vEdge雙向轉發檢測和資料平面連線問題故障排除

下載選項

PDF (684.0 KB)
在多種裝置上使用 Adobe Reader 檢視
ePub (228.1 KB)
在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上的各種應用程式中檢視
Mobi (Kindle) (421.5 KB)
在 Kindle 裝置或多部裝置的 Kindle 應用程式上檢視

已更新: 2022 年 9 月 28 日

文件 ID:214510

無偏見用語

本產品的文件集力求使用無偏見用語。針對本文件集的目的，無偏見係定義為未根據年齡、身心障礙、性別、種族身分、民族身分、性別傾向、社會經濟地位及交織性表示歧視的用語。由於本產品軟體使用者介面中硬式編碼的語言、根據 RFP 文件使用的語言，或引用第三方產品的語言，因此本文件中可能會出現例外狀況。深入瞭解思科如何使用包容性用語。

關於此翻譯

思科已使用電腦和人工技術翻譯本文件，讓全世界的使用者能夠以自己的語言理解支援內容。請注意，即使是最佳機器翻譯，也不如專業譯者翻譯的內容準確。Cisco Systems, Inc. 對這些翻譯的準確度概不負責，並建議一律查看原始英文文件（提供連結）。

簡介

本文檔介紹控制平面連線後的vEdge資料平面連線問題，但是站點之間沒有資料平面連線。

必要條件

需求

思科建議瞭解解Cisco Software Defined Wide Area Network (SDWAN) 決方案。

`採用元件`

本文件所述內容不限於特定軟體和硬體版本。本文檔重點介紹vEdge平台。

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除（預設）的組態來啟動。如果您的網路運作中，請確保您瞭解任何指令可能造成的影響。

對於Cisco Edge路由器(控制器模式下的Cisco IOS® XE路由器)，請閱讀。

`控制平面資訊`

`檢查控制項本機內容`

要檢查vEdge上 Wide Area Network (WAN) 介面的狀態，請使用命令show control local-properties wan-interface-list。

在此輸出中，您可以看到RFC 4787 Network Address Translation (NAT) Type。

當vEdge位於NAT裝置（防火牆、路由器等）後面時，會使用公有和私有IPv4地址、公有和私有源 User Datagram Protocol (UDP) 埠來構建資料平面隧道。

您還可以找到隧道介面的狀態、顏色和配置的最大控制連線數。

vEdge1# show control local-properties wan-interface-list NAT TYPE: E -- indicates End-point independent mapping A -- indicates Address-port dependent mapping N -- indicates Not learned Requires minimum two vbonds to learn the NAT type PUBLIC PUBLIC PRIVATE PRIVATE PRIVATE MAX RESTRICT/ LAST SPI TIME NAT VM INTERFACE IPv4 PORT IPv4 IPv6 PORT VS/VM COLOR STATE CNTRL CONTROL/ LR/LB CONNECTION REMAINING TYPE CON STUN PRF --------------------------------------------------------------------------------------------------------------------------------------------------------------- ge0/0 203.0.113.225 4501 10.19.145.2 :: 12386 1/1 gold up 2 no/yes/no No/No 7:02:55:13 0:09:02:29 N 5 ge0/1 10.20.67.10 12426 10.20.67.10 :: 12426 0/0 mpls up 2 yes/yes/no No/No 0:00:00:01 0:11:40:16 N 5

有了這些資料，您可以確定關於必須如何構建資料隧道以及形成（從路由器的角度）資料隧道時可以預期使用哪些埠的某些資訊。

`檢查控制連線`

請務必確保未形成資料平面隧道的顏色與重疊中的控制器建立控制連線。

否則，vEdge不會透過 Overlay Management Protocol (OMP)將信 Transport Locator (TLOC) 息傳送到vSmart。

您可以使用 show control connections 命令來驗證其是否正常運行，並查詢 connect 狀態。

vEdge1# show control connections PEER PEER CONTROLLER PEER PEER PEER SITE DOMAIN PEER PRIV PEER PUB GROUP TYPE PROT SYSTEM IP ID ID PRIVATE IP PORT PUBLIC IP PORT LOCAL COLOR STATE UPTIME ID -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- vsmart dtls 10.1.0.3 3 1 203.0.113.13 12446 203.0.113.13 12446 gold up 7:03:18:31 0 vbond dtls - 0 0 203.0.113.12 12346 203.0.113.12 12346 mpls connect 0 vmanage dtls 10.1.0.1 1 0 203.0.113.14 12646 203.0.113.14 12646 gold up 7:03:18:31 0

如果介面（不形成資料隧道）嘗試連線，則透過使用該顏色成功啟動控制連線來解決該問題。

或者，在tunnel interface部分下的選定介面中設定max-control-connections 0 。

vpn 0 interface ge0/1 ip address 10.20.67.10/24 tunnel-interface encapsulation ipsec color mpls restrict max-control-connections 0 no allow-service bgp allow-service dhcp allow-service dns allow-service icmp no allow-service sshd no allow-service netconf no allow-service ntp no allow-service ospf no allow-service stun ! no shutdown !

注意：有時，您可以使用no control-connections 命令來實現相同的目標。但是，該命令不會建立最大數量的控制連線。此命令自15.4版起已棄用，並且不用於較新的軟體。

`重疊管理通訊協定`

`驗證是否已從vEdge通告OMP TLOC`

無法傳送OMP TLOC，因為介面嘗試透過該顏色形成控制連線，而且無法連線到控制器。

檢查顏色（資料通道）是否將該特定顏色的TLOC傳送到vSmarts。

請使用 show omp tlocs advertised 命令檢查傳送到OMP對等體的TLOC。

範例：顏色 mpls 和 gold。沒有針對彩色mpls向vSmart傳送TLOC。

vEdge1# show omp tlocs advertised C -> chosen I -> installed Red -> redistributed Rej -> rejected L -> looped R -> resolved S -> stale Ext -> extranet Stg -> staged Inv -> invalid PUBLIC PRIVATE ADDRESS PSEUDO PUBLIC PRIVATE PUBLIC IPV6 PRIVATE IPV6 BFD FAMILY TLOC IP COLOR ENCAP FROM PEER STATUS KEY PUBLIC IP PORT PRIVATE IP PORT IPV6 PORT IPV6 PORT STATUS ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ipv4 10.1.0.5 gold ipsec 0.0.0.0 C,Red,R 1 203.0.113.225 4501 10.19.145.2 12386 :: 0 :: 0 up 10.1.0.2 mpls ipsec 10.1.0.3 C,I,R 1 10.20.67.20 12386 10.20.67.20 12386 :: 0 :: 0 down 10.1.0.2 blue ipsec 10.1.0.3 C,I,R 1 198.51.100.187 12406 10.19.146.2 12406 :: 0 :: 0 up 10.1.0.30 mpls ipsec 10.1.0.3 C,I,R 1 10.20.67.30 12346 10.20.67.30 12346 :: 0 :: 0 down 10.1.0.30 gold ipsec 10.1.0.3 C,I,R 1 192.0.2.129 12386 192.0.2.129   12386 :: 0 :: 0 up 10.1.0.4 mpls ipsec 10.1.0.3 C,I,R 1 10.20.67.40 12426 10.20.67.40 12426 :: 0 :: 0 down 10.1.0.4 gold ipsec 10.1.0.3 C,I,R 1 203.0.113.226 12386 203.0.113.226 12386 :: 0 :: 0 up

範例：顏色 mpls 和 gold。會針對兩種顏色傳送TLOC。

vEdge2# show omp tlocs advertised C -> chosen I -> installed Red -> redistributed Rej -> rejected L -> looped R -> resolved S -> stale Ext -> extranet Stg -> staged Inv -> invalid PUBLIC PRIVATE ADDRESS PSEUDO PUBLIC PRIVATE PUBLIC IPV6 PRIVATE IPV6 BFD FAMILY TLOC IP COLOR ENCAP FROM PEER STATUS KEY PUBLIC IP PORT PRIVATE IP PORT IPV6 PORT IPV6 PORT STATUS ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ipv4 10.1.0.5 gold ipsec 10.1.0.3 C,I,R 1 203.0.113.225 4501 10.19.145.2 12386 :: 0 :: 0 up 10.1.0.2 mpls ipsec 0.0.0.0 C,Red,R 1 10.20.67.20 12386 10.20.67.20 12386 :: 0 :: 0 up 10.1.0.2 blue ipsec 0.0.0.0 C,Red,R 1 198.51.100.187 12406 10.19.146.2 12406 :: 0 :: 0 up 10.1.0.30 mpls ipsec 10.1.0.3 C,I,R 1 10.20.67.30 12346 10.20.67.30 12346 :: 0 :: 0 up 10.1.0.30 gold ipsec 10.1.0.3 C,I,R 1 192.0.2.129   12386 192.0.2.129 12386 :: 0 :: 0 up 10.1.0.4 mpls ipsec 10.1.0.3 C,I,R 1 10.20.67.40 12426 10.20.67.40 12426 :: 0 :: 0 up 10.1.0.4 gold ipsec 10.1.0.3 C,I,R 1 203.0.113.226 12386 203.0.113.226 12386 :: 0 :: 0 up

