Professional Documents
Culture Documents
IPanema Troubleshooting Guide V5
IPanema Troubleshooting Guide V5
Troubleshooting
guideline
th
10 of may 2011
Version 5.0
Troubleshooting guideline IPANEMA
document control
date version no. author change/addition
24 of march
th
1 A.SEITZ creation
2006
20 of oct th
2 A.SEITZ updates
2008
16 of march
th
3 A.SEITZ - debug command (uncomplete)
2009 - new hardwares (5v2, 120ax, 140ax, 1000axT,
1800axT and 1800axSX)
06 of july th
4 A.SEITZ updates (smartpath), Xcomp SRE & ZRE , Xapp,
2010 Cluster
10 of may
th
5 A.SEITZ debug show flow
2011
table of contents
1 INTRODUCTION......................................................................................................................................... 5
1.1 PURPOSE OF THIS DOCUMENT ................................................................................................................... 5
1.2 INTENTED AUDIENCE ............................................................................................................................... 5
2 QUALITY OF SERVICE TROUBLESHOOTING ................................................................................... 6
2.1 DIAGNOSE THE PROBLEM ......................................................................................................................... 6
2.2 SITE TROUBLESHOOTING .......................................................................................................................... 7
2.3 QOS PROFILE TROUBLESHOOTING ........................................................................................................... 8
2.4 SUPERVISION ............................................................................................................................................ 9
2.5 CONFIGURATION .................................................................................................................................... 10
3 IP|BOSS TROUBLESHOOTING.............................................................................................................. 11
3.1 IP|BOSS FILE SYSTEM ............................................................................................................................. 11
3.2 TCP/IP COMMUNICATIONS TO OR FROM IP|ENGINES ............................................................................. 11
4 IP|ENGINES TROUBLESHOOTING ...................................................................................................... 13
4.1 INTERFACE MAPPING .............................................................................................................................. 13
4.2 PROCESS CHAIN INSIDE IPENGINES ......................................................................................................... 14
4.3 PHYSICAL LAYER CONNECTIVITY PROBLEM ........................................................................................... 17
4.4 NETWORK LAYER CONNECTIVITY PROBLEM .......................................................................................... 22
4.5 CONNECTIVITY WITH IPBOSS .................................................................................................................. 27
4.6 SYNCHRONISATION PROBLEM ................................................................................................................ 28
4.7 APPLICATION LAYER CONNECTIVITY PROBLEM ...................................................................................... 30
4.8 IP|TRUE TROUBLESHOOTING .................................................................................................................. 35
4.9 IP|FAST TROUBLESHOOTING................................................................................................................... 49
4.10 IP|XCOMP ZRE TROUBLESHOOTING....................................................................................................... 62
4.11 IP|XCOMP SRE TROUBLESHOOTING ....................................................................................................... 66
4.12 IP|XCOMP REPORTING ............................................................................................................................ 74
4.13 IP|XAPP TROUBLESHOOTING ................................................................................................................... 76
4.14 SMARTPATH TROUBLESHOOTING ........................................................................................................... 83
4.15 REAL TIME GRAPH PROBLEM .................................................................................................................. 87
4.16 OTHER USEFUL TOOLS ............................................................................................................................ 89
4.17 IPENGINES CLUSTER ............................................................................................................................... 93
5 IN WHICH ORDER PROCESSES ARE EXECUTED?......................................................................... 95
5.1 IP|TRUE ONLY ...................................................................................................................................... 95
5.2 IP|TRUE AND IP|FAST.......................................................................................................................... 95
5.3 IP|FAST AND IP|XCOMP...................................................................................................................... 95
5.4 IP|FAST AND IP|XTCP.......................................................................................................................... 95
5.5 IP|FAST AND IP|XCOMP AND IP|XTCP............................................................................................... 95
6 ADVANCED TROUBLESHOOTING ...................................................................................................... 96
6.1 SHELL .................................................................................................................................................. 96
6.2 WHICH CERTIFICATE IS USED BY IP|ENGINE ? ......................................................................................... 96
7 UNSUPPORTED COMMANDS BY ORANGE BUSINESS SERVICES IN IPANEMA CLI ............ 97
7.1 NETFLOWCONFIG ................................................................................................................................... 97
7.2 SSLPASSPHRASE ..................................................................................................................................... 97
8 DEBUG COMMAND ................................................................................................................................. 98
8.1 CHECK IPBOSS CONFIGURATION ............................................................................................................. 99
8.2 “DEBUG FAST”...................................................................................................................................... 100
8.3 “DEBUG XCOMP” .................................................................................................................................. 100
8.4 OPTIONS OF DEBUG COMMAND ............................................................................................................ 101
9 DRAW_HTB COMMAND....................................................................................................................... 104
10 FAQ (EXTRACT FROM IPANEMA SUPPORT SITE).................................................................. 105
1 introduction
1.1 Purpose of this document
This document is designed to help support engineers to troubleshoot IPANEMA system. Two
major sections are detailed, one for IP|Boss and another for IP|engine probes.
Support engineers.
START
Equipped Site?
YES
Performance
NO YES
problem?
3 IP BOSS
REALTIME
Supervision FLOWS
Display
Real time
flows in 2
ways
YES
6
QOS problem? YES
7
NO
NO WAN Problem?
YES
9
11
YES Congestion?
10 8
13
NO
Criticial flow? YES
Check Load of
Check WAN
Client/Server?
14
Is the flow
NO 12
protected?
NO
END
START
Site's PM-
Detailed per
UC report
NO Congestion? YES
Site's PM-
Are there
Time
some
Evolution
complains from
WAN YES users?
Report
During non
Strong
Congestion,
congestion
QOS problem?
YES
YES
YES
Check Ethernet
config Application still
necessary?
Check WAN
Access config in YES
IP|Boss NO
NO
NO
NO
END
START
PM-Time
Evolution
UC
YES TCP? NO
High Average
WAN loss?
Delay?
YES
NO
Critical? NO
LAN loss?
YES
YES
NO
YES
Critical?
Strong
Bursty?
congestion?
YES
NO
Increase
Increase Increase
bandwidth Modify QOS
bandwidth Upgrade Site bandwidth Check WAN
objective with Profile
objective objective
care
NO
Check Client/
Server Load
END
2.4 Supervision
START
IP|Boss IP|Boss
IP|Boss Map
Main IP|engine Trap/Mail
Supervision
Screen status
IP|engine
problem?
YES
IP|Boss
IP|engine
Status
Reachability
NO
problem
YES
NO
CE-router
Check Routing NO Time
reachable?
synchronisatio NO
n problem?
YES
YES
Are time
Check IP|engine is Is IP|engine Overload
NO servers NO
not blocking traffic reachable problem?
synchronized?
Check IP NO
Is IP|engine Check IP|engine's Service non
connectivity
Reboot IP|engine NO run? check type and actual started
between I|engine
lights WAN rate problem?
and TIme servers
YES YES
check IP|reporter
NO
server
Call N+1 support
check Ethernet
Call N+1 support
connectivity
check infovista NO
login
END
2.5 Configuration
START
SA-Site
throughput
Egress/
Ingress
Abnormal
Start discovery
unmeasured
for these sites
traffic?
PM-Detailed
per user
class
PM-Detailed
per
Application
Improve the
Too much
application
TCP?
dictionnary
PM-Time
Evolution
Check the
High rate of
ethernet
loss?
configuration
Sites list
is list
Add missing site
correct?
PM-site
summary
END
3 IP|Boss troubleshooting
3.1 IP|Boss file system
IP|Boss server is multi domain, it means is can manage multiple IPANEMA domains at same
time. Each IPANEMA domain has it own configuration file stored in its own directory. IP|Boss
directory is organized as following:
├───gui
├───server
│ ├───bin IP Boss binaries
│ ├───conf IP Boss configuration files ipboss.conf
│ ├───domains IP Boss domains
│ │ ├───FT-BAM FT-BAM domain’s repository
│ │ │ ├───catalog
│ │ │ ├───conf
│ │ │ ├───config In this directory is stored __active__.ipmconf file.
│ │ │ ├───log
│ │ │ ├───security
│ │ │ ├───temp
│ │ │ │ └───ipanema-dump Here are stored scripts results
│ │ │ └───uninst
│ │ └───FT-BAM2 FT-BAM2 domain’s repository
│ │ ├───catalog
│ │ ├───conf
│ │ ├───config
│ │ ├───log
│ │ ├───security
│ │ ├───temp
│ │ └───uninst
│ ├───graph
│ ├───interface
│ ├───languages
│ │ ├───english
│ │ └───french
│ └───script
├───uninst
└───web_server
ipboss.conf IP|Boss configuration where is stored tcp/ip port used for IP|Boss
In this section are listed all IP connections used inside IPANEMA system:
4 IP|Engines troubleshooting
In all following subsections, troubleshooting requires to be remotely connected to IP|engine via
telnet, ssh, reverse telnet or console.
APPLICATIONS
Line shaper
Eth X Eth Y
LAN WAN
Eth interface are directly connected to hardware and a Line shaper is associated to WAN
interface, it permits to shape traffic at WAN access rate.
Bond interfaces hold HTB (“Hierachical Tree Based”) optimization, also seen as IBA in IP|fast
vocabulary.
Brg:
Brg is the bridge interface which interconnect LAN and WAN, Egress and Ingress interfaces.
APPLICATIONS
Brg0.0
Egr 0 Egr N Ingr 0 Ingr N
Brg0.N
BRG0
LAN WAN
Ingr
Ingr and Egr : those interfaces hold HTB (“Hierachical Tree Based”) optimization, also seen as
IBA in IP|fast vocabulary.
Brg:
Brg is the bridge interface which interconnect LAN and WAN, Egress and Ingress interfaces.
So for each instance (n), a 5-tuple of interfaces is created: LapN, EgrN, Brg0.N, IngrN, WapN.
PROXY
UC
classifier
-liste de
LAN Layer 7 Topology
servicesell XTCP FAST XCOMP
classifier
classification igibles WAN
(capacité
distante)
Session
context Session
Session context updating context
finding
restoring
Cache session
Cache session
Session
Session context updating context
restoring
Xapplication
4.3.1 Brcount
CONFIGURATION TROUBLESHOOTING
NO YES
[ipe]$ brcount
Bridge has 5 (LAN) + 2 (WAN) = 7 MAC addresses
[ipe]$
Typically, there should more MAC address on LAN interface than on WAN interface. If not,
there could be a problem.
4.3.2 Ifconfig
CONFIGURATION TROUBLESHOOTING
NO YES
The following extract, shows an example of ip|engine configured with only a private ip address
(ip address that belong to customer network).
[ipe]$ ifconfig
brg0 Link encap:Ethernet HWaddr FE:FD:4B:0D:50:BF
inet addr:10.0.14.253 Bcast:10.0.14.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:422121 errors:0 dropped:0 overruns:0 frame:0
TX packets:404714 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:39047261 (37.2 MiB) TX bytes:49216429 (46.9 MiB)
[ipe]$
IP|engine’s IP address is configured on brg0 interface. Brg0 is a virtual bridge instantiated in
IP|engine’s Linux OS.
