Cisco Bug: CSCvt91284 - Rpl route-poisoning not working in startup-config

Last Modified

Aug 26, 2020

Products (1)

  • Cisco 1000 Series Connected Grid Routers

Known Affected Releases

15.7(3.0i)M

Description (partial)

Symptom:
The Level 0, 1 & 2 recovery scripts are working.

However, for the RPL POISON, it appears that after the CGR reload (after Level 2 recovery), the RPL POISON gets DISABLED even if the backhaul remained down.

The expected behavior is that the RPL POISON remains ENABLED after the CGR reloads, since the backhaul is still down…or, if it was enabled after the reload, that it gets disabled 2 hrs later.

Conditions:
For a solution across reloads, we need some kind of memory that will persist across a reboot.
The challenge is that any "write mem" or "copy run start" will persist the entire config and not just certain commands.
Thus, there is significant cross-talk between the various applets. Your implementation has some significant custom applets (from a show tech):

!
event manager environment ZTD_SCEP_CGNA_Profile cg-nms-tunnel
event manager environment ZTD_SCEP_LDevID_trustpoint_name LDevID
event manager environment q "
event manager environment wanmon_if_list1 {Cellular3/1 {recovery {60 60} {120 120} {480 480}}}
event manager directory user policy "flash:/eem"
event manager applet primaryTunnelDown authorization bypass
event snmp oid 1.3.6.1.2.1.2.2.1.8.21 get-type exact entry-op ge entry-val "2" exit-op eq exit-val "1" poll-interval 30
action 1.0  syslog priority critical msg "Primary Tunnels down, bringing UP secondary tunnels"
action 1.1  cli command "en"
action 1.2  cli command "conf t"
action 17.0 cli command "int Tunnel10"
action 18.0 cli command "shut"
action 19.0 cli command "exit"
action 3.0  cli command "int Tunnel1"
action 4.0  cli command "no shut"
action 5.0  cli command "exit"
action 7.0  cli command "int Tunnel11"
action 8.0  cli command "no shut"
action 9.0  cli command "exit"
event manager applet primaryTunnelUp authorization bypass
event snmp oid 1.3.6.1.2.1.2.2.1.8.21 get-type exact entry-op eq entry-val "1" exit-op ge exit-val "2" poll-interval 30
action 1.0  syslog priority critical msg "Primary Tunnels up, shutting down secondary tunnels"
action 1.1  cli command "en"
action 1.2  cli command "conf t"
action 17.0 cli command "int Tunnel10"
action 18.0 cli command "no shut"
action 19.0 cli command "exit"
action 3.0  cli command "int Tunnel1"
action 4.0  cli command "shut"
action 5.0  cli command "exit"
action 7.0  cli command "int Tunnel11"
action 8.0  cli command "shut"
action 9.0  cli command "exit"
event manager applet CELLULAR_DOWN authorization bypass
event syslog pattern "Line protocol on Interface Cellular3/1, changed state to down"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "no event manager applet RPL_POISON_DISABLE authorization bypass"
action 3.1 cli command "event manager applet RPL_POISON_ENABLE authorization bypass"
action 3.2 cli command "event timer countdown time 7200"
action 3.3 cli command "action 1.0 syslog msg $q RPL POISON ENABLED $q"
action 3.4 cli command "action 2.0 cli command $q enable $q"
action 3.5 cli command "action 3.0 cli command $q configure terminal $q"
action 3.6 cli command "action 4.0 cli command $q interface wpan4/1 $q"
action 3.7 cli command "action 5.0 cli command $q rpl route-poisoning $q"
action 3.8 cli command "action 6.0 cli command $q end $q"
action 4.0 cli command "exit"
action 4.1 cli command "no ip sla schedule 1 life forever start-time now"
action 4.2 cli command "ip sla 1"
action 4.3 cli command "frequency 600"
action 4.4 cli command "exit"
action 4.5 cli command "ip sla schedule 1 life forever start-time now"
action 4.6 cli command "no event manager environment wanmon_if_list1"
action 4.7 cli command "event manager environment wanmon_if_list1 {Cellular3/1 {ipsla 1} {recovery {60 60} {120 120} {480 480}}}"
action 4.8 cli command "end"
event manager applet CELLULAR_UP authorization bypass
event syslog pattern " Line protocol on Interface Cellular3/1, changed state to up"
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "no event manager applet RPL_POISON_ENABLE authorization bypass"
action 3.1 cli command "event manager applet RPL_POISON_DISABLE authorization bypass"
action 3.2 cli command "event timer countdown time 60"
action 3.3 cli command "action 1.0 syslog msg $q RPL POISON DISABLED $q"
action 3.4 cli command "action 2.0 cli command $q enable $q"
action 3.5 cli command "action 3.0 cli command $q configure terminal $q"
action 3.6 cli command "action 4.0 cli command $q interface wpan4/1 $q"
action 3.7 cli command "action 5.0 cli command $q no rpl route-poisoning $q"
action 3.8 cli command "action 6.0 cli command $q end $q"
action 4.0 cli command "exit"
action 4.1 cli command "no ip sla schedule 1 life forever start-time now"
action 4.2 cli command "no event manager environment wanmon_if_list1"
action 4.3 cli command "event manager environment wanmon_if_list1 {Cellular3/1 {recovery {60 60} {120 120} {480 480}}}"
action 4.4 cli command "end"
event manager applet UPDATE_VTY authorization bypass
event timer countdown time 300
action 1.0 cli command "enable"
action 2.0 cli command "configure terminal"
action 3.0 cli command "line vty 0 15"
action 3.1 cli command "authorization exec CMD"
action 3.2 cli command "authorization commands 0 CMD"
action 3.3 cli command "authorization commands 1 CMD"
action 3.4 cli command "authorization commands 2 CMD"
action 3.5 cli command "authorization commands 15 CMD"
action 3.6 cli command "end"
action 4.0 cli command "wr"   <<<<<<<<<<<< In another case this was recommended to be removed to avoid unexpected poisoning after reboot



If it was OK to ALWAYS come up with route poisoning enabled, you could save that as the default via device config template.  Then rely on cellular coming up and triggering:

event manager applet CELLULAR_UP authorization bypass
event syslog pattern " Line protocol on Interface Cellular3/1, changed state to up"

This applet would then create the highlighted:

event manager applet RPL_POISON_DISABLE authorization bypass
event timer countdown time 60

Then 60 seconds later, poisoning would be disabled. Note "timer countdown" does NOT reset and thus is one shot.

If Cellular did not come up, the WPAN would continue with poisoning enabled after startup.

Keep in mind you will never see this applet trigger on startup…the interface is already down and thus will not log this message:

event manager applet CELLULAR_DOWN authorization bypass
event syslog pattern "Line protocol on Interface Cellular3/1, changed state to down"

Add a "description" command to the WPAN interface indicating "Note: Start with poisoning enabled" so future engineers are warned.



Tested setting "rpl route-poisoning" and saving to startup-config. I can see it there:
JAD20250F42#show startup-config | begin interface Wpan4/1
interface Wpan4/1
description SMM: Dummy stuff from Duke! NOTE: Poison on startup.
no ip address
ieee154 panid 9097
ieee154 ssid I25
ieee154 txpower 2
no ieee154 fec-off
outage-server FD00:AC8:0:C002::10
rpl dag-lifetime 60
rpl dio-min 18
rpl route-poisoning
rpl version-incr-time 120
authentication host-mode multi-auth
authentication port-control auto
ipv6 address FD00:ABD:6:A000::/64
ipv6 dhcp relay destination  FD00:AC8:0:C004::10
dot1x pae authenticator
!

However, after reload, this does not take!  Here is the info after reload:
JAD20250F42#show wpan 4/1 config
module type:    RF-WPAN (IEEE 802.15.4e/g RF 900MHz)
ssid:           I25
panid:          9097
phy_mode:       2
transmit power: 2
channel:        254
dwell:          window 20000 max-dwell 400
fec:            enabled
beacon async:   min-interval 262 max-interval 1048 suppression-coefficient 1
security mode:  0
test mode:      0 (test firmware only)
admin_status:   up
rpl prefix:            FD00:ABD:6:A000::/64
rpl route-poisoning:   off
rpl dodag-lifetime:    60
rpl dio-dbl:           0
rpl dio-min:           18
rpl version-incr-time: 120
detach bridge:         no
bootloader mode:       no
mcast-agent:           FF38:40:FD00:ABD:6:A000:0:1 61624 1153
firmware version:      5.6.10
slave mode:            no

JAD20250F42#show running-config | begin interface Wpan4/1
interface Wpan4/1
description SMM: Dummy stuff! NOTE: Poison on startup.
no ip address
ieee154 panid 9097
ieee154 ssid I25
ieee154 txpower 2
no ieee154 fec-off
outage-server FD00:AC8:0:C002::10
rpl dag-lifetime 60
rpl dio-min 18
rpl version-incr-time 120
authentication host-mode multi-auth
authentication port-control auto
ipv6 address FD00:ABD:6:A000::/64
ipv6 dhcp relay destination  FD00:AC8:0:C004::10
dot1x pae authenticator
!

Thus, saving in startup does not work!  
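A post-reload audit of the mismatch shown above, as an added example that is not part of the bug page: it parses the Wpan4/1 block of startup-config and running-config and the "show wpan" output, and reports when startup-config carries "rpl route-poisoning" but the running configuration or the WPAN module state does not. The sample outputs are constructed excerpts of those quoted above; the "on" spelling for the enabled state is an assumption.

```python
import re
# Constructed excerpts modelled on the outputs quoted above: startup-config
# and running-config after the reload, plus "show wpan 4/1 config".
STARTUP_CFG = """\
interface Wpan4/1
 description NOTE: Poison on startup.
 rpl dag-lifetime 60
 rpl route-poisoning
!
"""
RUNNING_CFG = """\
interface Wpan4/1
 description NOTE: Poison on startup.
 rpl dag-lifetime 60
!
"""
SHOW_WPAN = """\
rpl route-poisoning:   off
rpl dodag-lifetime:    60
"""

def interface_block(config, name):
    """Return the stripped lines of `interface <name>` up to the closing '!'."""
    lines, inside = [], False
    for line in config.splitlines():
        if re.match(rf"^interface {re.escape(name)}\s*$", line, re.IGNORECASE):
            inside = True
            continue
        if inside:
            if line.strip() == "!" or line.startswith("interface "):
                break
            lines.append(line.strip())
    return lines
def poisoning_in_config(config, name="Wpan4/1"):
    # Exact line match, so "no rpl route-poisoning" does not count as enabled.
    return "rpl route-poisoning" in interface_block(config, name)
def poisoning_in_show_wpan(output):
    # The page only shows the "off" spelling; anything else is assumed to mean on.
    m = re.search(r"^rpl route-poisoning:\s*(\S+)", output, re.MULTILINE)
    return m is not None and m.group(1).lower() != "off"
def audit(startup, running, show_wpan, name="Wpan4/1"):
    """Findings when startup-config, running-config and WPAN state disagree."""
    s, r = poisoning_in_config(startup, name), poisoning_in_config(running, name)
    h = poisoning_in_show_wpan(show_wpan)
    findings = []
    if s and not r:
        findings.append("startup-config has rpl route-poisoning but running-config lost it")
    if r != h:
        findings.append("running-config and show wpan disagree on route-poisoning")
    return findings
```

Run it against the three outputs captured right after a reload; an empty list from audit() means the saved and live states agree.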

One option would be another applet used for startup only!
It would be pushed by the device configuration template and saved in startup-config to trigger on startup of the interface.
Hopefully this enables poisoning as soon as possible but not so soon that the interface is not yet up…which a timer may do. May need to add an "action wait" for a few seconds, but likely not.

event manager applet RPL_POISON_ENABLE authorization bypass
event syslog pattern "%LINK-3-UPDOWN: Interface Wpan4/1, changed state to up" maxrun 120
action 0.5 puts "Make sure wpan comes up with RPL poisoning enabled.  When cellular comes up it will clear RPL poisoning and this applet from config."
action 1.0 syslog msg " RPL POISON ENABLED "
action 2.0 cli command " enable "
action 3.0 cli command " configure terminal "
action 4.0 cli command " interface wpan4/1 "
action 5.0 cli command " rpl route-poisoning "
action 6.0 cli command " end "
action 6.5 puts "Double check cellular did not come up before wpan! If it did, clear poisoning and log."
action 7.0 cli command "show int cellular 3/1 | count line protocol is up"
action 8.0 regexp "Number of lines which match regexp = 1" "$_cli_result"
action 9.0 if "$_regexp_result" eq "1"
action 10.0 syslog msg "WARNING: Cellular came up too fast, clear RPL poisoning."
action 11.0 cli command " configure terminal "
action 12.0 cli command " interface wpan4/1 "
action 13.0 cli command " no rpl route-poisoning "
action 14.0 cli command " end "
action 15.0 end

Please check a well-managed CGR to make sure this does not conflict with current settings and applets.
May have to review the device config template due to the "wr" bug noted above and commented on below.

See Note 2 below on maxrun.


NOTES:
Note 1:
The "wr" needs to be removed…not sure if it has been or not. It will cause an overwrite of the startup config and kill the above functionality.
With the above, if UPDATE_VTY triggers and poisoning is enabled at the time, it will be persisted to startup unexpectedly!
If the expected behavior was changed to be poisoning after startup, then UPDATE_VTY could mess this up by saving startup config after poisoning was disabled.
IT IS JUST DANGEROUS!
The functionality of the UPDATE_VTY applet may need to be wrapped into the configuration template to make it unneeded. There may be other options around this applet with FND in the picture, ZTD, and the goals of the engineer that created it. Certainly, with FND involved there may be cleaner options.

Note 2:
You may also want to add "maxrun" to the "event" line of all "event manager applets" to have the OS kill them if for some reason they stall in execution.

CONCLUSION based upon SR 687585566
This can be done and I think the above gives you some "proof of concept" design ideas to run with. I believe the best solution would be to have poisoning enabled on startup, then turn it off once the cellular comes up.
Because of defects in how the "rpl route-poisoning" command performs in startup-config, some complexity is needed.
One risk is that if anyone does a "wr" or "copy run start" on a CGR, the normal running config is not what the starting config is. This would "clear" the base state of the applets. However, any future re-configuration by FND would reset it back to normal.
I think these ideas should be shared with the design engineers and they should run with them to create a solution that works as needed. This solution is custom, and supported only in that we would assist if something is not working as expected. However, the development and maintenance would fall to BCH.