注意：對於任何本地生成的控制平面資訊，「FROM PEER」欄位設定為0.0.0.0。當您尋找本機來源資訊時，請確定根據此值進行比對。

`驗證vSmart接收和通告TLOC`

TLOC現在會通告給vSmart。確認它從正確的對等體接收TLOC並將其通告給其他vEdge。

示例：vSmart接收來自10.1.0.2 vEdge1的TLOC。

vSmart1# show omp tlocs received C -> chosen I -> installed Red -> redistributed Rej -> rejected L -> looped R -> resolved S -> stale Ext -> extranet Stg -> staged Inv -> invalid PUBLIC PRIVATE ADDRESS PSEUDO PUBLIC PRIVATE PUBLIC IPV6 PRIVATE IPV6 BFD FAMILY TLOC IP COLOR ENCAP FROM PEER STATUS KEY PUBLIC IP PORT PRIVATE IP PORT IPV6 PORT IPV6 PORT STATUS ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ipv4 10.1.0.5 gold ipsec 10.1.0.5 C,I,R 1 203.0.113.225 4501 10.19.145.2 12386 :: 0 :: 0 -  10.1.0.2 mpls ipsec 10.1.0.2 C,I,R 1 10.20.67.20 12386 10.20.67.20 12386 :: 0 :: 0 -   10.1.0.2 blue ipsec 10.1.0.2 C,I,R 1 198.51.100.187 12406 10.19.146.2 12406 :: 0 :: 0 -  10.1.0.30 mpls ipsec 10.1.0.30 C,I,R 1 10.20.67.30 12346 10.20.67.30 12346 :: 0 :: 0 - 10.1.0.30 gold ipsec 10.1.0.30 C,I,R 1 192.0.2.129 12386 192.0.2.129 12386 :: 0 :: 0 - 10.1.0.4 mpls ipsec 10.1.0.4 C,I,R 1 10.20.67.40 12426 10.20.67.40 12426 :: 0 :: 0 - 10.1.0.4 gold ipsec 10.1.0.4 C,I,R 1 203.0.113.226 12386 203.0.113.226 12386 :: 0 :: 0 -

如果您未看到TLOC或在此看到任何其他代碼，請檢查以下內容：

vSmart-vIPtela-MEX# show omp tlocs received C -> chosen I -> installed Red -> redistributed Rej -> rejected L -> looped R -> resolved S -> stale Ext -> extranet Stg -> staged Inv -> invalid PUBLIC PRIVATE ADDRESS PSEUDO PUBLIC PRIVATE PUBLIC IPV6 PRIVATE IPV6 BFD FAMILY TLOC IP COLOR ENCAP FROM PEER STATUS KEY PUBLIC IP PORT PRIVATE IP PORT IPV6 PORT IPV6 PORT STATUS ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ipv4 10.1.0.5 gold ipsec 10.1.0.5 C,I,R 1 203.0.113.225 4501 10.19.145.2 12386 :: 0 :: 0 -  10.1.0.2 mpls ipsec 10.1.0.2 C,I,R 1 10.20.67.20 12386 10.20.67.20 12386 :: 0 :: 0 -   10.1.0.2 blue ipsec 10.1.0.2 Rej,R,Inv 1 198.51.100.187 12406 10.19.146.2 12406 :: 0 :: 0 -  10.1.0.30 mpls ipsec 10.1.0.30 C,I,R 1 10.20.67.30 12346 10.20.67.30 12346 :: 0 :: 0 - 10.1.0.30 gold ipsec 10.1.0.30 C,I,R 1 192.0.2.129   12386 192.0.2.129 12386 :: 0 :: 0 - 10.1.0.4 mpls ipsec 10.1.0.4 C,I,R 1 10.20.67.40 12426 10.20.67.40 12426 :: 0 :: 0 - 10.1.0.4 gold ipsec 10.1.0.4 C,I,R 1 203.0.113.226 12386 203.0.113.226 12386 :: 0 :: 0 -

確認沒有策略阻止TLOC。

show run policy control-policy - 查詢在vSmart中作為advertised 或 received 拒絕您的TLOC的任何tloc-list。

vSmart1(config-policy)# sh config policy lists tloc-list SITE20  tloc 10.1.0.2 color blue encap ipsec ! ! control-policy SDWAN  sequence 10 match tloc tloc-list SITE20 ! action reject ----> here we are rejecting the TLOC 10.1.0.2,blue,ipsec ! ! default-action accept !
apply-policy
 site-list SITE20
  control-policy SDWAN in -----> the policy is applied to control traffic coming IN the vSmart, it will filter the tlocs before adding it to the OMP table.

注意：如果TLOC為 Rejected 或 Invalid，則不會通告給其他vEdge。

確保策略在從vSmart通告時不會過濾TLOC。您可以看到vSmart上接收了TLOC，但在另一個vEdge上看不到它。

示例1：在C、I、R中具有TLOC的vSmart。

vSmart1# show omp tlocs C -> chosen I -> installed Red -> redistributed Rej -> rejected L -> looped R -> resolved S -> stale Ext -> extranet Stg -> staged Inv -> invalid PUBLIC PRIVATE ADDRESS PSEUDO PUBLIC PRIVATE PUBLIC IPV6 PRIVATE IPV6 BFD FAMILY TLOC IP COLOR ENCAP FROM PEER STATUS KEY PUBLIC IP PORT PRIVATE IP PORT IPV6 PORT IPV6 PORT STATUS ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ipv4 10.1.0.5 mpls ipsec 10.1.0.5 C,I,R 1 10.20.67.10 12406 10.20.67.10 12406 :: 0 :: 0 - 10.1.0.5 gold ipsec 10.1.0.5 C,I,R 1 203.0.113.225 4501 10.19.145.2 12386 :: 0 :: 0 -  10.1.0.2 mpls ipsec 10.1.0.2 C,I,R 1 10.20.67.20 12386 10.20.67.20 12386 :: 0 :: 0 - 10.1.0.2 blue ipsec 10.1.0.2 C,I,R 1 198.51.100.187 12426 10.19.146.2 12426 :: 0 :: 0 -  10.1.0.30 mpls ipsec 10.1.0.30 C,I,R 1 10.20.67.30 12346 10.20.67.30 12346 :: 0 :: 0 - 10.1.0.30 gold ipsec 10.1.0.30 C,I,R 1 192.0.2.129 12386 192.0.2.129  12386 :: 0 :: 0 - 10.1.0.4 mpls ipsec 10.1.0.4 C,I,R 1 10.20.67.40 12426 10.20.67.40 12426 :: 0 :: 0 - 10.1.0.4 gold ipsec 10.1.0.4 C,I,R 1 203.0.113.226 12386 203.0.113.226 12386 :: 0 :: 0 -

示例2：vEdge1無法從vEdge2的藍色中看到TLOC。它只看到MPLS TLOC。

vEdge1# show omp tlocs C -> chosen I -> installed Red -> redistributed Rej -> rejected L -> looped R -> resolved S -> stale Ext -> extranet Stg -> staged Inv -> invalid PUBLIC PRIVATE ADDRESS PSEUDO PUBLIC PRIVATE PUBLIC IPV6 PRIVATE IPV6 BFD FAMILY TLOC IP COLOR ENCAP FROM PEER STATUS KEY PUBLIC IP PORT PRIVATE IP PORT IPV6 PORT IPV6 PORT STATUS ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ipv4 10.1.0.5 mpls ipsec 0.0.0.0 C,Red,R 1 10.20.67.10 12406 10.20.67.10 12406 :: 0 :: 0 up 10.1.0.5 gold ipsec 0.0.0.0 C,Red,R 1 203.0.113.225 4501 10.19.145.2 12386 :: 0 :: 0 up  10.1.0.2 mpls ipsec 10.1.0.3 C,I,R 1 10.20.67.20 12386 10.20.67.20 12386 :: 0 :: 0 up  10.1.0.30 mpls ipsec 10.1.0.3 C,I,R 1 10.20.67.30 12346 10.20.67.30 12346 :: 0 :: 0 up 10.1.0.30 gold ipsec 10.1.0.3 C,I,R 1 192.0.2.129 12386 192.0.2.129 12386 :: 0 :: 0 up 10.1.0.4 mpls ipsec 10.1.0.3 C,I,R 1 10.20.67.40 12426 10.20.67.40 12426 :: 0 :: 0 up 10.1.0.4 gold ipsec 10.1.0.3 C,I,R 1 203.0.113.226 12386 203.0.113.226 12386 :: 0 :: 0 up

當您檢查策略時，可以看到TLOC未出現在vEdge1上的原因。

vSmart1# show running-config policy policy lists tloc-list SITE20  tloc 10.1.0.2 color blue encap ipsec ! site-list SITE10 site-id 10 ! ! control-policy SDWAN sequence 10 match tloc  tloc-list SITE20 ! action reject ! ! default-action accept !
apply-policy
 site-list SITE10
  control-policy SDWAN out
 !
!