Check errors counters ( bold blue characters), if erros counters increase, the problem could
be Ethernet configuration mistake or hardware problem
Check collisions counters in both physical interface Eth0(LAN) and Eth1(WAN)
The next extract, shows an example of ip|engine configured with a private ip address with vlan
and an alias ip address.
[ipe10]$ ifconfig
bond0 Link encap:Ethernet HWaddr 00:E0:81:44:EA:DA
UP BROADCAST RUNNING MASTER MULTICAST MTU:1500 Metric:1
RX packets:6276687 errors:0 dropped:0 overruns:0 frame:0
TX packets:267571 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:428444593 (408.5 MiB) TX bytes:23066102 (21.9 MiB)
[ipe10]$
[ipe10]$
4.3.3 Ethconfig
CONFIGURATION TROUBLESHOOTING
YES YES
ethconfig
Manage ethernet controllers modes
Usage: ethconfig [-h] Print this help and exit
ethconfig -d Display current modes
ethconfig <if> <mode> Change mode for a particular interface
ethconfig all <mode> Change mode for all interfaces
With:
<if>=lan, wan or mgt
<mode>=10HD, 10FD, 100HD, 100FD, 1000FD or auto
Ethconfig is useful to force speed and duplex of LAN, WAN and MGT IP|engine’s interfaces.
This tools can also be used to display current settings.
[ipe]$ ethconfig –d
Copyright (c) Ipanema Technologies 2000-2005
eth[lan] : 100FD
eth[wan] : 100FD
eth[mgt] : AUTO
[ipe]$
Ethconfig –d displays current settings, it doesn’t display the real interface’s status specially
when interfaces are configured in AUTO-NEGOCIATION
Configuration done...
Please reboot to apply these modifications...
[ipe10]
Each time, a speed or duplex change occurs on interface, you must reboot ip|engine.
4.3.4 Eth-diag
CONFIGURATION TROUBLESHOOTING
NO YES
eth-diag
Eth-diag command displays information about interfaces’s controller and interfaces’s status.
[ipe]$ eth-diag
---- Lan Interface ----
Basic registers of MII PHY #1: 3000 782d 02a8 0154 05e1 45e1 0001 0000.
The autonegotiated capability is 01e0.
The autonegotiated media type is 100baseTx-FD.
Basic mode control register 0x3000: Auto-negotiation enabled.
You have link beat, and everything is working OK.
This transceiver is capable of 100baseTx-FD 100baseTx 10baseT-FD 10baseT.
Able to perform Auto-negotiation, negotiation complete.
Your link partner advertised 45e1: Flow-control 100baseTx-FD 100baseTx 10baseT-
FD 10baseT, w/ 802.3X flow control.
---- Wan Interface ----
Basic registers of MII PHY #1: 3000 782d 02a8 0154 05e1 0021 0000 0000.
Basic mode control register 0x3000: Auto-negotiation enabled.
You have link beat, and everything is working OK.
This transceiver is capable of 100baseTx-FD 100baseTx 10baseT-FD 10baseT.
Able to perform Auto-negotiation, negotiation complete.
Your link partner is generating 10baseT link beat (no autonegotiation).
[ipe]$
4.3.5 Failsafe
On all new “AX” ipengines, it is possible to (un)configure failsafe directly through the CLI. With
old ipengine, you had to choose failsafe circuit or not during the installation on site. This old
method is over with new ipengines (5v2, 120ax, 140ax, 1000ax and 1800ax).
On older ipengines (ipe5, 120, 120V2, 140, 1000, 1200 and 1800), you have to choose the
correct couple of LAN/WAN interfaces if you want to enable or disable failsafe. Because it is a
physical configuration you can’t change the failsafe mode remotely.
4.3.6 LanDownToWan
[ipe10]$ customize
Current configuration:
. TrafficFilter : IP
. UseEADI : no
. UseSoftWdg : yes
. UseHardWdg : yes
. ExcludeMode : standard
. LanDownToWan : no
. AcceptICMPRedirect : yes
. IpxTunnelMode : in
. NoPMTUDiscovery : no
. Failsafe Disabled : no
. SkipGRE : no
-------------------
f set filter mode
e set eadi usage
d set softDog usage
w set watchdog usage
m set exclude Mode
l copy Lan status to wan
4.4.1 Ipconfig
CONFIGURATION TROUBLESHOOTING
YES YES
ipconfig
Manage network interfaces
Usage: ipconfig Print this help and exit
ipconfig -d Display current configuration
ipconfig [lan|mgt] [none | -a <IPaddr> [-m <IPmask>]] [-vlan [<Id>|none]] [-
mtu <MTU>]
Set local settings for this ip|engine
ipconfig alias [none | -a <IPaddr> [-m <IPmask>]]
Configure a 2nd address on the same interface
as the main address
ipconfig -g <Gateway> Set IP address of the gateway
ipconfig -h <Hostname> Local name assigned to this engine
ipconfig [no] serial Set the ip|engine in parallel/serial mode
ipconfig [no] dual Set the ip|engine in single/dual parallel mode
ipconfig reset Reset configuration parameters (no IP address
nor mask, serial mode)
Options:
-a <IPaddr> IP address
[ipe]$ ipconfig –d
Copyright (c) Ipanema Technologies 2000-2005
Current Configuration:
IP addr : 10.0.14.253
IP mask : 255.255.255.0
Gateway : 10.0.14.254
Hostname : ipe
Serial mode : yes
[ipe]$
Example with private and alias ip address :
[ipe7]$ ipconfig -d
Current configuration:
[LAN] IPaddr : 10.10.70.240
IPmask : 255.255.255.0
intfMTU : 1500
[alias] IPaddr : 10.0.18.7
IPmask : 255.255.255.255
Gateway : 10.10.70.254
Hostname : ipe7
Serial mode : yes
[ipe7]$
[ipe7]$ ipconfig -d
Current configuration:
[LAN] IPaddr : 10.10.70.240
IPmask : 255.255.255.0
Vlan id : 100
intfMTU : 1500
[alias] IPaddr : 10.0.18.7
IPmask : 255.255.255.255
Gateway : 10.10.70.254
Hostname : ipe7
Serial mode : yes
[ipe7]$
4.4.2 Ping
CONFIGURATION TROUBLESHOOTING
NO YES
ping
usage: ping [-LRdfnqrv] [-c count] [-i wait] [-l preload]
[-p pattern] [-s packetsize] [-t ttl] [-I interface address] host
Useful to test IP connectivity.
4.4.3 Traceroute
CONFIGURATION TROUBLESHOOTING
NO YES
traceroute
Version 1.4a5
Usage: traceroute [-dFInrvx] [-g gateway] [-i iface] [-f first_ttl] [-m max_ttl]
[ -p port] [-q nqueries] [-s src_addr] [-t tos] [-w waittime]
host [packetlen]
Useful to test IP path connectivity.
4.4.4 Arp
CONFIGURATION TROUBLESHOOTING
NO YES
[ipe]$ arp
Address HWtype HWaddress Flags Mask Iface
10.0.14.254 ether 00:04:C0:5D:57:E0 C brg0
[ipe]$
Useful to verify IP connectivity on customer’s LAN.
4.4.5 Route
CONFIGURATION TROUBLESHOOTING
YES YES
[ipe]$ route –e
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.0.14.0 * 255.255.255.0 U 40 0 0 brg0
default 10.0.14.254 0.0.0.0 UG 40 0 0 brg0
[ipe]$
or
[ipe]$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.14.0 * 255.255.255.0 U 0 0 0 brg0
default 10.0.14.254 0.0.0.0 UG 1 0 0 brg0
[ipe]$
Columns Description Without With –e option
option
Destination Subnet or host YES YES
When ip|engine is installed with IP alias mode, it is necessary to configure at least a static route:
4.4.6 Ip
To display ip routes:
[ipe]$ shell
bash-2.01$ ip route list
172.10.30.241 via 10.10.30.254 dev brg0 src 172.10.30.241
10.10.30.0/24 dev brg0 proto kernel scope link src 10.10.30.241
default via 10.10.30.254 dev brg0 metric 1
bash-2.01$
To dump the routing cache:
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
20977270 187777 0 0 0 0
10: lap0: <NOARP,UP> mtu 1500 qdisc pfifo qlen 1000
link/ether
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
61384715 836684 0 0 0 0
11: egr0: <NOARP,UP> mtu 1500 qdisc htb qlen 1000
link/ether
RX: bytes packets errors dropped overrun mcast
0 0 0 0 0 0
TX: bytes packets errors dropped carrier collsns
61384715 836684 0 0 0 0
bash-2.01$
Check if ipengine has correctly received its configuration, check DomaineName, the ip address
of ipboss
[ CONFIGURATION ]
ConfigName =
__active__@a399e2f3228e768bc3a66b22bfbb49fdaf8c3009@9e90509f8e8d3e192d2e29171c074dc
Domain e5d10e36e
name DomainName = BAM
Bridge = brg0
Cap100Mbs[yes] CapGigabit[no] CapFullD[yes]
CapSerial[yes] CapDual[no] CapEadi[no] Ipboss connected to
CapGps[yes] CapExt[yes] CapXcomp[yes] CapXtcp[yes] ip|engine
SerialMode[yes] DualMode[no] EadiMode[no]
Boss IP addr = 10.0.16.19 ExcludeMode = sentry<=>any
Locl IP addr = 10.10.50.241 Inb MAC addr = FE:FD:0B:07:67:11
LAN MAC addr = 00:90:0B:07:67:11 WAN MAC addr = 00:90:0B:07:67:12
DrvNbTickets = 16384 MinToRead = 50 MaxAcqFrames = 256
MaxDefragCtxt= 2048 MaxFragments = 8096
TkgMaxFlows = 64000 ArchMaxFlows = 12000 RTMMaxFlows = 8
RTMPeriod = 10 ArchPeriod = 60 MaxCrPerFlow = 6
TickDownDelay= 50 TickDownPer. = 2 CnxRetryPer. = 4
LossThreshold= 5 TTP_Port = 19999 TTP_MaxLength= 1293
SynchroThresh= 10000 us (+10%:11000 us) SpuriousDelay= 5000
NbThreshDlay = 8
ThreshDlay = 10000 20000 50000 100000 200000 500000 1000000
ITP port2000000
: should be 123
Options = 0x000a SerialMode Softdog
NbTickets = 64000, 63891 free (28725 + 35166 in TKG)
and not 19995
TicketCrcNb = 65536
RxTtpBuffers = 1000 (1000 free) TxTtpBuffers = 1000 (999 free)
UflowAging = 10 ConCnxTcpAging = 30 SentryTTPAging = 600 ConCnxTcpDeadAging
= 300
Port ITP: 123 ITP Mode active, alpha 0.000020, beta 0.000500
ArpCpeInitPeriod = 10 ArpCpePeriod = 60 DeadCpeAgingDelay = 1200
ForceCrc24 thresholds low 10000, high 15000
Engine capacity advertising = yes (on UDP port 19996)
MaxValidSRT = 20000000
RT flows ports : 19990-19993;
Expected DR (0x1E) = CorrRecord SiteRecord TopHostAppli ExtSiteRecord
Known DR (0x1E) = CorrRecord SiteRecord TopHostAppli ExtSiteRecord
Expected CR (0x7F) = LANVol LANQual WANVol WANQual SmartPlan XComp TCP
Known CR (0x7F) = LANVol LANQual WANVol WANQual SmartPlan XComp TCP
[ CRC INFOS ]
[ GLOBAL VARIABLES ]
NbTickets = 64000, 63828 free (22849 + 40979 in TKG)
NbSpurious = 4965 NbAmbiguous = 142272 NbLost = 59763
Here probe is part of a cluster
ArchLostLost = 0 RTMLostLost = 12384
RxTtpBuffers = 1000 (1000 free) TxTtpBuffers = 1000 (999 free)
ip|true? yes ip|fast? yes ip|xcomp? yes ip|disc? no ip|xtcp? no
Sessions = 209 (max 96000) Flow = 18 in 13 variants (max 12000)
Cluster: 2 contexts (max 4096)
TopCtxt Hashing in 4096 buckets: 11 items in 11 buckets, min/avg/maxProbe
1 1 1 is synchronized
TkgFlow Hashing in 8192 buckets: 209 items in 174 buckets, min/avg/max server
on 1 1 2
ClsUFlow Hashing in 8192 buckets: 187 items in 167 buckets, min/avg/max 1 1 2
ArchFlow Hashing in 2048 buckets: 18 items in 18 buckets, min/avg/max 1 1 1
Sync'ed ? yes(30) SyncSrc Server 10.10.50.240
NbSatellites = 0
PositionHold ? no (Oncore GPS receiver) Display alarms (out of
SynchroThresh= 10000 us (+10%:11000 us) SyncKernelOffset= 6 correlation ticket,
SyncSrcOffset= 7 SyncFreq= -12 SyncSrcDelay= 204 interface down,
UseFlowId? yes StopOnIntfDown? yes LanDownToWan? yes overloaded…etc)
Current Alarms = (none)
Previous Alarms = (none)
CPU Load = 8% (Bounds 0..10000)
CPU load
[ VERSION ]
Hardware: Tag = 10AR, Name = 0120-512-CF64-3-X-G1, Rev = XX
Software: Version = 5.0.mi, Date = Oct 8 2008, Time = 16:39:57
Packages: Ipe = 5.0.mi.6, Kernel = 5.0.mi.5, Tools = 5.0.mi.5
Software version and its
packages
First check:
4.6.1 Itpq
CONFIGURATION TROUBLESHOOTING
YES YES
ITPQ command is useful to check Time Synchronization. It displays available ITP servers and
ITP server elected as the time source.
