[j-nsp] M10 FEB problems (Eric Van Tol)
Nugroho WH Adisubrata
adisubrata at gmail.com
Mon May 19 16:47:44 EDT 2008
Hi Andrew,
Your log indicate new prefix could not be installed in the feb.
In my experience, there is no other way than restarting feb.
You need to restart them carefully.
Be careful, sometimes the old box didn't work properly, so you cannot remote
it after restarting feb.
Better if you replace with a new one like Eric said.
Regards,
On Mon, May 19, 2008 at 11:00 PM, <juniper-nsp-request at puck.nether.net>
wrote:
> Send juniper-nsp mailing list submissions to
> juniper-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> or, via email, send a message with subject or body 'help' to
> juniper-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
> juniper-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of juniper-nsp digest..."
>
>
> Today's Topics:
>
> 1. (no subject) (M.Mihailidis)
> 2. M10 FEB problems (Andrew Degtiariov)
> 3. Re: asn32: as-path formatting ? (Per Nihlen)
> 4. Re: M10 FEB problems (Eric Van Tol)
> 5. NetScreen-Remote issues (Sven Juergensen (KielNET))
> 6. 10GE xe-0/0/0 traffic anomaly (Witold Koscielniak)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 19 May 2008 12:00:17 +0300
> From: "M.Mihailidis" <mixalism at gmail.com>
> Subject: [j-nsp] (no subject)
> To: "Juniper-Nsp" <juniper-nsp at puck.nether.net>, <nn at compsoc.com>
> Message-ID: <001b01c8b98e$c3d463b0$4b7d2b10$@com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hello I need help with one how do I configure the policy mentioned? I make
> a
> dialup from a pc and this is what I get:
>
>
>
> IKE<xx.xx.xx.xx> Phase 2 msg ID <37ec7e6c>: Negotiations have
> failed.2008-05-19 12:16:18infoIKE<85.72.37.175>
>
>
>
> Phase 2: No policy exists for the proxy ID received: local ID
> (<192.168.0.0>/<255.255.0.0>, <0>, <0>) remote ID
> (<10.251.251.1>/<255.255.255.255>, <0>, <0>)
>
> .2008-05-19 12:16:18infoRejected an IKE packet on adsl1 from
> xx.xx.xx.xx:4500 to 213.16.178.92:4500 with cookies 6012b2b9a2752f79 and
> ce394dc19b786a53
>
> because the peer sent a proxy ID that did not match the one in the SA
> config.2008-05-19 12:16:18infoIKE<85.72.37.175>
>
> Phase 2: No policy exists for the proxy ID received: local ID
> (<192.168.0.0>/<255.255.0.0>, <0>, <0>) remote ID
> (<10.251.251.1>/<255.255.255.255>, <0>, <0>).
>
>
>
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 19 May 2008 13:01:52 +0300
> From: "Andrew Degtiariov" <andrew.degtiariov at gmail.com>
> Subject: [j-nsp] M10 FEB problems
> To: juniper-nsp at puck.nether.net
> Message-ID:
> <5d1b76f60805190301j74717e7arf0c22e85c38e4113 at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> Hello.
> I have expected problems with Full view on M10 router.
> Some of directly (L3 I mean) connected customers can't see anything
> except his default gateway (there is IP on this M10)
>
> In logs I see a log of similar entries:
> ...
> May 19 12:54:16 hosto /kernel: RT_PFE: RT msg op 3 (PREFIX CHANGE)
> failed, err 5 (Invalid)
> May 19 12:54:16 hosto feb RT: Failed prefix change IPv4:0 -
> 66.254.124/24, nh 262186, ifidx 0, nhifl 0, flag 0x10, cos 0
> May 19 12:54:16 hosto feb RT: Failed prefix change IPv4:0 -
> 66.254.124/24 (unknown prefix)
> ...
