Possible causes for a failure to learn ND entries

15

In V100R002 and later versions, a switch fails to learn ND entries due to the following possible causes:
- The physical state or protocol state of the interface is Down. You can run the display ipv6 interface interface-type interface-number command in any view to check the physical state and protocol state of an interface.
- The STP state of the interface is Discarding. You can run the display stp brief command in any view to check the STP state of an interface.
- The number of ND entries or IPv6 routes exceeds the limit.
- You can run the display ipv6 neighbors command in any view to check information about ND entries.
- You can run the display ipv6 routing-table statistics command in any view to check statistics on IPv6 routes.

Other related questions:
Possible causes for a failure to ping an IPv6 address
In V100R002 and later versions, the IPv6 address of a device fails to be pinged due to the following possible causes: l. The physical state or protocol state of the interface is Down. You can run the display ipv6 interface interface-type interface-number command in any view to check the physical state and protocol state of an interface. 2. The switch fails to learn ND entries of the peer device. You can run the display ipv6 neighbors command in any view to check information about ND entries. 3. The link transmission delay is too long. The source device does not receive any Response packet from the destination device within the waiting time, and the ping operation fails. You can run the ping ipv6 -t timeout destination-ipv6-address command in any view to set “-t&rdquo to increase the timeout interval for waiting for Response packets.

What are possible causes for L2TP dial-up failures of the AR router
Possible causes for L2TP dialup failures are as follows: - The firewall is configured on the public network or the local PC has the firewall, so L2TP packets are discarded. - When corresponding L2TP port is disabled or occupied, UDP port 1701 is often used. For example, ACL and NAT are configured. - The user name and password of the LAC are incorrect, or no users are specified for the LNS. - The configured address is incorrect. For example, the statically configured address of the VT interface is incorrect. - Tunnel authentication modes are different. - LCP renegotiation is not configured. - The IP address allocation is improper. The IP address pool has a small address range or not configured. - Gateway addresses are not configured in the IP address pool, so gateway addresses are allocated to clients. - There are unreachable routes. - In the L2TP group view, the specified tunnel name at the remote end is incorrect. - The configured authentication domain is incorrect. - L2TP negotiation fails because control packets sent by clients of the local PC do not carry the SQ. - When IPSec encryption is used, the IPSec parameters on the two ends of the tunnel are inconsistent.

What are the possible causes for SSH+TACACS authentication failure
There is no default authentication mode for SSH users. If no authentication mode is specified for SSH users, users cannot access the Internet. Solution: When configuring SSH authentication, run the ssh authentication-type default password command to configure password authentication for SSH users.

For S series switches, how to handle the failure to learn ARP entries caused by ARP Miss packets
For S series switches, the reasons for the failure to learn ARP entries caused by ARP Miss messages are as follows: - The rate limit on ARP Miss messages is small. This causes the switch to discard normal ARP Miss messages and fail to send ARP Request packets to the destination network depending on ARP Miss messages. - The CPCAR value of the ARP Miss packet is small. This causes the switch to discard normal ARP Miss messages and fail to send ARP Request packets to the destination network. - The attacker sends a large number of network scanning packets to the switch. This causes the switch to trigger a large number of ARP Miss messages, consuming CPU resources and affecting the normal processing of ARP Miss messages. Perform the following steps to locate the fault. Save the results of each troubleshooting step so that you can provide collected information for Huawei technical support engineers if the fault fails to be rectified. 1. Run the display arp all command in the user view to check statistics about ARP entries. If the MAC address field is in Incomplete state, the device fails to learn the ARP entry. IP address and interface information can be obtained through the ARP entry. 2. Capture the packet header on the interface used to connect to a user and check the source IP address of the ARP packet. 3. Run the display cpu-defend statistics packet-type arp-miss all command in the user view to check whether the number of the dropped ARP Miss packets is increasing. - If the number of dropped ARP Miss packets is 0, no ARP Miss packets are discarded by the switch. ARP entry learning fails because the rate limit on ARP Miss messages is too small. Go to step 5. Increase the ARP Miss message rate limit according to the actual network environment. - If the number of dropped ARP Miss packets is not 0, the rate of ARP Request packets exceeds the CPCAR rate limit and excessive ARP request packets are discarded. Check whether the CPCAR value of ARP Miss messages is configured correctly. -- If not, go to step 4. Increase the CPCAR value of ARP Miss messages. -- If so, ARP entry learning fails because the attacker sends a large number of network scanning packets to the switch. This causes the switch to trigger a large number of ARP Miss messages, consuming CPU resources and affecting the normal processing of ARP Miss messages. Find the attacker based on the source IP address, and check whether the user is infected with viruses. Alternatively, add the source address to the blacklist or configure a blackhole MAC address entry to discard ARP Request packets sent by the attacker. 4. Run the car command in the attack defense policy view to increase the CIR value for ARP Miss messages. Note: Improper CPCAR settings may affect services on your network. It is recommended that you contact Huawei engineers before adjusting the CPCAR settings. After the configuration is complete, the attack defense policy takes effect only after it is applied. After the preceding steps are performed, if the fault persists or has been rectified but the CPU usage is high, go to step 5. Decrease the rate limit on ARP Miss messages. 5. Run the display arp anti-attack configuration [ arpmiss-speed-limit | arpmiss-rate-limit ] command to view the ARP rate limit configuration. 6. If the fault persists, collect the following information and contact Huawei technical support. Results of the preceding troubleshooting procedure Configuration file, logs, and alarms of the switch

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top