[ipe]$ itpq –p
remote refid st t when poll reach delay offset jitter
==============================================================================
*LOCAL(0) LOCAL(0) 3 l 17 16 377 0.000 0.000 0.000
10.0.13.253 10.0.14.253 5 u 3 16 377 7.591 0.107 0.177
[ipe]$
4.6.2 Itpconfig
4.6.3 Date
CONFIGURATION TROUBLESHOOTING
YES YES
[ipe]$ date
Tue Mar 28 07:26:41 UTC 2006
[ipe]$
CONFIGURATION TROUBLESHOOTING
NO YES
This section is dedicated to ipboss connectivity problem, I mean when ipboss can connect to
ip|engine but when when problem is not due to a network outage.
4.7.1 Netstat
CONFIGURATION TROUBLESHOOTING
NO YES
Use netstat to verify that udp and tcp ports are opened.
[ipe]$ netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 10.0.14.253:https 10.238.39.75:4102 ESTABLISHED 1
tcp 0 126 10.0.14.253:telnet 10.238.39.75:1050 ESTABLISHED
udp 0 0 localhost:32769 *:*
udp 0 0 localhost:32771 *:*
udp 0 0 localhost:32772 *:*
udp 0 0 10.0.14.253:19995 *:* 2
udp 0 0 localhost:19998 *:* 3
udp 0 0 10.0.14.253:19999 *:* 4
udp 0 0 localhost:ntp *:* 5
4.7.2 Ps –a
CONFIGURATION TROUBLESHOOTING
NO YES
[ipe]$ shell
bash-2.01$ ps -a
PID Uid VmSize Stat Command
1 0 492 S init [2]
2 0 SW [keventd]
3 0 RWN [ksoftirqd_CPU0]
4 0 SW [kswapd]
5 0 SW [bdflush]
6 0 TW [kupdated]
284 0 460 S /usr/local/bin/ipm_survey -
f/etc/ipm_survey.co
286 0 536 S ipm_upgrade
289 0 7660 S /usr/local/bin/ip_true
299 0 584 S /sbin/syslogd -m 0
300 0 7660 S /usr/local/bin/ip_true
301 0 7660 S /usr/local/bin/ip_true
302 0 7660 S /usr/local/bin/ip_true
303 0 7660 S /usr/local/bin/ip_true
304 0 7660 S /usr/local/bin/ip_true
306 0 536 S /sbin/klogd
309 0 780 S /usr/sbin/xinetd
313 0 720 S -interp
314 0 1312 S ipm_security
315 0 380 S ipm_script
317 0 1060 S /usr/local/bin/ip_fast
318 0 1060 S /usr/local/bin/ip_fast
319 0 1060 S /usr/local/bin/ip_fast
321 0 596 S /usr/local/bin/ip_xcomp
23650 0 2072 S /usr/local/apache/bin/httpd -DSSL
23651 1000 2448 S /usr/local/apache/bin/httpd -DSSL
23654 1000 2464 S /usr/local/apache/bin/httpd -DSSL
27229 1000 2464 S /usr/local/apache/bin/httpd -DSSL
9230 0 1572 S /usr/local/bin/itpd
9362 0 592 S in.telnetd: 10.238.39.75
9363 0 724 S -interp
9373 1000 1192 S /bin/bash
9374 1000 552 R ps -a
bash-2.01$exit
[ipe]$
CONFIGURATION TROUBLESHOOTING
NO YES
Survey.httpd
Survey.ip_fast
Survey.ip_true
Survey.ip_xcomp
Survey.ipm_script
Survey.ipm_security
Survey.ipm_upgrade
Survey. Tpd
[ipe7]$ shell
bash-2.01$ cat /tmp/survey.*
Launch #1 of httpd at Mon Mar 13 10:02:35 2006
Launch #2 of httpd at Thu Mar 23 10:09:10 2006
Launch #3 of httpd at Thu Mar 23 10:10:00 2006
Launch #4 of httpd at Thu Mar 23 10:10:59 2006
Launch #5 of httpd at Thu Mar 23 10:46:53 2006
Launch #6 of httpd at Thu Mar 23 15:25:38 2006
Launch #7 of httpd at Thu Mar 23 15:25:57 2006
Launch #1 of ip_fast at Mon Mar 13 10:02:24 2006
Launch #1 of ip_true at Mon Mar 13 10:02:10 2006
Launch #1 of ip_xcomp at Mon Mar 13 10:02:30 2006
Launch #1 of ipm_script at Mon Mar 13 10:02:19 2006
Launch #1 of ipm_security at Mon Mar 13 10:02:14 2006
Launch #1 of ipm_upgrade at Mon Mar 13 10:02:10 2006
Launch #1 of itpd at Mon Mar 13 10:02:40 2006
Launch #2 of itpd at Tue Mar 28 07:21:59 2006
bash-2.01$
It is useful to verify when a process was started or restarted. Check also with uptime
command.
4.7.4 Netconfig
CONFIGURATION TROUBLESHOOTING
YES YES
netconfig -h
Manage network services
Usage: netconfig [-h] Print this help and exit
netconfig -d Display current configuration
netconfig [+/-]<service>... Enable (+) or disable (-) one or more
services
netconfig restart Stop all running network services and
restart
enabled services
netconfig reset Enable ssh, disable telnet and ftp
With:
<service>=ssh, telnet, ftp
Netconfig command permits to check if telnet or ssh are enabled. If you want to enable one use
netconfig:
[ipe]$ netconfig –d
service telnet enabled
service ssh enabled
[ipe]$
Since release 4.3.0, ftp service is available on all ip|engine models. FTP could be used to
upgrade ip|agents.
[ipe]$ netconfig –d
current configuration:
service ssh : enabled
service telnet : enabled
service ftp : disable
[ipe]$
Note: after being reconfigured, it is necessary to restart all network services with the command:
Your connection (telnet or ssh or ftp) is reset, but ip|engine is not rebooting.
CONFIGURATION TROUBLESHOOTING
NO YES
To debug status of IP|True, Fast, Xcomp and Xtcp processes, check the red bold characters.
[ GLOBAL VARIABLES ]
NbTickets = 30000, 30000 free (1236 + 28764 in TKG)
NbSpurious = 6 NbAmbiguous = 49191 NbLost = 73
ArchLostLost = 0 RTMLostLost = 0
RxTtpBuffers = 100 (100 free) TxTtpBuffers = 100 (100 free)
ip|true? yes ip|fast? yes ip|xcomp? no ip|disc? no ip|xtcp? no
Sessions = 6 (max 24000) Flow = 0 in 0 variants (max 8192)
TkgFlow Hashing in 4096 buckets: 6 items in 6 buckets, min/avg/max 1 1 1
ClsUFlow Hashing in 4096 buckets: (empty)
ArchFlow Hashing in 2048 buckets: (empty)
Sync'ed ? yes(30) SyncSrc server 10.0.13.253
NbSatellites = 0
PositionHold ? yes (no GPS receiver)
SynchroThresh= 10000 us (+10%:11000 us) SyncKernelOffset= 1416
SyncSrcOffset= 1412 SyncFreq= 45 SyncSrcDelay= 7704
UseFlowId? yes StopOnIntfDown? yes LanDownToWan? No
Current Alarms = (none)
Previous Alarms = (none)
CPU Load= 1.22 (Bounds: 0.00 .. 10000.00)
[ipe]$
4.7.6 Certificates
Certificates could be cause of problem between Ip|engines and IP|Boss. To check that every
IP|engines use the same certificate, use in System Provisioning profile, Tools button then
Security Status tab.
Select all IP|engines and click status. Wait for result to be displayed and check certificates are
the same.
4.7.7 Uptime
CONFIGURATION TROUBLESHOOTING
NO YES
With uptime command, it is possible to check load of an ip|engine. If load is greater than 2,
then ssh connection are refused.
[ipe]$ uptime
08:57:45 up 14 days, 22:55, load average: 0.00, 0.00, 0.00
[ipe]$
4.7.8 Snmpconfig
CONFIGURATION TROUBLESHOOTING
YES YES
Snmpconfig is used to enable MIB2 agent on ip|engine and to configure a community string.
[ipe]$ snmpconfig –d
SNMP Configuration:
status = enabled
state = running
community = publicstring
[ipe]$
4.8.1 Ipconfig -d
CONFIGURATION TROUBLESHOOTING
YES YES
[ipe]$ ipconfig –d
Copyright (c) Ipanema Technologies 2000-2005
Current Configuration:
IP addr : 10.0.14.253
IP mask : 255.255.255.0
Gateway : 10.0.14.254
Hostname : ipe
Serial mode : yes
[ipe]$
4.8.2 Arp
CONFIGURATION TROUBLESHOOTING
NO YES
With arp command, it is possible to check that gateway MAC address is correct.
