OA 5740 R3 (alu-apps.740.3.0.0.97.0) stability?

tot3nkopf
Alcatel Unleashed Certified Guru
Posts: 4058
Joined: 02 Feb 2006 10:41
Location: Germany & Romania

OA 5740 R3 (alu-apps.740.3.0.0.97.0) stability?

Post by tot3nkopf »

Hello everyone,

Last week I had 2 of my blackest days in the technical field. The reason seems to be this equipment. I am not a data engineer; however, in the last 3 weeks I did my best to learn how to configure the OA. The configuration I did looks to work; however, if I reboot the router the forwarding engine fails for several reasons. (I encountered these kinds of problems during tests but did not take them seriously --> a big mistake.)


!
! NVRAM config last updated at 21:45:06 EEST Fri Apr 29 2011 by admin
!
! Statlog Configuration
!
logging on
logging buffered priority 7
logging buffered size 128
logging console 3
logging system 5
service timestamps log
logging rate-limit 1 10 tag SWE subtag DOS
logging rate-limit 1 10 tag PVSTD subtag PKT
logging rate-limit 1 10 tag SWE subtag SESSION
ip domain-name ifblocal
!
line vty exec-timeout 0 0
!
hostname USG
!
!VRF Configuration
!
! MULTICAST Configuration
!NOE port reservation
ip name-server 62.217.x.x
! PVST  Global configuration
modem enable
!
http enable
https enable
ssh enable
snmp enable
!
!
! Clock Timezone
!
clock timezone europe bucharest
!
! CWMP Configuration
!
!
! CWMP Configuration (End)
!
!
! CWMP interface configuration
!
!
! CWMP interface configuration (End)
!
!
! SNMP Configurations
!
snmp system location xxxx
snmp agent xcommunity xxxx
!
aaa services
!
username xxxx password xxxx
username recovery password xxxxx
username xxxx password xxxx
!
!
!
!
!
interface GigabitEthernet3/0
 description WAN                                
 ip address x.x.151.82/30
 ip address x.x.157.22/30 secondary
 ip address x.x.157.130/29 secondary
 vrrp 1 ip x.x.157.130
 vrrp 1 ip x.x.157.131 secondary
 vrrp 1 ip x.x.157.132 secondary
 vrrp 1 ip x.x.157.133 secondary
 vrrp 1 ip x.x.157.134 secondary
 no shutdown
 top
!
interface GigabitEthernet3/1
 shutdown
 top
!
interface Vlan10
 description LAN-IFB                                
 ip address 10.0.0.250/24
 no shutdown
 top
!
interface Vlan20
 description AP-PUBLIC                                
 ip address 10.0.1.1/24
 no shutdown
 top
!
interface Vlan100
 description VoIP                                
 ip address 10.0.100.1/24
 no shutdown
 top
!
interface switchport0/0
 switchport mode trunk
 switchport hybrid native vlan 10
 switchport trunk allowed vlan 10 
 no shutdown
 top
!
interface switchport0/1
 switchport mode trunk
 switchport hybrid native vlan 20
 switchport trunk allowed vlan 20 
 no shutdown
 top
!
interface switchport0/2
 switchport mode trunk
 switchport hybrid native vlan 100
 switchport trunk allowed vlan 100 
 no shutdown
 top
!
interface switchport0/3
 switchport mode hybrid
 switchport hybrid native vlan 123
 no shutdown
 top
!
interface switchport0/4
 shutdown
 top
!
interface switchport0/5
 shutdown
 top
!
interface switchport0/6
 shutdown
 top
!
interface switchport0/7
 switchport mode hybrid
 switchport hybrid native vlan 10
 no shutdown
 top
!
interface Tunnel1
 ip address 172.16.0.2/24
 tunnel source 192.168.0.220
 tunnel destination 192.168.0.80
 mode gre
 tunnel df-bit clear
 no shutdown
 top
!
!
ip route 0.0.0.0/0 GigabitEthernet 3/0 x.x.151.81 
ip route 10.0.200.0/24 Tunnel 1 
!
match-list Internet
1 ip any any
match-list vlan10xxxx
1 ip prefix 10.0.0.0/24 prefix 10.0.200.0/24
match-list WAN-IN-Carthame
1 tcp any host x.x.157.130 service eq 443
2 tcp any host x.x.157.130 service eq 8180
3 tcp any host x.x.157.130 service eq 8443
4 tcp any host x.x.157.130 service eq 3389
match-list WAN-IN-CarthameWEB
1 tcp any host x.x.157.131 service eq 80
2 tcp any host x.x.157.131 service eq 3389
match-list WAN-IN-S01
1 tcp any host x.x.157.132 service eq 3389
match-list WAN-IN-S02
1 tcp any host x.x.151.82 service eq 3389
match-list PetreIN
1 tcp any host x.x.151.82 service eq 50007
match-list Carthame-SNAT
1 ip host 10.0.0.2 any
match-list CarthameWEB-SNAT
1 ip host 10.0.0.4 any
match-list AP-Public-SNAT
1 ip prefix 10.0.1.0/24 any
match-list WAN-IN-Mail
1 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 22
2 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 25
3 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 995
match-list S01-SNAT
1 ip host 10.0.0.1 any
match-list forbid25
1 tcp any any service eq 25
match-list allow25
1 tcp host 10.0.0.6 any service eq 25
match-list forbidvlan
1 ip prefix 10.0.0.0/24 prefix 10.0.1.0/24
2 ip prefix 10.0.100.0/24 prefix 10.0.1.0/24
!
! 
! Filter Policy configuration 
! 
ip filter Port25 
   1 match any allow25 permit log 
   2 match any forbid25 deny log 
   default permit 
top
!
interface GigabitEthernet3/0 
  ip filter out Port25 
top
!
ip filter vlan10-100deny 
   1 match any forbidvlan deny log 
   default permit 
top
!
interface Vlan20 
  ip filter out vlan10-100deny 
top
!
!
! 
! NAT Policy configuration 
!
ip nat WAN-IN
   110 match any WAN-IN-S02 destination-nat host 10.0.0.5 
   140 match any PetreIN destination-nat host 10.0.0.86 
   150 match any WAN-IN-Carthame destination-nat host 10.0.0.2 
   160 match any WAN-IN-CarthameWEB destination-nat host 10.0.0.4 
   170 match any WAN-IN-Mail destination-nat host 10.0.0.6 
   190 match any WAN-IN-S01 destination-nat host 10.0.0.1 
top
!
interface GigabitEthernet3/0
  ip nat in WAN-IN
top
!
ip nat Internet
   40 match any Carthame-SNAT source-nat host x.x.157.130 
   50 match any CarthameWEB-SNAT source-nat host x.x.157.131 
   60 match any AP-Public-SNAT source-nat host x.x.157.22 
   70 match any S01-SNAT source-nat host x.x.157.132 
   210 match any Internet source-nat host x.x.151.82 
top
!
interface GigabitEthernet3/0
  ip nat out Internet
top
!
!
! 
! Dos attack configuration 
!
!
!
! System doesn't have IDS License 
! IDS configuration may not be effective 
!
!Snort configuration 
firewall 
  intrusion snort 
top 
!
! 
! Firewall configuration 
!
!
! IPSEC License installed 
!
! IPSEC Policy configuration
!

crypto ike key xxx peer 192.168.0.80
crypto ike dpd interval 300 timeout 1500
crypto ipsec transform-set myset esp-md5-3des
crypto map xxxx ipsec-ike default
	peer 192.168.0.80
	match vlan10xxxx
	transform-set default
	pfs group2
! Applied to : GigabitEthernet3/0 
interface GigabitEthernet3/0
	crypto map xxxx
top

crypto ipsec profile pv
	pfs group5
	lifetime seconds 28800
	lifetime kilobytes 28800
! Applied to: 
interface Tunnel1
	ipsec-profile pv
top


! No client object Defined
! No client profile Defined!

!
!QoS Configuration
!
!
!
!DDNS configurations
!
!
!

top

top
!
! 
! IP-Policy configuration 
! 
ip-policy PBR-IFB 
    10 match any S01-SNAT next-hop x.x.157.129 
    20 match any Carthame-SNAT next-hop x.x.157.129 
    30 match any CarthameWEB-SNAT next-hop x.x.157.129 
    40 match any AP-Public-SNAT next-hop x.x.157.21 
exit 
! 
interface GigabitEthernet3/0 
    ip-policy PBR-IFB 
exit 
! 
!
!Customized-Services 
!
!
!
!
!
!
!
top
!
!
!
!
! DHCP Server Configuration
!
service dhcp enable
!
ip dhcp pool p20
network 10.0.1.0 255.255.255.0
range 10.0.1.100 10.0.1.200
!
 option routers 10.0.1.1 
 option dns-server x.x.193.1 primary 
top
!
!
!
! DHCP CLIENT Configuration
!
!
ip dhcp client default_client
vendor-class-identifier FDC broadband-forum.org
parameter-req-list vendor-specific 
top
!
interface GigabitEthernet3/0
dhcp client default_client
top
!
!
!

top

top
!

!
!OAM Configuration
!
oam
top
!
!
!
!NHRP configurations
!
top
!
!
! DHCP Relay configuration
!
!
end
At this point (initial configuration) everything works w/o visible issues.
The reason for using VRRP is that we could not add that range of external IPs any other way (as secondary addresses, for example), or at least we did not figure out a way to do it.


Errors on reboot:


2011 Apr 29 20:50:08: %SWE-3-ARPD: VRF ADD Notification with vrfid 0
2011 Apr 29 20:50:10: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:10: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:11: %CE-2-LOG: Setting gre for_us node 32 default to 7
2011 Apr 29 20:50:11: %SWE-2-GRE: For us node 32 default 7
2011 Apr 29 20:50:11: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:12: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:20: %CE-2-LOG: Setting gre for_us node 32 default to 7
2011 Apr 29 20:50:20: %SWE-2-GRE: For us node 32 default 7
2011 Apr 29 20:50:20: %SWE-3-ARPD: VRF ADD Notification with vrfid 0
2011 Apr 29 20:50:24: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
2011 Apr 29 20:50:24: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:26: %NAT-2-LOG: IP Address/Ports used in DNAT matchlist is overlapping with SNAT. Corresponding SNAT sessions will be deleted.
2011 Apr 29 20:50:27: %NAT-3-NAT-FS: IP Address/Ports used in SNAT policy is overlapping with DNAT addresses/ports. Please use different IP/Ports in either of the policies.
When trying to ping any interface IP --> "Fail to connect to forwarding engine". Nothing works anymore (the interfaces are no longer up :shock: ).

At this point I have to detach all policies from the Giga interface, reboot, and reattach the policies one by one.....
Is this a configuration problem? A bug? Both?

Any help on this, guys?
(Murray, Benny?)

Any help is appreciated. Other comments regarding overall experience with the OA 5510 and 5740 are also appreciated.
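The boot-time %NAT-3-NAT-FS / %NAT-2-LOG messages above point at one concrete problem in the posted configuration: every public address that the `Internet` policy uses for source-nat (x.x.157.130, x.x.157.131, x.x.157.132 and the interface address x.x.151.82) is also the destination of a destination-nat match-list in `WAN-IN`, so the router sees the same address/port space claimed by both directions of translation. The following Python script is an added example written for this thread, not Alcatel-Lucent code: it parses a trimmed excerpt of the posted match-list and `ip nat` syntax (the x.x placeholders are kept as the poster redacted them) and reports each SNAT/DNAT pair that shares a public address. The overlap rule is an assumption: a `source-nat host` with no port range is treated as claiming every port on that address. The OmniAccess CLI may apply a narrower definition, so treat the output as a review list rather than the device's own check.

```python
"""Lint for the SNAT/DNAT overlap the OA 5740 logs as %NAT-3-NAT-FS on boot.

Added example for this thread, not Alcatel-Lucent code. CONFIG is a trimmed
excerpt of the posted configuration (x.x placeholders kept). Assumption: a
source-nat to a public address with no port range claims every port on that
address, so any destination-nat match on the same address overlaps it."""
from collections import namedtuple

CONFIG = """\
match-list Internet
1 ip any any
match-list WAN-IN-Carthame
1 tcp any host x.x.157.130 service eq 443
2 tcp any host x.x.157.130 service eq 3389
match-list WAN-IN-S02
1 tcp any host x.x.151.82 service eq 3389
match-list WAN-IN-Mail
1 tcp interface GigabitEthernet 3/0 host x.x.151.82 service eq 25
match-list Carthame-SNAT
1 ip host 10.0.0.2 any
match-list AP-Public-SNAT
1 ip prefix 10.0.1.0/24 any
ip nat WAN-IN
   110 match any WAN-IN-S02 destination-nat host 10.0.0.5
   150 match any WAN-IN-Carthame destination-nat host 10.0.0.2
   170 match any WAN-IN-Mail destination-nat host 10.0.0.6
top
ip nat Internet
   40 match any Carthame-SNAT source-nat host x.x.157.130
   60 match any AP-Public-SNAT source-nat host x.x.157.22
   210 match any Internet source-nat host x.x.151.82
top
"""

MatchEntry = namedtuple("MatchEntry", "seq proto src dst port")  # port: 'service eq N' or None
# address: public IP for source-nat, inside host for destination-nat
NatRule = namedtuple("NatRule", "policy seq match_list kind address")


def _endpoint(tok):
    """Consume one endpoint: any | host A | prefix P | interface Name Unit."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] in ("host", "prefix"):
        return f"{tok[0]} {tok[1]}", tok[2:]
    if tok[0] == "interface":
        return f"interface {tok[1]} {tok[2]}", tok[3:]
    raise ValueError(f"unknown endpoint: {' '.join(tok)}")


def parse_config(text):
    """Return ({match-list name: [MatchEntry]}, [NatRule])."""
    lists, rules, section, name = {}, [], None, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        if tok[0] == "match-list":
            section, name = "match", tok[1]
            lists[name] = []
        elif tok[:2] == ["ip", "nat"] and len(tok) == 3:  # policy header, not 'ip nat in X'
            section, name = "nat", tok[2]
        elif tok[0] in ("top", "exit", "end"):
            section = None
        elif section == "match" and tok[0].isdigit():
            src, rest = _endpoint(tok[2:])
            dst, rest = _endpoint(rest)
            port = int(rest[2]) if rest[:2] == ["service", "eq"] else None
            lists[name].append(MatchEntry(int(tok[0]), tok[1], src, dst, port))
        elif section == "nat" and tok[0].isdigit():
            # SEQ match any LIST source-nat|destination-nat host ADDR
            rules.append(NatRule(name, int(tok[0]), tok[3], tok[4], tok[6]))
    return lists, rules


def find_snat_dnat_overlaps(lists, rules):
    """Pair each source-nat public address with every destination-nat match
    entry aimed at that same address: the overlap the router reports."""
    dnat = [(r, e) for r in rules if r.kind == "destination-nat"
            for e in lists[r.match_list]]
    return [(s, r, e) for s in rules if s.kind == "source-nat"
            for r, e in dnat if e.dst == f"host {s.address}"]


def overlap_report(text):
    """One line per conflicting pair, in config order."""
    lists, rules = parse_config(text)
    return [f"{s.policy} {s.seq}: source-nat {s.address} overlaps {r.policy} {r.seq}"
            f" ({r.match_list} #{e.seq}, tcp/{e.port})"
            for s, r, e in find_snat_dnat_overlaps(lists, rules)]


if __name__ == "__main__":
    for line in overlap_report(CONFIG) or ["no SNAT/DNAT overlap"]:
        print(line)
```

Run against the full configuration from the post, the same parser flags SNAT entries 40, 50, 70 and 210; only 60 (x.x.157.22, which no destination-nat rule targets) is clean. The message the router prints ("Please use different IP/Ports in either of the policies") is asking for exactly that separation: each public address should be claimed by source-nat or by a destination-nat match, not both, unless the platform lets you narrow the source-nat to a port range that does not collide with the forwarded ports.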

Re: OA 5740 R3 (alu-apps.740.3.0.0.97.0) stability?

Post by tot3nkopf »

:) I forgot about this post. Late, but here is the result:
- this was a configuration problem --> we misconfigured a VRRP (there was no point in configuring such a thing in our case) --> this led to the engine crash

- support was very bad: I opened an eSR --> no response for 2 days, then they asked for a tech file, which I provided; in the meantime I solved a port overlap problem for NAT and SNAT --> updated the status on the eSR that that problem was solved but the system still crashes --> guess what the reply was after 10 days --> that they saw a problem with overlapping ports for SNAT and DNAT in my config (so they responded with the update I had previously made :shock: :shock: :shock:) --> nothing about the VRRP config; I solved the problem and left the eSR open just because I was curious --> after a few more days they asked if they could close the eSR as the issue had already been replied to :shock:

So gents --> not the best support
However, the equipment has done its job w/o issues since its installation and looks like a good solution if you play enough with it (I think an educated networking person will have no problem with it --> very Cisco-like)