```
Edge1> get logical-router interface 8638183a-7126-4401-b8cb-175bfce4664e stats
Wed Jan 24 2024 UTC 07:09:38.729
interface   : 8638183a-7126-4401-b8cb-175bfce4664e
ifuid       : 298
VRF         : 5dfb911e-7c35-4c8d-b42c-12323ade5fdb
name        : tier0-interface-90-90-90-2
IP/Mask     : 90.90.90.2/24;2010::250:56ff:fea6:cb7c/64(A);2010::1/64(A);fe80::250:56ff:fea6:cb7c/64(A)
MAC         : 00:50:56:a6:cb:7c
VLAN        : 8
LS port     : 7ea2eb90-b82b-4f74-9349-ac9b2244af9f
urpf-mode   : STRICT_MODE
admin       : up
op_state    : up
MTU         : 1500
statistics
    RX-Packets  : 275749
    RX-Bytes    : 23938078
    RX-Drops    : 4996
        Blocked     : 0
        DST-Unsupported: 4515
        Firewall    : 0
        Malformed   : 0
        No-Receiver : 0
        No-Route    : 0
        RPF-Check   : 81
        Protocol-Unsupported: 396
        IPv6        : 4
        Port-Unsupported: 0
        TTL-Exceeded: 0
        Kni         : 0
        Rate-Limit  : 0
        IPsec       : 0
        IPsec-NoSA  : 0
        IPsec-NoVTI : 0
    TX-Packets  : 203743
    TX-Bytes    : 17505975
    TX-Drops    : 0
        Blocked     : 0
        Firewall    : 0
        Frag-Needed : 0
        No-neighbor : 0
        No-Memory   : 0
        No-Linked-Port: 0
        Rate-Limit  : 0
        IPsec       : 0
        IPsec-NoSA  : 0
        IPsec-NoVTI : 0
        IPsec-Policy-Error: 0
        IPsec-Policy-Block: 0
    IP Ressemble
        Fragments-OK: 0
        Fragemnts-Error: 0
        Fragments-Timeout: 0
    IP Fragment
        Fragments-OK: 0
        Fragments-Error: 0
```

Stats (Rx) | Description | Action
---|---|---
Blocked | Packet dropped because the interface is blocked/admin-down, as the SR of the edge node is in standby state | Some packets dropped due to the blocked state are expected during failover/fallback. If this counter continues to increase, the following command should be used to check admin and internal_operation:
DST-Unsupported | Packet dropped due to an unsupported destination such as mcast (when mcast is not enabled), loopback or a reserved address | The start capture command can be used to find the unsupported destination address and where the traffic is coming from (source address)
Firewall | Packet dropped due to firewall | Check whether there is a drop rule or state-mismatched traffic
Malformed | Packet dropped due to malformed fields; an IP checksum or L4 checksum could be the reason for the malformed traffic | Check the sender's checksum offload configuration
No-Receiver | Packet dropped because the destination is an lrouter with no receiver, i.e. the proto is not supported by it or no linked tunnel exists | Check the configuration of the lrouter port; if it is a GRE port, it should be linked to a GRE tunnel port.
No-Route | Packet dropped due to routing failure or invalid egress port | Check the L3 forwarding table for the dst IP
RPF-Check | Packet dropped due to no reverse path to destination | Check the RPF configuration (urpf-mode) and the L3 forwarding table for the SRC IP
Protocol-Unsupported | Packet dropped because a known protocol such as ARP, ICMP or DHCP cannot be decoded completely | No action unless there is a traffic connection issue, such as no ARP or no ICMP reply.
TTL-Exceeded | Packet dropped due to TTL exceeded | There is an L3 loop; check the forwarding information of the complete setup
Kni | Packet dropped because the lrouter port's companion KNI port failed to send | Check the CPU utilization of Linux processes such as L7 LB; this happens when the Linux side is not able to dequeue packets fast enough.
Rate-Limit | Packet dropped due to ingress traffic rate higher than the configured QoS (traffic contract) | Check whether ingress traffic to the lrouter is much higher than the QoS config.
IPsec | Packet dropped during IPsec input processing | Aggregated Rx drop counter for IPsec-related drops; check the IPsec tunnel stats for the particular drop reason using the command "get ipsecvpn tunnel stats <IPsec tunnel/VTI UUID>"
IPsec-NoSA | Packet dropped due to a missing IPsec inbound or ingress security association (SA) | Check the installed outbound and inbound SAs by running "get ipsecvpn sad" or "get ipsecvpn sad summary"
IPsec-NoVTI | Packet dropped due to IPsec input missing or admin-down VTI interface | The VTI interface is present on the T0/T1 SR with mode "vti"; it can be found by running "get logical-router <T0/T1 SR UUID> interfaces"

Stats (Tx) | Description | Action
---|---|---
Blocked | Packet dropped because the interface is blocked/admin-down, as the SR of the edge node is in standby state | See Rx
Firewall | Packet dropped due to firewall | See Rx
Frag-Needed | Packet dropped due to the need for fragmentation | DF bit is set but the packet length is greater than the MTU; check the MTU configuration
No-neighbor | Packet dropped due to ARP failure | The neighbor IP has not replied to the ARP request; check the neighbor VM or router
No-Memory | Packet dropped due to shortage of memory | Potential mbuf/memory leak
No-Linked-Port | Packet dropped due to a forwarding failure because there is no linked peer lport | Check the lrouter port configuration; it should have a linked lswitch port like
Rate-Limit | Packet dropped due to egress traffic rate higher than the configured QoS (traffic contract) | Check whether egress traffic to the lrouter is much higher than the QoS config.
IPsec | Packet dropped during IPsec output processing | Aggregated Tx drop counter for IPsec-related drops; check the IPsec tunnel stats for the particular drop reason using the command "get ipsecvpn tunnel stats <IPsec tunnel/VTI UUID>"
IPsec-NoSA | Packet dropped due to a missing IPsec outbound or egress security association (SA) | Check the installed outbound and inbound SAs by running "get ipsecvpn sad" or "get ipsecvpn sad summary"
IPsec-NoVTI | Packet dropped due to IPsec input missing or down VTI interface | The VTI interface is present on the T0/T1 SR with mode "vti"; it can be found by running "get logical-router <T0/T1 SR UUID> interfaces"
IPsec-Policy-Error | Packet dropped due to a missing rule for IPsec processing; the SPD look-up failed. | Check the command output below; there should not be any entry with tag "ipsec"
IPsec-Policy-Block | Packet dropped due to an IPsec rule with DROP as its action | Check the command output below for tag "DROP"
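
The actions above depend on whether a drop counter keeps increasing, and several reason names (Blocked, Firewall, Rate-Limit, IPsec) occur under both Rx and Tx. As an added example (not part of the original article or of any VMware tooling), the following Python compares two captures of the stats output and lists the drop reasons that grew, keeping Rx and Tx apart. The sample captures are constructed from the output shown above, and the counter-reset handling is an assumption.

```python
import re

# Constructed sample: abbreviated "statistics" part of one capture of
# "get logical-router interface <UUID> stats" (values taken from the page).
SNAP_1 = """\
statistics
    RX-Packets : 275749
    RX-Drops : 4996
        Blocked : 0
        DST-Unsupported: 4515
        RPF-Check : 81
        Protocol-Unsupported: 396
        IPv6 : 4
    TX-Packets : 203743
    TX-Drops : 0
        Blocked : 0
        Frag-Needed : 0
    IP Ressemble
        Fragments-OK: 0
"""
# Constructed second capture: three per-reason counters moved. The RX-Drops and
# TX-Drops totals are left as they were; only per-reason values are compared.
SNAP_2 = (SNAP_1.replace("RPF-Check : 81", "RPF-Check : 140")
          .replace("Protocol-Unsupported: 396", "Protocol-Unsupported: 400")
          .replace("Frag-Needed : 0", "Frag-Needed : 12"))

COUNTER = re.compile(r"^\s*([A-Za-z0-9-]+)\s*:\s*(\d+)\s*$")

def parse_drops(text):
    """Return {(direction, reason): count} for the per-reason drop counters."""
    drops, direction = {}, None
    for line in text.splitlines():
        m = COUNTER.match(line)
        if not m:                      # e.g. "IP Ressemble" ends the drop list
            direction = None
            continue
        key, value = m.group(1), int(m.group(2))
        if key in ("RX-Drops", "TX-Drops"):
            direction = key[:2]        # reasons that follow belong to RX or TX
        elif key.startswith(("RX-", "TX-")):
            direction = None           # RX-Packets, TX-Bytes, ... are not drops
        elif direction:
            drops[(direction, key)] = value
    return drops

def rising(before, after):
    """Drop reasons that grew between two captures, largest increase first."""
    old, new = parse_drops(before), parse_drops(after)
    # Assumption: a value lower than before means the counter was reset.
    delta = {k: v - old.get(k, 0) if v >= old.get(k, 0) else v
             for k, v in new.items()}
    return sorted(((k, d) for k, d in delta.items() if d > 0),
                  key=lambda item: -item[1])
```

Calling `rising(SNAP_1, SNAP_2)` on captures taken a few minutes apart shows which rows of the tables above to work through first.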