[ipe]$ arp
Address HWtype HWaddress Flags Mask Iface
10.0.14.254 ether 00:04:C0:5D:57:E0 C brg0
[ipe]$
CONFIGURATION TROUBLESHOOTING
NO YES
[ TICKETGEN ]
Processed Frames: 95105970 NoMoreTkUp: 0
Upstream: 54825004 Downstream : 38836485
Ignored : 468157 OutOfDomain: 35863707
Frames/Ioctl LAN: Min=1, Max=255, Avg=1, Total=39528158
Frames/Ioctl WAN: Min=1, Max=256, Avg=1, Total=55573904
Cluster: 2 contexts (max 4096)
TopCtxt Hashing in 4096 buckets: 11 items in 11 buckets, min/avg/max 1 1 1
TkgFlow Hashing in 8192 buckets: 201 items in 175 buckets, min/avg/max 1 1 2
Throughput: (Bits and Packets per sec, averaged and checked every 30 sec)
Limits : Ingress 24.000 Mb/s Egress 24.000 Mb/s Packets 0
Last23s: Ingress 821.184 Kb/s Egress 410.360 Kb/s Packets 2641
LastAvg: Ingress 1.048 Mb/s Egress 385.896 Kb/s Packets 2470
MaxUsed: Ingress 7.994 Mb/s Egress 615.192 Kb/s Packets 4131
CONFIGURATION TROUBLESHOOTING
NO YES
With debug dump engine command, we can display counters of received tickets per
destinations.
CONFIGURATION TROUBLESHOOTING
NO YES
Displays current correlators with downstream tickets and total upstream tickets.
Synthax used is :
Displays every flows measured by ip|true engine and provides topology information such as:
upstream (go toward IPVPN), downstream (come from IPVPN), multicast, redirected, transit.
CONFIGURATION TROUBLESHOOTING
NO YES
Table 4.8-1
Source IP + Number of
source port packets
[ipe]$ shell
ipe:~# debug show flow -d | grep -A 3 FTP
> TCP, 10.10.50.201:51990 - 10.10.0.2:5248, appli 10(FTP): Upstream_Cluster, 44400
pkts CORREL(9), age 0, life 394
EngineUp/Down: ipe52:1/ipe0a:1, priv 38(ftp), server, tcpFlags SYN+ACK, iba
10.10.0.241, flowId 43227, Xcomp, XTCP, tkCount 40
TopoSrc/Dst: NETP10.50/NET0 UserSrc/Dst: 10.10.50.0/*Other*
ipe:~#
Classification tags
Displays a list of all realtime flows measured by a user on ipboss GUI. Each ip|engine is limited
to 4 simultaneous flows.
Used slot unused slot
debug show rtm
[status]
running = yes
overload = no
rule = 0|||0|1|||0|0|0|1||||0|100
Rule used for discovery
[Rule]
Local network filter: none
Remote network filter: none
Application filter: none
61 Discovery session contexts created
Showing 100 contexts (maxtop is 100)
[Outgoing]
10.10.50.251|10.10.110.5|11-36~HTTP (http)|106/154358/1|55/2313/1|refcnt=2
10.10.50.251|10.10.110.6|11-36~HTTP (http)|106/154358/1|55/2313/1|refcnt=2
10.10.50.251|10.10.110.8|11-36~HTTP (http)|106/154358/1|55/2313/1|refcnt=2
10.10.50.251|10.10.110.7|11-36~HTTP (http)|106/154358/1|55/2313/1|refcnt=2
10.10.50.251|10.10.110.11|11-36~HTTP (http)|106/154358/1|55/2313/1|refcnt=2
10.10.50.251|10.10.110.10|11-36~HTTP (http)|106/154358/1|55/2313/1|refcnt=2
[Incoming]
10.10.50.250|10.10.110.3|92-103~G729 (rtp/rtcp)|216/12364/1|216/12364/1|refcnt=2
10.10.50.250|10.10.110.119|92-103~G729 (rtp/rtcp)|219/12350/1|219/12350/1|refcnt=2
10.10.50.250|10.10.110.168|92-103~G729 (rtp/rtcp)|211/12252/1|210/12192/1|refcnt=2
10.10.50.250|10.10.110.104|92-103~G729 (rtp/rtcp)|208/11800/1|208/11800/1|refcnt=2
10.10.50.250|10.10.110.140|92-103~G729 (rtp/rtcp)|178/9810/1|179/9870/1|refcnt=2
10.10.50.250|10.10.110.204|92-103~G729 (rtp/rtcp)|170/9224/1|171/9284/1|refcnt=2
Local traffic : traffic passing through ip|engine but which stays local to LAN
Ingress traffic: traffic going from local ipengine managed LAN subnet to remote subnet
Egress traffic: traffic going from remote subnet to local ipengine managed LAN subnet
Transit traffic: traffic going from a not locally managed subnet to a not locally managed
subnet, but passing through ip|engines.
debug show drv
[ Local traffic ]
CurrentAlarms= (none)
Traffic : 0
DefragError : 0
FragDatagrams : 0
Numb.Fragments : 0
[ Ingress traffic ]
CurrentAlarms= (none)
Traffic : 57481993
DefragError : 0
FragDatagrams : 0
Numb.Fragments : 0
[ Egress traffic ]
CurrentAlarms= (none)
Traffic : 40891069
DefragError : 0
FragDatagrams : 0
Numb.Fragments : 0
[ Transit traffic ]
CurrentAlarms= (none)
Traffic : 0
DefragError : 0
FragDatagrams : 0
Numb.Fragments : 0
Displays usefull information about current traffic. Displayed traffic rate are measured on LAN
interface. The value should be the same than the reported one in SA-site-throughput.
Displays all ip|engines created in ip|engine provisionning into ipboss configuration. We have
following information for each probe:
Public/private ip address
Capabilities FAST / XCOMP / DCOMP…Etc
TkDown is the number of correlation tickets received from remote ip|engine
Spur is the number of correlation tickets received but not attempted
Ambig is the number packets which have the same signature
Lost is the number of lost packet, no correlation ticket received
Remark: signature size depends of WAN access bandwidth, it is between 4 and 8 bytes.
[ 6 IP_ENGINES ]
Local engine:
ipe52 (10.0.18.52,10.10.50.241): LOCL FAST XCOMP DCOMP
Other engines:
ipe51 (10.0.18.51,10.10.50.240): FAST XCOMP DCOMP
TkDown= 0 Spur= 0 Ambig= 0 Lost= 0
ipe8 (10.0.18.8,10.10.82.240): FAST XCOMP DCOMP
TkDown= 0 Spur= 0 Ambig= 0 Lost= 0
ipe11 (10.0.18.11,10.10.110.240): FAST XCOMP DCOMP TSWAN
TkDown= 53396215 Spur= 5108 Ambig= 142371 Lost= 59763
Out of domain (240.0.0.0): TOOD FOOD VIRT
TkDown= 0 Spur= 0 Ambig= 0 Lost= 0
*FastEgrInDomain* (255.255.255.255): FEID VIRT
TkDown= 0 Spur= 0 Ambig= 0 Lost= 0
Displays:
[ 6 TOPOLOGY SUBNETS ]
NET120 (10.10.120.0/24) Out of domain
NET110 (10.10.110.0/24) ipe11
NET90 (10.10.90.0/24) Out of domain
NET82 (10.10.82.0/24) ipe8
NET50 (10.10.50.0/24) ipe52 - ipe51 MINE
Out of domain (0.0.0.0/0) Out of domain
[ 7 REPORTING SUBNETS ]
10.10.105.0 (10.10.105.0/24)
10.10.104.0 (10.10.104.0/24)
10.10.103.0 (10.10.103.0/24)
10.10.102.0 (10.10.102.0/24)
10.10.101.0 (10.10.101.0/24)
10.10.100.0 (10.10.100.0/24)
*Other* (0.0.0.0/255)
………………….
G729 (92): rtp/rtcp Codec=[audio/G729]
G711a (93): rtp/rtcp Codec=[audio/PCMA]
G711u (94): rtp/rtcp Codec=[audio/PCMU]
G723 (95): rtp/rtcp Codec=[audio/G723]
RTP/RTCP (62): rtp/rtcp
4.8.15 Debug show uc
debug show uc
[ USER CLASSES ]
G729(23): BwObj=2125 Crit=Top
Appli=G729
HTTP(24): BwObj=5000 Crit=Hig XCOMP XTCP
Appli=HTTP
other(0): BwObj=3750 Crit=Med XTCP
4.8.16 Abc
[ FILTERS ]
521: SAP (base.*:application_id = 107)
522: PCAnywhere (base.*:application_id = 214)
523: SOCKS ((base.*:application_id = 116) or (base.*:application_id = 117))
524: SOAP (base.*:application_id = 115)
525: RDP (base.*:application_id = 90)
526: Q931 (base.*:application_id = 86)
527: DICT (base.*:application_id = 21)
528: IRC (base.*:application_id = 53)
529: Directconnect (base.*:application_id = 22)
530: X11 (base.*:application_id = 135)
531: RFB (base.*:application_id = 91)
532: POSTGRES (base.*:application_id = 84)
………………………………………………….
……………………………………………………..
580: HTTP-INDX (^.http.*:uri ~ /indx*)
581: HTTP-INX (^.http.*:uri ~ /inx*)
582: HTTP-IX (^.http.*:uri ~ /ix*)
583: HTTP-X (^.http.*:uri ~ /1x*)
584: HTTP-XA (^.http.*:uri ~ /2x*a)
585: HTTP-XAA (^.http.*:uri ~ /3x*aa)
586: HTTP-XAAA (^.http.*:uri ~ /4x*aaa)
587: HTTP-XAAAA (^.http.*:server ~ "*5x*aaaa")
588: HTTP-XAAAAA (^.http.*:uri ~ /6x*aaaaa)
589: HTTP-XAAAAAa (^.http.*:uri ~ /7x*aaaaaA)
590: HTTP-XAAAAAaa (^.http.*:uri ~ /8x*aaaaaAa)
591: HTTP-XAAAAAaaa (^.http.*:uri ~ /9x*aaaaaAaa)
592: HTTP-XAAAAAaaaa (^.http.*:uri ~ /10x*aaaaaAaaa)
593: HTTP-XAAAAAaaaaa (^.http.*:uri ~ /11x*aaaaaAaaaa)
594: HTTP-XAAAAAaaaaaa (^.http.*:uri ~ /12x*aaaaaAaaaaa)
595: HTTP-XAAAAAaaaaaaa (^.http.*:uri ~ /13x*aaaaaAaaaaaa)
596: HTTP-XAAAAAaaaaaaaa (^.http.*:server ~ "*14x*aaaaaAaaaaaaa")
597: HTTP-XAAAAAaaaaaaaaa (^.http.*:uri ~ /15x*aaaaaAaaaaaaaa)
[ipe6]$ shell
ipe6:~$ abc_plugin show all
base is enabled
unknown is enabled
malformed is enabled
incomplete is enabled
fragmented is enabled
8021q is enabled
aim is enabled
apollo is enabled
arp is enabled
atalk is enabled
bgp is enabled
bittorrent is enabled
cdp is enabled
cotp is enabled
cups is enabled
dcerpc is enabled
dec is enabled
dhcp is enabled
dict is enabled
directconnect is enabled
To enable a plugin:
To disable a plugin:
4.9.1 Prerequisite
debug show uc
[ USER CLASSES ]
G729(23): BwObj=2125 Crit=Top
Appli=G729
HTTP(24): BwObj=5000 Crit=Hig XCOMP XTCP
Appli=HTTP
other(0): BwObj=3750 Crit=Med XTCP
INGRESS /
EGRESS
IBA 0
IBAICOSQOSP 0.1.1
ICOS 0.1
IBAICOSQOSP 0.1.2
ICOS 0.2
IBAICOSQOSP 0.2.1
IBAICOSQOSP 0.2.2
User Class
ICOS 0.11
IBAICOSQOSP 0.11.1
IBAICOSQOSP 0.12.1
IBAICOSQOSP 1.1.2
ICOS 1.11
IBAICOSQOSP 1.11.1
IBAICOSQOSP 1.11.2
ICOS 1.12
IBAICOSQOSP 1.12.1
IBAICOSQOSP 1.12.2
There are always 12 ICOS even if they are not instantiated every time. 12 because there are 4 level of
criticity and 3 kind of traffic so 4 x 3 = 12.
