Manuals / Nortel Networks / Computer Equipment / Network Router

Nortel Networks NN46110-602 manual Performance considerations

Models: NN46110-602

1 230

Download 230 pages 7.59 Kb

Page 110

110 Chapter 5 Packet capture

You can create new capture objects until the maximum block size reaches 25 Mbyte. (The VPN Router does not allow you to reduce the maximum block size to less than 25 Mbyte.) If you allocate too much memory to packet capture buffers, you receive an error message suggesting a smaller buffer size.

To check the maximum block size, select Status > Statistics and click Memory in the Resources section. Scroll to the bottom of the window to find the maximum block size. The output looks similar to this:

Shared Heap Statistics:
status	bytes	blocks	ave block	max block
------	--------- -------- ---------- ----------
current
free	40542960	18	2252386	39532912
alloc	64815872	135	480117	-

You can display the same information by entering the command show status statistics resources memory.

Performance considerations

Running packet capture can affect VPN Router performance. You can run only one capture object at one time for a specific source (interface or tunnel). Multiple capture objects can exist for the same source, but only one object is allowed to start. You can run capture objects for different sources at the same time with no limitations.

To reduce the effect on VPN Router performance, use packet capture for troubleshooting only and observe the following guidelines:

•Configure the capture object to capture the least amount of data needed for troubleshooting: for example, only inbound or outbound traffic, only the first n bytes of the packet.

•Configure a capture object for promiscuous mode only when necessary. (Promiscuous mode affects VPN Router performance.)

•Configure filters and triggers to capture only relevant traffic, in particular if you need to run the global IP object.

