ADPIPV4/4/CPCAR_TTL1_DROP

Message

ADPIPV4/4/CPCAR_TTL1_DROP: The number of packets sent to the CPU exceed the threshold [ULONG]. (Slot=[STRING], CPCARType=[STRING], DiscardPacketCount=[STRING], Reason="[STRING]")

Description

The device receives a large number of TTL-expired packets, which are then discarded because the packet rate exceeds CPCAR settings.

If the number of received TTL-expired packets exceeds 30,000 in a detection period (10 minutes), the packets are discarded. If packet loss occurs in three consecutive detection periods, the log is generated. If packet loss still occurs in the next detection period after the log is printed, the log is printed every 10 minutes. If packet loss no longer occurs in the next detection period after the log is generated, the device does not print the log until packet loss occurs in three consecutive detection periods again.

After an active/standby switchover is performed, the number of lost packets and the number of consecutive detection periods during which packet loss occurs are recalculated.

Parameters

Parameter Name	Parameter Meaning
Slot	Indicates the slot ID.
CPCARType	Indicates the CPCAR type. CPCAR_TTL1: TTL-expired packets will be discarded.
DiscardPacketCount	Indicates the number of discarded packets.
Reason	Indicates the reasons for packet discarding. A routing loop may occur: A routing loop may occur on the network. As a result, a large number of TTL-expired packets are received by the device and then discarded because the packet rate exceeds CPCAR settings.

Possible Causes

Cause 1: A routing loop occurs on the network.

Cause 2: The device is attacked by TTL-expired packets.

Procedure

Run the display cpu-defend statistics command in the user view multiple times to check whether the number of discarded TTL-expired packets continuously increases.
- If the number of discarded TTL-expired packets does not continuously increase and current services are normal, no action is required.
- If the number of discarded TTL-expired packets continuously increases, go to step 2.
Check whether a routing loop occurs on the network. If so, eliminate the loop.
Check whether the device is under an TTL-expired packet attack. If so, you are advised to configure the CPU attack defense policy to reduce the number of TTL-expired packets sent to the CPU and identify the attack source based on the source address and port information of attack packets.
If the alarm persists after the routing loop and attack packets are removed, collect log information and configuration information, and then contact technical support personnel. You can collect diagnostic information using the display diagnostic-information command.