The DHCP server and RADIUS server allocate two IP addresses to the connected VOIP terminal: one main IP (xx.127.136.13) and one slave IP (xx.147.136.13). The OLT cannot learn the ARP entry for the slave IP xx.147.136.13. The customer can configure a static ARP entry to restore the service with the following command on the Huawei OLT: MA5603T(config)#arp xx.147.136.13 xxxx-8f07-d8b3 30 0/1/2 ont 6
Network topology:
Version: OLT MA5600V800R012C00 SPC100 SPH106
Board: H801SCUN + H801X2CS + H805GPBD
Possible causes:
1. OLT configuration problem.
2. The ARP packets exchanged between the OLT and the VOIPTA are discarded on the OLT.
3. The ONT discards ARP packets.
4. The VOIPTA does not send an ARP reply packet.
Troubleshooting procedure:
1. Check OLT configurations.
<vlanif30>
interface vlanif30
description "### VOIP-01 ###"
ip_address xx.127.136.1 255.255.252.0
ip_address xx.147.136.1 255.255.252.0 sub
dhcp-server 0
arp proxy enable
#
Service flow: service-port 337 vlan 30 gpon 0/1/2 ont 6 gemport 20 multi-service user-vlan 20 tag-transform translate inbound traffic-table index 30 outbound traffic-table index 30
The OLT enables the anti-ipspoofing function and configures a static IP binding, bind ip service-port 337 xx.147.136.13, for the slave IP.
The main IP xx.127.136.13 generates its security table entry through dynamic IP binding.
<post-system>
security anti-ipspoofing enable
MA5603T(config)#display bind service-port 337
-----------------------------------------------
No. IP_address
-----------------------------------------------
0 xx.147.136.13
1 -
2 -
3 -
4 -
5 -
6 -
7 -
-----------------------------------------------
Checking the Huawei OLT configuration reveals no exception. Searching the operation log shows that no configuration was changed recently.
2. Open ARP debugging and observe ARP interaction.
MA5603T(config)#acl 3888
MA5603T(config-acl-adv-3888)#rule 1 permit ip source xx.147.136.13 0
MA5603T(config-acl-adv-3888)#rule 2 permit ip destination xx.147.136.13 0
MA5603T(config-acl-adv-3888)#quit
MA5603T(config)#display acl 3888
MA5603T(config)#diagnose
MA5603T(diagnose)%%debugging arp acl 3888
MA5603T(diagnose)%%debugging arp packet
MA5603T(diagnose)%%debugging arp common
MA5603T(diagnose)%%terminal monitor
MA5603T(diagnose)%%terminal debugging
When the problem occurs, the debugging information collected by the customer indicates that the OLT sends ARP requests but does not receive an ARP reply packet.
MA5603T(config)#undo arp xx.147.136.13 30
MA5603T(config)#ping xx.147.136.13
PING xx.147.136.13: 56 data bytes, press CTRL_C to break
*10.3377219092 MA5603T ARP/7/arp_send:Send an ARP Packet, operation : 1, sender_eth_addr : xxxx-efc3-419c,sender_ip_addr : xx.147.136.1,
target_eth_addr : 0000-0000-0000, target_ip_addr : xx.147.136.13
MA5603T(config)#
*10.3377220616 MA5603T ARP/7/arp_send:Send an ARP Packet, operation : 1, sender_eth_addr : xxxx-efc3-419c,sender_ip_addr : xx.147.136.1,
target_eth_addr : 0000-0000-0000, target_ip_addr : xx.147.136.13
3. Remote packet capturing on the service flow
MA5603T(diagnose)%%file-server auto-backup board-info primary xx.131.64.2 sftp user
User Name(<=40 chars):sftp-test
User Password(<=40 chars):******
MA5603T(diagnose)%%capture service-port 337 capture-count 10000 capture-time 300
When the problem occurs, remote packet capturing on the service flow captures the ARP reply packets sent by the VOIPTA, which indicates that the ARP reply packets reach the service board.
4. ACL remote packet capturing
MA5603T(config)#acl 4888
MA5603T(config-acl-link-4888)#rule 1 permit type 0x806
MA5603T(config-acl-link-4888)#quit
MA5603T(diagnose)%%file-server auto-backup debug primary xx.131.64.2 sftp user
User Name(<=40 chars):sftp-test
User Password(<=40 chars):******
MA5603T(diagnose)%%capture item 1 bidirection link-group 4888 rule 1 port 0/1/2
MA5603T(diagnose)%%capture start -c 10000
MA5603T(diagnose)%%display capture statistic
When the problem occurs, ACL remote packet capturing captures the ARP reply packets sent by the VOIPTA, which indicates that the ARP reply packets reach the main control board CPU.
ACL remote packet capturing captures packets inside the SFWD module of the OLT. When ARP packets are sent to the main control board CPU for handling, they pass through the internal modules in turn: LSW --> SFWD --> ARP. The debugging output of the ARP module shows that no ARP reply is received, while the ACL remote packet capture shows that the ARP reply packets are captured at the SFWD module entrance. The ARP reply packets are therefore discarded inside the SFWD module. Further analysis of the internal processing shows that the SFWD module may discard packets because of a security check. Rechecking the configuration file reveals that the following two service flows both bind the failed IP xx.147.136.13, which causes an IP check conflict and packet discarding. This is the root cause of the problem.
bind ip service-port 43 xx.147.136.13
……
bind ip service-port 337 xx.147.136.13
The cause is a configuration error: two service flows are bound to the failed IP xx.147.136.13 at the same time, which leads to an IP check conflict and packet discarding.
After the binding IP of one service flow is changed to another IP and the test is repeated, ARP learning succeeds and the problem is solved.
MA5603T(config)#undo bind ip service-port 43 xx.147.136.13
MA5603T(config)#bind ip service-port 43 xx.147.136.14
1. Configuration file analysis is very important in problem analysis. Each configuration item related to the problem should be analyzed carefully, so that a simple configuration problem does not turn into a complicated investigation.
2. For this type of problem, the command MA5600T(config)#display security ip-bind conflict should be added to the information collection commands to collect and query IP binding conflicts.
3. This command collects the information needed to locate the problem quickly.
For example, if xx.238.221.2 is bound to service flows 201 and 202, the problem can be found by querying the IP conflict records.
MA5600T(config)#display security ip-bind conflict
-----------------------------------------------------------------------
Time IP FlowID User-Type
-----------------------------------------------------------------------
2014-09-17 22:32:50+09:00 xx.238.221.2 201 static
202 static
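An offline version of the configuration check that located this fault, added here as an example and not part of the original case or of any Huawei tool: it scans exported configuration or CLI transcript text for bind ip service-port lines and reports every IP bound to more than one service flow. The function name and the 192.0.2.x sample addresses are constructed for illustration; the service-port IDs 43 and 337 follow the case.

```python
import re
from collections import defaultdict

# Matches the static-binding lines shown in this case, e.g.
#   bind ip service-port 337 xx.147.136.13
# optionally preceded by a "(config)#" CLI prompt and/or "undo".
BIND_RE = re.compile(
    r"^(?:\S+\(config\)#)?\s*(?P<undo>undo\s+)?bind\s+ip\s+service-port\s+"
    r"(?P<port>\d+)\s+(?P<ip>\S+)\s*$"
)


def find_bind_conflicts(config_text):
    """Return {ip: sorted service-port ids} for every IP statically bound
    to more than one service-port. Lines are applied in order, so an
    'undo bind ip ...' line cancels an earlier binding."""
    bound = defaultdict(set)
    for line in config_text.splitlines():
        m = BIND_RE.match(line.strip())
        if not m:
            continue  # not a bind line (vlanif, service-port, ACL, ...)
        port, ip = int(m.group("port")), m.group("ip")
        if m.group("undo"):
            bound[ip].discard(port)
        else:
            bound[ip].add(port)
    return {ip: sorted(ports) for ip, ports in bound.items() if len(ports) > 1}


# Constructed sample configuration: two service flows bind the same IP.
SAMPLE_CONFIG = """\
security anti-ipspoofing enable
bind ip service-port 43 192.0.2.13
bind ip service-port 201 192.0.2.50
bind ip service-port 337 192.0.2.13
"""

# Constructed transcript of the fix, in the same form as the case's commands.
SAMPLE_FIX = """\
MA5603T(config)#undo bind ip service-port 43 192.0.2.13
MA5603T(config)#bind ip service-port 43 192.0.2.14
"""

if __name__ == "__main__":
    for ip, ports in find_bind_conflicts(SAMPLE_CONFIG).items():
        print(f"{ip} is bound to service-ports {ports}")
    after = find_bind_conflicts(SAMPLE_CONFIG + SAMPLE_FIX)
    print(after or "no conflicts after the fix")
```

Running this against a saved configuration before opening ARP debugging or packet capture would flag the duplicate binding in the first troubleshooting step.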