr 29 20:50:20: %SWE-2-GRE: For us node 32 default 7
2011 Apr 29 20:50:20: %SWE-3-ARPD: VRF ADD Notification with vrfid 0
2011 Apr 29 20:50:24: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:24: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:26: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:27: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
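As an added example (not code from the post or from the OA vendor), a small Python checker that reads a constructed excerpt of the match-lists and NAT policies posted above and reports every source-nat address that is also the destination host of a DNAT match-list, which is the overlap the %NAT-3-NAT-FS and %NAT-2-LOG lines in the log complain about. The function names parse_nat and snat_dnat_overlaps are my own, and the parser only understands the "match-list" and "ip nat" syntax shown in the post.

```python
import re

# Constructed excerpt of the NAT-related lines of the config posted above ("x.x" kept as-is).
CONFIG = """\
match-list WAN-IN-Carthame
1 tcp any host x.x.157.130 service eq 443
2 tcp any host x.x.157.130 service eq 8180
match-list WAN-IN-S02
1 tcp any host x.x.151.82 service eq 3389
match-list WAN-IN-Mail
1 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 25
ip nat WAN-IN
110 match any WAN-IN-S02 destination-nat host 10.0.0.5
150 match any WAN-IN-Carthame destination-nat host 10.0.0.2
170 match any WAN-IN-Mail destination-nat host 10.0.0.6
ip nat Internet
40 match any Carthame-SNAT source-nat host x.x.157.130
60 match any AP-Public-SNAT source-nat host x.x.157.22
210 match any Internet source-nat host x.x.151.82
"""

def parse_nat(cfg):
    """Return (matchlists, dnat, snat): matchlists maps a name to the (dst_host, port)
    pairs of its 'host X service eq P' entries; dnat/snat are (seq, matchlist, nat_host)."""
    lists, dnat, snat, cur = {}, [], [], None
    for line in cfg.splitlines():
        if (m := re.match(r"match-list (\S+)", line)):
            cur = m.group(1); lists[cur] = []          # start a new match-list
        elif line.startswith("ip nat") or line == "top":
            cur = None                                  # leaving match-list context
        elif (m := re.match(r"(\d+) match any (\S+) destination-nat host (\S+)", line)):
            dnat.append((int(m.group(1)), m.group(2), m.group(3)))
        elif (m := re.match(r"(\d+) match any (\S+) source-nat host (\S+)", line)):
            snat.append((int(m.group(1)), m.group(2), m.group(3)))
        elif cur and (m := re.search(r"host (\S+) service eq (\d+)", line)):
            lists[cur].append((m.group(1), int(m.group(2))))
    return lists, dnat, snat

def snat_dnat_overlaps(cfg):
    """Every (snat_seq, public_host, dnat_seq, ports) where a source-nat address is also
    the destination host of a DNAT rule's match-list: the condition the NAT log lines report."""
    lists, dnat, snat = parse_nat(cfg)
    found = []
    for sseq, _, pub in snat:
        for dseq, ml, _ in dnat:
            ports = sorted(p for h, p in lists.get(ml, []) if h == pub)
            if ports:
                found.append((sseq, pub, dseq, ports))
    return found
```

Run over the full config posted above, the same check flags SNAT rules 40, 50 and 70 against DNAT rules 150, 160 and 190, and SNAT rule 210 against 110, 140 and 170; only rule 60 (x.x.157.22) has no DNAT counterpart.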