`雙向轉發檢測`

`瞭解show bfd sessions命令`

以下是輸出中要尋找的關鍵內容：

vEdge-2# show bfd sessions SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10.1.0.5 10 down blue gold 10.19.146.2 203.0.113.225 4501 ipsec 7 1000 NA 7  10.1.0.30 30 up blue gold 10.19.146.2 192.0.2.129 12386 ipsec 7 1000 0:00:00:22 2 10.1.0.4 40 up blue gold 10.19.146.2 203.0.113.226 12386 ipsec 7 1000 0:00:00:22 1 
10.1.0.4         40       up          mpls             mpls             10.20.67.10                     10.20.67.40                     12426       ipsec  7           1000           0:00:10:11      0

 SYSTEM IP：對等體system-ip
 SOURCE and REMOTE TLOC COLOR：這對於瞭解預期接收和傳送的TLOC非常有用。
 SOURCE IP：它是來 private 源IP。如果您位於NAT之後，則此資訊會顯示在這裡(使用 show control local-properties <wan-interface-list可顯示出來)。
 DST PUBLIC IP：無論隧道是否位於NAT之後，vEdge都會使用它來形成 Data Plane 隧道。(例如：直接連線到Internet的vEdge或 Multi-Protocol Label Switching (MPLS) 鏈路)
 DST PUBLIC PORT vEdge使用的公共NAT埠，用於形成到遠端vEdge的 Data Plane 隧道。
 TRANSITIONS：BFD會話將其狀態從 NA 更改為 UP 的次數，反之亦然。

`命令show tunnel statistics`

show tunnel statistics 可以顯示有關資料平面隧道的資訊。您可以確定是否為vEdge之間的特定IPSEC隧道傳送或接收資料包。

這有助於您瞭解資料包是否到達每一端，並隔離節點之間的連線問題。

在本例中，當多次運行該命令時，您可在tx-pkts 或 rx-pkts中看到增量或不增加。

提示：如果tx-pkts的計數器增加，您就向對等體傳輸資料。如果您的rx-pkts沒有增加，則表示沒有從您的對等體接收資料。在這種情況下，請檢查另一端，並確認tx-pkts是否增加。

 TCP vEdge2# show tunnel statistics 

TUNNEL SOURCE DEST TUNNEL MSS PROTOCOL SOURCE IP DEST IP PORT PORT SYSTEM IP LOCAL COLOR REMOTE COLOR MTU tx-pkts tx-octets rx-pkts rx-octets ADJUST --------------------------------------------------------------------------------------------------------------------------------------------------------------- ipsec 172.16.16.147 10.88.244.181 12386 12406 10.1.0.5 public-internet default 1441 38282 5904968 38276 6440071 1361 ipsec 172.16.16.147 10.152.201.104 12386 63364 10.1.0.0 public-internet default 1441 33421 5158814 33416 5623178 1361 ipsec 172.16.16.147 10.152.204.31 12386 58851 10.1.0.7 public-internet public-internet 1441 12746 1975022 12744 2151926 1361 ipsec 172.24.90.129 10.88.244.181 12426 12406 10.1.0.5 biz-internet default 1441 38293 5906238 38288 6454580 1361 ipsec 172.24.90.129 10.152.201.104 12426 63364 10.1.0.0 biz-internet default 1441 33415 5157914 33404 5621168 1361 ipsec 172.24.90.129 10.152.204.31 12426 58851 10.1.0.7 biz-internet public-internet 1441 12750 1975622 12747 2152446 1361 

TUNNEL                                   SOURCE  DEST                                                  TUNNEL                                          MSS     
PROTOCOL  SOURCE IP      DEST IP         PORT    PORT   SYSTEM IP    LOCAL COLOR      REMOTE COLOR     MTU     tx-pkts  tx-octets  rx-pkts  rx-octets  ADJUST  
---------------------------------------------------------------------------------------------------------------------------------------------------------------
ipsec     172.16.16.147  10.88.244.181   12386   12406  10.1.0.5     public-internet  default          1441    39028    6020779    39022    6566326    1361    
ipsec     172.16.16.147  10.152.201.104  12386   63364  10.1.0.0  public-internet  default          1441    34167    5274625    34162    5749433    1361    
ipsec     172.16.16.147  10.152.204.31   12386   58851  10.1.0.7     public-internet  public-internet  1441    13489    2089069    13487    2276382    1361    
ipsec     172.24.90.129  10.88.244.181   12426   12406  10.1.0.5     biz-internet     default          1441    39039    6022049    39034    6580835    1361    
ipsec     172.24.90.129  10.152.201.104  12426   63364  10.1.0.0  biz-internet     default          1441    34161    5273725    34149    5747259    1361    
ipsec     172.24.90.129  10.152.204.31   12426   58851  10.1.0.7     biz-internet     public-internet  1441    13493    2089669    13490    2276902    1361

另一個有用命令是 show tunnel statistics bfd 可用於檢查特定資料平面隧道內傳送和接收的BFD資料包的數量：

vEdge1# show tunnel statistics bfd BFD BFD BFD BFD BFD BFD PMTU PMTU PMTU PMTU TUNNEL SOURCE DEST ECHO TX ECHO RX BFD ECHO BFD ECHO TX RX TX RX PROTOCOL SOURCE IP DEST IP PORT PORT PKTS PKTS TX OCTETS RX OCTETS PKTS PKTS OCTETS OCTETS --------------------------------------------------------------------------------------------------------------------------- ipsec 192.168.109.4 192.168.109.5 4500 4500 0 0 0 0 0 0 0 0 ipsec 192.168.109.4 192.168.109.5 12346 12366 1112255 1112253 186302716 186302381 487 487 395939 397783 ipsec 192.168.109.4 192.168.109.7 12346 12346 1112254 1112252 186302552 186302210 487 487 395939 397783 ipsec 192.168.109.4 192.168.110.5 12346 12366 1112255 1112253 186302716 186302381 487 487 395939 397783

`存取清單`

在檢視 show bfd sessions 輸出後，訪問清單是必要而有用的步驟。

現在已知專用、公共IP和埠，您可以建立 Access Control List (ACL) 來與SRC_PORT、DST_PORT、SRC_IP、DST_IP匹配。

這有助於驗證已傳送和已接收的BFD消息。

您可以在此處找到ACL設定的範例：

policy access-list checkbfd-out sequence 10 match source-ip 192.168.0.92/32 destination-ip 198.51.100.187/32 source-port 12426 destination-port 12426 ! action accept count bfd-out-to-dc1-from-br1 ! !
 default-action accept
 !
 access-list checkbfd-in sequence 20 match source-ip 198.51.100.187/32 destination-ip 192.168.0.92/32 source-port 12426 destination-port 12426 ! action accept count bfd-in-from-dc1-to-br1 ! ! default-action accept !
vpn 0
 interface ge0/0
 access-list checkbfd-in in
 access-list checkbfd-out out
 !
 !
!