Here we have filter ingress SMTP traffic for all directions (iba).
The direction
Iba 10.48.89.231 refers to a remote ipengine
Ibagroup 0x080d6fd0 refers to the direction in the TC tree of the ipengine you are connected on.
IcosGroup 0x08132018 refers to the Criticity x Traffic type in the TC tree of the ipengine you are connected on.
It is possible to find the same values in the debug fast show ingress or debug fast show egress command to improve troubleshooting.
This command displays the current TC tree instantiated in the ipengine you logged on.
IBA are the directions and ICOS refer to criticity x traffic type. IBA and ICOS are nodes but IBAICOSQOSP are the leafs of TC tree.
If you use the Hexa code of previous command debug show uflow inside this command, you’ll find the direction and the UC matched.
4.9.6 Tc
To display the shaper rate for a direction you can use previous class number of the IBA:
bash-2.01$ tc -s class show dev `getintf ing` parent 64: | grep -A 2 "htb 64:740"
class htb 64:740 root rate 200000Kbit ceil 200000Kbit burst 257561b cburst 257561b
Sent 185362203 bytes 293455 pkts (dropped 0, overlimits 0)
lended: 0 borrowed: 0 giants: 0
bash-2.01$
Here you can observe that direction is shaped at 200’000Kbit, 185’362’203 bytes in 293’455 pkts have matched this directions and no drop occur.
To display the shaper rate for a ICOS inside a direction you can use previous class number of the ICOS:
bash-2.01$ tc -s class show dev `getintf ing` parent 64: | grep -A 2 "htb 64:743"
class htb 64:743 parent 64:741 leaf 2ce: prio 0 rate 3000Kbit ceil 6921Kbit burst 5439b cburst 10457b
Sent 1980211 bytes 32758 pkts (dropped 0, overlimits 0)
lended: 32759 borrowed: 0 giants: 0
bash-2.01$
Here you can see that parent is 64:741 and is not 64:740, because 64:741 is the ICOS (criticity X traffic type).
You can observe that the shaper regulate traffic at 3’000kbit and have never drop any packet.
Execute the same command with 64:741, you should have parent 64:740.
bash-2.01$ tc -s class show dev `getintf ing` parent 64: | grep -A 2 "htb 64:741"
class htb 64:741 parent 64:740 rate 8298Kbit ceil 8298Kbit burst 12218b cburst 12218b
Sent 141424101 bytes 225840 pkts (dropped 0, overlimits 0)
lended: 1713 borrowed: 0 giants: 0
bash-2.01$
Displays physical and virtual ip|engines, their ip addresses and their capabilities.
[6 REPORTING SUBNETS]
10.10.105.0 10.10.105.0/24,
10.10.104.0 10.10.104.0/24,
10.10.103.0 10.10.103.0/24,
10.10.102.0 10.10.102.0/24,
10.10.101.0 10.10.101.0/24,
10.10.100.0 10.10.100.0/24,
4.9.9 Debug fast show wan
ibWWH 327.21Kbs ibWTU 584.00 bs ibWTUave 604.00 bs (margin= 4.1 %) ibWTUave = iba average of
TRACK 19 [20 ] SMOTH 0 [150] BREATHE 0 [10 ]
ingIBA 10 (SO-EU-ES-BARC402-BAM), ABmin 48.00Kbs ABmax 3.00Mbs
What They Use
ibWWH 2.28Mbs ibWTU 5.24Kbs ibWTUave 5.52Kbs (margin= 4.5 %) Average of Consumed
TRACK 10 [20 ] SMOTH 0 [150] BREATHE 0 [10 ] bandwidth for the specified IBA
ingIBA 11 (GE-BK-CN-SHAN002-BAM), ABmin 48.00Kbs ABmax 2.00Mbs (direction)
ibWWH 271.81Kbs ibWTU 424.00 bs ibWTUave 1.90Kbs (margin= 8.8 %)
TRACK 18 [20 ] SMOTH 0 [150] BREATHE 0 [10 ]
4.9.11 Debug fast show ibadyn
[ipe52]$ shell
bash-2.01$ debug fast show ingress | more
[NAP 1 INGRESS IBA ICOS]
--------------------------------------------------------------------------------
IBA 0 (Out of domain), active, Ingress Uncontrolled, (dynIbaId 1, class 64:40)
RBP=600.00Kbs/64.00Kbs/600.00Kbs, MinBw=0.00 bs MaxBw=7.60Mbs
ABmin=48.00Kbs ABmax=7.60Mbs, WWHmin=46.59Kbs WWHmax=7.37Mbs, cfactor=1.00
GROUP 0x081951a8
PRIO:1 remote:240.0.0.0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ICOS 0.1 (class 64:41), RBP=660.00Kbs/600.00Kbs/60.00Mbs, Prio=7, Qos2Cos=40
GROUP 0x08181770, QosProfile=Mail, Crit=Med, Type=Other
IBAICOSQOSP 0.1.1 (class 64:42), RBP=660.00Kbs/660.00Kbs/660.00Kbs, Prio=1
PRIO:7 appli: SMTP
GROUP 0x081818e8, QosProfile=default, Crit=Med, Type=Other
IBAICOSQOSP 0.1.2 (class 64:43), RBP=660.00Kbs/660.00Kbs/660.00Kbs, Prio=1
PRIO:14 (default)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ICOS 0.3 (class 64:44), RBP=4.55Mbs/4.55Mbs/455.68Mbs, Prio=7, Qos2Cos=40
GROUP 0x081817f0, QosProfile=FileTransfert, Crit=Low, Type=Other
PRIO:9 appli: FTP
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ICOS 0.4 (class 64:45), RBP=7.60Mbs/7.60Mbs/760.00Mbs, Prio=2, Qos2Cos=184
GROUP 0x081815f0, QosProfile=G711, Crit=Top, Type=RTime
IBAICOSQOSP 0.4.1 (class 64:46), RBP=120.00Kbs/120.00Kbs/7.60Mbs, Prio=1
It displays ingress and egress IBA id (IBA = direction) according to configuration file (“__active__.ipmconf”) in section [INGRESS IBA] and [EGRESS
IBA].
It displays association between IBA/ICOS/QOSP for ingress and egress, refer to section [INGRESS IBAICOSQOSP] and [EGRESS IBAICOSQOSP].
Then, it displays on which IBA the ipengine detects activity (packets that match IBA) below lines “#groupes de detection d’activite”.
[INGRESS IBA]
#columns = ibaId|name|mainPublicIp|mainPrivateIp
item = 0|Out of domain|240.0.0.0|240.0.0.0
item = 1|virt203.255|240.0.3.255|240.0.3.255
item = 2|virt203.254|240.0.3.254|240.0.3.254
………………….
[EGRESS IBA]
#columns = ibaId|name|mainPublicIp|mainPrivateIp
item = 0|Out of domain|240.0.0.0|240.0.0.0
item = 1|*EgrInDomain*|255.255.255.255|255.255.255.255
item = 2|virt203.255|240.0.3.255|240.0.3.255
…………………….
[INGRESS IBAICOSQOSP]
#columns = ibaId|icosId|crit|qosp|group|class
item = 0|1|Med|Mail|0x08206920|ing_64:42
item = 0|1|Med|default|0x08206a98|ing_64:43
item = 0|3|Low|FileTransfert|0x082069a0|ing_64:44
item = 0|4|Top|G711|0x082067a0|ing_64:46
item = 0|4|Top|G729|0x08206820|ing_64:47
item = 0|4|Top|streaming|0x08206a20|ing_64:48
item = 0|10|Hig|PERF|0x082068a0|ing_64:49
#groupes de detection d'activite
item = 0|-1|-1|-1|0x081231a0|ing_64:10
item = 1|-1|-1|-1|0x080f0fe8|ing_64:20
item = 2|-1|-1|-1|0x080f10a0|ing_64:30
………………………..
[EGRESS IBAICOSQOSP]
#columns = ibaId|icosId|crit|qosp|group|class
item = 0|1|Med|Mail|0x08207318|egr_64:42
item = 0|1|Med|default|0x08207490|egr_64:43
item = 0|3|Low|FileTransfert|0x08207398|egr_64:44
item = 0|4|Top|G711|0x08207198|egr_64:46
item = 0|4|Top|G729|0x08207218|egr_64:47
item = 0|4|Top|streaming|0x08207418|egr_64:48
item = 0|10|Hig|PERF|0x08207298|egr_64:49
item = 1|1|Med|Mail|0x08207d10|egr_64:82
item = 1|1|Med|default|0x08207e88|egr_64:83
item = 1|3|Low|FileTransfert|0x08207d90|egr_64:84
item = 1|4|Top|G711|0x08207b90|egr_64:86
item = 1|4|Top|G729|0x08207c10|egr_64:87
item = 1|4|Top|streaming|0x08207e10|egr_64:88
item = 1|10|Hig|PERF|0x08207c90|egr_64:89
#groupes de detection d'activite
item = 0|-1|-1|-1|0x081abe68|egr_64:10
item = 1|-1|-1|-1|0x0817df50|egr_64:20
item = 2|-1|-1|-1|0x0817e148|egr_64:30
…………………………………
[ICOS]
#columns = icosId|icosName
item = 0|other_high
item = 1|other_low
item = 2|other_med
item = 3|other_none
item = 4|realtime_high
item = 5|realtime_low
item = 6|realtime_med
item = 7|realtime_none
item = 8|transac_high
item = 9|transac_low
item = 10|transac_med
item = 11|transac_none
This command is useful when you troubleshoot ip|fast because you can easily find a IBA with a hexa code.