NN46110-602

Image 110

Nortel Networks NN46110-602 manual Performance considerations

Contents

Nortel VPN Router Troubleshooting Restricted rights legend Copyright 2007 Nortel Networks. All rights reservedTrademarks Statement of conditionsNortel VPN Router Troubleshooting Nortel Networks Inc. software license agreementGeneral Contents Chapter Status and logging Chapter Troubleshooting Chapter Packet capture Appendix a MIB support Appendix B Using serial PPP Index Contents NN46110-602 Figures Figures NN46110-602 Tables Tables NN46110-602 Before you begin Text conventionsItalic text Acronyms L2TP Related publications Hard-copy technical manuals How to get help Finding the latest updates on the Nortel Web siteGetting help over the phone from a Nortel Solutions Center Getting help from the Nortel Web siteGetting help through a Nortel distributor or reseller Features New in this releaseSnmp interface index enhancement Automatic backupsPcap enhancements Chapter VPN Router administration Administrator settingsVPN Router administration Dynamic password ToolsSystem configuration File managementSimple Network Management Protocol Snmp VPN Router administration Click Enable for User IP Address Pool Admin Snmp Traps windowTo configure the amount Chapter Status and logging Sessions ReportsStatistics SystemHealth check Accounting Accounting recordsRadius accounting Data collection taskTimestamp Logs Event logSelect Status Event Log Event logsCapture and display filters Configure Display Entity System log Security logConfiguration log Chapter Administrative tasks ShutdownUsing the recovery diskette RecoveryAccessing the diskette drive Recovery Diskette window Software/backup/v101/SN01001 Administrative tasks Automatic backups Triggering a backup when a file or directory changes Using the GUI for automatic backupTransferring backup files through Sftp Select Admin Auto BackupAutomatic Backup window appears. Figure Click Configure Specific Backup Specific Automatic Backup window To overwrite a file, click Overwrite files at destinationUsing the CLI for automatic backup Backing up changes to specific files or directories Stopping the backup of specific files and directoriesBacking up specific files and directories Using Sftp to transfer backup files Stopping the transfer of backup files using SftpUpgrading the software Disabling new loginsSelect Admin Shutdown Click Disable new logins. Figure Select Admin File System Checking available disk spaceCreating a control tunnel to upgrade from a remote location Backing up system files Creating a recovery disketteSelect Admin Recovery and click Create Diskette Select Admin Upgrades Retrieving the new softwareFTP menu example Before completing the upgrade Internal Radius Accounting Interim Radius Accounting RecordApplying the software After you upgrade the softwareSelect Admin Shutdown and deselect Disable new logins Administrative tasks Chapter Troubleshooting Troubleshooting tools Client-based toolsSystem-based tools Other toolsSolving connectivity problems Diagnosing client connectivity problemsCommon client connectivity problems Remote host not responding Login not allowed at this timeAuthentication failed Maximum number of sessions reachedExtranet connection lost Other IPsec errorsNo proposal chosen Problems with name resolution using DNS services Network browsing problems Cannot browse the network with NetBEUITroubleshooting Diagnosing WAN link problems Check the T1/V.35 interface Check the Hdlc framing Check the PPP layerEliminating modem errors Solving performance problemsPerformance tips for configuring Microsoft networking Hardware encryption accelerator connectivityWhat should be configured on the Pptp or IPsec client? Why should Wins settings be different for extranet access? What Wins settings are recommended?What can you try on the Wins server when it is not working? Can I control which machine is the master browser? Why are subnet masks important? What should I do about subnets? Why cant I browse another client in a different tunnel? Troubleshooting Additional information Solving general problems Web browser problems and the VPN Client ManagerImproving performance with Internet Explorer Long delays when Web browsingEnabling Web browser options Internal error message Web browser error messagesClearing your Web browser cache when upgrading Clearing cacheDocument not found message New administrator login ignoredExcess resource consumption using Internet Explorer Internet Explorer 4.0 multiple help windowsPower failure Reporting a problem with a Web browserSystem problems Distorted background imagesGroup and user profile settings not saved Select Servers Ldap Click Stop ServerSolving routing problems Client address redistribution problemsAn error occurred while communicating with the VPN Router Solving firewall problemsAn error occurred while parsing the policy Action Close the Stateful Firewall ManagerUnable to communicate with the VPN Router Authorization failed. Please try againContents of the database may have changed Deselect Cache JARs in Memory System files were not loaded properlyAction Troubleshooting NN46110-602 Chapter Packet capture Pcap features Security features File formatTunnel captures Capture typesPhysical interface captures Global IP captures Triggers Filters and triggersCapture filters Saving captured data Memory considerationsPerformance considerations Enabling packet capture on a VPN Router Enter Privileged Exec mode Serial main menu appearsSetting the Pcap file path Capturing packets to disk fileSetting the maximum number of disk capture files Setting the size of the RAM bufferSetting the size of a disk capture file Creating a capture object Configuring and running packet capture objectsSaving captured data Configuring a capture object CES#capture ether0 Tunnel capture parameters Using the show capture command to display capture status Starting, stopping, and saving capture objectsCES# show capture Exit Capture Configuration mode Sample packet capture configurationsInterface capture object using a filter and direction Interface capture object using triggers CES#show capture test-filter-inCES#capture test-trigger start Tunnel capture object using a remote IP address CES#show capture test-trigger Capture state Stopped by stopLocate the Microsoft Windows row and click local archive Installing Ethereal softwareViewing a packet capture output file on a PC Click ethereal-setup-n.nn.n.exe Saving, downloading, and viewing Pcap filesViewing a Pcap file with Sniffer Pro Global IP captureDeleting capture objects and disabling packet capture Click Tools Options Protocol ForcingCES# no capture