在本例中，此ACL使用兩個序列。序列10匹配從此vEdge傳送到對等體的BFD消息。序列20則相反。

它與源(Private)埠和目標(Public)埠匹配。如果vEdge使用NAT，請確保檢查正確的源埠和目標埠。

若要檢查每個序列計數器的命中，請發出 show policy access-list counters <access-list name>

vEdge1# show policy access-list-counters NAME COUNTER NAME PACKETS BYTES ----------------------------------------------------- checkbfd bfd-out-to-dc1-from-br1 10 2048 bfd-in-from-dc1-to-br1 0 0

`網路地址轉換`

`如何使用工具stun-client檢測NAT對映和過濾器。`

如果您已經完成所有步驟並且您正在執行NAT，則下一步是確定 UDP NAT Traversal (RFC 4787) Map and Filter 行為。

此工具用於在vEdge位於NAT裝置後面時發現本地vEdge外部IP地址。

此命令獲取裝置的埠對映，並選擇性地發現本地裝置和伺服器（公共伺服器：示例google stun伺服器）之間有關NAT的屬性。

註：有關更多詳細資訊，請訪問：Docs Viptela - STUN客戶端

vEdge1# tools stun-client vpn 0 options "--mode full --localaddr 192.168.12.100 12386 --verbosity 2 stun.l.google.com 19302" stunclient --mode full --localaddr 192.168.12.100 stun.l.google.com in VPN 0 Binding test: success
Local address: 192.168.12.100:12386
Mapped address: 203.0.113.225:4501
Behavior test: success
Nat behavior: Address Dependent Mapping
Filtering test: success
Nat filtering: Address and Port Dependent Filtering

在較新版本的軟體中，語法可能會有些不同：

vEdge1# tools stun-client vpn 0 options "--mode full --localaddr 192.168.12.100 --localport 12386 --verbosity 2 stun.l.google.com 19302"

在本示例中，您使用與Google STUN伺服器12386接的UDP源埠執行完整的NAT檢測測試。

此命令的輸出為您提供了NAT行為以及基於RFC 4787的NAT過濾器型別。

注意：使用 tools stun時，請記得在隧道介面中允許STUN服務，否則它將不起作用。請使用 allow-service stun 以允許stun資料通過。

vEdge1# show running-config vpn 0 interface ge0/0 vpn 0 interface ge0/0 ip address 10.19.145.2/30 ! tunnel-interface encapsulation ipsec color gold max-control-connections 1 no allow-service bgp allow-service dhcp allow-service dns no allow-service icmp no allow-service sshd no allow-service netconf no allow-service ntp no allow-service ospf  allow-service stun ! no shutdown ! !

這顯示了STUN術語（全錐NAT）與RFC 4787（UDP的NAT行為）之間的對映。

`CLI中使用的資料平面隧道支援的NAT型別「傳送」`

在大多數情況下，您的公共顏色（如企業Internet或公共Internet）可以直接連線到Internet。

在其他情況下，vEdge WAN介面和實際的Internet服務提供商後方有一個NAT裝置。

透過這種方式，vEdge可以具有私有IP，而其它裝置（路由器、防火牆等）可以是具有面向公有IP地址的裝置。

如果NAT型別不正確，則可能是禁止形成資料平面隧道的最常見原因之一。以下是受支援的NAT型別。

`防火牆`

如果您已檢查NAT及其不在不支援的源和目標型別中，則防火牆可能會阻止用於形成 Data Plane 隧道的埠。

確保為資料平面連線在防火牆中打開以下埠： vEdge to vEdge Data Plane：

UDP12346到13156

對於從vEdge到控制器的控制連線：

UDP12346到13156

TCP 23456到24156

確保打開這些埠，以便成功連線資料平面隧道。

當您檢查用於資料平面隧道的源埠和目標埠時，可以使用 show tunnel statistics 或 show bfd sessions | tab 但不能使用 show bfd sessions。

它不會顯示任何來源連線埠，僅顯示目的地連線埠，如下所示：

vEdge1# show bfd sessions SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 192.168.30.105 50 up biz-internet biz-internet 192.168.109.181 192.168.109.182 12346 ipsec 7 1000 1:21:28:05 10 192.168.30.105 50 up private1 private1 192.168.110.181 192.168.110.182 12346 ipsec 7 1000 1:21:26:13 2 vEdge1# show bfd sessions | tab SRC DST SITE DETECT TX SRC IP DST IP PROTO PORT PORT SYSTEM IP ID LOCAL COLOR COLOR STATE MULTIPLIER INTERVAL UPTIME TRANSITIONS --------------------------------------------------------------------------------------------------------------------------------------------------------------- 192.168.109.181 192.168.109.182 ipsec 12346 12346 192.168.30.105 50 biz-internet biz-internet up 7 1000 1:21:28:05 10 192.168.110.181 192.168.110.182 ipsec 12346 12346 192.168.30.105 50 private1 private1 up 7 1000 1:21:26:13 2

註：有關SD-WAN防火牆埠的詳細資訊，請參閱此處。

`安全性`

如果您注意到ACL計數器增加了入站和出站，請檢查幾個迭代 show system statistics diff and ensure there are no drops.

vEdge1# show policy access-list-counters NAME COUNTER NAME PACKETS BYTES ----------------------------------------------------- checkbfd bfd-out-to-dc1-from-br1 55 9405   bfd-in-from-dc1-to-br1 54 8478

rx_replay_integrity_drops 在此輸出中，會隨著 show system statistics diff command.

vEdge1#show system statistics diff 

 rx_pkts : 5741427 
 ip_fwd : 5952166 
 ip_fwd_arp : 3 
 ip_fwd_to_egress : 2965437 
 ip_fwd_null_mcast_group : 26 
 ip_fwd_null_nhop : 86846 
 ip_fwd_to_cpu : 1413393 
 ip_fwd_from_cpu_non_local : 15 
 ip_fwd_rx_ipsec : 1586149 
 ip_fwd_mcast_pkts : 26 
 rx_bcast : 23957 
 rx_mcast : 304 
 rx_mcast_link_local : 240 
 rx_implicit_acl_drops : 12832 
 rx_ipsec_decap : 21 
 rx_spi_ipsec_drops : 16 
 rx_replay_integrity_drops : 1586035 
 port_disabled_rx : 2 
 rx_invalid_qtags : 212700 
 rx_non_ip_drops : 1038073 
 pko_wred_drops : 3 
 bfd_tx_record_changed : 23 
 rx_arp_non_local_drops : 19893 
 rx_arp_reqs : 294 
 rx_arp_replies : 34330 
 arp_add_fail : 263 
 tx_pkts : 4565384 
 tx_mcast : 34406 
 port_disabled_tx : 3 
 tx_ipsec_pkts : 1553753 
 tx_ipsec_encap : 1553753 
 tx_pre_ipsec_pkts : 1553753 
 tx_pre_ipsec_encap : 1553753 
 tx_arp_replies : 377 
 tx_arp_reqs : 34337 
 tx_arp_req_fail : 2 
 bfd_tx_pkts : 1553675 
 bfd_rx_pkts : 21 
 bfd_tx_octets : 264373160 
 bfd_rx_octets : 3600 
 bfd_pmtu_tx_pkts : 78 
 bfd_pmtu_tx_octets : 53052 
 rx_icmp_echo_requests : 48 
 rx_icmp_network_unreach : 75465 
 rx_icmp_other_types : 47 
 tx_icmp_echo_requests : 49655 
 tx_icmp_echo_replies : 48 
 tx_icmp_network_unreach : 86849 
 tx_icmp_other_types : 7 
vEdge1# show system statistics diff

 rx_pkts : 151 
 ip_fwd : 157 
 ip_fwd_to_egress : 75 
 ip_fwd_null_nhop : 3 
 ip_fwd_to_cpu : 43 
 ip_fwd_rx_ipsec : 41 
 rx_bcast : 1 
 rx_replay_integrity_drops : 41 
 rx_invalid_qtags : 7 
 rx_non_ip_drops : 21 
 rx_arp_non_local_drops : 2 
 tx_pkts : 114 
 tx_ipsec_pkts : 40 
 tx_ipsec_encap : 40 
 tx_pre_ipsec_pkts : 40 
 tx_pre_ipsec_encap : 40 
 tx_arp_reqs : 1 
 bfd_tx_pkts : 40 
 bfd_tx_octets : 6800 
 tx_icmp_echo_requests : 1 
vEdge1# show system statistics diff

 rx_pkts : 126 
 ip_fwd : 125 
 ip_fwd_to_egress : 58 
 ip_fwd_null_nhop : 3 
 ip_fwd_to_cpu : 33 
 ip_fwd_rx_ipsec : 36 
 rx_bcast : 1 
 rx_implicit_acl_drops : 1 
 rx_replay_integrity_drops : 35 
 rx_invalid_qtags : 6 
 rx_non_ip_drops : 22 
 rx_arp_replies : 1 
 tx_pkts : 97 
 tx_mcast : 1 
 tx_ipsec_pkts : 31 
 tx_ipsec_encap : 31 
 tx_pre_ipsec_pkts : 31 
 tx_pre_ipsec_encap : 31 
 bfd_tx_pkts : 32 
 bfd_tx_octets : 5442 
 rx_icmp_network_unreach : 3 
 tx_icmp_echo_requests : 1 
 tx_icmp_network_unreach : 3 
vEdge1# show system statistics diff