Example:
[ 2 CLS MICRO-FLOWS ]
Current flows, > Ingress, < Egress, age in msec:
< UDP, 10.10.110.242:123 - 10.10.100.241:123, appli 39(NTP), iba 255.255.255.255, id 251625, Flow 0x81bf6c4, IbaGroup 0x080fb288,
IcosGroup 0x08200328, age 11740
< UDP, 10.10.90.242:123 - 10.10.100.241:123, appli 39(NTP), iba 255.255.255.255, id 251633, Flow 0x81bf6c4, IbaGroup 0x080fb288,
IcosGroup 0x08200328, age 860
ipe:~# debug fast show monitor | grep 080fb288
item = 1|-1|-1|-1|0x080fb288|egr_64:20
4.10.1.1 Generalities
o ZRE: Zero delay Redundancy Elimination is available on all ipengines except old ipe10
or ipe14.
o Packet per packet compression, uses UD¨P tunnel, compress TCP and UDP traffic
o It introduce zero delay, it compress packet per packet, so it doesn’t wait to fill a buffer
before doing compression
4.10.1.2 Micro-tunnels
A compression tunnel is established between two IP|engines. The colour of each IP packet is
replicated in the UDP packet used to carry the compressed payload. Compression tunnel rules
are:
UDP sessions
between ip|e for
compression purpose
4.10.1.3 Restrictions
4.10.2 Xcompconfig
CONFIGURATION TROUBLESHOOTING
YES YES
[ipe]$ xcompconfig -d
Current configuration:
LAN Gateway : none
[ipe]$
To add a lan gateway:
Sometimes, customers have cascaded IP subnets behind a Layer 3 equipment (like a router of
Layer 3 switch):
In default configuration, ipengine has no default gateway and every decompressed traffic which
destination ip address is not in the same subnet than ipengine subnet is sent back to the CE
router:
It works but generate more traffic to redirect by CE router and to switch (ignore) by ipengine.
[ XCOMP HOSTS ]
host 10.69.202.47 ttl 0
host 10.67.172.9 ttl 1
host 10.48.237.135 ttl 1
host 10.147.65.135 ttl 1
host 10.69.144.79 ttl 2
host 10.48.215.190 ttl 3
host 145.247.217.132 ttl 6
host 10.68.16.31 ttl 6
host 10.69.148.232 ttl 9
host 192.168.1.193 ttl 9
host 10.74.153.220 ttl 11
host 10.147.64.172 ttl 11
host 10.48.88.12 ttl 12
host 10.58.147.187 ttl 15
host 10.147.80.167 ttl 16
host 10.69.17.39 ttl 17
host 10.48.73.232 ttl 19
host 10.58.16.74 ttl 20
host 10.147.65.30 ttl 21
host 10.58.213.66 ttl 21
…………
4.10.4 Debug xcomp show config
- Current decZiba = 1
VRF1-SITE1-A (172.10.10.241,10.10.10.241):
- Dcomp = true comZiba = none
Tunnel to VRF1-SITE2-
- Xcomp = true decZiba = none A status
VRF1-SITE2-A (172.10.20.241,10.10.20.241):
- Dcomp = true comZiba = up
tunState = valid tunRetry = 0 tunAbort = 0
tryState = yes tryRetry = 0 alg/cap/msk = 7/1/0x0
cntState = connected cntRetry = 0 cntBreak = 0
tunMTU = 1500
- Xcomp = true decZiba = up
cntState = connected cntRetry = 0 cntBreak = 0
A tunnel status is composed of 2 way: Dcomp stands for decompression, Xcomp stands for
compression.
VRF1-SITE2-A (172.10.20.241,10.10.20.241):
- Dcomp = true comZiba = up
tunState = valid tunRetry = 0 tunAbort = 0
tryState = yes tryRetry = 0 alg/cap/msk = 7/1/0x0
cntState = connected cntRetry = 0 cntBreak = 0
tunMTU = 1500
- Xcomp = true decZiba = up
cntState = connected cntRetry = 0 cntBreak = 0
we can observe:
With debug show flow –x, it is possible to display details about compression:
In the previous example, compression is very bad and negative because we generate more
traffic on WAN side.
Typically when we have more traffic on WAN side than on LAN side, it is probably due to
uncompressible traffic sent inside full length MTU packet. The ipengine will try to compress it,
then will have to encapsulate compressed packet inside a UDP tunnel. Finally
compressed/encapsulated packet is greater than MTU, so we have to fragment packet.
4.11.1.1 Generalities
Standard Redundancy Elimination (SRE) is available with ipengines AX series only running at
least v6.0.
It compresses TCP streams only and is transparent to Layer 2 (@MAC), Layer 3 (@IP) and Layer
4 (TCP port).
Every TCP connection compressed with SRE mechanism is splitted in 3 parts by 2 TCP
proxies:
Poxification must be done on the first packet (SYN packet), classification process has not
enough time to complete correctly. Usually it needs few data packets to classify correctly (for
example, when you identify an application with an URL).
4.11.1.3 Dictionaries
• only 1 compression dictionary (if the same data is compressed to several directions, it
is stored once only)
4.11.1.4 Transparency
Layer 2 transparency :
Conservation des @MAC
Conservation des VLAN
Layer 3/4 transparency :
Conservation des @IP
Conservation des n° de port TCP
Embedded proxy do not multiplex tcp connection :
1 TCP connection between client and compressor = 1 TCP connection between compressors
Window scaling
Optimization of TCP buffers
4.11.1.5 Proxy exceptions
Not all TCP connections can be proxified, there are some exceptions :
• Port 443: mainly used for HTTPS connections which are not compressible
• etc
4.11.1.6 Recommendations
This mechanism can introduce some delay, so it not recommended to use it with delay
sensitive traffic.
4.11.1.7 Restrictions
• Even if SRE mechanism is Layer 4 transparent, it uses the TCP option number 26, so if
you have firewall, it must permit TCP option 26 else proxification won’t work correctly.
o This can be explained because TCP proxification is done on the first TCP
packet = SYN and because we receive only one packet we can’t use Layer 7
engine to differentiate 2 URL traffic.
• SRE compression doesn’t work on half-connections
• IP fragmentation:
o Ip fragmentation / reassembly is not supported by the proxy
o MSS can be locally supported by ipagent to prevent fragmentation
4.11.3.1 Ipagent
If you have the feeling SRE doesn’t work, verify if service is correctly enabled
Compress option must be checked at User Class level, then click on “Advanced” tab.
When you create a new User Class, default configuration of the advanced tab depend of QoS
profile selected:
With debug show flow –x, it is possible to display details about compression:
When Ratio > 1 and Rate < 0% , compression is useful. Else it means than compression
generate more traffic on WAN side than it received on the LAN side, however most part of time
you can’t prevent this phenomenon, typically when ipengine compresses upstream
acknownledgement like in the following example:
• Sometime, it occurs when traffic is coming from or going to an ipengine cluster, as long as the
ipengine cluster is not resolved by the remote ipengine, then the traffic is not proxified and
can’t be compressed with SRE. And in this case, ZRE can compress traffic instead of SRE.
4.11.6.2 Out of domain traffic
Create 2 new topology subnets: 0.0.0.0/1 and 128.0.0.0/1both topology subnets are
equivalent to 0.0.0.0/0. Then you have to associate both new subnets to an ipengine.
SRE and ZRE compression statistics are merged into the same reports.
4.12.1 Reporting
On the following example, compressor sends more traffic on the WAN side, than it receives on
the LAN side. Maybe, It can be explained because ipengines tries to compress small packet
like acknowledgement, here we can notice that compress traffic is very small compared to
decompress traffic, so it is probably ack packet.
Remember that a CIFS connection is really long, I mean each time you open a shared (ex: a
folder) resources on a network, the connection is established and is kept opened untill you
decide to remove the network mount.
For example, a employee begins its works at 9:00AM, and is going to finish at 6:00PM, if this
user has network drives on its workstation :
A TCP connection is opened at 9:00AM and is closed at 6:00PM, so the same connection is
kept opened all day long, even if there is no traffic during the lunch time and if computer is still
running.
CIFS optimization works at protocol level and need to proxify TCP connection on 1 ipengine,
only ipengine installed on the LAN of the workstation will proxify the connection.
Remark: Xapp feature must be enable before the CIFS connection is established, else TCP
connection won’t be proxified by CIFS proxy.
The CAX engine is the CIFS optimization process. It can optimize only dialect “NT LM 0.12”
with is mainly used in today Windows workstation.
It is based on use of TCP proxy embedded in ipengine and also used for SRE compression.
It will try to optimize every TCP connection running on port 139 (NetBIOS) or 445 (SMB).
Port 139 is used by the old implementation of File sharing using NetBIOS
CIFS optimization runs before every other optimization or measurement processes inside
ipengine, it means:
o Ip|true can only see the packets actually sent over the WAN by the CAX engine, packets
generated locally can’t be seen by ip|true
o Ip|fast will regulate only CIFS optimized traffic, it means CIFS client may experience a
higher bandwidth than the one enforced by ip|fast.
o By default CAX engine uses 60Kbytes CIFS block instead of 4Kbytes (16Kbytes) used by
Windows NT/XP (Windows 2000)
In order to accelerated CIFS traffic, the Ipanema domain must be well configured.
4.13.2.1 Ipagent
It is not mandatory to have a specific User Class with SMB protocol. Once you have enabled
Xapp on an ipengine and enabled global the Xapp service, each SMB/Netbios sessions passing
through the ipengine will be accelerated.
However, you can create a specific User Class for file sharing to apply QoS objective to this
traffic.
CIFS throughput measured displayed in ipboss realtime graph is measured by ip|true process,
it means sometimes it won’t displayed the exact throughput like the one experience by CIFS
user.
4.13.3 Reporting
Throughput displayed here is measured at the CAX engine, it is not measured by ip|true and so
reflect the bandwidth experienced by end user.
[CIFS Version ]
CAX Version: 1.20
140T:~#
Version 1.20 is embedded in ipagent 6.1.4
[CIFS Status ]
Configured? yes Enabled? yes Running? yes
140T:~#
4.13.6 Debug cifs show conns
• It displays every CIFS connections currently optimized and which ipengine is currently optimizing
the connection.
• If some CIFS connection are not accelerated, they are listed below. Typically, when the maximum
of CIFS optimized connections is reached
• Refused connections are connections which can’t be optimized. Typically when CIFS is sealed or
when dialect is not supported by CIFS engine.
[CIFS Conns ]
Maintaining 1 connections (max is 200)
Accelerated Connections:
0001: Accelerated: 10.10.20.210:1125 -> 10.10.60.210:445 (sentry 10.10.60.241
UC 30 AC 42) lanRTT 18 wanRTT 50 GMT 20100705 16:04:56
Number of Accelerated Connections: 1
Non-Accelerated Connections:
Number of Non-Accelerated Connections: 0
140T:~#
4.13.7 Debug cifs show conns –d
Display the same information than “debug cifs show conns” but with more details.
