SYSTEM ADMINISTRATOR GUIDE    3/1543-CRA 119 1170/1 Uen A

Advanced Services Fault Management Guide

© Copyright Ericsson AB 2009. All rights reserved.

Disclaimer

No part of this document may be reproduced in any form without the written permission of the copyright owner. The contents of this document are subject to revision without notice due to continued progress in methodology, design and manufacturing. Ericsson shall have no liability for any error or damage of any kind resulting from the use of this document.

Trademark List

SmartEdge is a registered trademark of Telefonaktiebolaget L M Ericsson.
NetOp is a trademark of Telefonaktiebolaget L M Ericsson.

Contents

1   Troubleshooting
1.1   ASE Card Fails to Initialize
1.2   ASP Configuration Error
1.3   Traffic Management Policy Missing
1.4   Peer for an IPsec Tunnel Cannot Be Reached
1.5   Peer Context for an IPsec Tunnel is Not Configured
1.6   IPsec Tunnel is Not Bound to a Tunnel Interface
1.7   Mismatched Values for IKE Policy Negotiations
1.8   Missing IKE or IPsec Policies
1.9   Mismatched Phase II Authentication Algorithms
1.10   ASE Security Services Not Enabled with NAT Service
1.11   ASP Group Congestion
1.12   Traffic Dropped or Bypasses ASE When Resource Failure Occurs
1.13   Traffic Dropped or Bypasses ASE During Recovery From Hard Reboot

Glossary


1   Troubleshooting

There are a number of reasons that subscribers may not receive expected security services, including a variety of configuration errors. This document describes some of the troubleshooting scenarios.

1.1   ASE Card Fails to Initialize

Problem

After you insert an Advanced Services Engine (ASE) card in the SmartEdge® chassis and provision it by using the card ase slot-id command, error messages similar to the following appear on the console:

Jan 24 13:27:19: %CSM-6-CARD: Initialization failure on card ase in slot 2

Jan 24 13:27:19: %CSM-3-TDM_ERR: no shut slot 1 ASP 2 failed at admin layer! Error#: 12 [csm_card_ase_set_asp_admin_shut]

Jan 24 13:27:19: %CSM-3-CARD_ERR: Change admin state for slot 2 from In Service to In Service failed at admin layer! Error #: 12 [csm_ase_set_admin_state]

The output of the show chassis command indicates that the ASE card did not initialize. The output of the show hardware card slot details command indicates the card state as Card initialization: PHY initialization failure.

Cause

There is a possible hardware problem or transient condition.

Solution

Provision the card again in case the initialization failed due to some transient condition. Issue the following commands:

[local]Redback#configure
[local]Redback(config)#no card ase slot
[local]Redback(config)#commit
[local]Redback(config)#card ase slot
[local]Redback(config-card)#commit

Wait up to five minutes after issuing the card ase slot command. You can monitor the progress of provisioning with the show chassis command. Initialization is complete when the Initialized Flags value for the ASE card is Yes P1P2UR.

If provisioning again is unsuccessful, reload the card to ensure that the correct firmware is installed. Issue the following command:

[local]Redback#reload card slot

Reloading takes about seven minutes. The reload sequence:

This sequence can require more than one iteration of the reload command.

If reloading the ASE card is unsuccessful, contact your customer support representative to obtain a Return Merchandise Authorization (RMA) and return the card for replacement.
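As an added example (not part of this guide or of SmartEdge OS), the following Python script applies the check and the escalation order described in this section to constructed console and show chassis text: it picks out ASE initialization failures from the %CSM messages, reads the Initialized Flags value for a slot, and returns the next step (reprovision, reload, RMA). The console lines are modelled on the messages quoted above. The show chassis column layout, the xcrp card name and the reload limit MAX_RELOADS are assumptions made for the example; the guide gives only the Yes P1P2UR flag value and says a reload can take more than one iteration.

```python
import re

# Constructed sample console lines, modelled on the messages quoted in this
# section; not a real capture.
SAMPLE_CONSOLE = """\
Jan 24 13:27:19: %CSM-6-CARD: Initialization failure on card ase in slot 2
Jan 24 13:27:19: %CSM-3-TDM_ERR: no shut slot 1 ASP 2 failed at admin layer! Error#: 12 [csm_card_ase_set_asp_admin_shut]
Jan 24 13:27:19: %CSM-3-CARD_ERR: Change admin state for slot 2 from In Service to In Service failed at admin layer! Error #: 12 [csm_ase_set_admin_state]
Jan 24 13:28:40: %CSM-6-CARD: Initialization failure on card ase in slot 5
"""

# Constructed 'show chassis' excerpts. The column layout and the 'xcrp' card
# name are assumptions for this example; only the 'Yes P1P2UR' flag value
# comes from the guide.
CHASSIS_BEFORE = """\
Slot  Card Type  Initialized Flags
1     xcrp       Yes P1P2
2     ase        No
5     ase        No
"""
CHASSIS_AFTER = """\
Slot  Card Type  Initialized Flags
1     xcrp       Yes P1P2
2     ase        Yes P1P2UR
5     ase        No
"""

ASE_READY_FLAGS = "Yes P1P2UR"
MAX_RELOADS = 2   # assumption: the guide only says 'more than one iteration'

INIT_FAIL = re.compile(
    r"%CSM-6-CARD: Initialization failure on card (?P<card>\S+) in slot (?P<slot>\d+)")
ADMIN_ERR = re.compile(
    r"%CSM-3-CARD_ERR: .*?slot (?P<slot>\d+) .*?Error #: (?P<err>\d+)")


def find_ase_init_failures(console_text):
    """Map slot -> set of admin-layer error codes for ASE cards that failed to initialize."""
    failures = {}
    for line in console_text.splitlines():
        m = INIT_FAIL.search(line)
        if m and m.group("card") == "ase":
            failures.setdefault(int(m.group("slot")), set())
        m = ADMIN_ERR.search(line)
        if m:
            failures.setdefault(int(m.group("slot")), set()).add(int(m.group("err")))
    return failures


def initialized_flags(chassis_text, slot):
    """Return the Initialized Flags string for a slot, or None if the slot is absent."""
    for line in chassis_text.splitlines()[1:]:          # skip the header row
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) >= 3 and fields[0].isdigit() and int(fields[0]) == slot:
            return fields[2]
    return None


def ase_initialized(chassis_text, slot):
    return initialized_flags(chassis_text, slot) == ASE_READY_FLAGS


def next_action(chassis_text, slot, reprovisioned, reloads):
    """Next step of the recovery procedure: reprovision, then reload (bounded), then RMA.

    reprovisioned: whether 'no card ase <slot>' / 'card ase <slot>' was already tried
    reloads:       number of 'reload card <slot>' commands already issued
    """
    if ase_initialized(chassis_text, slot):
        return "ok"
    if not reprovisioned:
        return "reprovision"   # no card ase <slot> / card ase <slot>, wait up to 5 minutes
    if reloads < MAX_RELOADS:
        return "reload"        # reload card <slot>, about 7 minutes per iteration
    return "rma"


if __name__ == "__main__":
    for slot in sorted(find_ase_init_failures(SAMPLE_CONSOLE)):
        print(slot, initialized_flags(CHASSIS_AFTER, slot),
              next_action(CHASSIS_AFTER, slot, reprovisioned=True, reloads=0))
```

Run against a real console log and show chassis capture, only the two regular expressions and the column parsing in initialized_flags need adjusting; the escalation order in next_action is the one the section prescribes.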

1.2   ASP Configuration Error

Problem

Subscriber traffic is not treated as expected; the subscriber is connected but does not receive security services for the duration of the session.

For subscribers who log on when the problem exists, the accounting message indicates that the security service could not be applied. For subscribers logged on when the problem occurs, security attributes are cleared but no interim accounting is reported.

Cause

The ASP pool referenced by the subscriber's security service has no ASP associated with it, or the associated ASP is not installed in the chassis.

Solution

Associate an ASP to the pool or install the ASP in the chassis.

When the problem is corrected, an accounting reauthorization is sent to provide security services to subscribers.

1.3   Traffic Management Policy Missing

Problem

The subscriber traffic is not treated as expected; the subscriber is connected and receives security services defined by a default Deep Packet Inspection (DPI) traffic management policy, or if no default policy exists, the subscriber does not receive security services.

For subscribers who log on when the problem exists, the accounting message does not include the security service, indicating that the security service could not be applied for the subscriber. For subscribers logged on when the problem occurs, no interim accounting is reported.

Cause

The DPI traffic management policy referenced by the subscriber configuration does not exist.

Solution

Change the subscriber configuration to reference an existing DPI traffic management policy or create the DPI traffic management policy assigned to the subscriber.

When the problem is corrected, security services are reapplied automatically, based on subscriber configuration; no accounting reauthorization is sent.

1.4   Peer for an IPsec Tunnel Cannot Be Reached

Problem

The tunnel does not come up. The output of the show tunnel command indicates that the tunnel state is Down or Wait-on-SA, and the destination is down or unreachable, or both. No Internet Key Exchange (IKE) or Internet Protocol Security (IPsec) negotiation messages are logged. The configured peer IP addresses do not respond to ping commands.

Cause

The peer is down or is unreachable.

Solution

Check physical connectivity: confirm that the port or interface toward the peer is in the Up state, then ping the configured peer address to verify the network path.

1.5   Peer Context for an IPsec Tunnel is Not Configured

Problem

The tunnel does not come up. The output of the show tunnel command indicates that the tunnel state is Down, the value for context-for-local-ip is local, and the destination is down on the management interface. No IKE or IPsec negotiation messages are logged, as shown in the following example:

[local]Redback#sh tunnel ipsec


::::: Tunnel : ipsec_tunnel1  
   Key       : -       
   Remote IP : 29.0.0.2    Local IP    : 39.0.0.1
   Tnl Type  : IPsec     
   State     : Down        Bound to    : 
   Circuit ID: 5           Internal Hdl: 255/28:1023:63/0/1/5
[local]Redback#

Cause

The context for the peer end point is not specified, so IKE and IPsec messages are routed in the local context instead of the context that reaches the peer. Confirm this with the show configuration tunnel command: the peer-end-point attribute must have all three settings, local (an IP address), remote (an IP address), and a context (name).

Solution

Configure the context setting for the peer-end-point attribute.

1.6   IPsec Tunnel is Not Bound to a Tunnel Interface

Problem

The tunnel does not come up. The output of the show tunnel command indicates that the tunnel state is Down and the value for the interface to which the tunnel must be bound is missing. No IKE or IPsec negotiation messages are logged.

Cause

The interface to which the tunnel must be bound is not configured. Confirm this by using the show configuration tunnel command. The bind interface setting between the tunnel interface and the peer context is missing.

Solution

Configure the binding of the tunnel interface to the peer context.

1.7   Mismatched Values for IKE Policy Negotiations

Problem

The tunnel does not come up. The output of the show tunnel command indicates that the tunnel state is Wait-on-SA. The IKE negotiation logs contain Mismatching Exchange Type messages.

Cause

The IKE policy specified by one peer is in MAIN mode, and on the other peer is in AGGRESSIVE mode.

Solution

Configure both policies with the same key exchange mode. Where both peers support it, choose main mode rather than aggressive mode: with pre-shared keys, IKEv1 aggressive mode sends the peer identity and the authentication hash before encryption is established, which exposes the pre-shared key to offline dictionary attacks.

1.8   Missing IKE or IPsec Policies

Problem

The tunnel does not come up. The output of the show tunnel command indicates that the tunnel state is Wait-on-SA. The IKE negotiation logs contain messages indicating that no policy is configured for the peer.

Cause

An IKE policy for Phase I negotiation, or an IPsec policy for Phase II negotiation, is missing from the configuration of one of the peers.

Solution

Configure the necessary policies.

1.9   Mismatched Phase II Authentication Algorithms

Problem

The tunnel does not come up. The output of the show tunnel command indicates that the tunnel state is Wait-on-SA. The IKE negotiation logs contain Mismatching Authentication algorithm messages.

Cause

The authentication (integrity) algorithm specified in the IPsec policy on one peer does not match the algorithm specified on the other peer.

Solution

Configure IPsec policies on both peers to have matching authentication algorithms.
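As an added example for sections 1.4 through 1.9 (not part of this guide or of SmartEdge OS), the following Python script turns those six Problem/Cause pairs into one triage function: it parses the State and Bound to fields from the show tunnel output quoted in section 1.5, checks the IKE negotiation log for the phrases the guide names, and otherwise falls through the no-negotiation cases in order (peer unreachable, peer context missing, tunnel unbound). The parse_show_tunnel and diagnose names, the second show tunnel block, the wording of the constructed IKE log lines, and the way the ping result and the peer-end-point context are passed in as arguments are all assumptions made for the example.

```python
import re

# Constructed 'show tunnel' output in the layout quoted in section 1.5. The
# tunnel name and addresses come from that example; the second block (tunnel
# in Wait-on-SA and already bound) is constructed for this example.
TUNNEL_DOWN = """\
::::: Tunnel : ipsec_tunnel1
   Key       : -
   Remote IP : 29.0.0.2    Local IP    : 39.0.0.1
   Tnl Type  : IPsec
   State     : Down        Bound to    :
   Circuit ID: 5           Internal Hdl: 255/28:1023:63/0/1/5
"""
TUNNEL_WAIT = """\
::::: Tunnel : ipsec_tunnel1
   Key       : -
   Remote IP : 29.0.0.2    Local IP    : 39.0.0.1
   Tnl Type  : IPsec
   State     : Wait-on-SA  Bound to    : tunnel1
   Circuit ID: 5           Internal Hdl: 255/28:1023:63/0/1/5
"""

# Signatures keyed to the guide's sections; the phrases are the ones the guide
# says appear in the IKE negotiation log. Checked in this order.
IKE_LOG_SIGNATURES = [
    ("Mismatching Exchange Type", "1.7",
     "key exchange mode differs (main vs aggressive); align it on both peers"),
    ("no policy", "1.8",
     "IKE (Phase I) or IPsec (Phase II) policy missing on one peer; configure it"),
    ("Mismatching Authentication algorithm", "1.9",
     "Phase II authentication algorithm differs; align the IPsec policies"),
]

# Horizontal whitespace only after the colon, so an empty 'Bound to' field does
# not swallow the next line.
_FIELD = re.compile(r"(?P<key>Tunnel|Remote IP|Local IP|State|Bound to)[ \t]*:[ \t]*(?P<val>\S*)")


def parse_show_tunnel(text):
    """Extract the fields this triage needs from one 'show tunnel' entry."""
    found = {m.group("key"): m.group("val") for m in _FIELD.finditer(text)}
    return {
        "name": found.get("Tunnel", ""),
        "remote_ip": found.get("Remote IP", ""),
        "local_ip": found.get("Local IP", ""),
        "state": found.get("State", ""),
        "bound_to": found.get("Bound to", ""),
    }


def diagnose(tunnel, peer_reachable, peer_context, ike_log):
    """Return (section, finding) following the order of sections 1.4 to 1.9.

    peer_reachable: result of pinging the configured peer address
    peer_context:   context setting of the tunnel's peer-end-point (from
                    'show configuration tunnel'); 'local' when it is unset
    ike_log:        IKE/IPsec negotiation log lines for this tunnel (may be empty)
    """
    if tunnel["state"] not in ("Down", "Wait-on-SA"):
        return ("-", "tunnel state %s is not a down-tunnel case" % tunnel["state"])
    for phrase, section, finding in IKE_LOG_SIGNATURES:
        if any(phrase in line for line in ike_log):
            return (section, finding)
    if ike_log:
        return ("-", "negotiation messages present but no known signature; inspect the IKE log")
    # No negotiation messages at all: the IKE packets never reach a responding peer.
    if not peer_reachable:
        return ("1.4", "peer down or unreachable; check link state and the path to the peer")
    if peer_context == "local":
        return ("1.5", "peer-end-point has no context; IKE is routed in the local context")
    if not tunnel["bound_to"]:
        return ("1.6", "tunnel is not bound to a tunnel interface")
    return ("-", "no negotiation messages and no local misconfiguration found")


if __name__ == "__main__":
    t = parse_show_tunnel(TUNNEL_DOWN)
    print(t["name"], t["state"], diagnose(t, peer_reachable=True, peer_context="local", ike_log=[]))
```

The ordering matters: an IKE log signature is decisive on its own, while the three no-negotiation causes are only distinguishable once the earlier ones are ruled out, which is why peer reachability is tested before the context and binding checks.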

1.10   ASE Security Services Not Enabled with NAT Service

Problem

ASE security services are not enabled or are removed from a subscriber when Network Address Translation (NAT) service and ASE security services are applied together for a subscriber.

Cause

NAT and ASE security services are mutually exclusive; a subscriber can be configured for one or the other, but not both.

1.11   ASP Group Congestion

Problem

Security attributes are cleared and security services are permanently bypassed for the duration of the subscriber session. Accounting information indicates that security services could not be applied for the subscriber.

Cause

ASPs in an ASP group are operating at peak capacity when a security-enabled subscriber belonging to that ASP group logs on.

Solution

Reauthorize the subscriber to restore security services.

1.12   Traffic Dropped or Bypasses ASE When Resource Failure Occurs

Problem

Subscriber traffic is dropped or bypasses the ASE, depending on the security service application. For application traffic, you can configure whether the traffic is dropped or bypasses the ASP when a resource failure occurs; IPsec traffic is always dropped when a resource failure occurs.

Cause

No physical ASP is associated with an ASP group due to one of the following conditions:

Solution

The problem persists until the ASPs recover or the operator replaces the failed card or otherwise manually restores the ASP to an operational state.

1.13   Traffic Dropped or Bypasses ASE During Recovery From Hard Reboot

Problem

After a chassis reboot, ASPs that are configured but not physically present in the chassis are treated as permanently failed, and ASPs that are configured and physically present are treated as being in a transient runtime failure condition until they become operational. Subscribers who log on before the ASE cards are fully operational may be mapped to ASPs that are not yet operational; in that case the security service application drops the traffic or bypasses the ASE.

Note:  
You can configure a longer time-out duration for the transient runtime failure state on chassis reboot to allow the ASPs more time to become operational.

Cause

The order in which the ASE cards restart after a hard reboot of the SmartEdge router is not deterministic, in particular when ASE cards were added to the chassis with incorrect or missing saved binary images.


Glossary

ASE
Advanced Services Engine
 
ASP
Advanced Services Processor
 
DPI
Deep Packet Inspection
 
IKE
Internet Key Exchange
 
IPsec
Internet Protocol Security
 
NAT
Network Address Translation
 
RMA
Return Merchandise Authorization