 rx_pkts : 82 
 ip_fwd : 89 
 ip_fwd_to_egress : 45 
 ip_fwd_null_nhop : 3 
 ip_fwd_to_cpu : 24 
 ip_fwd_rx_ipsec : 22 
 rx_bcast : 1 
 rx_implicit_acl_drops : 1 
 rx_replay_integrity_drops : 24 
 rx_invalid_qtags : 2 
 rx_non_ip_drops : 14 
 rx_arp_replies : 1 
 tx_pkts : 62 
 tx_mcast : 1 
 tx_ipsec_pkts : 24 
 tx_ipsec_encap : 24 
 tx_pre_ipsec_pkts : 24 
 tx_pre_ipsec_encap : 24 
 tx_arp_reqs : 1 
 bfd_tx_pkts : 23 
 bfd_tx_octets : 3908 
 rx_icmp_network_unreach : 3 
 tx_icmp_echo_requests : 1 
 tx_icmp_network_unreach : 3 
vEdge1# show system statistics diff

 rx_pkts : 80 
 ip_fwd : 84 
 ip_fwd_to_egress : 39 
 ip_fwd_to_cpu : 20 
 ip_fwd_rx_ipsec : 24 
 rx_replay_integrity_drops : 22 
 rx_invalid_qtags : 3 
 rx_non_ip_drops : 12 
 tx_pkts : 66 
 tx_ipsec_pkts : 21 
 tx_ipsec_encap : 21 
 tx_pre_ipsec_pkts : 21 
 tx_pre_ipsec_encap : 21 
 bfd_tx_pkts : 21 
 bfd_tx_octets : 3571

首先，在vEdge上執行request security ipsec-rekey 操作。然後，請檢視show system statistics diff 的幾遍迭代，看是否仍能看到rx_replay_integrity_drops。

如果是，請檢查您的安全性設定。

vEdge1# show running-config security  security
 ipsec
 authentication-type sha1-hmac ah-sha1-hmac
 !
!

`DSCP標籤流量的ISP問題`

預設情況下，從vEdge路由器到控制器的所有控制和管理流量透過DTLS或TLS連線進行傳輸，並使用DSCP值CS6（48個十進位制）進行標籤。

對於資料位置隧道流量，vEdge路由器使用IPsec或GRE封裝相互傳送資料流量。

為了進行資料平面故障檢測和效能測量，路由器會定期相互傳送BFD資料包。

這些BFD資料包還使用DSCP值CS6（48個十進位制）進行標籤。

從ISP的角度來看，此類流量也被視為具有DSCP值CS6的UDP流量，因為vEdge路由器和SD-WAN控制器會預設複製標籤到外部IP報頭的DSCP。

以下是tcpdump在傳輸ISP路由器上運行時的外觀：

14:27:15.993766 IP (tos 0xc0, ttl 64, id 44063, offset 0, flags [DF], proto UDP (17), length 168) 192.168.109.5.12366 > 192.168.20.2.12346: [udp sum ok] UDP, length 140 14:27:16.014900 IP (tos 0xc0, ttl 63, id 587, offset 0, flags [DF], proto UDP (17), length 139) 192.168.20.2.12346 > 192.168.109.5.12366: [udp sum ok] UDP, length 111 14:27:16.534117 IP (tos 0xc0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 157) 192.168.109.5.12366 > 192.168.110.6.12346: [no cksum] UDP, length 129 14:27:16.534289 IP (tos 0xc0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 150) 192.168.110.6.12346 > 192.168.109.5.12366: [no cksum] UDP, length 122

如圖所示，所有資料包都使用TOS位元組0xc0（也稱為DS欄位）進行標籤(即十進製為192，二進製為110 000 00。

前6個高位對應於十進位制的DSCP位值48或CS6)。

輸出中的前2個資料包對應於控制平面隧道，剩下的2個資料包對應於資料平面隧道流量。

根據封包長度和TOS標籤，它可以高把握地斷定是BFD封包（RX和TX方向）。這些資料包也使用CS6進行標籤。

有時，某些服務提供商（尤其是MPLS L3 VPN/MPLS L2 VPN服務提供商）維護不同的SLA，並且可以根據DSCP標籤以不同方式處理不同類別的流量。

例如，如果您有高級服務，可以對DSCP EF和CS6語音和信令流量進行優先排序。

由於幾乎總是會管制優先順序流量，即使未超過上行鏈路的總頻寬，因此可以看到這種型別的流量資料包丟失，因此BFD會話也可能出現擺動。

在某些情況下，如果服務提供商路由器上的專用優先順序隊列被耗盡，您不會看到正常資料流的任何丟棄(例如，當您從vEdge路由器運行簡單ping時)。

這是因為此類流量標示為預設DSCP值0，如此處所示（TOS位元組）：

15:49:22.268044 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 142) 192.168.110.5.12366 > 192.168.109.7.12346: [no cksum] UDP, length 114 15:49:22.272919 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 142) 192.168.110.5.12366 > 192.168.109.7.12346: [no cksum] UDP, length 114 15:49:22.277660 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 142) 192.168.110.5.12366 > 192.168.109.7.12346: [no cksum] UDP, length 114 15:49:22.314821 IP (tos 0x0, ttl 62, id 0, offset 0, flags [DF], proto UDP (17), length 142) 192.168.110.5.12366 > 192.168.109.7.12346: [no cksum] UDP, length 114

但同時，您的BFD會話抖動：

show bfd history DST PUBLIC DST PUBLIC RX TX SYSTEM IP SITE ID COLOR STATE IP PORT ENCAP TIME PKTS PKTS DEL --------------------------------------------------------------------------------------------------------------------------------------- 192.168.30.4 13 public-internet up 192.168.109.4 12346 ipsec 2019-05-01T03:54:23+0200 127 135 0 192.168.30.4 13 public-internet up 192.168.109.4 12346 ipsec 2019-05-01T03:54:23+0200 127 135 0 192.168.30.4 13 public-internet down 192.168.109.4 12346 ipsec 2019-05-01T03:55:28+0200 140 159 0 192.168.30.4 13 public-internet down 192.168.109.4 12346 ipsec 2019-05-01T03:55:28+0200 140 159 0 192.168.30.4 13 public-internet up 192.168.109.4 12346 ipsec 2019-05-01T03:55:40+0200 361 388 0 192.168.30.4 13 public-internet up 192.168.109.4 12346 ipsec 2019-05-01T03:55:40+0200 361 388 0 192.168.30.4 13 public-internet down 192.168.109.4 12346 ipsec 2019-05-01T03:57:38+0200 368 421 0 192.168.30.4 13 public-internet down 192.168.109.4 12346 ipsec 2019-05-01T03:57:38+0200 368 421 0 192.168.30.4 13 public-internet up 192.168.109.4 12346 ipsec 2019-05-01T03:58:05+0200 415 470 0 192.168.30.6 13 public-internet up 192.168.109.4 12346 ipsec 2019-05-01T03:58:05+0200 415 470 0 192.168.30.6 13 public-internet down 192.168.109.4 12346 ipsec 2019-05-01T03:58:25+0200 464063 464412 0

此處，nping可用於排除故障：

vedge2# tools nping vpn 0 options "--tos 0x0c --icmp --icmp-type echo --delay 200ms -c 100 -q" 192.168.109.7 Nping in VPN 0 Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2019-05-07 15:58 CEST Max rtt: 200.305ms | Min rtt: 0.024ms | Avg rtt: 151.524ms Raw packets sent: 100 (2.800KB) | Rcvd: 99 (4.554KB) | Lost: 1 (1.00%) Nping done: 1 IP address pinged in 19.83 seconds

`調試BFD`

如果需要更深入的調查，請在vEdge路由器上運行BFD調試。

轉發流量管理器(FTM)負責vEdge路由器上的BFD操作，因此您需要 debug ftm bfd。

所有調試輸出都儲存在 /var/log/tmplog/vdebug 檔案中，如果您希望控制檯上出現這些消息(類似於Cisco IOS行terminal monitor 為)，則可以使用monitor start /var/log/tmplog/vdebug。

