Strange MicroSemi PDS-208 behavior
-
@jarhead the dumb switch shouldn't matter.
But have already went over testing the changing of this switches management IP without any other switches or pfsense involved at all.
Connect your PC to say port 1 of the switch, not the console port.. Any of the ports on the switch.. Set your IP on your pc to 192.168.0.51, access the switch gui - change the IP to 192.168.1.2.. or .22 if you want... Now change the IP of your PC to 192.168.1.X
Can you ping the IP of the switch, and you access the gui - if not then the switch isn't changing its IP or its just plain freaking borked..
-
That is your client 192.168.1.50 saying that IP that is suppose to be on my network does not have a mac address.. via arp..
Not exactly. It's what I've been explaining many times.
I have configured an IP on the microsemi that is on the same network as the other devices are on LAN. I've given it 192.168.1.22, a free IP, not being used anywhere else.
From just another client, in this case, a Centos server on the network, I start pinging that IP but get nothing. I get nothing unless I reboot the microsemi or unplug the Ethernet cable then plug it back in. Any time it does ping, it only pings 3-4 times or so then no more.
In this image, I show that I'm pinging the switch while it's rebooting. The moment I see a response, I run an nmap.
Somehow, the nmap completes showing the open ports on the device.
Maybe the probe kept the switch communicating until it was done or something.And yes, it's the correct MAC address as well.
Great. Then I immediately start pinging it again and as you can see, it's already gone.
On the terminal connected to the microsemi, I can still ping 192.168.1.22.
So where's the router in this?
The router is on the WAN side, it's not involved at all.
Since the terminal is connected directly to the microsemi port, it's not involved in any firewall/router either.Why not get rid of the main lan switch for a second.
Plug the microsemi into the lan port from pfSense and a pc into another switchport.I can't do that, it would take down too many things. Everything across the networks is working just fine, it's only this microsemi I'm having a problem with.
This sounds like the main lan switch is in between.
The fact that the microsemi was reachable for a short while by a client on the LAN seems to confirm there is nothing wrong with the main LAN switch.
From pfsense, using ping, it's the same it cannot reach 192.168.1.22 even though it was reachable a few moments ago.
-
Excuse for jumping in, but can you do a simple test and post the outcome?
Just connect the microsemi switch and a notebook directly with a LAN cable. If the notebook has a 1Gb/s interface an usual cable will work, no crossover cable mandatory.
Assign a static IP to the notebook in same subnet (i.e. switch: 192.168.1.22, notebook 192.168.1.10, subnet mask 255.255.255.0 at both devices).
So no "foreign" devices are involved.
Is ping then continously?Regards
-
@fsc830 exactly..
Take the rest of the network out of the equation completely..
Also that destination host unreachable is where the client doesn't know the mac.. if there was a firewall blocking, or the device just didn't want answer then the response would be timeout. Not unreachable - unreachable means the client doesn't know what mac address to send the traffic too.
Or it doesn't have a route, etc. but if devices are on the same network and you get host unreachable - that means there is no mac for that IP..
Look in your arp table.. on the client your using to ping that is on the same network as the switches management IP.
edit: here is a question for you - are you actually apply the config.. You can change the running config, but are you saving that running config?
Page 86 of the manual talks about saving the running config.. If you are rebooting the device and didn't actually save the config, it would go back to the saved config.. Ie revert to the old IP, etc.
-
Connect your PC to say port 1 of the switch, not the console port.. Any of the ports on the switch.. Set your IP on your pc to 192.168.0.51, access the switch gui - change the IP to 192.168.1.2.. or .22 if you want... Now change the IP of your PC to 192.168.1.X
I'm not connected to the console port, I don't have the cable. I thought about that also and tried connecting the terminal to 1-8 ports and the same thing happens.
On the terminal, I constantly have a ping going along with the GUI open in a browser.Can you ping the IP of the switch, and you access the gui - if not then the switch isn't changing its IP or its just plain freaking borked..
The switch is using the new IP of 192.168.1.22.
