Archived

This topic is now archived and is closed to further replies.

it.nannycay

Agent causes device outage

it.nannycay

Hi, I am testing this software for our networks. I have installed one agent on one of our NAS (Synology RS815+) for this purpose. The agent (scan) is causing a specific type of device to drop off the network. We run 3 24-port DSLAM VDSL2 switches for our hotel rooms. When I enable the agent, 5 minutes later all 3 of these switches will go offline, and need to be hard rebooted. If I disable the agent they operate as normal after a reboot, so they obviously do not like something about the way they are scanned. I don't see any way to disable the scan for a particular device or devices... Is there a way to do this? Disable IP or block of IPs for scan? I cannot continue to test, or validate, until I can get around this.

Thanks

Giancarlo

I really apologize for this. We will do our best to find a way to avoid this behavior.

 

Which is the exact model of the switch that is behaving in this way? Name of the vendor or model

it.nannycay

Hi, thanks for the prompt reply. The switches are 'Planet IP' 

VDL-2420MR

24-Port VDSL2 IP DSLAM

 

I tried to set a deny rule in the DSLAM to ignore the IP of the agent, but it had no effect. I also looked for a new firmware, to no avail. The log in the DSLAM does not show any error, it just drops off.

Thanks

 

Giancarlo

Thanks for the feedback. Interesting. We are in the process of starting to work on the Planet switches in a matter of a few days, in order to support them for automatic Port Mapping and PoE. But we also have other users using switches from the same brand, which so far have not reported such an issue.

 

We will continue our investigation and let you know our outcomes.

it.nannycay

Great, thanks for the update. I look forward to continuing to test your systems once this is rectified; so far I like what I see!

Regards

IJoe

IT.Nannycay- First, note I am NOT affiliated with DOMOTZ in any way, but saw your post and had curiosity as to your config, as I run several systems at MDU/hotel setups. Which network are you hoping to scan with the agent? The WAN (internet and services side of the DSLAM) or the LAN side, which is technically a DSL solution? Is there NAT in play between your LAN/WAN, or is it a straight-through bind, one to one? I am assuming the NAS is connected on the WAN side, but this isn't always the case, as it's easier to place it on a subscriber unit; that way it resides inside the LAN. If that's the case you would also get the agent to report all your subscribers, but only if you allow internal LAN traffic via NAT reflection. So lots of questions, each with its own ideas about why it's dropping the DSLAM units, but very curious as I plan to roll out in similar albeit not exact circumstances (my case actually being a UBR7111 CMTS). Last question is whether you have a router or firewall in play as well, i.e.-

- end user/ nas to subscriber unit- DSLAM static public to Cable or HICap service,

--or EU/Nas to sub unit- dslam - service offers/Inet/ofc net to router to firewall to hicap.  

--or EU-sub unit to dslam to  Nas/services/ofc net/ to router to hicap. 

The reason that's so important is to determine who is assigning the IPs and who is doing the IPS, as IPS (intrusion protection) and DHCP conflict are the only reasons I can imagine that the DSLAMs would require a hard reset. Hope my input helps more than hurts. Good luck. I understand the need to keep network design confidential, but reposting the resolution or cause is appreciated.

it.nannycay

IJoe-

I am scanning the 'WAN' side of the DSLAMs, although these are really a bridge. The complete net layout is somewhat more complicated as it's really a marina\resort with a hotel, and the hotel only being one part of services provided, but as far as the hotel service is concerned, it is basically like this:

Hotel room(IP phone, Wi-Fi) --- DSLAM (bridge) --- external net (resort  backbone, services, NAS) --- router --- ISP 

The router provides DHCP service for the phones and Wi-Fi routers in the hotel, but the DSLAM IP is outside of scope and set as static. I do not see an IP conflict here, and there is only a problem when the Domotz agent is running.

As a side note, the external net is actually /20 not /24, and the DHCP scope/IP range for hotel room service is outside of the subnet that the agent is scanning, although the IPs of the DSLAMs are within the scan range.

IJoe

Well hmmm, you seem to have the basics covered. That being the DSLAM units as statically assigned, and truthfully, unless your entire subnet was spoken for, a single IP conflict should only drop one box. I had zeroed in on that because the 5 minute timeframe you spoke of seemed about right for a conflict to propagate and finally force something off the net. Not to be a pain, I'm just stumped as to what would cause the units to be unable to rejoin the network without requiring a hard cycle, except an IP issue. Again, I'm unaffiliated with Domotz, I just like puzzles, and networking seems to be full of crazy ones.

Ok, so was just buffing up on bridging and saw a note that could be of interest -- Bridges work on the store/verify/forward policy, and the Domotz agent initially, I would assume, does some hefty scanning; the DSLAMs, while set up to withstand heavy traffic, if they were to fill up their buffers ???? Honestly, at this point that is just a shot-in-the-dark hypothesis; I'm not smart enough to fully grasp the system utilization cost of a forwarding table in a DSLAM environment. You had said the IP network of the subscriber units was not in the same net as the Domotz agent; however, the bridge is a layer 2 entity (hardware address, not IP, for those others following along), but I am completely clueless as to how a bridge handles scans, or what type of requests the agent even puts out, and what effect it would have on a bridge, or how a bridge would normally respond, but I am thinking it's this complexity that's likely a key factor, as it's an element not as commonly found as most of the other facets you have in play. I.e. statics in DHCP is common, /20 is fairly common, but to have 3 bridges, that seems to me to be the likely culprit (not saying that's a network flaw, just that to me I think it's the location where the packets are getting into trouble, through no fault except that of the packet overlords). Not sure if the DSLAMs have much of a routing/firewall capability, but is there any way to shut down traffic from the agent at the WAN side so that the bridge never sees any requests? Though I think you said you tried that -- I would say shut down the broadcast addresses, but you said the subscribers pull IPs from the router, not the DSLAM.

It's my uneducated guess that it's the broadcast requests that are getting into a mess with the bridge --- OK, I'll stop throwing out guesses, but my suspects are the broadcast requests and heavy port scans filling up the DSLAM bridging function and locking up the device, or the presence of some routing loop, possibly a Wi-Fi router; however, the last part's just 'cause Wi-Fi routers have been my nemesis in past designs. Full disclosure: I can barely tie my shoes, and while I've been in the industry for a long time, having very little formal training -- take my advice with ..... well, actually just throw it out normally.

Thanks for entertaining my thoughts. Look forward to learning the final results -- DOMOTZ GUYS, this is up to you to weigh in on now, I think.