若要停止記錄，您可以使用 monitor stop /var/log/tmplog/vdebug

以下是輸出查詢由於超時而關閉的BFD會話的方式(IP地址為192.168.110.6的遠端TLOC無法再訪問)：

log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_state[1008]: BFD-session TNL 192.168.110.5:12366->192.168.110.6:12346,l-tloc(32771)->r-tloc(32772),TLOC 192.168.30.5:biz-internet->192.168.30.6:public-internet IPSEC: BFD Session STATE update, New_State :- DOWN, Reason :- LOCAL_TIMEOUT_DETECT Observed latency :- 7924, bfd_record_index :- 8, Hello timer :- 1000, Detect Multiplier :- 7 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_proc_tunnel_public_tloc_msg[252]: tun_rec_index 13 tloc_index 32772 public tloc 0.0.0.0/0 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_increment_wanif_bfd_flap[2427]: BFD-session TNL 192.168.110.5:12366->192.168.110.6:12346, : Increment the WAN interface counters by 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_state[1119]: BFD-session TNL 192.168.110.5:12366->192.168.110.6:12346,l-tloc(32771)->r-tloc(32772),TLOC 192.168.30.5:biz-internet->192.168.30.6:public-internet IPSEC BFD session history update, old state 3 new state 1 current flap count 1 prev_index 1 current 2 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1140]: Attempting to add TLOC : from_ttm 0 origin remote tloc-index 32772 pub 192.168.110.6:12346 pub v6 :::0 system_ip 192.168.30.6 color 5 spi 333 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_set_del_marker_internal[852]: (32771:32772) proto 50 src 192.168.110.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_set_del_marker_internal[852]: (32770:32772) proto 50 src 192.168.109.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_create[238]: Attempting BFD session creation. Remote-tloc: tloc-index 32772, system-ip 192.168.30.6, color 5 encap 2from local WAN Interface ge0_0 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_clear_delete_marker[828]: (32771:32772) proto 50 src 192.168.110.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_create[238]: Attempting BFD session creation. Remote-tloc: tloc-index 32772, system-ip 192.168.30.6, color 5 encap 2from local WAN Interface ge0_1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_clear_delete_marker[828]: (32770:32772) proto 50 src 192.168.109.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_sa[1207]: BFD-session TNL 192.168.110.5:12366->192.168.110.6:12346,l-tloc(32771)->r-tloc(32772),TLOC 192.168.30.5:biz-internet->192.168.30.6:public-internet IPSEC: session sa index changed from 484 to 484 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1653]: BFD (32771:32772) src 192.168.110.5:12366 dst 192.168.110.6:12346 record index 8 ref-count 1 sa-idx 484 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_sa[1207]: BFD-session TNL 192.168.109.5:12366->192.168.110.6:12346,l-tloc(32770)->r-tloc(32772),TLOC 192.168.30.5:public-internet->192.168.30.6:public-internet IPSEC: session sa index changed from 485 to 485 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1653]: BFD (32770:32772) src 192.168.109.5:12366 dst 192.168.110.6:12346 record index 9 ref-count 1 sa-idx 485 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_state[1008]: BFD-session TNL 192.168.109.5:12366->192.168.110.6:12346,l-tloc(32770)->r-tloc(32772),TLOC 192.168.30.5:public-internet->192.168.30.6:public-internet IPSEC: BFD Session STATE update, New_State :- DOWN, Reason :- LOCAL_TIMEOUT_DETECT Observed latency :- 7924, bfd_record_index :- 9, Hello timer :- 1000, Detect Multiplier :- 7 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_proc_tunnel_public_tloc_msg[252]: tun_rec_index 14 tloc_index 32772 public tloc 0.0.0.0/0 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_increment_wanif_bfd_flap[2427]: BFD-session TNL 192.168.109.5:12366->192.168.110.6:12346, : Increment the WAN interface counters by 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_state[1119]: BFD-session TNL 192.168.109.5:12366->192.168.110.6:12346,l-tloc(32770)->r-tloc(32772),TLOC 192.168.30.5:public-internet->192.168.30.6:public-internet IPSEC BFD session history update, old state 3 new state 1 current flap count 1 prev_index 1 current 2 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1140]: Attempting to add TLOC : from_ttm 0 origin remote tloc-index 32772 pub 192.168.110.6:12346 pub v6 :::0 system_ip 192.168.30.6 color 5 spi 333 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_set_del_marker_internal[852]: (32771:32772) proto 50 src 192.168.110.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_set_del_marker_internal[852]: (32770:32772) proto 50 src 192.168.109.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_create[238]: Attempting BFD session creation. Remote-tloc: tloc-index 32772, system-ip 192.168.30.6, color 5 encap 2from local WAN Interface ge0_0 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_clear_delete_marker[828]: (32771:32772) proto 50 src 192.168.110.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_create[238]: Attempting BFD session creation. Remote-tloc: tloc-index 32772, system-ip 192.168.30.6, color 5 encap 2from local WAN Interface ge0_1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_clear_delete_marker[828]: (32770:32772) proto 50 src 192.168.109.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_sa[1207]: BFD-session TNL 192.168.110.5:12366->192.168.110.6:12346,l-tloc(32771)->r-tloc(32772),TLOC 192.168.30.5:biz-internet->192.168.30.6:public-internet IPSEC: session sa index changed from 484 to 484 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1653]: BFD (32771:32772) src 192.168.110.5:12366 dst 192.168.110.6:12346 record index 8 ref-count 1 sa-idx 484 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_sa[1207]: BFD-session TNL 192.168.109.5:12366->192.168.110.6:12346,l-tloc(32770)->r-tloc(32772),TLOC 192.168.30.5:public-internet->192.168.30.6:public-internet IPSEC: session sa index changed from 485 to 485 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1653]: BFD (32770:32772) src 192.168.109.5:12366 dst 192.168.110.6:12346 record index 9 ref-count 1 sa-idx 485 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_send_bfd_msg[499]: Sending BFD notification Down notification to TLOC id 32772 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1140]: Attempting to add TLOC : from_ttm 1 origin remote tloc-index 32772 pub 192.168.110.6:12346 pub v6 :::0 system_ip 192.168.30.6 color 5 spi 333 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_set_del_marker_internal[852]: (32771:32772) proto 50 src 192.168.110.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_set_del_marker_internal[852]: (32770:32772) proto 50 src 192.168.109.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1285]: UPDATE local tloc log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_create[238]: Attempting BFD session creation. Remote-tloc: tloc-index 32772, system-ip 192.168.30.6, color 5 encap 2from local WAN Interface ge0_0 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_clear_delete_marker[828]: (32771:32772) proto 50 src 192.168.110.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_create[238]: Attempting BFD session creation. Remote-tloc: tloc-index 32772, system-ip 192.168.30.6, color 5 encap 2from local WAN Interface ge0_1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_clear_delete_marker[828]: (32770:32772) proto 50 src 192.168.109.5:12366 dst 192.168.110.6:12346 ref_count 1 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_sa[1207]: BFD-session TNL 192.168.110.5:12366->192.168.110.6:12346,l-tloc(32771)->r-tloc(32772),TLOC 192.168.30.5:biz-internet->192.168.30.6:public-internet IPSEC: session sa index changed from 484 to 484 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1653]: BFD (32771:32772) src 192.168.110.5:12366 dst 192.168.110.6:12346 record index 8 ref-count 1 sa-idx 484 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: bfdmgr_session_update_sa[1207]: BFD-session TNL 192.168.109.5:12366->192.168.110.6:12346,l-tloc(32770)->r-tloc(32772),TLOC 192.168.30.5:public-internet->192.168.30.6:public-internet IPSEC: session sa index changed from 485 to 485 log:local7.debug: May 7 16:23:09 vedge2 FTMD[674]: ftm_tloc_add[1653]: BFD (32770:32772) src 192.168.109.5:12366 dst 192.168.110.6:12346 record index 9 ref-count 1 sa-idx 485 log:local7.info: May 7 16:23:09 vedge2 FTMD[674]: %Viptela-vedge2-ftmd-6-INFO-1400002: Notification: 5/7/2019 14:23:9 bfd-state-change severity-level:major host-name:"vedge2" system-ip:192.168.30.5 src-ip:192.168.110.5 dst-ip:192.168.110.6 proto:ipsec src-port:12366 dst-port:12346 local-system-ip:192.168.30.5 local-color:"biz-internet" remote-system-ip:192.168.30.6 remote-color:"public-internet" new-state:down deleted:false flap-reason:timeout log:local7.info: May 7 16:23:09 vedge2 FTMD[674]: %Viptela-vedge2-ftmd-6-INFO-1400002: Notification: 5/7/2019 14:23:9 bfd-state-change severity-level:major host-name:"vedge2" system-ip:192.168.30.5 src-ip:192.168.109.5 dst-ip:192.168.110.6 proto:ipsec src-port:12366 dst-port:12346 local-system-ip:192.168.30.5 local-color:"public-internet" remote-system-ip:192.168.30.6 remote-color:"public-internet" new-state:down deleted:false flap-reason:timeout