>
> There some of diagnostics:
>
> ad at hostj> show chassis feb
> FEB status:
> Temperature 33 degrees C / 91 degrees F
> CPU utilization 7 percent
> Interrupt utilization 1 percent
> Heap utilization 99 percent
> Buffer utilization 51 percent
> Total CPU DRAM 64 MB
> Internet Processor II Version 1, Foundry IBM, Part number
> 9
> Start time: 2008-05-19 11:50:04 EEST
> Uptime: 11 minutes, 18 seconds
>
> ad at hostj>
>
> .. from vty feb:
> show nhdb zone
> Chip Start Size Rsvd Used/Hi Water/Total Size Name
> ---- ----- ----- ----- -------------------- ---- ----
> 0 20000 01000 00000 0/0/512 8 Multicast RTP
> 0 21000 02400 00000 0/0/9216 1 Multicast Lists
> 0 23400 0d400 00006 183/183/54272 1 Next-Hop Entries
> 0 30800 4f800 0004b 826/826/162816 2 L2 Descriptors
> 0 40400 001ff 00000 8/8/63 8 L2 Programs
> 1 20000 01000 00000 0/0/512 8 Multicast RTP
> 1 21000 02400 00000 0/0/9216 1 Multicast Lists
> 1 23400 0d400 00006 0/0/54272 1 Next-Hop Entries
> 1 30800 4f800 0004b 0/0/162816 2 L2 Descriptors
> 1 40400 001ff 00000 1/1/63 8 L2 Programs
>
> show memory
> ID Base Total(b) Free(b) Used(b) % Name
> -- -------- --------- --------- --------- --- -----------
> 0 755310 51031280 108816 50922464 99 Kernel
> 1 93800000 8388608 4087636 4300972 51 Uncached
>
> Any recommendations to fix this problem?
>
> PS. JUNOS 7.5R2.8
>
> --
> Andrew Degtiariov
> DA-RIPE
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 19 May 2008 11:24:35 +0200
> From: Per Nihlen <per at nordu.net>
> Subject: Re: [j-nsp] asn32: as-path formatting ?
> To: Daniel Roesen <dr at cluenet.de>
> Cc: Juniper-NSP Mailing list <juniper-nsp at puck.nether.net>
> Message-ID: <75176916-CAE1-49BC-BA89-4A494A80E20D at nordu.net>
> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>
> On May 17, 2008, at 4:10 AM, Daniel Roesen wrote:
>
> > On Fri, May 16, 2008 at 02:32:42PM -0500, Richard A Steenbergen wrote:
> >> As numbers greater than 65535, like they freaking should be.
> >>
> >> :'s don't belong in IP addresses
> >> .'s don't belong in ASNs
> >>
> >> Thank you Juniper.
> >
> > I couldn't agree more. Finally some vendor who didn't drink the
> > "asdot"
> > kool-aid and did the Sensible Thing.
> >
>
> Juniper supports it from 9.2, I'm currently BETA testing it.
>
> per at t320b_re1# set routing-options autonomous-system ?
> Possible completions:
> <as_number> Autonomous system number in plain number or
> 'higher 16bits'.'Lower 16 bits' (asdot notation) format
> asdot-notation Use AS-Dot notation to display true 4 byte AS
> numbers
> loops Maximum number of times this AS can be in an AS
> path
> [edit]
>
> You can type the ASN in what ever format you like in option
> "<as_number>" , the show commands will then still be in "asplain". If
> you choose "asdot-notation" the show commands will show the ASNs in as-
> dot.
>
> So basically you can choose to drink the kool-aid or not. (I
> personally choose not to)
>
> --
> Per Nihlen
> NORDUNet
>
>
> ------------------------------
>
> Message: 4
> Date: Mon, 19 May 2008 06:11:28 -0400
> From: Eric Van Tol <eric at atlantech.net>
> Subject: Re: [j-nsp] M10 FEB problems
> To: "'Andrew Degtiariov'" <andrew.degtiariov at gmail.com>,
> "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> Message-ID:
> <2C05E949E19A9146AF7BDF9D44085B863504C72242 at exchange.aoihq.local>
> Content-Type: text/plain; charset="us-ascii"
>
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> > bounces at puck.nether.net] On Behalf Of Andrew Degtiariov
> > Sent: Monday, May 19, 2008 6:02 AM
> > To: juniper-nsp at puck.nether.net
> > Subject: [j-nsp] M10 FEB problems
> >
> > Hello.
> > I have expected problems with Full view on M10 router.
> > Some of directly (L3 I mean) connected customers can't see anything
> > except his default gateway (there is IP on this M10)
> >
> > In logs I see a log of similar entries:
> > ...
> > Any recommendations to fix this problem?