I tried this just now. I connected the terminal to an unmanaged switch.
I connected the microsemi to the same switch.
The terminal was able to ping it a few times but then no more as all other times so far.The manual says no need for a cross-over cable or anything unusual but for some reason, the microsemi won't work using an Ethernet switch.
-
@fsc830 said in Forced to use vlan1:
Excuse for jumping in, but can you do a simple test and post the outcome?
Just connect the microsemi switch and a notebook directly with a LAN cable. If the notebook has a 1Gb/s interface an usual cable will work, no crossover cable mandatory.
Assign a static IP to the notebook in same subnet (i.e. switch: 192.168.1.22, notebook 192.168.1.10, subnet mask 255.255.255.0 at both devices).
So no "foreign" devices are involved.
Is ping then continously?Regards
HI, thanks for your input. Yes, that's how it was. The terminal as I call it is a tiny stand alone Linux box I use for stuff like this. It's only connected to the microsemi.
-
can we see a snip of your port to vlan membership page from your main switch?
-
Take the rest of the network out of the equation completely..
That's how it all started. I connected a terminal to the microsemi and it's fine, it can communicate.
Then just a while ago, I connected the microsemi to a small unmanaged switch and the terminal to the same switch and the terminal can no longer reach the microsemi. As usual, I saw a few pings then no more. As soon as I connected the terminal back into the microsemi, it pings again.
Also that destination host unreachable is where the client doesn't know the mac.. if there was a firewall blocking, or the device just didn't want answer then the response would be timeout. Not unreachable - unreachable means the client doesn't know what mac address to send the traffic too.
Or it doesn't have a route, etc. but if devices are on the same network and you get host unreachable - that means there is no mac for that IP..
It has a route and it's reachable from the LAN but only for a few seconds.
The reason there's no MAC is only because it goes MIA :). That's why nmap doesn't see the host. In what I shared, I'm showing that by the time I was able to ping it then nmap it, it was reachable long enough to get the nmap result back then no more.edit: here is a question for you - are you actually apply the config.. You can change the running config, but are you saving that running config?
Yes, the config is saved and the microsemi has been rebooted a few times and comes back with the same 192.168.1.22 IP.
-
@lewis said in Forced to use vlan1:
HI, thanks for your input. Yes, that's how it was. The terminal as I call it is a tiny stand alone Linux box I use for stuff like this. It's only connected to the microsemi.
So, to clarify: only one Linux box is directly connected to the microsemi switch and ping dies out after a very short time!?
If the switch is really "dump" and does not have any mechanism to detect an DoS attack, my guess is that here is a broken network stack.
The ping should never die out.Does this happen with another client too?
Regards
-
@daduls Sure but there's no extra configuration on it, it's just default.
-
@lewis Thx, this noob sees no reason your microsemi switch should be giving you such a hard time. I'm gonna make popcorn and watch.....
-
@fsc830 said in Forced to use vlan1:
So, to clarify: only one Linux box is directly connected to the microsemi switch and ping dies out after a very short time!?
The initial IP of the microsemi was 192.168.0.50 and I've since changed it to 192.168.1.22 and the Linux box is at 192.168.1.75 connected directly to any port.
The short ping responses are when I connect the microsemi to the network and ping it from anything else on the same LAN. From that, I get 3-5 pings then no more and only if I restart the microsemi or if I unplug the Ethernet and plug it back in. After that, nothing else.
I shared an image above showing I was pinging it, when it came back online, it started responding so I quickly ran an nmap. The nmap result came back which surprised me since it only stays online for a few pings. Yet there was the result. Right after that, I pinged it again and it was gone.
It's as if the nmap kept it alive long enough to complete the scan then done.
If the switch is really "dump" and does not have any mechanism to detect an DoS attack, my guess is that here is a broken network stack.
The ping should never die out.Sorry, what does 'dump' mean in your comment?
Does this happen with another client too?
Yes, I kept two different clients pinging non stop so I could monitor the behavior. Both saw the same thing. The only one that never stops seeing it is the Linux box connected directly to it. And of course, as mentioned above, it did exactly the same as the others did when I connected it to a switch and the microsemi to the same switch, unmanaged.