要啟用的另一個有價值的調試是 Tunnel Traffic Manager (TTM) 事件調試，它是 debug ttm events。

下面是從TTM角度看事 BFD DOWN 件的外觀：

log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[194]: Received TTM Msg LINK_BFD, Client: ftmd, AF: LINK log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[413]: Remote-TLOC: 192.168.30.6 : public-internet : ipsec, Local-TLOC: 192.168.30.5 : biz-internet : ipsec, Status: DOWN, Rec Idx: 13 MTU: 1441, Loss: 77, Latency: 0, Jitter: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[194]: Received TTM Msg LINK_BFD, Client: ftmd, AF: LINK log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[413]: Remote-TLOC: 192.168.30.6 : public-internet : ipsec, Local-TLOC: 192.168.30.5 : public-internet : ipsec, Status: DOWN, Rec Idx: 14 MTU: 1441, Loss: 77, Latency: 0, Jitter: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[194]: Received TTM Msg BFD, Client: ftmd, AF: TLOC-IPV4 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[402]: TLOC: 192.168.30.6 : public-internet : ipsec, Status: DOWN log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_af_tloc_db_bfd_status[234]: BFD message: I SAY WHAT WHAT tloc 192.168.30.6 : public-internet : ipsec status is 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[194]: Sent TTM Msg TLOC_ADD, Client: ompd, AF: TLOC-IPV4 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[213]: TLOC: 192.168.30.6 : public-internet : ipsec, Index: 32772, Origin: REMOTE, Status: DOWN, LR enabled: 0, LR hold time: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[217]: Attributes: GROUP PREF WEIGHT GEN-ID VERSION TLOCv4-PUB TLOCv4-PRI TLOCv6-PUB TLOCv6-PRI SITE-ID CARRIER ENCAP RESTRICT log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[220]: Preference: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[223]: Weight: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[226]: Gen-ID: 2147483661 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[229]: Version: 2 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[232]: Site-ID: 13 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[235]: Carrier: 4 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[241]: Restrict: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[249]: Group: Count: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[262]: Groups: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[269]: TLOCv4-Public: 192.168.110.6:12346 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[273]: TLOCv4-Private: 192.168.110.6:12346 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[277]: TLOCv6-Public: :::0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[281]: TLOCv6-Private: :::0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[285]: TLOC-Encap: ipsec-tunnel log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[295]: Authentication: unknown(0x98) Encryption: aes256(0xc) SPI 334 Proto ESP log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[312]: SPI 334, Flags 0x1e Integrity: 1, encrypt-keys: 1 auth-keys: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[317]: Number of protocols 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[328]: Number of encrypt types: 2 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[333]: Encrypt type[0] AES256-GCM log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[333]: Encrypt type[1] AES256-CBC log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[339]: Number of integrity types: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[344]: integrity type[0] HMAC_SHA1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[349]: #Paths: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[194]: Sent TTM Msg TLOC_ADD, Client: ftmd, AF: TLOC-IPV4 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[213]: TLOC: 192.168.30.6 : public-internet : ipsec, Index: 32772, Origin: REMOTE, Status: DOWN, LR enabled: 0, LR hold time: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[217]: Attributes: GROUP PREF WEIGHT GEN-ID VERSION TLOCv4-PUB TLOCv4-PRI TLOCv6-PUB TLOCv6-PRI SITE-ID CARRIER ENCAP RESTRICT log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[220]: Preference: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[223]: Weight: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[226]: Gen-ID: 2147483661 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[229]: Version: 2 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[232]: Site-ID: 13 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[235]: Carrier: 4 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[241]: Restrict: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[249]: Group: Count: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[262]: Groups: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[269]: TLOCv4-Public: 192.168.110.6:12346 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[273]: TLOCv4-Private: 192.168.110.6:12346 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[277]: TLOCv6-Public: :::0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[281]: TLOCv6-Private: :::0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[285]: TLOC-Encap: ipsec-tunnel log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[295]: Authentication: unknown(0x98) Encryption: aes256(0xc) SPI 334 Proto ESP log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[312]: SPI 334, Flags 0x1e Integrity: 1, encrypt-keys: 1 auth-keys: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[317]: Number of protocols 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[328]: Number of encrypt types: 2 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[333]: Encrypt type[0] AES256-GCM log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[333]: Encrypt type[1] AES256-CBC log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[339]: Number of integrity types: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[344]: integrity type[0] HMAC_SHA1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[349]: #Paths: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[194]: Sent TTM Msg TLOC_ADD, Client: fpmd, AF: TLOC-IPV4 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[213]: TLOC: 192.168.30.6 : public-internet : ipsec, Index: 32772, Origin: REMOTE, Status: DOWN, LR enabled: 0, LR hold time: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[217]: Attributes: GROUP PREF WEIGHT GEN-ID VERSION TLOCv4-PUB TLOCv4-PRI TLOCv6-PUB TLOCv6-PRI SITE-ID CARRIER ENCAP RESTRICT log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[220]: Preference: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[223]: Weight: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[226]: Gen-ID: 2147483661 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[229]: Version: 2 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[232]: Site-ID: 13 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[235]: Carrier: 4 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[241]: Restrict: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[249]: Group: Count: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[262]: Groups: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[269]: TLOCv4-Public: 192.168.110.6:12346 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[273]: TLOCv4-Private: 192.168.110.6:12346 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[277]: TLOCv6-Public: :::0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[281]: TLOCv6-Private: :::0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[285]: TLOC-Encap: ipsec-tunnel log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[295]: Authentication: unknown(0x98) Encryption: aes256(0xc) SPI 334 Proto ESP log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[312]: SPI 334, Flags 0x1e Integrity: 1, encrypt-keys: 1 auth-keys: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[317]: Number of protocols 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[328]: Number of encrypt types: 2 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[333]: Encrypt type[0] AES256-GCM log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[333]: Encrypt type[1] AES256-CBC log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[339]: Number of integrity types: 1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[344]: integrity type[0] HMAC_SHA1 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[349]: #Paths: 0 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[194]: Sent TTM Msg DATA_DEVICE_ADD, Client: pimd, AF: DATA-DEVICE-IPV4 log:local7.debug: May 7 16:58:19 vedge2 TTMD[683]: ttm_debug_announcement[431]: Device: 192.168.30.6, Status: 2 log:local7.info: May 7 16:58:19 vedge2 FTMD[674]: %Viptela-vedge2-ftmd-6-INFO-1400002: Notification: 5/7/2019 14:58:19 bfd-state-change severity-level:major host-name:"vedge2" system-ip:192.168.30.5 src-ip:192.168.110.5 dst-ip:192.168.110.6 proto:ipsec src-port:12366 dst-port:12346 local-system-ip:192.168.30.5 local-color:"biz-internet" remote-system-ip:192.168.30.6 remote-color:"public-internet" new-state:down deleted:false flap-reason:timeout log:local7.info: May 7 16:58:20 vedge2 FTMD[674]: %Viptela-vedge2-ftmd-6-INFO-1400002: Notification: 5/7/2019 14:58:19 bfd-state-change severity-level:major host-name:"vedge2" system-ip:192.168.30.5 src-ip:192.168.109.5 dst-ip:192.168.110.6 proto:ipsec src-port:12366 dst-port:12346 local-system-ip:192.168.30.5 local-color:"public-internet" remote-system-ip:192.168.30.6 remote-color:"public-internet" new-state:down deleted:false flap-reason:timeout

`使用Packet-Trace捕獲BFD資料包（20.5及更高版本）`

在20.5.1及更高版本軟體中引入的另一個有用工具是vEdge的資料包跟蹤。由於BFD會話使用相同的標準埠(通常12346)，因此根據對等體IP地址過濾是最簡單的。

舉例來說：

vedge# show bfd sessions SOURCE TLOC REMOTE TLOC DST PUBLIC DST PUBLIC DETECT TX SYSTEM IP SITE ID STATE COLOR COLOR SOURCE IP IP PORT ENCAP MULTIPLIER INTERVAL(msec) UPTIME TRANSITIONS ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 10.4.4.1 101 up default default 192.168.16.29 192.168.22.103 12386 ipsec 7 1000 0:03:23:34 0 10.4.4.2 102 up default default 192.168.16.29 192.168.29.39 12346 ipsec 7 1000 0:03:21:24 1

將配置packet-trace：

vedge# debug packet-trace condition ingress-if ge0/0 vpn 0 source-ip 192.168.29.39 vedge# debug packet-trace condition start vedge# debug packet-trace condition stop

