The MA5800 fails to provision the IPTV service

Hi dear friends,
This time, I will share a case about the failure of configuring the IPTV service.

Issue description

The IPTV service of a newly created user on the MA5800 is unavailable. The ONT has been replaced twice for this new user, but the fault persists after each replacement. The on-site startup progress is suspended at 50%.
Possible causes:
1. The data configuration is incorrect.
2. The upper-layer device is faulty.
3. The board, control board, upstream board, or shelf hardware is faulty.
4. The STB and ONT on the user side are faulty.

 

Issue analysis

1. Log in to the device and check whether the Option 82 function is enabled on the device. It is found that the VLAN attribute is stacking and normal users exist on the same PON port. Therefore, cause 1 is excluded.

 


2. The Option 82 function is enabled on the device. Therefore, packets are sent to the CPU of the device. To check whether user-side packets are reported to the CPU of the control board, perform the following test.

 

  • Perform debugging printing based on service flows. If no response is displayed, packets are not sent to the CPU.

MA5800-X2(diagnose)%%debugging dhcp l2 service-port X
MA5800-X2(diagnose)%%debugging dhcp l3 packets service-port X
MA5800-X2(config)#dhcp statistics service-port X
MA5800-X2(config)#display dhcp statistics service-port X
MA5800-X2(diagnose)%%terminal debugging

  • Print information on the control board. If no response is displayed, packets are not sent to the CPU.

The MA5800 obtains tag information by printing CPU packets and printing DHCP discover packets.

MA5800-X2(diagnose)%%debugging drv-cli
USER>sfd cpu diag print-s 2 1 11 10 // 2: all modules. 1: transmit direction (0: receive direction). 11: DHCPv4 packets (7: PPPoE packets, 43: DHCPv6). 10: number of packets to print.
USER>quit


Cause 2 is excluded.

 

3. Check whether user-side packets reach the PON port. In this case, you can collect DHCP statistics based on the user MAC address.

The statistical method is as follows: (Adjust the policy based on different service scenarios. If the Option 82 function is enabled, the upstream port cannot pass the traffic statistics.)

 

Check whether DHCP Discover packets reach the PON port

MA5800-X2(config)#acl 3000
MA5800-X2(config-acl-adv-3000)#rule 5 permit udp source-port eq 68 destination-port eq 67
MA5800-X2(config-acl-adv-3000)#acl 4300
MA5800-X2(config-acl-adv-4300)#rule 5 permit type 0x0800 source XXXX-XXXX-XXXX 0000-0000-0000
MA5800-X2(config-acl-adv-4300)#quit
MA5800-X2(config)#diagnose
MA5800-X2(diagnose)%%traffic-statistic inbound ip-group 3000 rule 5 link-group 4300 rule 5 port 0/19/0
// The Layer 3 and Layer 2 ACLs are combined to identify DHCP packets.

 

Check whether the PON receives the DHCP offer packet returned by the BRAS

MA5800-X2(config)#acl 3001
MA5800-X2(config-acl-adv-3001)#rule 5 permit udp source-port eq 67 destination-port eq 68
MA5800-X2(config-acl-adv-3001)#acl 4301
MA5800-X2(config-acl-adv-4301)#rule 5 permit type 0x0800 destination XXXX-XXXX-XXXX 0000-0000-0000
MA5800-X2(config-acl-adv-4301)#quit
MA5800-X2(config)#diagnose
MA5800-X2(diagnose)%%traffic-statistic outbound ip-group 3001 rule 5 link-group 4301 rule 5 port 0/19/0

 

The result is as follows: User-side DHCP packets have reached the PON port but not the control board.

 


4. Perform trace-counter based on user MAC addresses.

Command: MA5800(diagnose)%% trace-counter ingress 0/11/3 source b822-4f5b-XXXX

It is found that some packets are received but not sent by the board. The packets are discarded at ID 1733.

 


Determine the cause of the packet discards with the following command. The cause is: Drop due to antidos port limit

MA5800(diagnose)%%display statistics type 0/11

 


5. Check the rate limit of the ONT.
No rate limit is configured on the service port or on the ONT.


6. Check the anti-dos configuration. It is found that the anti-dos function is enabled globally, which is a universal configuration on the entire network.


Note: After this function is enabled, the number of packets reported by the ONT to the CPU per second cannot exceed 63.

 


7. Print packets based on the Ptype of the board and check the reported packets.

MA5800(diagnose)%%capture ptype board 0/11 upstream 1733 number 10

It is found that a non-STB MAC address on the user side reports a large number of ARP packets.

 


8. Verify what the faulty user side is reporting by capturing packets on the OLT based on the user MAC address.
Packet capture method (adjust it to the service scenario):

  • Create an ACL based on user MAC addresses.
    MA5800-X2(config)#acl 4000
    MA5800-X2(config-acl-adv-4000)#rule 5 permit destination xxxx-xxxx-xxxx 0000-0000-0000
    MA5800-X2(config-acl-adv-4000)#rule 10 permit source xxxx-xxxx-xxxx 0000-0000-0000

  • Mirror the packets on the upstream port to the packet capture port. (PON port 0/11/3; the capture PC is connected to port 0/9/0.)
    MA5800-X2(config)#traffic-mirror outbound link-group 4000 rule 5 port 0/11/3 to port 0/9/0
    MA5800-X2(config)#traffic-mirror outbound link-group 4000 rule 10 port 0/11/3 to port 0/9/0
    MA5800-X2(config)#traffic-mirror inbound link-group 4000 rule 5 port 0/11/3 to port 0/9/0
    MA5800-X2(config)#traffic-mirror inbound link-group 4000 rule 10 port 0/11/3 to port 0/9/0

 

Conclusion: The user side reports a large number of ARP packets.
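
To confirm this conclusion offline from the mirrored capture, the following added example (not part of the original case, and not a Huawei tool) tallies the peak packets per second for each source MAC and protocol in a classic pcap file and flags any source that alone exceeds the 63 packets-per-second budget noted above. The MAC addresses, VLAN tags and capture built by constructed_pcap() are constructed sample data.

```python
import struct
from collections import Counter

VLAN_TPIDS = {0x8100, 0x88A8}            # single and stacked VLAN tags
NAMES = {0x0806: "ARP", 0x0800: "IPv4"}
CPU_LIMIT_PPS = 63                       # per-ONT limit quoted in the note above

def read_pcap(data):
    """Yield (second, frame) from classic pcap bytes, either byte order."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file")
    off = 24                             # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, _usec, incl, _orig = struct.unpack(order + "4I", data[off:off + 16])
        yield sec, data[off + 16:off + 16 + incl]
        off += 16 + incl

def classify(frame):
    """Return (source MAC as xxxx-xxxx-xxxx, protocol), skipping VLAN tags."""
    pos = 12
    while int.from_bytes(frame[pos:pos + 2], "big") in VLAN_TPIDS:
        pos += 4
    etype = int.from_bytes(frame[pos:pos + 2], "big")
    return frame[6:12].hex("-", 2), NAMES.get(etype, hex(etype))

def peak_rates(data):
    """Peak packets per second for each (source MAC, protocol) in the capture."""
    per_sec = Counter(
        (sec, *classify(frame)) for sec, frame in read_pcap(data) if len(frame) >= 14)
    peaks = Counter()
    for (_sec, mac, proto), n in per_sec.items():
        peaks[mac, proto] = max(peaks[mac, proto], n)
    return peaks

def flooders(data, limit=CPU_LIMIT_PPS):
    """Sources whose own peak rate exceeds the per-ONT CPU budget."""
    return {key: n for key, n in peak_rates(data).items() if n > limit}

def constructed_pcap():
    """Constructed sample: 200 double-tagged ARP frames and 1 IPv4 frame in one second."""
    def frame(src, etype):
        tags = bytes.fromhex("88a80064" "810000c8")
        return b"\xff" * 6 + bytes.fromhex(src) + tags + etype.to_bytes(2, "big") + bytes(46)
    frames = [frame("02aabbcc0001", 0x0806)] * 200 + [frame("02aabbcc0002", 0x0800)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<4I", 1700000000, 0, len(f), len(f)) + f
    return out
```

For a real capture, pass the file contents instead, for example flooders(open(path, "rb").read()), where path is the capture saved on the PC attached to the mirror port.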


Root cause

A large number of ARP packets are sent from the faulty ONT, which exceeds the total number of packets allowed on the board port. As a result, DHCP packets for normal dialup are discarded.

 

Solution description

Temporary Workaround

  • Filter ARP packets based on user MAC addresses.

MA5800-X2(config)#acl 4000
MA5800-X2(config-acl-adv-4000)#rule 30 deny type 0x0806 source c409-3859-XXXX 0000-0000-0000
MA5800-X2(config-acl-adv-4000)#quit
MA5800-X2(config)#packet-filter inbound link-group 4000 rule 30 port 0/11/3

 

After the filtering, the service is normal.


  • Limit the rate of ARP packets so that DHCP packets can pass through.

Check: MA5800-X2(config)#display security anti-dos control-packet rate service-port 3

Limit: MA5800-X2(config)#security anti-dos control-packet arp rate service-port 3 60

Restore the default: MA5800-X2(config)#security anti-dos control-packet arp rate service-port 3 no-limit
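
Why either workaround restores DHCP, as an added example (not from the original case and not Huawei code): a simplified model of the per-ONT CPU budget of 63 packets per second under an ARP flood. The fixed one-second window, the first-come-first-served order, the per-protocol cap being checked before the port budget, and the reading of the value 60 as packets per second are assumptions; the traffic is constructed.

```python
from collections import Counter

PORT_LIMIT_PPS = 63  # per-ONT packets per second to the CPU, from the note on this page

def admit(packets, port_limit=PORT_LIMIT_PPS, proto_limits=None):
    """Simplified model (an assumption, not the OLT's actual algorithm):
    fixed one-second windows, first come first served.
    packets: (timestamp, protocol) tuples sorted by time.
    proto_limits: per-protocol pps caps checked before the port budget;
    a cap of 0 models a packet-filter deny rule.
    Returns (admitted, dropped) Counters keyed by protocol."""
    proto_limits = proto_limits or {}
    admitted, dropped = Counter(), Counter()
    window, port_used, proto_used = None, 0, Counter()
    for ts, proto in packets:
        if int(ts) != window:                      # new second: reset budgets
            window, port_used, proto_used = int(ts), 0, Counter()
        cap = proto_limits.get(proto)
        if (cap is not None and proto_used[proto] >= cap) or port_used >= port_limit:
            dropped[proto] += 1
            continue
        proto_used[proto] += 1
        port_used += 1
        admitted[proto] += 1
    return admitted, dropped

def constructed_traffic(seconds=10, arp_pps=500):
    """Constructed sample: an ARP flood spread evenly over each second plus
    one DHCP Discover retry in the middle of each second."""
    pkts = []
    for s in range(seconds):
        pkts += [(s + i / arp_pps, "arp") for i in range(arp_pps)]
        pkts.append((s + 0.5, "dhcp"))
    return sorted(pkts)

def compare():
    """Run the three configurations discussed in this case."""
    traffic = constructed_traffic()
    return {
        "anti-dos only": admit(traffic),
        "arp rate 60": admit(traffic, proto_limits={"arp": 60}),
        "arp filtered": admit(traffic, proto_limits={"arp": 0}),
    }

if __name__ == "__main__":
    for name, (ok, drop) in compare().items():
        print(f"{name:14} admitted={dict(ok)} dropped={dict(drop)}")
```

In this model the flood consumes all 63 slots early in each second, so every DHCP Discover is dropped; capping ARP at 60 leaves 3 slots per second, which is enough for the DHCP exchange to get through.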

 


Final Solution

Replace the ONT with a new one. Thanks for reading.