Uploaded by Mehmet İhsan Sevinç

Sangfor Cyber Command V3.0.60 vSTA Mirrored Traffic Troubleshooting Guide
Sangfor CCOM vSTA Mirrored Traffic Troubleshooting Guide
Product Version: CCOM 3.0.60
Document Version: 01
Released on: Jun. 9, 2022
Version 01 (Mar.24, 2021)
Confidentiality: Public in Company
Copyright © Sangfor Technologies Inc. 2022. All rights reserved.
Unless otherwise stated or authorized, Sangfor Technologies Inc. (hereinafter referred
to as "Sangfor") and its affiliates reserve all intellectual property rights, including but
not limited to copyrights, trademarks, patents, and trade secrets, and related rights to
text, images, pictures, photographs, audio, videos, charts, colors, and layouts as
presented in or concerning this document and content therein. Without prior written
consent of Sangfor, this document and content therein must not be reproduced,
forwarded, adapted, modified or displayed or distributed by any other means for any
purpose.
Disclaimer
Products, services or features described in this document, whether wholly or in part,
may be not within your purchase scope or usage scope. The products, services or
features you purchase must be subject to the commercial contract and terms as
agreed by you and Sangfor. Unless otherwise provided in the contract, Sangfor
disclaims warranties of any kind, either express or implied, for the content of this
document.
Due to product version upgrades or other reasons, the content of this document will
be updated from time to time. Unless otherwise agreed, this document is used for
reference only, and all statements, information, and recommendations therein do not
constitute any express or implied warranties.
Version 01 (Jul.07, 2021)
Technical Support
For technical support, please visit: https://www.sangfor.com/en/aboutus/contact-us/technical-support
Send information about errors or any product related problem to
tech.support@sangfor.com.
About This Document
This document is the troubleshooting guide for vSTA mirrored traffic in
Sangfor Cyber Command (CCOM).
Intended Audience
This document is intended for:
⚫ Network design engineers
⚫ O&M personnel
Note Icons
English Icon
Description
Indicates an imminently hazardous situation which, if not avoided,
will result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided,
could result in death or serious injury.
Indicates a hazardous situation, which if not avoided, could result
in minor or moderate injury.
Indicates a hazardous situation, which if not avoided, could result
in settings failing to take effect, equipment damage, or data loss.
NOTICE addresses practices not related to personal injury.
Calls attention to important information, best practices, and tips.
NOTE addresses information not related to personal injury or
equipment damage.
Change Log
Date: Jun. 09, 2022
Change Description: This is the first release of this document.
Contents
Technical Support
Change Log
1 Common Issue
2 Use tcpdump to Capture Packet
1 Common Issue
Issue 1: vSTA is unable to see any inbound traffic on the mirrored interface.
Checklist 1:
1. Check the mirrored traffic on the core switch.
2. Different core switch brands have different configuration guides. You can
   confirm with the core switch vendor, or you can verify yourself that the
   mirrored traffic is correct. The traffic must be bidirectional (inbound and
   outbound). To verify the mirrored traffic, connect your PC to the mirrored
   port and open Wireshark to check the mirrored traffic.
3. To confirm that the traffic is bidirectional, check a connection in
   Wireshark. For example, normal TCP traffic must have a three-way handshake:
   SYN, SYN-ACK, and ACK. Of these three packets, SYN and ACK are outbound
   packets, and SYN-ACK is an inbound packet.
   If the traffic captured in Wireshark contains only the SYN and ACK packets
   for a connection, check the configuration on the core switch to ensure that
   bidirectional traffic is mirrored correctly.
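The handshake check in step 3 can also be scripted over the text output of tcpdump -nn, for example on the mirror port once it is bound to the system driver as in section 2. This is an added example, not part of the Sangfor guide; the function name one_way_flows and the sample lines are constructed for illustration, and it also reports the reverse case (SYN-ACK seen without a SYN), which goes beyond the case in the text.

```shell
#!/bin/sh
# Added example (not from the Sangfor guide): list TCP flows whose handshake
# shows up in one direction only. Input is `tcpdump -nn` text on stdin.
one_way_flows() {
    awk '
    ($2 == "IP" || $2 == "IP6") && $6 == "Flags" {
        src = $3
        dst = $5; sub(/:$/, "", dst)                  # strip trailing colon
        flags = $7; sub(/^\[/, "", flags); sub(/\],?$/, "", flags)
        if (flags == "S")  syn[src " > " dst] = 1     # SYN: client > server
        if (flags == "S.") synack[dst " > " src] = 1  # SYN-ACK, keyed client > server
    }
    END {
        for (f in syn)    if (!(f in synack)) print "outbound-only " f
        for (f in synack) if (!(f in syn))    print "inbound-only " f
    }' | sort
}

# Constructed sample lines (addresses and ports are made up):
#   flow 1 has SYN, SYN-ACK and ACK; flow 2 has SYN and ACK only;
#   flow 3 has a SYN-ACK only.
SAMPLE_CAPTURE='12:00:00.000100 IP 10.1.1.20.51514 > 172.16.5.10.443: Flags [S], seq 1000, win 64240, length 0
12:00:00.000400 IP 172.16.5.10.443 > 10.1.1.20.51514: Flags [S.], seq 2000, ack 1001, win 65160, length 0
12:00:00.000500 IP 10.1.1.20.51514 > 172.16.5.10.443: Flags [.], ack 1, win 502, length 0
12:00:01.000100 IP 10.1.1.21.40222 > 172.16.5.10.80: Flags [S], seq 3000, win 64240, length 0
12:00:01.000600 IP 10.1.1.21.40222 > 172.16.5.10.80: Flags [.], ack 1, win 502, length 0
12:00:02.000300 IP 172.16.5.11.22 > 10.1.1.22.53000: Flags [S.], seq 5000, ack 6001, win 65160, length 0'

printf '%s\n' "$SAMPLE_CAPTURE" | one_way_flows
```

A few outbound-only flows are normal, since unanswered connection attempts look the same. When nearly every flow is flagged in the same direction, the switch is mirroring only one direction.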
Checklist 2:
Check the hardware platform and the following information first:
1. Is ad_appd running?
   ps aux | grep ad_appd
2. Check the CPU model. Does it support the AVX instruction set?
   lscpu | grep avx
   Alternatively, you may check the details on the Intel website.
   If the CPU has the AVX instruction set, it can support DPDK. If the CPU
   does not support the AVX instruction set, DPDK will have problems
   receiving the mirrored traffic. For the server CPU used by VMware, you can
   check the model on the official Intel website. Below is an example for the
   E7-4850 v1 and E7-4850 v2 versions:
Checklist 3:
ad_appd shows a NUMA error when it is run with
/usr/sbin/ad_appd -af, as shown below:
Reason:
The huge page memory configured for the ad_appd process is not enough.
Try running /usr/sbin/ad_appd -af for debugging.
How to change?
Run the command below:
cat /proc/meminfo | grep -i huge
AnonHugePages:    534528 kB
HugePages_Total:     388
HugePages_Free:      149
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB
The HugePages_Total needs to be bigger than HugePages_Free. You may try
1000, 1500, or 2000 to enlarge the hugepage memory, using the command
below:
echo x > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
Replace x with the new value. For example, to enlarge the hugepage memory to 1000, run:
echo 1000 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
After that, restart ad_appd by executing systemctl restart ad_appd and
make sure the ad_appd process is running well.
At last, modify the value and force-write it into the boot-up script.
As in the image above, edit /usr/sbin/netconfig/hugemem.sh: change
line 54 and add the new value in line 55. For example, if enlarging to 1000 lets
ad_appd run without issue, insert the following command into line 54:
echo 1000 > /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages
On the next reboot, the vSTA will read the configuration and run it.
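An added example, not part of the Sangfor guide: hugepage_summary condenses the meminfo lines shown above, and set_hugepages writes a new count and reads it back, because the kernel can reserve fewer pages than requested when free memory is short. The function names and the optional second argument of set_hugepages (an alternate file path, used only for testing) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Sangfor guide).
HP_KNOB=/sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages

# hugepage_summary: read /proc/meminfo text on stdin and print one line with
# the page counts and the memory reserved for huge pages, in MB.
hugepage_summary() {
    awk '
    /^HugePages_Total:/ { total = $2 }
    /^HugePages_Free:/  { free = $2 }
    /^Hugepagesize:/    { size_kb = $2 }
    END {
        printf "total=%d free=%d in_use=%d reserved_mb=%d\n",
               total, free, total - free, total * size_kb / 1024
    }'
}

# set_hugepages COUNT [KNOB_FILE]: write COUNT, then read the value back.
# Returns 1 if the kernel reserved fewer pages than requested, 2 on bad input.
set_hugepages() {
    want=$1
    knob=${2:-$HP_KNOB}
    case $want in
        ''|*[!0-9]*) echo "count must be a whole number" >&2; return 2 ;;
    esac
    echo "$want" > "$knob" || return 2
    got=$(cat "$knob")
    if [ "$got" -lt "$want" ]; then
        echo "kernel reserved only $got of $want huge pages" >&2
        return 1
    fi
    echo "nr_hugepages=$got"
}

# The values below are the ones shown in the guide's meminfo output.
SAMPLE_MEMINFO='AnonHugePages:    534528 kB
HugePages_Total:     388
HugePages_Free:      149
HugePages_Rsvd:        0
HugePages_Surp:        0
Hugepagesize:       2048 kB'

printf '%s\n' "$SAMPLE_MEMINFO" | hugepage_summary
# On the vSTA itself (as root): set_hugepages 1000 && systemctl restart ad_appd
```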
2 Use tcpdump to Capture Packet
Use tcpdump to check whether the VMware configuration is correct.
Because the vSTA on VMware uses DPDK, which does not support the tcpdump
command, first return the mirror port to the system driver as follows.
1. Stop ad_appd:
   systemctl stop ad_appd
   ps aux | grep ad_appd
   Ensure that all ad_appd processes are stopped.
2. Check the PCI ID of the NIC bound by DPDK and its previous driver:
   /usr/local/dpdk/usr/local/share/dpdk/usertools/dpdk-devbind.py --status
   /usr/local/dpdk/usr/local/share/dpdk/usertools/dpdk-devbind.py --status-dev net
3. Unbind DPDK from the mirror port that needs to be unbound, for example
   0000:01:00.0:
   /usr/local/dpdk/usr/local/share/dpdk/usertools/dpdk-devbind.py -u 0000:01:00.0
4. Re-bind the system network card driver, filling in the bind parameter with
   the value of the unused parameter in the figure above:
   vsta: /usr/local/dpdk/usr/local/share/dpdk/usertools/dpdk-devbind.py --bind=vmxnet3 0000:01:00.0
5. Run ifconfig -a to see the mirror port.
6. After the mirroring port is bound to the system driver, the network
   interface must be brought up manually by executing ifconfig eth1 up.
7. Reboot the vSTA to use the DPDK driver.
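Steps 2 to 4 can be prepared as a dry run that reads the status listing and prints the matching unbind and bind commands for review before anything is changed. This is an added example, not part of the Sangfor guide; the function names plan_rebind and sample_status are hypothetical, and the sample listing is constructed, with igb_uio as the DPDK driver being an assumption.

```shell
#!/bin/sh
# Added example (not from the Sangfor guide): dry-run planner for steps 2-4.
# Reads `dpdk-devbind.py --status-dev net` output on stdin and prints, without
# running them, the unbind/bind commands for each NIC held by a DPDK driver.
DEVBIND=/usr/local/dpdk/usr/local/share/dpdk/usertools/dpdk-devbind.py

plan_rebind() {
    awk -v tool="$DEVBIND" '
    # Device line: first field is a PCI address such as 0000:01:00.0
    $1 ~ /^[0-9a-fA-F]+:[0-9a-fA-F]+:[0-9a-fA-F]+\.[0-9a-fA-F]+$/ {
        if (!in_dpdk) next
        kernel = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^unused=/) { split(substr($i, 8), u, ","); kernel = u[1] }
        if (kernel == "") {
            print "# " $1 ": no driver listed under unused=, skipped"
            next
        }
        print tool " -u " $1
        print tool " --bind=" kernel " " $1
        next
    }
    # Section header: only the DPDK section is of interest
    / devices/ { in_dpdk = ($0 ~ /^Network devices using DPDK-compatible driver/) }
    '
}

# Constructed status output; igb_uio as the DPDK driver is an assumption.
sample_status() {
    cat <<'EOF'
Network devices using DPDK-compatible driver
============================================
0000:01:00.0 'VMXNET3 Ethernet Controller 07b0' drv=igb_uio unused=vmxnet3

Network devices using kernel driver
===================================
0000:03:00.0 'VMXNET3 Ethernet Controller 07b0' if=eth0 drv=vmxnet3 unused=igb_uio *Active*
EOF
}

sample_status | plan_rebind
```

The management NIC on the kernel driver (eth0 in the sample) is left out of the plan, so only the mirror port is touched.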