-
@lewis So then the problem is clearly in the Main Lan switch. Do you have something configured on the port you're using? Did you add a vlan to it already maybe?
Try a different port on that switch. -
"Dump" in my question means that there is no "intelligence" which handles a continued ping as DoS (Denial of Service) attack and blocks responding.
Just downloaded the manual and did took a short(!) look into it.
The switch has some security features, so i.e. an ARP monitoring, if a port receives more than 200 ARP requests, the switch handles this as an attack (as far as the quick review is correct).
So its may be worth to dig in a bit more in the port settings.No idea, if this is part of your problem.
Regards
-
@jarhead said in Forced to use vlan1:
@lewis So then the problem is clearly in the Main Lan switch. Do you have something configured on the port you're using? Did you add a vlan to it already maybe?
Try a different port on that switch.It's not related to the main switch at all since I'm not using it. My test above was using another switch not connected to anything but the terminal and the microsemi with the same behavior. I also shared the setup of the main switch a few comments back.
-
@lewis You just posted that when the pc is on the micro switch it pings constantly, but when on the main switch it fails.
Did you not say that?The short ping responses are when I connect the microsemi to the network and ping it from anything else on the same LAN.
Yes, I kept two different clients pinging non stop so I could monitor the behavior. Both saw the same thing. The only one that never stops seeing it is the Linux box connected directly to it. And of course, as mentioned above, it did exactly the same as the others did when I connected it to a switch and the microsemi to the same switch, unmanaged.
-
@fsc830 said in Forced to use vlan1:
"Dump" in my question means that there is no "intelligence" which handles a continued ping as DoS (Denial of Service) attack and blocks responding.
Just downloaded the manual and did took a short(!) look into it.
The switch has some security features, so i.e. an ARP monitoring, if a port receives more than 200 ARP requests, the switch handles this as an attack (as far as the quick review is correct).
So its may be worth to dig in a bit more in the port settings.No idea, if this is part of your problem.
Regards
Well, you're on to something because that's how it's behaving only it should not do that after just a few pings. I've looked at all the config and there aren't any blocking rules in place.
I wonder if these things are just borked? Brand new in the box though.
I connected one of the ports back to the main network.
I can ping the terminal but I can't ping the gateway on the main lan.So basically, it only wants devices connected directly and wants nothing to do with anything connected to another switch.
That's kinda confusing.
-
Well, to be honest, I would reset the microsemi back to factory defaults (page 88 in manual) and start over.
Do not assign any vlans or something else.
Just connect a pc, check ping to default IP 192.168.0.50.
Modify IP to 192.168.1.x (x an unused IP in your "main" LAN).
Check ping again. If ping is constant, connect it to the main switch and repeat ping test.
If ping dies again, I am rather sure its something weird in the settings.Regards
-
@fsc830 said in Forced to use vlan1:
Well, to be honest, I would reset the microsemi back to factory defaults (page 88 in manual) and start over.
Do not assign any vlans or something else.
Just connect a pc, check ping to default IP 192.168.0.50.
Modify IP to 192.168.1.x (x an unused IP in your "main" LAN).
Check ping again. If ping is constant, connect it to the main switch and repeat ping test.
If ping dies again, I am rather sure its something weird in the settings.Regards
Well, that's what I've done repeatedly :).
I took another one out of the box, brand new, no changes what so ever.
I have the Linux box on the same network and am connected to it using 192.168.0.50.
The only option is to change the vlan1 IP so I change it to 192.168.1.22. I change the Linux box and can reach it again but it can't be seen from the rest of the LAN when connecting a port to that. -
@jarhead said in Forced to use vlan1:
@lewis You just posted that when the pc is on the micro switch it pings constantly, but when on the main switch it fails.
Did you not say that?I did but I also added that the same happens when only the Linux box and the microsemi were connected to an unmanaged switch. To me, that eliminates the main switch as being a problem.