[CIFS Conns ]
Maintaining 1 connections (max is 200)
Accelerated Connections:
0001: Accelerated: 10.10.20.210:1125 -> 10.10.60.210:445 (sentry 10.10.60.241
UC 30 AC 42) lanRTT 18 wanRTT 38 GMT 20100705 16:04:56
LAN Bytes sent: 127579963061
LAN Bytes recv: 360981635
WAN Bytes sent: 208896374
WAN Bytes recv: 127415955371
-- Number of CIFS requests from client total: 5106363 prev.hour: 325087
curr.hour: 217365 last.five: 22715curr.five: 28627
-- Number of CIFS responses from server total: 2800768 prev.hour: 178743
curr.hour: 119651 last.five: 12235curr.five: 16064
-- Number of CIFS bytes from client total: 360983725 prev.hour: 22980293
curr.hour: 15479407 last.five: 1507717curr.five: 2158293
-- Number of CIFS bytes from server total: 712296638 prev.hour:
1691687921 curr.hour: 1022618600 last.five: 656115351curr.five: 583240818
Number of Accelerated Connections: 1
Non-Accelerated Connections:
Number of Non-Accelerated Connections: 0
140T:~#
For each CIFS connection the following detail is displayed:
[CIFS Statistics]
** CAX Statistics:
-- Max number of concurrent connections total: 1 prev.hour: 0
curr.hour: 0 last.five: 0 curr.five: 0
-- Number of accepted connections total: 1 prev.hour: 0 curr.hour:
0 last.five: 0 curr.five: 0
-- Number of refused connections total: 0 prev.hour: 0 curr.hour:
0 last.five: 0 curr.five: 0
-- Number of connections refused because CIFS connection was signed/sealed
total: 0 prev.hour: 0 curr.hour: 0 last.five: 0 curr.five: 0
-- Number of connections refused because lack of resources total: 0
prev.hour: 0 curr.hour: 0 last.five: 0 curr.five: 0
-- Number of connections refused because unsupported CIFS dialect total: 0
prev.hour: 0 curr.hour: 0 last.five: 0curr.five: 0
-- Number of CIFS requests from client total: 5144111 prev.hour: 325051
curr.hour: 264151 last.five: 25976curr.five: 22622
-- Number of CIFS responses from server total: 2821168 prev.hour: 178745
curr.hour: 144823 last.five: 14433curr.five: 12380
-- Number of CIFS bytes from client total: 363579461 prev.hour: 22978025
curr.hour: 18644705 last.five: 1804459curr.five: 1642630
-- Number of CIFS bytes from server total: 1731268622 prev.hour:
1691852147 curr.hour: 187338965 last.five: 672869461curr.five: 525986112
** end CAX statistics
This command can be used to display CIFS connections proxified like TCP connection proxified
for SRE purpose.
Sticky_choice :
• Yes : path decision is done on the first packet and all following packets will use the
same path.
Slave return:
• Yes: half-connection (SYN+ACK) will always use the same path than the half-
connection (SYN)
Sens_policy:
• Prefered: Business traffic Business NAP, Routine traffic Routine NAP, except if
NAP is down or if bandwidth/QoS criteria are not met
• Strict: Business traffic Business NAP, Routine traffic Routine NAP, if a NAP is
down then ipengine doesn’t take any decision (TOS mask xxxx00xx)
• Protected: Business traffic Business NAP, Routine traffic Routine NAP, but
Business traffic can fallback to Routine NAP
• Ordered: Business traffic Business NAP, Routine traffic Routine NAP, but Routine
traffic can fallback to Business NAP. The WAN access must offer at least the same
trust level than required in the UC
• Backup: Business traffic Business NAP, Routine traffic Routine NAP, fallback
possible if connectivity is down.
[ OBPS CONFIGURATION ]
Options:
sticky_choice=no slave_return=no sens_policy=backup
Parameters:
sizingCoef=100 normConst=3 fitThreshold=0
qosTimer=300 qosAgeout=10800
eddPeriod=60 eddTimer=120 eddObjective=1.0
goodQosWeight=1 badQosWeight=1
Edd/Qos Weights:
Bckgrnd={8/2} RealTim={2/8} Transac={5/5}
ipe140axT:~#
• Background: 80% bandwidth / 20% QOS criteria (loss, delay, jitter, rtt)
• Transactional : 50% bandwidth / 50% QOS criteria (loss, delay, jitter, rtt)
• Real Time : 20% bandwidth / 80% QOS criteria (loss, delay, jitter, rtt)
[ OBPS NAPS ]
Number of NAPS: 2
NAP 1 (20MBPS-SMART-B): trust_level=Business default
NAP 2 (20MBPS-SMART-R): trust_level=Routine
[ OBPS NAPS ]
Number of NAPS: 2
NAP 1 (10MBPS): trust_level=Business default
NAP 2 (2MBPS): trust_level=Business
When everything goes well: Naps are UP, there is no error or broken path
[ OBPS CONNECTIVITY ]
ipe140axT:~#
When a problem is detected on a NAP, it is always according a destination
[ OBPS CONNECTIVITY ]
Remote VRF1-SITE2-A (10.10.20.241) from LocalNAP 1: OK 2: BROKEN
ipe140axT:~#
Here we can observe destination “VRF1-SIET2-A” is only reachable through NAP1 because
NAP2 is broken.
4.14.5 Reporting
Each time, smartpath is enabled on an ipengine, corresponding site folder is split in N+1 folder
(N: number of WAN accesses declared in ipengine provisionning):
In default configuration, NAP0 is not displayed but it can be interesting to report statistics
corresponding to NAP0. To proceed, you need to create a metaview on ipboss:
Like many other parameters, Wan Access Id (refering to NAP) are now available in Metaview
definition.
CONFIGURATION TROUBLESHOOTING
NO YES
The debug dump config command displays configuration information, here in bold blue are the
TCP dynamic ports used.
[ CRC INFOS ]
Using PaquetID ? no Using TCP/UDP Ports ? no Using TCP seq/ack ? yes
[ipe]$
This TCP port range must be identical to the one configured on IP|Boss domain’s configuration
file.
CONFIGURATION TROUBLESHOOTING
NO YES
This debug dump rtm displays each TCP port used for Real time monitoring.
CONFIGURATION TROUBLESHOOTING
NO YES
The netstat –tna command displays every active/listening connections. Process responsible for
realtime graphs must be listening on tcp port 19994.
When the ip|engine password is lost, the only way to recover password is connect it via the
console port.
It is possible to connect it via a reverse telnet (through a CISCO router) or directly with a PC
connected with a console cable.
Becarefull, if you want to capture packets and save them into a file, you need to
to store capture
file into /tmp directory else ip|engine
ip|engine could crash.
crash.
Primitves description
host IPHOST Displays IP packets where host IPHOST is source or destination
dst host IPHOST Displays IP packets where host IPHOST is destination
src host IPHOST Displays IP packets where host IPHOST is source
ether host ETHERHOST Displays IP packets where MAC address host ETHERHOST is source or destination
ether dst ETHERHOST Displays IP packets where MAC address host ETHERHOST is destination
ether src ETHERHOST Displays IP packets where MAC address host ETHERHOST is source
port TCPUDPPORT Displays IP packets where tcp or udp port is equal to TCPUDPORT
src port TCPUDPPORT Displays IP packets where tcp or udp source port is equal to TCPUDPORT
dst port TCPUDPPORT Displays IP packets where tcp or udp destination port is equal to TCPUDPORT
less LENGTH Displays IP packets if length is less than LENGTH
Usefull templates:
Listen on brg0 interface, filter on host 10.10.110.250 and write packets into a file ftp.cap
tcpdump -i brg0 ip host 10.10.110.250 -w /home/ipanema/ftp.cap
/home/ipanema/ftp.cap
To stop, you must to CRTL-C
Listen on brg0 interface, filter on port 443. Command exits after 102400 bytes
tcpdump -i brg0 port 443 -C 102400
Listen on brg0 interface and display vlan tag, limit on port 443 and display only first hundred
packets
tcpdump -i brg0 vlan –e and port 443 -c 100
Available options
options description
-s <size> capture only <size> bytes for each packet
-s 0 capture the whole packet
-S display TCP sequence number
-i <intf> listen on <intf> interface
-e display MAC addresses
-c <num> display only <num> packets and finishes
-w /tmp/<file> write capture into a file . Warning: write only on /tmp directory.
Advanced filters
filter description
‘ip[1]=0xb8’ filter ip packet with DSCP = 101110xx
‘tcp[tcpflags] = tcp-syn’ filter only SYN packets
‘tcp[tcpflags] & tcp-syn = tcp-syn’ filter SYN packets (SYN or SYN-ACK..)
'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)' filter only SYN-ACK packets
ether proto 0x0806 filter ARP packets
'ip[6] & 0x20 = 0x20' or 'ip[7] != 0x00' filter fragments
keywords
icmp-echoreply icmp-tstampreply
icmp-unreach icmp-ireq
icmp-sourcequench icmp-ireqreply
icmp-redirect icmp-maskreq
icmp-echo icmp-maskreply
icmp-routeradvert tcp-fin
icmp-routersolicit tcp-syn
icmp-timxceed tcp-rst
icmp-paramprob tcp-push
icmp-tstamp tcp-ack
tcp-urg
Tcpdump command is rich of many options. Some useful are liste above, but many other are
available. To go furthermore, visit : http://www.tcpdump.org/
Can be used to reboot ip|engine. Takes no argument but ask for confirmation.
[ipe]$ reboot
please confirm: really reboot now [y/n] ? y
rebooting...
goodbye.
ask
Warning: if you entered shell before rebooting, the command doesn’t a sk you a confirmation.
[ipe]$ shell
bash-2.01$ reboot
WARNING: could not determine runlevel - doing soft reboot
(it's better to use shutdown instead of reboot from the command line)
bash-2.01$
4.16.4 Version
[ipe10]$ version
*** Hardware Version ***
Tag : 10I0
Name : 1800T-4GB-CF512-3-X-G1
Rev. : 01
*** Software Version ***
Global : 5.0.3
Kern : 5.0.3.6
Ipe : 5.0.3.6
Tool : 5.0.3.0
[ipe10]$
Hardware Tag, Name and Rev help Ipanema to know which device you have.
Software is split in 3 components: Kern (linux kernel), Ipe (Ipanema software), Tool (Ipanema
Toolbox).
4.16.5 Upgrade
Since version 4.3.7, ip|engine can be manually upgraded. With earlier release, an ipboss was
necessary to upgrade ip|engines.
upgrade
Usage: upgrade [-h]
upgrade status
upgrade cancel
upgrade -s <server> -d <directory> [-l <login> -p <password>]
[-c none|alias] [-v]
Options:
-c none Connect the server with the private address (default)
-c alias Connect the server with the public address (if configured)
-v Active the verbose mode
To upgrade manually an ip|engine, a FTP server with appropriate ip|agent images is necessary.
FTP server can be a ip|engine.
Optionnaly if user and password is not ipanema/ipanema specify credentials with –l <login> -p
<password>
upgrade status
upgrade cancel
4.16.6 Getintf
getintf
Display device name of logical interfaces
Usage: getintf [-h] Print this help and exit
getintf <intf> Print device name of a logical interface
getintf all Print device names of all logical interfaces
With:
<intf>=lan, wan, mgt, egress, ingress, brg
BRG is brg0
[ipe10]$
4.16.7 Customize
Customize command permits to configure other feature than LanDownToWan and failsafe (for
ipengine 5v2, 120ax, 140ax, 1000ax and 1800ax), but must be reserved for Orange Business
Services experts support or Ipanema support only.
When multiple ipengines control the same ip topology subnet(s), we call this set of ipengines a
cluster. Usually, we install cluster on central office where we need redundancy.