> >
> > PS. JUNOS 7.5R2.8
> >
> > --
> > Andrew Degtiariov
> > DA-RIPE
>
>
> Yes. If you absolutely require full routes on this router, upgrade the
> memory in your cFEB to 128M. Your heap utilization is at 99%, so the cFEB
> is dropping routing updates. If you don't need full routes, apply an import
> filter to the BGP process to prevent so many routes from being installed
> into the FIB.
>
> -evt
>
>
> ------------------------------
>
> Message: 5
> Date: Mon, 19 May 2008 12:37:55 +0200
> From: "Sven Juergensen (KielNET)" <s.juergensen at kielnet.de>
> Subject: [j-nsp] NetScreen-Remote issues
> To: juniper-nsp at puck.nether.net
> Message-ID: <48315883.7090403 at kielnet.de>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi list,
>
> I'm facing recurring issues with the NetScreen-Remote
> under Windows XP SP2. $SOMETHING every now and then
> fubars the installation and a formerly working VPN
> out of the sudden won't budge anymore. Most of the time
> the client installed something and this happens. Some
> older installations of windows also seem to disallow the
> software to work entirely. I went through the resolution
> path outlined in [1] but to no avail.
>
> Several machines were set up completely new and those
> w/o that option were cleansed registry- and filewise.
> On some machines this works, on others it's "sucks to
> be you".
>
> Are there any free or commercial VPN Clients under active
> development anyone can confirm to work with the ScreenOS
> 6.x tree?
>
> Being aware that more than one VPN client on the same
> machine usually results in conflicts, I'm looking for
> something less prone to issues. I miss the client from
> Cisco, which was way more stable and less susceptible
> to conflicts than the Safenet client is.
>
> Any pointers appreciated.
>
> Cheers,
>
> sven03
>
> [1]
>
> http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm
>
> Mit freundlichen Gruessen
>
> i. A. Sven Juergensen
>
> - --
> Fachbereich
> Informationstechnologie
>
> KielNET GmbH
> Gesellschaft fuer Kommunikation
> Preusserstr. 1-9, 24105 Kiel
>
> Telefon : 0431 / 2219-053
> Telefax : 0431 / 2219-005
> E-Mail : s.juergensen at kielnet.de
> Internet: http://www.kielnet.de
>
> Geschaeftsfuehrer Eberhard Schmidt
> HRB 4499 (Amtsgericht Kiel)
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.9 (GNU/Linux)
>
> iEYEARECAAYFAkgxWIMACgkQnEU7erAt4TJDEACZAV+Ow46uWpC038mAaKzO7UjL
> wtUAoKDNNpCOt2iSCtJhn3QitVQm42aq
> =UeJy
> -----END PGP SIGNATURE-----
>
>
> ------------------------------
>
> Message: 6
> Date: Mon, 19 May 2008 13:40:57 +0200
> From: Witold Koscielniak <Witold.Koscielniak at firma.interia.pl>
> Subject: [j-nsp] 10GE xe-0/0/0 traffic anomaly
> To: juniper-nsp at puck.nether.net
> Message-ID: <48316749.8090902 at firma.interia.pl>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> I have new m120 connected on stick to the Extreme switch.
>
> 10GE
> m120<-------------->summit<----->
> in=2 x out(??) in=out
>
>
> M120 has only one interface - xe-0/0/0 with many 802.1q subinterfaces.
> So traffic on xe-0/0/0 should be exactly symmetrical (in/out = 1) but it is
> not!!
>
> Mrtg shows that traffic on 10G summit is exactly symmetrical but on
> xe-0/0/0
> is asymmetrical:
>
> admin at Juniper_M120> monitor interface traffic
> Interface Link Input bytes (bps) Output bytes
> (bps)
> xe-0/0/0 Up 61944473131097 (318338324) 30951930138936 (156175948)
>
> Input traffic is approximatly twice geater than output (in/out = 2).
>
> What is happen? Why input traffic is greater than output traffic.
> What doubled input traffic on xe-0/0/0?
>
> Before installing M120 I had:
>
> LACP 2x1GE
> m5<-------------->summit<----->
> <-------------->
> ae0
>
> and everything was ok (in was eq out on ae0)!!!!
>
> Any idea?
>
>
> --
> Witold Ko?cielniak
> Network Administrator
>
>
> ------------------------------
>
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
> End of juniper-nsp Digest, Vol 66, Issue 26
> *******************************************
>
More information about the juniper-nsp
mailing list