Troubleshooting - Security(V800R002C01_01)


  • 8/11/2019 Troubleshooting - Security(V800R002C01_01)

    1/37

HUAWEI NetEngine5000E Core Router
V800R002C01
Troubleshooting - Security
Issue 01
Date 2011-10-15
HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2011. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

(Huawei logo) and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: [email protected]

Issue 01 (2011-10-15) Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd.

Symbol Description

(Caution icon) Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.

(Tip icon) Provides a tip that may help you solve a problem or save time.

(Note icon) Provides additional information to emphasize or supplement important points in the main text.

Command Conventions (Optional)

The command conventions that may be found in this document are defined as follows.

Convention: Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

    Change History

Updates between document issues are cumulative. Therefore, the latest document issue contains all updates made in previous issues.

    Changes in Issue 01 (2011-10-15)

    The initial commercial release.


    Contents

About This Document ..... ii
1 AAA and User Management Troubleshooting ..... 1
1.1 Users Cannot Get Online ..... 2
1.1.1 Common Causes ..... 2
1.1.2 Troubleshooting Procedure ..... 2
1.1.3 Relevant Alarms and Logs ..... 5
1.2 User Fails to Authenticate through HWTACACS Server ..... 5
1.2.1 Common Causes ..... 5
1.2.2 Troubleshooting Flowchart ..... 5
1.2.3 Troubleshooting Procedure ..... 6
1.2.4 Relevant Alarms and Logs ..... 8
1.3 User Fails to do Authorization through HWTACACS Server ..... 9
1.3.1 Common Causes ..... 9
1.3.2 Troubleshooting Flowchart ..... 9
1.3.3 Troubleshooting Procedure ..... 10
1.3.4 Relevant Alarms and Logs ..... 12
1.4 User Fails to do Accounting through HWTACACS Server ..... 13
1.4.1 Common Causes ..... 13
1.4.2 Troubleshooting Flowchart ..... 13
1.4.3 Troubleshooting Procedure ..... 14
1.4.4 Relevant Alarms and Logs ..... 16
1.5 User Fails to Authenticate through RADIUS Server ..... 17
1.5.1 Common Causes ..... 17
1.5.2 Troubleshooting Flowchart ..... 17
1.5.3 Troubleshooting Procedure ..... 19
1.5.4 Relevant Alarms and Logs ..... 20
1.6 User Fails to do Accounting through RADIUS Server ..... 21
1.6.1 Common Causes ..... 21
1.6.2 Troubleshooting Flowchart ..... 21
1.6.3 Troubleshooting Procedure ..... 23
1.6.4 Relevant Alarms and Logs ..... 24
2 Local Attack Defense Troubleshooting ..... 25


2.1 Management Plane Protection Malfunctions ..... 26
2.1.1 Common Causes ..... 26
2.1.2 Troubleshooting Procedure ..... 26
3 URPF Troubleshooting ..... 28
3.1 URPF Check Fails ..... 29
3.1.1 Common Causes ..... 29
3.1.2 Troubleshooting Flowchart ..... 29
3.1.3 Troubleshooting Procedure ..... 30
3.1.4 Relevant Alarms and Logs ..... 30


1 AAA and User Management Troubleshooting

About This Chapter

This chapter describes common causes of AAA faults, and provides the corresponding troubleshooting flowchart, troubleshooting procedure, alarms, and logs.

1.1 Users Cannot Get Online
This section describes the causes of users' failures to get online, and provides detailed troubleshooting procedures.

1.2 User Fails to Authenticate through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user fails to authenticate through the HWTACACS server.

1.3 User Fails to do Authorization through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user fails to do authorization through the HWTACACS server.

1.4 User Fails to do Accounting through HWTACACS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user fails to do accounting through the HWTACACS server.

1.5 User Fails to Authenticate through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user fails to authenticate through the RADIUS server.

1.6 User Fails to do Accounting through RADIUS Server
This section describes the step-by-step troubleshooting procedure for the fault when the user fails to do accounting through the RADIUS server.


1.1 Users Cannot Get Online

This section describes the causes of users' failures to get online, and provides detailed troubleshooting procedures.

1.1.1 Common Causes

If users cannot get online, run the display aaa online-fail-record command in any view and read the value of the User online fail reason field. To rectify the fault, see the troubleshooting procedure in 1.1.2 Troubleshooting Procedure.

Error Prompt (values of the User online fail reason field):
- Server return fail
- Username or password wrong
- Max users (Pending Requests) Reached
- Server no response
- User access type not match service type
- Domain was blocked
- Protocol authorize fail
- User was blocked

1.1.2 Troubleshooting Procedure

Collect log messages and contact Huawei technical personnel.

Error Prompt: Server return fail
Common Causes: The RADIUS or HWTACACS server returns an authentication failure message.
Troubleshooting Procedure: For details, see RADIUS or HWTACACS server troubleshooting.


Error Prompt: Domain was blocked
Common Causes: The domain is blocked.
Troubleshooting Procedure:
1. Run the display domain command to see whether the domain to which the user belongs is in the Block state.
2. If the domain is in the Block state, contact the device administrator to change the state to Active.
3. If the domain is not in the Block state, contact Huawei technical personnel.

Error Prompt: Protocol authorize fail
Common Causes: Protocol authorization fails.
Troubleshooting Procedure: For details, see RADIUS or HWTACACS server troubleshooting.

Error Prompt: User was blocked
Common Causes: The user is blocked.
Troubleshooting Procedure:
1. Run the display local-user command to see whether the user is in the Block state.
2. If the user is in the Block state, contact the device administrator to change the state to Active.
3. If the user is not in the Block state, contact Huawei technical personnel.

Error Prompt: Domain not exist
Common Causes: The domain does not exist.
Troubleshooting Procedure:
1. If the user name contains @, the part before @ is the user name and the part after @ is the domain name. If the user name does not contain @, the entire string is the user name and the domain is the default one, whose name is default.
2. Run the display domain command to see whether the domain to which the user belongs exists.
3. If the domain does not exist, contact the device administrator to add a new domain.
4. If the domain exists, contact Huawei technical personnel.
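As an added illustration that is not part of the Huawei manual, the following Python applies the user name/domain rule from the Domain not exist row and the Block-state checks from the table above to pick the next action for a given User online fail reason. The domain and local-user state tables are constructed stand-ins, because the page does not show display domain or display local-user output.

```python
DEFAULT_DOMAIN = "default"


def split_login(login):
    """Apply the rule from the 'Domain not exist' row: the part before '@' is the
    user name and the part after it is the domain name; without '@' the whole
    string is the user name and the domain is the default one."""
    name, sep, domain = login.partition("@")
    return (name, domain) if sep else (login, DEFAULT_DOMAIN)


# Constructed stand-ins for what display domain and display local-user would show;
# the real outputs are not on the page, so only the name -> state mapping is modelled.
DOMAIN_STATE = {"default": "Active", "isp1": "Block"}
LOCAL_USER_STATE = {"alice": "Active", "bob": "Block"}


def next_action(reason, login, domain_state=DOMAIN_STATE, user_state=LOCAL_USER_STATE):
    """Given the User online fail reason and the login string, return the next action
    from the 1.1.2 table, resolving the domain the same way the device does."""
    user, domain = split_login(login)
    if reason == "Domain not exist":
        if domain not in domain_state:
            return f"ask the administrator to add domain '{domain}'"
        return "domain exists: contact Huawei technical personnel"
    if reason == "Domain was blocked":
        if domain_state.get(domain) == "Block":
            return f"ask the administrator to set domain '{domain}' to Active"
        return "domain is not blocked: contact Huawei technical personnel"
    if reason == "User was blocked":
        if user_state.get(user) == "Block":
            return f"ask the administrator to set user '{user}' to Active"
        return "user is not blocked: contact Huawei technical personnel"
    if reason in ("Server return fail", "Protocol authorize fail"):
        return "see RADIUS or HWTACACS server troubleshooting"
    # Every other reason falls back to the table's general instruction.
    return "collect log messages and contact Huawei technical personnel"
```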


1.1.3 Relevant Alarms and Logs

Relevant Alarms
None

Relevant Logs
None

1.2 User Fails to Authenticate through HWTACACS Server

This section describes the step-by-step troubleshooting procedure for the fault when the user fails to authenticate through the HWTACACS server.

1.2.1 Common Causes

A user's failure to authenticate through the HWTACACS server is commonly caused by one of the following:
- The route is unreachable and the user cannot set up a UDP connection with the server.
- HWTACACS services are not enabled.
- HWTACACS is not configured as the authentication-mode under the AAA authentication scheme.
- The IP address and port configured for the HWTACACS authentication server in the NAS are not correct.
- The shared key does not match between the HWTACACS server and the NAS.

    1.2.2 Troubleshooting Flowchart


Figure 1-1 Troubleshooting flowchart for the fault that the user fails to authenticate through HWTACACS server

[Flowchart; only the node labels are recoverable. Start node: User fails to authenticate through HWTACACS server. Decision nodes: Whether the client can successfully ping the server? Is HWTACACS client enabled? Is HWTACACS configured as authentication-mode under AAA authentication scheme? Is IP address and port configured for HWTACACS server in the NAS? Action nodes: Check why the ping operation fails and rectify the fault; Enable the HWTACACS client; Configure the authentication-mode under AAA authentication scheme; Configure IP address and interface for HWTACACS server in the NAS. Each action is followed by "Is the fault rectified?", leading to End on Yes. Final node: Contact Huawei technical support personnel for results, configuration files, log files, and alarm files of the devices.]

    1.2.3 Troubleshooting Procedure


NOTE

After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.
- In immediate validation mode, configurations take effect after commands are input and the Enter key is pressed.
- In two-phase validation mode, after commands are configured, the commit command needs to be run to commit the configurations.

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide to Huawei technical support personnel.

Procedure

Step 1 Check the network connectivity.

Run the ping command to check the network connectivity.
- If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.
- If the ping succeeds, go to Step 2.

Step 2 Check that the HWTACACS client is enabled.

Run the display hwtacacs current-status command to view the current status of the HWTACACS client.

display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------

NOTE
If the HWTACACS client is enabled, go to Step 3.

The command output shows that the HWTACACS client is not enabled. A user can authenticate through the HWTACACS server only after the HWTACACS client is enabled in the system. Run the hwtacacs enable command to enable the HWTACACS client.

system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit

Step 3 Check that HWTACACS is configured as the authentication-mode under the AAA authentication scheme.

Run the display authentication-scheme command to view the configuration of the AAA authentication scheme.

[~HUAWEI] display authentication-scheme
---------------------------------------------------------------------------
Vr-id Authentication-scheme-name Authentication-method
---------------------------------------------------------------------------
0 default local
0 auth hwtacacs
---------------------------------------------------------------------------

If the authentication-mode under the AAA authentication scheme is not configured, go to Step 4; otherwise, go to Step 5.

Step 4 Configure the authentication-mode under the AAA authentication scheme.


[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme auth
[~HUAWEI-aaa-authen-auth] authentication-mode hwtacacs
[~HUAWEI-aaa-authen-auth] commit
[~HUAWEI-aaa-authen-auth] quit
[~HUAWEI-aaa] quit

Step 5 Check the IP address and port configured for the HWTACACS server in the NAS.

Run the display hwtacacs-server configuration template template-name command to view the IP address and port details.

[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------

If the IP address and port configured for the HWTACACS server in the NAS are not correct, go to Step 6; otherwise, go to Step 8.

Step 6 Configure the IP address and interface for the HWTACACS server in the NAS.

[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authentication 129.7.66.66 1813
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authentication 129.7.66.67 1813 secondary
[~HUAWEI-hwtacacs-huawei] commit

Step 7 Contact Huawei technical support personnel for:
- Results of the preceding troubleshooting procedures.
- Configuration files, log files, and alarm files of the devices.

Step 8 End.

----End

    1.2.4 Relevant Alarms and Logs

    Relevant Alarms

    None.

    Relevant Logs

    None.


Figure 1-2 Troubleshooting flowchart for the fault that the user fails to do authorization through HWTACACS server

[Flowchart; only the node labels are recoverable. Start node (as labelled in the figure): User fails to authenticate through HWTACACS server. Decision nodes: Whether the client can successfully ping the server? Is HWTACACS client enabled? Is HWTACACS configured as authorization-mode under AAA authorization scheme? Is IP address and port configured for HWTACACS server in the NAS? Action nodes: Check why the ping operation fails and rectify the fault; Enable the HWTACACS client; Configure the authorization-mode under AAA authorization scheme; Configure IP address and interface for HWTACACS server in the NAS. Each action is followed by "Is the fault rectified?", leading to End on Yes. Final node: Contact Huawei technical support personnel for results, configuration files, log files, and alarm files of the devices.]

    1.3.3 Troubleshooting Procedure


NOTE

After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.
- In immediate validation mode, configurations take effect after commands are input and the Enter key is pressed.
- In two-phase validation mode, after commands are configured, the commit command needs to be run to commit the configurations.

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide to Huawei technical support personnel.

Procedure

Step 1 Check the network connectivity.

Run the ping command to check the network connectivity.
- If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.
- If the ping succeeds, go to Step 2.

Step 2 Check that the HWTACACS client service is enabled.

Run the display hwtacacs current-status command to view the current status of the HWTACACS client service.

display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------

NOTE
If the HWTACACS client service is enabled, go to Step 3.

The command output shows that the HWTACACS client service is not enabled. A user can be authorized through the HWTACACS server only after the HWTACACS client service is enabled in the system. Run the hwtacacs enable command to enable the HWTACACS client service.

system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit

Step 3 Check that HWTACACS is configured as the authorization-mode under the AAA authorization scheme.

Run the display authorization-scheme command to view the configuration of the AAA authorization scheme.

[~HUAWEI] display authorization-scheme
---------------------------------------------------------------------------
Vr-id Authorization-scheme-name Authorization-method
---------------------------------------------------------------------------
0 default local
0 author hwtacacs
---------------------------------------------------------------------------
Total 2, 2 printed

If the authorization-mode under the AAA authorization scheme is not configured, go to Step 4; otherwise, go to Step 5.


Step 4 Configure the authorization-mode under the AAA authorization scheme.

[~HUAWEI] aaa
[~HUAWEI-aaa] authorization-scheme author
[~HUAWEI-aaa-author-author] authorization-mode hwtacacs
[~HUAWEI-aaa-author-author] commit
[~HUAWEI-aaa-author-author] quit
[~HUAWEI-aaa] quit

Step 5 Check the IP address and port configured for the HWTACACS server in the NAS.

Run the display hwtacacs-server configuration template template-name command to view the IP address and port details.

[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------

If the IP address and port configured for the HWTACACS server in the NAS are not correct, go to Step 6; otherwise, go to Step 8.

Step 6 Configure the IP address and interface for the HWTACACS server in the NAS.

[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authorization 129.7.66.66 1813
[~HUAWEI-hwtacacs-huawei] hwtacacs-server authorization 129.7.66.67 1813 secondary
[~HUAWEI-hwtacacs-huawei] commit

Step 7 Contact Huawei technical support personnel for:
- Results of the preceding troubleshooting procedures.
- Configuration files, log files, and alarm files of the devices.

Step 8 End.

----End
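The checks in Steps 2, 3 and 5 of 1.2.3 and 1.3.3 (and Step 2 of 1.4.3) can be scripted against saved command output, which is useful when many NAS devices share one HWTACACS template. The following Python is an added example, not part of the Huawei manual: it parses constructed copies of the display hwtacacs current-status, display authentication-scheme and display hwtacacs-server configuration template outputs shown above and reports the first step whose fix applies; the expected server endpoint is an assumption supplied by the caller, since the page does not state which address the server really listens on.

```python
import re

# Constructed sample outputs, shaped like the display commands the procedure shows.
STATUS_OUTPUT = """\
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------
"""

SCHEME_OUTPUT = """\
---------------------------------------------------------------------------
Vr-id Authentication-scheme-name Authentication-method
---------------------------------------------------------------------------
0 default local
0 auth hwtacacs
---------------------------------------------------------------------------
Total 2, 2 printed
"""

TEMPLATE_OUTPUT = """\
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
-------------------------------------------------
"""


def parse_key_values(output):
    """Turn 'Key : value' lines into a dict; separator lines and blanks are skipped.
    Only the first ':' splits, so 'ip:port' values survive intact."""
    fields = {}
    for line in output.splitlines():
        if line.startswith("-") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def hwtacacs_enabled(status_output):
    """Step 2: the HWTACACS client must report 'Enabled'."""
    status = parse_key_values(status_output).get("HWTACACS service status", "")
    return status.lower() == "enabled"


def scheme_methods(scheme_output):
    """Step 3: map scheme name -> method from a display *-scheme table.
    Data rows start with the numeric Vr-id; header and 'Total' lines do not."""
    methods = {}
    for line in scheme_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            methods[parts[1]] = parts[2]
    return methods


def parse_endpoint(text):
    """Split '192.0.0.6:49' into ('192.0.0.6', 49); None if the field is unset."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", text.strip())
    return (m.group(1), int(m.group(2))) if m else None


def template_endpoint(template_output, service):
    """Step 5: the Primary <service> Server endpoint from the template output.
    `service` is 'Authentication', 'Authorization' or 'Accounting'."""
    fields = parse_key_values(template_output)
    return parse_endpoint(fields.get(f"Primary {service} Server", ""))


def triage(status_output, scheme_output, scheme_name, template_output, service, expected):
    """Run the checks of Steps 2, 3 and 5 in order and name the first step whose fix
    applies, or return 'ok'. `expected` is the (ip, port) the HWTACACS server really
    listens on; it is an assumption the operator supplies, not a value from the page."""
    if not hwtacacs_enabled(status_output):
        return "step 2: HWTACACS client is disabled, run hwtacacs enable"
    if scheme_methods(scheme_output).get(scheme_name) != "hwtacacs":
        return f"step 4: configure {service.lower()}-mode hwtacacs under scheme {scheme_name}"
    configured = template_endpoint(template_output, service)
    if configured != expected:
        return f"step 6: {service} server is {configured}, expected {expected}"
    return "ok"
```

Feed the script the real outputs captured from the device in place of the constructed strings; a mismatch between the Primary and Current server fields, which the triage does not check, is worth a second look on its own.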

    1.3.4 Relevant Alarms and Logs

    Relevant Alarms

    None.

    Relevant Logs

    None.


Figure 1-3 Troubleshooting flowchart for the fault that the user fails to do accounting through HWTACACS server

[Flowchart; only the node labels are recoverable. Start node (as labelled in the figure): User fails to authenticate through HWTACACS server. Decision nodes: Whether the client can successfully ping the server? Is HWTACACS client enabled? Is HWTACACS configured as accounting-mode under AAA accounting scheme? Is IP address and port configured for HWTACACS server in the NAS? Action nodes: Check why the ping operation fails and rectify the fault; Enable the HWTACACS client; Configure the accounting-mode under AAA accounting scheme; Configure IP address and interface for HWTACACS server in the NAS. Each action is followed by "Is the fault rectified?", leading to End on Yes. Final node: Contact Huawei technical support personnel for results, configuration files, log files, and alarm files of the devices.]

    1.4.3 Troubleshooting Procedure


NOTE

After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.

- In immediate validation mode, configurations take effect after commands are input and the Enter key is pressed.

- In two-phase validation mode, after commands are configured, the commit command needs to be run to commit the configurations.

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

Step 1 Check the network connectivity.

Run the ping command to check the network connectivity.

- If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.

- If the ping succeeds, go to Step 2.

Step 2 Check that the HWTACACS client service is enabled.

Run the display hwtacacs current-status command to view the current status of the HWTACACS client service.

display hwtacacs current-status
-------------------------------------------------
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
-------------------------------------------------

NOTE

If the HWTACACS client service is enabled, go to Step 3.

The command output shows that the HWTACACS client service is disabled. Users can do accounting through the HWTACACS server only after the HWTACACS client service is enabled in the system. Run the hwtacacs enable command to enable the HWTACACS client service.

system-view
[~HUAWEI] hwtacacs enable
[~HUAWEI] commit

Step 3 Check that HWTACACS is configured as the accounting-mode under the AAA accounting scheme.

Run the display accounting-scheme command to view the configuration of the AAA accounting scheme.

[~HUAWEI] display accounting-scheme
---------------------------------------------------------------------------
Vr-id Accounting-scheme-name Accounting-method
---------------------------------------------------------------------------
0 default none accounting
0 acct hwtacacs accounting
---------------------------------------------------------------------------
Total 2, 2 printed

If the accounting-mode under the AAA accounting scheme is not configured, go to Step 4; otherwise, go to Step 5.


Step 4 Configure the accounting-mode under the AAA accounting scheme.

[~HUAWEI] aaa
[~HUAWEI-aaa] accounting-scheme acct
[~HUAWEI-aaa-acount-acct] accounting-mode hwtacacs
[~HUAWEI-aaa-acount-acct] commit
[~HUAWEI-aaa-acount-acct] quit
[~HUAWEI-aaa] quit

Step 5 Check the IP address and port configured for the HWTACACS server in the NAS.

Run the display hwtacacs-server configuration template template-name command to view the IP address and port details.

[~HUAWEI] display hwtacacs-server configuration template huawei
-------------------------------------------------
Template Name : huawei
Template ID : 0
Primary Authentication Server : 192.0.0.6:49
Primary Authorization Server : 192.0.0.6:49
Primary Accounting Server : 192.0.0.6:49
Current Authentication Server : 192.0.0.6:49
Current Authorization Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
Source IP Address : 0.0.0.0
Shared Key : huawei
Quiet-interval (min) : 1
Response-timeout-Interval (sec): 5
Domain-included : Yes
Secondary Authen Server Count : 0
Secondary Author Server Count : 0
Secondary Account Server Count : 0
-------------------------------------------------

If the IP address and port configured for the HWTACACS server in the NAS are not correct, go to Step 6; otherwise, go to Step 8.

Step 6 Configure the IP address and interface for the HWTACACS server in the NAS.

[~HUAWEI] hwtacacs-server template huawei
[~HUAWEI-hwtacacs-huawei] hwtacacs-server accounting 129.7.66.66 1813
[~HUAWEI-hwtacacs-huawei] hwtacacs-server accounting 129.7.66.67 1813 secondary
[~HUAWEI-hwtacacs-huawei] commit

Step 7 Contact Huawei technical support personnel for:

- Results of the preceding troubleshooting procedures.

- Configuration files, log files, and alarm files of the devices.

Step 8 End.

----End

    1.4.4 Relevant Alarms and Logs

    Relevant Alarms

    None.

    Relevant Logs

    None.


1.5 User Fails to Authenticate through RADIUS Server

This section describes the step-by-step troubleshooting procedure for the fault when the user fails to authenticate through the RADIUS server.

1.5.1 Common Causes

Failure of the user to authenticate through the RADIUS server is commonly caused by one of the following:

- The route is unreachable and the user cannot set up a UDP connection with the server.

- RADIUS services are not enabled.

- RADIUS is not configured as the authentication-mode under the AAA authentication scheme.

- The IP address and port configured for the RADIUS authentication server in the NAS are not correct.

- The shared key does not match between the RADIUS server and the NAS.

1.5.2 Troubleshooting Flowchart


Figure 1-4 Troubleshooting flowchart for the fault that the user fails to authenticate through RADIUS server

[Flowchart not reproduced. Decision nodes, in order: Can the client successfully ping the server? Is the RADIUS client enabled? Is RADIUS configured as authentication-mode under the AAA authentication scheme? Are the IP address and port configured for the RADIUS server in the NAS? Each "No" leads to the matching fix (rectify the ping failure; enable the RADIUS client; configure the authentication-mode under the AAA authentication scheme; configure the IP address and interface for the RADIUS server in the NAS) followed by "Is the fault rectified?"; "Yes" ends, otherwise contact Huawei technical support personnel for results, configuration files, log files, and alarm files of the devices.]


1.5.3 Troubleshooting Procedure

NOTE

After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.

- In immediate validation mode, configurations take effect after commands are input and the Enter key is pressed.

- In two-phase validation mode, after commands are configured, the commit command needs to be run to commit the configurations.

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

Step 1 Check the network connectivity.

Run the ping command to check the network connectivity.

- If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.

- If the ping succeeds, go to Step 2.

Step 2 Check that the RADIUS client is enabled.

Run the display radius current-status command to view the current status of the RADIUS client.

display radius current-status
-----------------------------------------------------------------------------
RADIUS-Client : Disabled
Client-Identifier : HUAWEI0
Total-auth-pending-request : 0
Total-acct-pending-request : 0
-----------------------------------------------------------------------------

NOTE

If the RADIUS client is enabled, go to Step 3.

The command output shows that the RADIUS client is disabled. Users can authenticate through the RADIUS server only after the RADIUS client is enabled in the system. Run the radius enable command to enable the RADIUS client.

system-view
[~HUAWEI] radius enable
[~HUAWEI] commit

Step 3 Check that RADIUS is configured as the authentication-mode under the AAA authentication scheme.

Run the display authentication-scheme command to view the configuration of the AAA authentication scheme.

[~HUAWEI] display authentication-scheme
---------------------------------------------------------------------------
Vr-id Authentication-scheme-name Authentication-method
---------------------------------------------------------------------------
0 default local
0 radtest radius
---------------------------------------------------------------------------


If the authentication-mode under the AAA authentication scheme is not configured, go to Step 4; otherwise, go to Step 5.

Step 4 Configure the authentication-mode under the AAA authentication scheme.

[~HUAWEI] aaa
[~HUAWEI-aaa] authentication-scheme acct
[~HUAWEI-aaa-authen-auth] authentication-mode radius
[~HUAWEI-aaa-authen-auth] commit
[~HUAWEI-aaa-authen-auth] quit
[~HUAWEI-aaa] quit

Step 5 Check the IP address and port configured for the RADIUS server in the NAS.

Run the display radius-server configuration template template-name command to view the IP address and port details.

[~HUAWEI] display radius-server configuration template huawei
-----------------------------------------------------------------------------
Server-template-name : huawei
Protocol-version : standard
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 192.0.0.2-1812
Primary-accounting-server : 192.0.0.2-1813
Retransmission : 3
Domain-included : NO
Mode : Pri-secondary
Probe-interval(in minute) : 5
Test-username : huawei
-----------------------------------------------------------------------------

If the IP address and port configured for the RADIUS server in the NAS are not correct, go to Step 6; otherwise, go to Step 8.

Step 6 Configure the IP address and interface for the RADIUS server in the NAS.

[~HUAWEI] radius-server template huawei
[~HUAWEI-radius-huawei] radius-server authentication 129.7.66.66 1813
[~HUAWEI-radius-huawei] radius-server authentication 129.7.66.67 1813 secondary
[~HUAWEI-radius-huawei] commit

Step 7 Contact Huawei technical support personnel for:

- Results of the preceding troubleshooting procedures.

- Configuration files, log files, and alarm files of the devices.

Step 8 End.

----End

    1.5.4 Relevant Alarms and Logs

    Relevant Alarms

    None.

    Relevant Logs

    None.


1.6 User Fails to do Accounting through RADIUS Server

This section describes the step-by-step troubleshooting procedure for the fault when the user fails to do accounting through the RADIUS server.

1.6.1 Common Causes

Failure of the user to do accounting through the RADIUS server is commonly caused by one of the following:

- The route is unreachable and the user cannot set up a UDP connection with the server.

- RADIUS services are not enabled.

- RADIUS is not configured as the accounting-mode under the AAA accounting scheme.

- The IP address and port configured for the RADIUS accounting server in the NAS are not correct.

- The shared key does not match between the RADIUS server and the NAS.

1.6.2 Troubleshooting Flowchart


Figure 1-5 Troubleshooting flowchart for the fault that the user fails to do accounting through RADIUS server

[Flowchart not reproduced. Decision nodes, in order: Can the client successfully ping the server? Is the RADIUS client enabled? Is RADIUS configured as accounting-mode under the AAA accounting scheme? Are the IP address and port configured for the RADIUS server in the NAS? Each "No" leads to the matching fix (rectify the ping failure; enable the RADIUS client; configure the accounting-mode under the AAA accounting scheme; configure the IP address and interface for the RADIUS server in the NAS) followed by "Is the fault rectified?"; "Yes" ends, otherwise contact Huawei technical support personnel for results, configuration files, log files, and alarm files of the devices.]


1.6.3 Troubleshooting Procedure

NOTE

After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.

- In immediate validation mode, configurations take effect after commands are input and the Enter key is pressed.

- In two-phase validation mode, after commands are configured, the commit command needs to be run to commit the configurations.

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

Step 1 Check the network connectivity.

Run the ping command to check the network connectivity.

- If the ping fails, the network connection cannot be established. To locate and rectify the fault, see The Ping Operation Fails.

- If the ping succeeds, go to Step 2.

Step 2 Check that the RADIUS client is enabled.

Run the display radius current-status command to view the current status of the RADIUS client.

display radius current-status
RADIUS-Client : Disabled
Client-Identifier : HUAWEI0
Total-auth-pending-request : 0
Total-acct-pending-request : 0

NOTE

If the RADIUS client is enabled, go to Step 3.

The command output shows that the RADIUS client is disabled. Users can do accounting through the RADIUS server only after the RADIUS client is enabled in the system. Run the radius enable command to enable the RADIUS client.

system-view
[~HUAWEI] radius enable
[~HUAWEI] commit

Step 3 Check that RADIUS is configured as the accounting-mode under the AAA accounting scheme.

Run the display accounting-scheme command to view the configuration of the AAA accounting scheme.

[~HUAWEI] display accounting-scheme
---------------------------------------------------------------------------
Vr-id Accounting-scheme-name Accounting-method
---------------------------------------------------------------------------
0 default none accounting
0 acct hwtacacs accounting
0 radacct radius accounting
---------------------------------------------------------------------------
Total 3, 3 printed


If the accounting-mode under the AAA accounting scheme is not configured, go to Step 4; otherwise, go to Step 5.

Step 4 Configure the accounting-mode under the AAA accounting scheme.

[~HUAWEI] aaa
[~HUAWEI-aaa] accounting-scheme acct
[~HUAWEI-aaa-accounting-acct] accounting-mode radius
[~HUAWEI-aaa-accounting-acct] commit
[~HUAWEI-aaa-accounting-acct] quit
[~HUAWEI-aaa] quit

Step 5 Check the IP address and port configured for the RADIUS server in the NAS.

Run the display radius-server configuration template template-name command to view the IP address and port details.

[~HUAWEI] display radius-server configuration template huawei
-----------------------------------------------------------------------------
Server-template-name : huawei
Protocol-version : standard
Shared-secret-key : huawei
Timeout-interval(in second) : 5
Primary-authentication-server : 192.0.0.2-1812
Primary-accounting-server : 192.0.0.2-1813
Retransmission : 3
Domain-included : NO
Mode : Pri-secondary
Probe-interval(in minute) : 5
Test-username : huawei
-----------------------------------------------------------------------------

If the IP address and port configured for the RADIUS server in the NAS are not correct, go to Step 6; otherwise, go to Step 8.

Step 6 Configure the IP address and interface for the RADIUS server in the NAS.

[~HUAWEI] radius-server template huawei
[~HUAWEI-radius-huawei] radius-server accounting 129.7.66.66 1813
[~HUAWEI-radius-huawei] radius-server accounting 129.7.66.67 1813 secondary
[~HUAWEI-radius-huawei] commit

Step 7 Contact Huawei technical support personnel for:

- Results of the preceding troubleshooting procedures.

- Configuration files, log files, and alarm files of the devices.

Step 8 End.

----End
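The procedures in sections 1.4, 1.5 and 1.6 walk the same four checks in the same order. As an added example that is not Huawei code, the helper below parses the text of the display commands those procedures run and returns the step number to act on next; the sample outputs are constructed to match the shape shown in the manual, and the expected scheme method and server endpoint are supplied by the operator because only they know what the AAA server actually listens on.

```python
"""Triage helper for the HWTACACS and RADIUS procedures in sections 1.4 to 1.6.

Added example, not Huawei code. It parses the text printed by the procedures'
display commands and returns the flowchart step the operator should take next.
Step numbers follow the manual: 1 ping fails, 2 enable the client, 4 set the
scheme mode, 6 fix the server IP address/port, 7 escalate to support.
"""
import re

# Constructed sample outputs shaped like those in the manual (not device captures).
RADIUS_STATUS_DISABLED = """\
RADIUS-Client : Disabled
Client-Identifier : HUAWEI0
Total-auth-pending-request : 0
Total-acct-pending-request : 0
"""
RADIUS_STATUS_ENABLED = RADIUS_STATUS_DISABLED.replace("Disabled", "Enabled")

HWTACACS_STATUS = """\
HWTACACS service status : Disabled
Total templates configured : 0
Total servers configured : 0
"""

ACCOUNTING_SCHEME = """\
Vr-id Accounting-scheme-name Accounting-method
0 default none accounting
0 acct hwtacacs accounting
0 radacct radius accounting
"""

RADIUS_TEMPLATE = """\
Server-template-name : huawei
Protocol-version : standard
Shared-secret-key : huawei
Primary-authentication-server : 192.0.0.2-1812
Primary-accounting-server : 192.0.0.2-1813
"""

HWTACACS_TEMPLATE = """\
Template Name : huawei
Primary Accounting Server : 192.0.0.6:49
Current Accounting Server : 192.0.0.6:49
"""


def parse_kv(text):
    """Turn 'Key : Value' lines into a dict, splitting on the first colon only
    so that HWTACACS endpoints such as '192.0.0.6:49' keep their port."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def client_enabled(status_text, status_key):
    """True when the client/service status line reads 'Enabled'."""
    return parse_kv(status_text).get(status_key, "").lower() == "enabled"


def scheme_method(scheme_text, scheme_name):
    """Return the method column for a named scheme (e.g. 'radius accounting'),
    or None when the scheme is not listed at all."""
    for line in scheme_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == scheme_name:
            return " ".join(parts[2:])
    return None


def server_endpoint(template_text, field):
    """Parse 'ip-port' (RADIUS) or 'ip:port' (HWTACACS) into (ip, port)."""
    raw = parse_kv(template_text).get(field, "")
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})[-:](\d+)", raw)
    return (m.group(1), int(m.group(2))) if m else None


def next_step(status_text, status_key, scheme_text, scheme_name,
              expected_method, template_text, server_field,
              expected_endpoint, ping_ok=True):
    """Walk the flowchart and return the step number to act on."""
    if not ping_ok:
        return 1   # see "The Ping Operation Fails"
    if not client_enabled(status_text, status_key):
        return 2   # radius enable / hwtacacs enable
    if scheme_method(scheme_text, scheme_name) != expected_method:
        return 4   # accounting-mode / authentication-mode under the scheme
    if server_endpoint(template_text, server_field) != expected_endpoint:
        return 6   # fix the radius-server / hwtacacs-server line
    return 7       # every check passed: collect files and escalate


if __name__ == "__main__":
    step = next_step(RADIUS_STATUS_DISABLED, "RADIUS-Client",
                     ACCOUNTING_SCHEME, "radacct", "radius accounting",
                     RADIUS_TEMPLATE, "Primary-accounting-server",
                     ("192.0.0.2", 1813))
    print("Go to Step", step)
```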

    1.6.4 Relevant Alarms and Logs

    Relevant Alarms

    None.

    Relevant Logs

    None.


2 Local Attack Defense Troubleshooting

About This Chapter

2.1 Management Plane Protection Malfunctions


2.1 Management Plane Protection Malfunctions

2.1.1 Common Causes

This fault is commonly caused by an incorrect protection policy for the management plane.

2.1.2 Troubleshooting Procedure

NOTE

After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.

- In immediate validation mode, configurations take effect after commands are input and the Enter key is pressed.

- In two-phase validation mode, after commands are configured, the commit command needs to be run to commit the configurations.

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

Step 1 Check that no protocol packets are discarded.

Run the display cpu-defend ma-defend statistics [ slot slot-id ] command to view the statistics about the management plane and check whether packets of certain protocols are discarded.

- If some packets are discarded, go to Step 2.

- If no protocol packets are discarded, the security module of the device functions properly. In this situation, contact Huawei technical support personnel.

Step 2 Check that the interface-level policy for management plane protection is applied on the management interface.

Run the display this command in the management interface view to check whether the interface-level policy for management plane protection is applied on the management interface.

- If the interface-level policy is applied, run the display ma-defend interface-policy interface-policy-id command with the ID of the interface-level policy to check whether the protocol command is configured with deny, which causes the failure in sending protocol packets to the CPU.

  If deny is configured, packets cannot be sent to the CPU. If it is required to send packets to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } { permit | deny } command in the view of interface-level management plane protection to change deny to permit.

  If permit is configured, but the protocol packets still cannot be sent to the CPU, contact Huawei technical personnel.

- If the interface-level policy for management plane protection is not applied on the management interface, go to Step 3 to check whether the slot-level policy for management plane protection is applied.


Step 3 Check that the slot-level policy for management plane protection is applied on the LPU where the management interface resides.

Run the display this command in the slot view to check whether the slot-level policy for management plane protection is applied on the management interface.

- If the slot-level policy is applied, run the display ma-defend slot-policy slot-policy-id command with the ID of the slot-level policy to check whether the protocol command is configured with deny, which causes the failure in sending protocol packets to the CPU.

  If deny is configured, packets cannot be sent to the CPU. If it is required to send packets to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } permit command in the view of slot-level management plane protection to change deny to permit.

  If permit is configured, but the protocol packets still cannot be sent to the CPU, contact Huawei technical personnel.

- If the slot-level policy for management plane protection is not applied on the management interface, go to Step 4 to check whether the global policy for management plane protection is applied.

Step 4 Check that the global policy for management plane protection is applied on the management interface.

Run the display ma-defend global-policy command to check whether the global policy for management plane protection is applied on the management interface.

- If the global policy for management plane protection is applied, run the display ma-defend global-policy command to check whether the protocol command is configured with deny, which causes the failure in sending protocol packets to the CPU.

  If deny is configured, packets cannot be sent to the CPU. If it is required to send packets to the CPU, run the protocol { bgp | ftp | ldp | ospf | rip | rsvp | snmp | ssh | telnet | tftp | isis | pimsm } permit command in the view of global management plane protection to change deny to permit.

  If permit is configured, but the protocol packets still cannot be sent to the CPU, contact Huawei technical personnel.

- If the global policy for management plane protection is not applied, management plane protection is not configured at all. If management packets are still intercepted in this situation, the system is faulty. To rectify the fault, contact Huawei technical personnel.

After the preceding operations, if management packets still cannot be sent to the CPU, contact Huawei technical personnel.

----End
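Steps 2 to 4 inspect the interface-level, slot-level and global policies in that order, looking for the protocol ... deny statement that stops a protocol's packets reaching the CPU. The following is an added example, not Huawei code: it parses protocol name permit|deny lines (the command syntax quoted above) for each level and reports which policy to correct. It assumes that a protocol absent from a policy is not decided at that level and the search falls through to the next one; the manual states the order in which to look, not how the device itself resolves overlapping policies.

```python
"""Diagnostic helper for the management plane protection checks in 2.1.2.

Added example, not Huawei code. Given the `protocol <name> permit|deny` lines
of the interface-level, slot-level and global policies, it finds the first
policy (in the procedure's inspection order) that decides a protocol and maps
the result onto the procedure's outcomes. Assumption: a protocol missing from
a policy falls through to the next level; the device's real precedence rule
is not stated in the manual.
"""

MPP_PROTOCOLS = ("bgp", "ftp", "ldp", "ospf", "rip", "rsvp", "snmp",
                 "ssh", "telnet", "tftp", "isis", "pimsm")
LEVELS = ("interface", "slot", "global")   # Step 2, Step 3, Step 4


def parse_policy(text):
    """Parse 'protocol <name> permit|deny' lines into {protocol: action}.
    Other lines are ignored; an unknown protocol keyword or action raises so a
    typo is not silently read as 'not configured'."""
    actions = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "protocol":
            continue
        name, action = parts[1], parts[2]
        if name not in MPP_PROTOCOLS or action not in ("permit", "deny"):
            raise ValueError(f"unrecognised policy line: {line!r}")
        actions[name] = action
    return actions


def resolve(policies, protocol):
    """policies maps a level name to its parsed policy, or None when no policy
    is applied at that level. Returns (level, action) for the first level that
    decides the protocol, or (None, None) if none does."""
    for level in LEVELS:
        policy = policies.get(level)
        if policy and protocol in policy:
            return level, policy[protocol]
    return None, None


def diagnose(policies, protocol, packets_dropped):
    """Turn the Step 1 drop counter plus the policy state into the action the
    procedure prescribes."""
    if protocol not in MPP_PROTOCOLS:
        raise ValueError(f"{protocol!r} is not an MPP protocol keyword")
    if not packets_dropped:
        return "no drops: security module functions properly, contact support"
    level, action = resolve(policies, protocol)
    if level is None:
        return ("no policy decides this protocol yet packets are dropped: "
                "system fault, contact support")
    if action == "deny":
        return f"run 'protocol {protocol} permit' in the {level}-level policy"
    return f"{level}-level policy already permits {protocol}: contact technical personnel"


# Constructed sample policies (not captured from a device).
INTERFACE_POLICY = """\
protocol ssh deny
protocol snmp permit
"""
SLOT_POLICY = """\
protocol bgp permit
protocol telnet deny
"""
GLOBAL_POLICY = """\
protocol ssh permit
protocol telnet permit
protocol ftp deny
"""

SAMPLE = {
    "interface": parse_policy(INTERFACE_POLICY),
    "slot": parse_policy(SLOT_POLICY),
    "global": parse_policy(GLOBAL_POLICY),
}

if __name__ == "__main__":
    for proto in ("ssh", "telnet", "ftp", "bgp", "ospf"):
        print(f"{proto:7} ->", diagnose(SAMPLE, proto, packets_dropped=True))
```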


3 URPF Troubleshooting

About This Chapter

3.1 URPF Check Fails

This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that the URPF-enabled device does not discard packets as expected.


3.1 URPF Check Fails

This section describes the troubleshooting flowchart and provides a step-by-step troubleshooting procedure for the fault that the URPF-enabled device does not discard packets as expected.

3.1.1 Common Causes

This fault is commonly caused by one of the following:

- The routing table contains routes to the source addresses of the packets that should be discarded.

- The routing table contains default routes.

- The matching rules configured on the device are incorrect.

3.1.2 Troubleshooting Flowchart

A URPF-enabled device receives certain packets that it should discard, but the statistics show that no packets are discarded by URPF. In this case, follow the troubleshooting procedure shown in Figure 3-1 to isolate the problem.

The troubleshooting roadmap is as follows:

- Check whether the routing table contains default routes or routes to the source addresses of the packets that should be discarded.

- Check whether the matching rules are correct.

Figure 3-1 Troubleshooting flowchart for URPF

[Flowchart not reproduced. Start: device configured with URPF loose check does not discard packets. Decision nodes: Is there a route with the source address of the packet that should be discarded in the routing table? (Yes: delete the route entry.) Are incorrect matching rules configured? (Yes: configure correct rules.) After each fix, "Fault rectified?" leads to End on Yes; if neither check resolves the fault, seek technical support.]


3.1.3 Troubleshooting Procedure

NOTE

After commands are configured to troubleshoot faults, pay attention to the configuration validation mode to ensure that the configurations take effect. Unless otherwise specified, this manual defaults to the immediate validation mode.

- In immediate validation mode, configurations take effect after commands are input and the Enter key is pressed.

- In two-phase validation mode, after commands are configured, the commit command needs to be run to commit the configurations.

Saving the results of each troubleshooting step is recommended. If your troubleshooting fails to correct the fault, you will have a record of your actions to provide Huawei technical support personnel.

Procedure

Step 1 Check that the routing table contains no default routes and no routes to the source addresses of the packets that should be discarded.

Run the display ip routing-table command in the user view to check the Destination/Mask field in the routing table.

- If the routing table contains routes to the source addresses of packets that should be discarded, configure rules and import them into the filter to deny the packets sent along these routes. For detailed configuration, see "Routing Policy Configuration" in the HUAWEI NetEngine5000E Core Router Configuration Guide - IP Routing.

- If the routing table does not contain such routes, go to Step 2.

Step 2 Check that the configured matching rules are correct.

Run the display traffic classifier classifier-name command in the user view to check the Rule(s) field.

- If packets are incorrectly filtered based on the configured rules, correct the rules.

- If packets are correctly filtered based on the configured rules, go to Step 3.

Step 3 Collect the following information and contact Huawei technical support personnel.

- Results of the preceding troubleshooting procedures

- Configuration files, log files, and alarm files of the devices

----End
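The two routing-table causes in 3.1.1 come down to one property of a loose URPF check: it passes any packet whose source address is covered by some route, so a default route covers every source and the drop counter never moves. The following simulator is an added example, not Huawei code; it reproduces that behaviour on constructed routes and packets, and goes beyond the page by also modelling a strict check (best route must exit through the ingress interface) and a simple deny-prefix filter standing in for the classifier rules of Step 2.

```python
"""URPF check simulator for the fault in section 3.1.

Added example, not Huawei code. Loose check: pass if any route covers the
source address. Strict check (not on the page, added for contrast): the best
route must also point out of the interface the packet arrived on. A default
route therefore makes a loose check pass for every source, which is why the
procedure has the operator look for default routes and for routes to the
source addresses that should be discarded. All data below is constructed.
"""
import ipaddress


def best_route(routing_table, src):
    """Longest-prefix match of src against [(prefix, out_interface), ...].
    Returns (network, interface) or None when no route covers src."""
    addr = ipaddress.ip_address(src)
    covering = [(ipaddress.ip_network(prefix), ifc)
                for prefix, ifc in routing_table
                if addr in ipaddress.ip_network(prefix)]
    if not covering:
        return None
    return max(covering, key=lambda route: route[0].prefixlen)


def urpf_passes(routing_table, src, ingress, mode="loose"):
    """True when the URPF check lets the packet through."""
    route = best_route(routing_table, src)
    if route is None:
        return False               # no route back to the source at all
    if mode == "loose":
        return True                # any covering route, default included
    if mode == "strict":
        return route[1] == ingress  # must come in where we would send replies
    raise ValueError(f"unknown URPF mode {mode!r}")


def denied_by_rules(deny_prefixes, src):
    """Step 2 stand-in: a source matching a deny rule is filtered regardless
    of what the routing table says."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in deny_prefixes)


def discarded(routing_table, packets, mode="loose", deny_prefixes=()):
    """Return the source addresses that would be discarded; this is what the
    URPF statistics inspected by the procedure would count."""
    return [src for src, ingress in packets
            if denied_by_rules(deny_prefixes, src)
            or not urpf_passes(routing_table, src, ingress, mode)]


# Constructed sample data: a table with a default route, and the same table
# after the default route (the manual's second common cause) is removed.
TABLE_WITH_DEFAULT = [
    ("0.0.0.0/0", "GE1/0/0"),
    ("10.1.0.0/16", "GE1/0/0"),
    ("192.0.2.0/24", "GE2/0/0"),
]
TABLE_NO_DEFAULT = TABLE_WITH_DEFAULT[1:]

# (source address, ingress interface): 203.0.113.9 is the source that should
# be discarded; 192.0.2.7 arrives on an interface other than its best route.
PACKETS = [
    ("10.1.2.3", "GE1/0/0"),
    ("192.0.2.7", "GE1/0/0"),
    ("203.0.113.9", "GE1/0/0"),
]

if __name__ == "__main__":
    print("loose, default route present :", discarded(TABLE_WITH_DEFAULT, PACKETS))
    print("loose, default route removed :", discarded(TABLE_NO_DEFAULT, PACKETS))
    print("strict, default route removed:", discarded(TABLE_NO_DEFAULT, PACKETS, "strict"))
    print("loose + deny rule for source :",
          discarded(TABLE_WITH_DEFAULT, PACKETS, deny_prefixes=("203.0.113.0/24",)))
```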

    3.1.4 Relevant Alarms and Logs

    Relevant Alarms

    None


    Relevant Logs

    None