A good understanding of how works a cluster can help to understand and troubleshoot
ipengine behavior.
Each time, an ipengine detect that a flow is send to a remote cluster, it will try to resolve the
cluster, it means the probe will exchange packet with all ipengines of the cluster to know which
device in the cluster is seing the traffic. Once the cluster is resolved, then end-to-end
optimisation begins. Cluster resolution can take up to 2x40 sec (1min20sec) with 2 ipengines in
the cluster.
When a flow passing through an ipengine cluster begins, on the remote site, the command
“debug show cluster” displays the subnet is owned by several ipengines
[ CLUSTERING-FLOWS ]
*** SRC VRF1-NET2 (10.10.20.0/24) MINE
DST VRF1-NET6 (10.10.60.0/24) owned by <several> (C)
declared by VRF1-SITE6-B(10.10.60.242):28 VRF1-SITE6-A(10.10.60.241):68
RemoteResult= yes RefCount= 95
*** SRC VRF1-NET6 (10.10.60.0/24) owned by <several> (C)
declared by VRF1-SITE6-B(10.10.60.242):28 VRF1-SITE6-A(10.10.60.241):69
DST VRF1-NET2 (10.10.20.0/24) MINE
RemoteResult= yes RefCount= 92
140T:~#
During resolution laps, some traffic can be classified like OutOfDomain
[ CLUSTERING-FLOWS ]
*** SRC VRF1-NET2 (10.10.20.0/24) MINE
DST VRF1-NET6 (10.10.60.0/24) owned by VRF1-SITE6-A(10.10.60.241) (C)
RemoteResult= yes RefCount= 97
*** SRC VRF1-NET6 (10.10.60.0/24) owned by VRF1-SITE6-A(10.10.60.241) (C)
DST VRF1-NET2 (10.10.20.0/24) MINE
RemoteResult= yes RefCount= 92
140T:~#
IP|XCOMP gives the possibility to IP|FAST, to burst at the WWH x Compression factor.
IP|XCOMP gives the possibility to IP|FAST, to burst at the WWH x Compression factor.
6 Advanced troubleshooting
This section must be used only when necessary because we’ll use command that grant access
to the whole file system.
6.1 SHELL
After being logged on an ip|engine, several commands are available to configure and basically
troubleshoot ip|engine. To have access to more linux command, it is necessary to use the
hidden command “shell
shell”.
shell
[ipe]$ shell
bash-2.01$
A script developed by Ipanema is stored in ip|engine filesystem to get the certificate name.
/tmp/cgi-bin/ipm_cgi_get_certificate_name
bash-2.01$ /tmp/cgi-bin/ipm_cgi_get_certificate_name
Content-type: text/plain
certificatenamebash-2.01$
Name of certificate used by ip|engine is printed just in front of the bash prompt. (in red on the
preceding screen-shot)
7.2 Sslpassphrase
8 Debug command
Debug command is not documented and can be modified without notifications from by
IPANEMA.
Debug command can be run in context mode (you can enter successively into sub-menu) or
directly from prompt.
Ipboss configuration is stored in ip|engine. It is possible to draw ipboss configuration with the
following commands.
[ipe]$ shell
bash-2.01$ debug_more xcomp show state
[CURRENT STATE]
Compress: yes
Decompress: yes
Internal status: XMG (ready/ok) XCO (ready/ok) DCO (ready/ok)
bash-2.01$
8.3.2 “debug_more xcomp show config”
xcomp global configuration : optim, default gateway, lan gateway, capacities xcomp, displays
current zibas
Hashed IP engines:
- 151: IPE2
- 210: IPE2
bash-2.01$
Xcomp
Show|more|dump
State Show current state
Config Show current configuration
Sleep
Loop
Help
Exit
Quit
*RCG: Remote Coordinator Group
9 Draw_htb command
Draw_htb command is useful to display TC class based tree when ip|fast is running.
[ipe]$ shell
bash-2.01$ draw_htb -d ing -qrfA
parsed 46 lines, rejected 49 lines
1:0
+-- 1:1 1e+06Kbit - 1e+06Kbit (u32: match 00000000/00000000 at 16)
| +-- 64:0
| +-- 64:1 1e+06Kbit - 1e+06Kbit (iba: remote 10.0.16.105 rnap any matched 519 )
| +-- 64:40 (iba: remote 240.0.0.0 rnap 1 matched 0 )
| +-- 64:44 155000Kbit - 155000Kbit (icos: appli FTP matched 0 )
| +-- 64:45
| | +-- 64:46 120Kbit - 155000Kbit (icos: appli (G711a|G711u) matched 0 )
| | +-- 64:47 30Kbit - 155000Kbit (icos: appli G729 matched 0 )
| | +-- 64:48 300Kbit - 155000Kbit (icos: appli (RTP/RTCP|RTSP) matched 0 )
| +-- 64:41
| | +-- 64:42 1000Kbit - 155000Kbit (icos: appli SMTP matched 0 )
| | +-- 64:43 600Kbit - 155000Kbit (icos: default matched 0 )
| +-- 64:49 155000Kbit - 155000Kbit (icos: appli HTTP matched 0 )
+-- 1:2 1000Mbit - 1000Mbit (u32: match 0a001069/ffffffff at 12)
bash-2.01$
When an ip|engine sends a packet, it waits for a ticket record. This ticket record is sent by the
destination ip|engine. It contains the information to calculate the delay, jitter and loss.
The volume of uncorrelated traffic is availble in the SA reports : SA - site throughput (for a
physical site), SA - site summary ingress (for the domain).
The traffic correlation allows the ip|engine to calculate the quality index of a flow. The correlation
is the process that is used to calculate delay, jitter and losses. The volume is always measured
whether the traffic is correlated or not. Correlation has no impact on optimisation.
In the real-time window, filter the flows which accuracy is low. these flows correspond to
non correlated traffic.
Which topology subnet do they match? Do you see the flows when you run a discovery on
the destination ip|engine?
If you do not see the flow, the topology subnet association is wrong. If you want to current
the real destination site, you must look for sites with transit flow.
Run a discovery on a site with transit traffic and tick the check box "out of local config". If
you find your flow, you have found the real site where the flows is going to.
Report "fi - availability overview" shows the CPU usage of the ip|engines.
A high CPU usage can be explained by many reasons. Note that compression needs an
important CPU share, specially when the ip|engine works close to the limits for its bandwidth
and/or number of tunnels. Locally rerouted traffic can impact ip|engine performances, so we
recommend checking in SA-SiteThroughput that this kind of traffic does not reach the 10% of
bandwidth usage. In this same report we can see the totallity of flows that cross an ip|engine,
however in the rest of reports we will see only REPORTED flows.
The fact of not declaring a subnet in ip|bossTopology Subnets will make the flows from/towards
that subnet to be seen as OutOfDomain.
LAN_A is physically added to the network but has not been declared in TOPOLOGY SUBNETS.
Traffic flows are sent in both ways between ipeA and ipeB
Flow A -> B
- ipeA will identify this flow as coming from OOD and going to LAN_B, then the flow will
be seen as TRANSIT and not reported.
IpeB will identify this flow as coming from OOD and going to its LAN_B, then the flow
will be reported
Flow B -> A
ipeB will identify this flow as coming from LAN_B and going to OOD, then the flow will
be reported
- ipeA will identify this flow as coming from LAN_B and going to OOD, then the flow will
be seen as TRANSIT and not reported
10.3.2 Optimization
Flow A-> B
- ipeA will optimise this flow LOCALLY, which means that it will only check congestion in
its own WAN access. If there is congestion in site_B, ipeA will not optimise the traffic to
avoid it and sessions will be limited to their MAX instead of their OBJ
-ipeB will class this flow in its Egress_IBA OutOfDomain and will perform the optimisation
LOCALLY.
Flow B-> A
ipeB will class this flow in its Egress_IBA OutOfDomain and will perform the optimisation
LOCALLY.
ipeA will optimise this flow LOCALLY
10.3.3 Coloring
Flow A-> B
ipeA will not apply coloring in the traffic
Flow B-> A
ipeB will apply coloring
10.3.4 Compression
Compression will not be enabled, as ipeA sees the flows as TRANSIT and ipeB sees the
flows as going to OOD.
10.3.5 Summary
REPORTING COLORING:
- ipeA: no reporting Only applied in the flow B-
- ipeB: report as OOD >A
OPTIMISATION: COMPRESSION
- locally performed in each ipe Not performed
The user notices one of the ip|engines in a 'down:not configured' state, and finds the message
'myself not found in config' in ip|boss logs.
This message reveals a problem in the IP configuration of the ip|engine. The user should check
whether the IP configuration in ip|boss and in the ip|engine are the same.
In most of the cases, the problem is related to a wrong configuration of MGT interface. If the
MGT is not intended to be used disable it using the command 'ipconfig mgt none'.
All flows crossing an ip|engine in a GRE tunnel will be reported as GRE traffic, and will be
treated according to ip parameters of the tunnel.
See in the following drawing an example. Note that the ip|engine will report this flow with the
following data:
However the user could configure the ip|engine to ignore IP and GRE headers and treat the
https header. In that case the flow will be reported as:
To enable this functionality in your ip|engine use the command 'customize +GRE'. Afterwards,
reboot the ip|engine or launch the script 'restart iptrue'. Note this functionality is only available
for versions newer than 4.3.4.2
When performing a DISCOVERY and filtering to see just Out Of Domain flows, the user could
notice some flows which are sent to an existing Topology Subnet.
During the time the source ip|engine looks for the destination ip|engine in its configuration, the
packets will be classified as Out Of Domain. This can take around 5 seconds, and the impact is
just some packets being incorrectly classified.
In case of a Cluster architecture, it takes one additional polling period to perform cluster
resolution. If after that time the flow is still tagged as OutOfDomain we recommend to perform
the following tests:
Can the 2 ip|engines communicate together? Use command: 'debug dump engine'
What is the state of the cluster for this flow? Use commands: 'debug dump flow -d' and
'debug dump cluster'
Check that source/destination Topology Subnets are correctly defined
10.7 What is unknown traffic in Quality Evolution SLM Report?
In SLM-Site Synthesis and SLM-Application Synthesis graph Quality Evolution shows quality
calculated for all User Classes measured.
The quality is classified in three levels: good, average and bad. However a fourth value is
available in this graph: unknown.
This tag identifies all flows which could not be measured for different reasons. Remind that
metrics used to calculate quality are:
In order to provide quality metrics on a flow (delay, jitter,loss information), both source and
destination ip|engines must have the same clock. To achieve this we use Network Time
Protocol to synchronize to a time server (which can be an ip|engine synchronized by a router).
For a domain, we can have up to 8 NTP servers which respond to the time request of the other
ip|engines. The client ip|engine will select the best source for it: with less jitter.
If the ip|sync server is not anymore synchronized, it will not answer to time requests from the
other ip|engines. For the server and clients, check the Offset column in ip|engine status
window. The value should be lower than 10ms to be considered as synchronized.
If an ip|sync client has still GPS as source, that means either the quality of network is too low for
the ITP traffic either the ip|engine can’t dialog on the port UDP/123.