test-trigger Packet capture NN46110-602 Novell RIP-SAP MIB Snmp RFC supportNovell IPX MIB RFC 1850-OSPF Version 2 Management Information BaseRFC 2667-IP Tunnel MIB RFC 1724-RIP Version 2 MIB ExtensionRFC 1213-Network Management of TCP/IP-Based Internets RFC 2787-VRRP MIB RFC 2737-Entity MIBRFC 2571-Snmp-Framework MIB RFC 1573-IanaIfType MIBRFC 2233-If MIB RFC2790-Host Resources MIBRFC2495-DS1 MIB RFC2863 Interface MIB 64 bit counters support VPN Router MIBCestraps.mib-Nortel proprietary MIB TRAP-TYPEVariables Newoak.mib Hardware-related traps Appendix a MIB support Appendix a MIB support Appendix a MIB support Server-related traps Appendix a MIB support Login-related traps Software-related trapsIntrusion-related traps System-related trapsInformation passed with every trap Provides trap categories and explanations Provides descriptions for the VPN Router traps Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions Attached Failed Please note that X corresponds to Is not reachable and at least one Appendix a MIB support Appendix a MIB support VPN Router traps MIB descriptions IfReasonForStatus-ces-reason for the change in status Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix B Using serial PPP Establishing a serial PPP connectionSetting up a Dial-Up Networking connection Double-click the Microsoft Dial-Up Networking iconSelect System Settings Setting up the VPN RouterSetting up the modem Appendix B Using serial PPP Cause Troubleshooting Serial PPPDialing in to the VPN Router ActionsAction PPP option settings Appendix B Using serial PPP NN46110-602 Certificate messages Error removing CA certificate fileInstalled new CA certificate from file TCert task creation failed TCert X.509 certificates disabled in flash memoryTCert Shutdown complete Isakmp messages Isakmp 13 No proposal chosen in message from xxx a.b.c.dIsakmp 13 Authentication failure in message from xxx a.b.c.d Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging out No response from client-logging outCouldnt install route for remxxx@xxx Branch office messagesChecking chain invalid child cert SSL messagesChecking chain invalid parent cert Child cert xxx not valid signature by xxxNo matching trusted CA certs Configuration file xxx does not existDatabase messages Failed to startAccount xxxxxx uid xxx not found in account Ldif file could not restoreSecurity messages AuthServer ldap inconsistent no server type in entrySecurity store new system name xxx failed-xxx Conn backlog reached, possible SYN attackSecurity store new system IP address xxx failed-xxx Error copying tree xxx to Error copying entry xxx toError copying subentries of xxx to Security store new system subnet mask xxx failed-xxxSchemaCls Database schema not available Error deleting entryError deleting tree LocalAuthServer failed remove-xxxXxx xxx being referenced by Session xxx uid invalid-authentication failedSession xxxxxx invalid uid-authentication failed Session xxxxxx session rejected-system is initializingSession xxxxxxxxx xxx auth method not allowed Session xxxxxxxxx AddLink failed xxx current linksSession xxxxxxxxx IP address assignment failed Session xxxxxxxxx L2TP host xxx account misconfiguredSession xxxxxxxxx account is disabled Session xxxxxxxxx account has max linksSession xxxxxxxxx connect Qos level xxx full Session xxxxxxxxx authentication failed usingSession xxxxxxxxx account not allowed now Session xxxxxxxxx no memory free xxx threshold Session xxxxxxxxx login rejected new logins disabledDisable logins after restart checkbox is selected Session xxxxxxxxx only one session/static address allowedSession xxxxxxxxx static address xxx already in use Session xxxxxxxxx pool address xxx already in useSession xxxxxxxxx session directed to use server Session xxxxxxxxx system has max sessionsRadius server-name server timed out Radius accounting messagesRadius no reply from server server-nameport number Non-matching ID in server response Radius server-name server failedIndicated packet length too large Response OK Unsupported response type number received from serverReceived bad attribute type from server Radius user-name accounting record sent to server-name OKRadius no reply from Radius server server-nameport number Radius authentication messagesLogin failure due to Server network connection failure Radius server-name server timed out authenticating user-name Non-matching id in server response Radius server rejected access Radius server returned access challengeRadius access challenge received Radius server-name sent challenge for user-nameOspf Disabled Radius user-name access Denied by server server-nameRadius user-name access OK by server server-name Routing messagesOpened OSPF-RTM connection Ospf EnabledClosing OSPF-RTM connection LoadOspfIntf Failed Can not accept x.x.x.x as router idLoadOspfAreas Failed VR xxx Starting xxx as Master forVR xxx Shutting down xxx on VR xxx Starting xxx as Backup forVR xxx Starting xxx as master delayed Backup for RIP xxx RIP Disabled Unable to get configuration for VRRIP xxx RIP Enabled RIP xxx Cant alloc main nodeRIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed RIP xxx Circuit xxx deletedRIP xxx Unable to register with UDP RIP xxx bind RIP socket xxx failedInterface nnn not present, deleting from config RIP xxx Unable to spawn timer task xxx for RIPRIP xxx cid xxx mismatched auth password from Interface nnn replaced, resetting configInterface nnn replaced, deleting from config HWAccel nnn not present, deleting from configAppendix C System messages NN46110-602 Appendix D Configuring for interoperability Configuring the Cisco 2514 router, VersionVPN Router and Cisco 2514 network topology NN46110-602 Following is a show config command Configuring the VPN Router for Cisco interoperability Appendix D Configuring for interoperability Connecting to IRE SafeNET/Soft-PK Security Policy Client Mask10.42 Click Pre-Shared KeySafeNet/Soft-PK Security Policy Editor dialog box appears SA Life Seconds and 3000 Seconds Configuring the VPN Router for IRE interoperabilityEncapsulation Protocol ESP Go to Profiles Networks and click EditThird-party client installation Considerations for using third-party clients Appendix D Configuring for interoperability Configuring the VPN Router as a branch office tunnel Configuring the VPN Router as a user tunnel Set Perfect Forward Secrecy PFS to match the client sideTo configure the VPN Router as a user tunnel Configuring IPX IPX client Windows 95 and Windows IPX group configurationSample IPX VPN Router topology Windows NTIPX topology Nortel VPN Router Troubleshooting Appendix D Configuring for interoperability NN46110-602 Index Index Pptp Wins