[NE Router-Troubleshooting] CE Cannot Access Some Web Servers Due to the MTU Configuration

Latest reply: Jun 24, 2021 18:46:45

Fault Symptom

BGP/MPLS VPN is configured on the PEs. CE1, Web server A, and Web server B are in the same VPN. PE3 and Web server A are connected through a firewall. After the configuration is complete, the CE cannot access some Web servers.

Fault Analysis

1.     Run the display bgp vpnv4 all peer command on PE1 and PE2. It is found that the BGP peer relationships are set up between the PEs and between the PE and CE and are in the Established state.

2.     Run the ping -vpn-instance vpn-instance-name command on PE1, PE2, and PE3. The accessed CEs can be pinged successfully from the PEs.

3.     Run the display current-configuration configuration vpn-instance vpn-instance-name command on PE1, PE2, and PE3 to view the configurations of the VPN instances. It is found that the VPN instances on the PEs are configured correctly and the import VPN target on one PE matches the export VPN target on another PE.

4.     Capture packet headers on an interface of the PE. It is found that an IP packet sent from the Web server is 1496 bytes long and cannot be fragmented. After the packet enters the MPLS network, its length becomes 1504 bytes (1496 + 8, where 8 is the length of the two MPLS labels).

5.     Run the display mpls interface command on PE1, PE2, and the P to view the MTU of MPLS packets on an interface. It is found that the MTU value for MPLS packets on the P is 1500. Because the 1504-byte MPLS packets exceed this value, they are discarded on the PE or P.

Procedure

1.     Run the system-view command on the P to enter the system view.

2.     Run the interface interface-type interface-number command to enter the interface view of the interface connecting the P to the PE.

3.     Run the mtu mtu command to reconfigure the MTU value on the interface.

4.     Run the mpls mtu 1600 command to re-configure the MTU value for MPLS packets on the interface.

5.     Run the restart command to restart the current interface.

After the preceding operations, it is found that CE1 can access Web server A and Web server B. The fault is rectified.

Summary

The causes of this fault are as follows:

· The packet sent from the Web server cannot be fragmented, and the packet length exceeds the MPLS MTU on the P after two MPLS labels are added. As a result, the packet is discarded on the P.

· The firewall blocks ICMP packets, so the path MTU discovery mechanism cannot work.

The basic principle of the path MTU discovery mechanism is as follows:

1.     The source initially adopts the MTU on the first hop interface as the MTU of the path to the destination and sets the value of the Don't Fragment (DF) bit in all IP packets sent to the destination to 1.

2.     When a device along the path receives the packet and forwards the packet on an outbound interface, the device discovers that the packet length exceeds the MTU on the outbound interface and the value of the DF bit is 1. In this case, the device discards the packet and responds with an ICMP unreachable packet (type=3, code=4, fragment needed but don't-fragment bit set) to the source.

3.     After receiving the ICMP unreachable packet, the source decreases the path MTU value and re-sends the IP packet.

This problem is caused by an incorrect MTU value. To resolve the problem, re-configure the MTU.
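
The failure and the fix in this case, as an added Python model that is not part of the original post: it runs the three path MTU discovery steps with the case's numbers (a 1496-byte DF packet, two 4-byte MPLS labels, MPLS MTU 1500 on the P). The Hop class, the function names, and the rule that the ICMP message reports the MPLS MTU minus the label overhead are assumptions made for illustration.

```python
from dataclasses import dataclass

MPLS_LABEL_BYTES = 4  # size of one MPLS label stack entry

@dataclass
class Hop:
    name: str        # hypothetical hop name
    mpls_mtu: int    # MTU applied to labeled packets on the outbound interface
    labels: int = 0  # labels on the packet when it leaves this hop

def forward(ip_len, hops):
    """Send one DF=1 packet. Returns (delivered, dropping_hop, mtu_hint)."""
    for hop in hops:
        overhead = hop.labels * MPLS_LABEL_BYTES
        if ip_len + overhead > hop.mpls_mtu:
            # Model assumption: the ICMP type 3 code 4 message reports the
            # largest IP packet that still fits once the labels are added.
            return False, hop.name, hop.mpls_mtu - overhead
    return True, None, None

def discover(initial_len, hops, icmp_blocked, max_tries=4):
    """Source side of path MTU discovery. Returns (path_mtu or None, log)."""
    size, log = initial_len, []
    for _ in range(max_tries):
        delivered, where, hint = forward(size, hops)
        if delivered:
            log.append(f"{size} B delivered")
            return size, log
        if icmp_blocked:
            # The drop is silent for the source: it keeps resending the same size.
            log.append(f"{size} B dropped at {where}, ICMP 3/4 filtered")
            return None, log
        log.append(f"{size} B dropped at {where}, ICMP 3/4 says {hint}")
        size = hint
    return None, log

# Constructed paths using the case's numbers: 1496-byte packet, two labels.
BEFORE_FIX = [Hop("P", mpls_mtu=1500, labels=2)]
AFTER_FIX = [Hop("P", mpls_mtu=1600, labels=2)]

if __name__ == "__main__":
    for title, path, blocked in [("firewall drops ICMP", BEFORE_FIX, True),
                                 ("ICMP permitted", BEFORE_FIX, False),
                                 ("mpls mtu 1600", AFTER_FIX, True)]:
        print(title, "->", discover(1496, path, blocked))
```

The first case reproduces the black hole: small packets such as ping pass while full-size responses from the Web server are dropped without the source ever learning why.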


andersoncf1
MVE Author Created Jun 24, 2021 18:46:45

Thanks for sharing knowledge with us.