使用下面註明的show命令可顯示結果。對於入口資料包，BFD流量有一個「isBFD」標誌，該標誌設定為「1」(true)。

vedge# show packet-trace statistics 
packet-trace statistics 0
 source-ip             192.168.29.39
 source-port           12346
 destination-ip        192.168.16.29
 destination-port      12346
 source-interface      ge0_0
 destination-interface loop0.1
 decision              FORWARD
 duration              25
packet-trace statistics 1
 source-ip             192.168.29.39
 source-port           12346
 destination-ip        192.168.16.29
 destination-port      12346
 source-interface      ge0_0
 destination-interface loop0.1
 decision              FORWARD
 duration              14
packet-trace statistics 2
 source-ip             192.168.29.39
 source-port           12346
 destination-ip        192.168.16.29
 destination-port      12346
 source-interface      ge0_0
 destination-interface loop0.1
 decision              FORWARD
 duration              14
 
vedge# show packet-trace detail 0  
==========================================================================================================================
Pkt-id           src_ip(ingress_if)            dest_ip(egress_if)           Duration           Decision           Protocol
==========================================================================================================================
0         192.168.29.39:12346 (ge0_0)    192.168.16.29:12346 (loop0.1)        25 us             FORWARD              17
INGRESS_PKT:
00 50 56 84 79 be 00 50 56 84 3c b5 08 00 45 c0 00 96 ab 40 40 00 3f 11 e0 c1 c0 a8 1d 27 c0 
a8 10 1d 30 3a 30 3a 00 82 00 00 a0 00 01 02 00 00 0e 3f 4b 65 07 bc 61 03 38 71 93 53 58 
88 d8 08 41 95 7c 1a ff 8b cc b4 d0 d8 61 44 40 67 cc 1a 01 fd 1f c4 45 95 ea 7e 15 c9 08 
2e b6 63 84 00 
EGRESS_PKT: 
a1 5e fe 11 00 00 00 00 00 00 00 00 00 00 04 00 0c 04 00 41 01 02 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 04 00 00 00 00 00 00 00 02 00 3a 30 3a 30 1d 10 a8 c0 00 00 00 00 00 00 
00 00 00 00 00 00 01 00 00 00 27 1d a8 c0 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 
a4 00 01 00 00 
Feature Data 
------------------------------------ 
TOUCH : fp_proc_packet  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_proc_packet2  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_ip_forward  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_ipsec_decrypt  
core_id: 2
DSCP: 48
------------------------------------ 
FP_TRACE_FEAT_IPSEC_DATA: 
src_ip : 192.168.29.39
src_port : 3784
dst_ip : 192.168.16.29
dst_port : 3784
isBFD : 1
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_send_pkt  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_hw_x86_pkt_free  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_proc_remote_bfd_  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : BFD_ECHO_REPLY  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_hw_x86_pkt_free  
core_id: 2
DSCP: 48以類似方式捕獲出口BFD資料包。這些結果標識了特定型別，是回應請求還是應答。
vedge# debug packet-trace condition vpn 0 destination-ip 192.168.29.39 
vedge# debug packet-trace condition start
vedge# debug packet-trace condition stop
vedge# show packet-trace statistics 
packet-trace statistics 0
 source-ip             192.168.16.29
 source-port           3784
 destination-ip        192.168.29.39
 destination-port      3784
 source-interface      loop0.0
 destination-interface ge0_0
 decision              FORWARD
 duration              15
packet-trace statistics 1
 source-ip             192.168.16.29
 source-port           3784
 destination-ip        192.168.29.39
 destination-port      3784
 source-interface      loop0.0
 destination-interface ge0_0
 decision              FORWARD
 duration              66
packet-trace statistics 2
 source-ip             192.168.16.29
 source-port           3784
 destination-ip        192.168.29.39
 destination-port      3784
 source-interface      loop0.0
 destination-interface ge0_0
 decision              FORWARD
 duration              17

vedge# show packet-trace details 0 
==========================================================================================================================
Pkt-id           src_ip(ingress_if)            dest_ip(egress_if)           Duration           Decision           Protocol
==========================================================================================================================
0         192.168.16.29:3784 (loop0.0)   192.168.29.39:3784 (ge0_0)           15 us             FORWARD              17
INGRESS_PKT:
45 c0 00 4f 00 00 40 00 ff 11 cc 48 c0 a8 10 1d c0 a8 1d 27 0e c8 0e c8 00 3b 00 00 80 c0 07 
00 00 00 00 01 00 00 00 01 00 0f 42 40 00 0f 42 40 00 0f 42 40 01 00 0c 01 00 00 1d 3b b1 
c9 89 d7 03 00 0f c0 a8 10 1d 30 3a c0 a8 1d 27 30 3a a3 96 07 3b 47 1c 60 d1 d5 76 4c 72 
78 1f 9a 0d 00 
EGRESS_PKT: 
00 50 56 84 3c b5 00 50 56 84 79 be 08 00 45 c0 00 96 ab 40 40 00 3f 11 e0 c1 c0 a8 10 1d c0 
a8 1d 27 30 3a 30 3a 00 82 00 00 a0 00 01 01 00 00 5c 3d 88 9a c7 28 23 1b e6 18 ea fe 73 
1b b9 e3 79 bf d9 f4 72 41 96 c1 47 07 44 56 77 5a a2 fb 43 59 c1 97 59 47 62 21 77 d4 f4 
47 8b 30 b0 00 
Feature Data 
------------------------------------ 
TOUCH : fp_send_bfd_pkt  
core_id: 0
DSCP: 48
------------------------------------ 
TOUCH : BFD_ECHO_REPLY  
core_id: 0
DSCP: 48
------------------------------------ 
TOUCH : fp_ipsec_loopback_f  
core_id: 0
DSCP: 48
------------------------------------ 
TOUCH : fp_send_pkt  
core_id: 0
DSCP: 48
------------------------------------ 
TOUCH : fp_ip_forward  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_send_ip_packet  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_send_pkt  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_hw_x86_pkt_free  
core_id: 2
DSCP: 48
vedge# show packet-trace details 1
==========================================================================================================================
Pkt-id           src_ip(ingress_if)            dest_ip(egress_if)           Duration           Decision           Protocol
==========================================================================================================================
1         192.168.16.29:3784 (loop0.0)   192.168.29.39:3784 (ge0_0)           66 us             FORWARD              17
INGRESS_PKT:
45 c0 00 56 00 00 40 00 ff 11 cc 41 c0 a8 10 1d c0 a8 1d 27 0e c8 0e c8 00 42 00 00 80 c0 07 
00 00 00 00 01 00 00 00 01 00 0f 42 40 00 0f 42 40 00 0f 42 40 01 00 0c 00 00 00 1d b8 35 
a8 09 88 03 00 0f c0 a8 10 1d 30 3a c0 a8 1d 27 30 3a 04 00 07 01 00 05 a6 38 ff 7e 06 1e 
da 23 19 d5 00 
EGRESS_PKT: 
00 50 56 84 3c b5 00 50 56 84 79 be 08 00 45 c0 00 9d ab 40 40 00 3f 11 e0 ba c0 a8 10 1d c0 
a8 1d 27 30 3a 30 3a 00 89 00 00 a0 00 01 01 00 00 5c 3e 2d 3b 9e 81 aa 10 26 54 7f 47 5c 
d8 81 4f 23 2e 3c 39 1e 94 b2 f4 fb a4 ba 98 54 73 99 8f 2e 95 d7 69 fb 91 41 96 93 03 5b 
a4 e4 e8 82 00 
Feature Data 
------------------------------------ 
TOUCH : fp_send_bfd_pkt  
core_id: 0
DSCP: 48
------------------------------------ 
TOUCH : BFD_ECHO_REQUEST  
core_id: 0
DSCP: 48
------------------------------------ 
TOUCH : fp_ipsec_loopback_f  
core_id: 0
DSCP: 48
------------------------------------ 
TOUCH : fp_send_pkt  
core_id: 0
DSCP: 48
------------------------------------ 
TOUCH : fp_ip_forward  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_send_ip_packet  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_send_pkt  
core_id: 2
DSCP: 48
------------------------------------ 
TOUCH : fp_hw_x86_pkt_free  
core_id: 2
DSCP: 48
相關資訊 
      
      技術支援與文件 - Cisco Systems

修訂記錄

修訂	發佈日期	意見
2.0	28-Sep-2022	初始版本
1.0	13-Jun-2019	初始版本

由思科工程師貢獻

Cisco TAC Engineers

vEdge雙向轉發檢測和資料平面連線問題故障排除

下載選項

無偏見用語

關於此翻譯

目錄

簡介

必要條件

需求

採用元件

控制平面資訊

檢查控制項本機內容

檢查控制連線

重疊管理通訊協定

驗證是否已從vEdge通告OMP TLOC

驗證vSmart接收和通告TLOC

雙向轉發檢測

瞭解show bfd sessions命令

命令show tunnel statistics

存取清單

網路地址轉換

如何使用工具stun-client檢測NAT對映和過濾器。

CLI中使用的資料平面隧道支援的NAT型別「傳送」

防火牆

安全性

DSCP標籤流量的ISP問題

調試BFD

使用Packet-Trace捕獲BFD資料包（20.5及更高版本）

相關資訊