What Should I Do When Encountering an Access Freezing, Delay, or Failure?
Symptom
Access from a client to the high-defense IP address is frozen, has long delays, or loses packets.
Troubleshooting
- Cross-network access
AAD supports CTCC, CUCC, CMCC, and BGP lines. Access delays and packet loss may occur if cross-network resolution is configured on DNS or cross-network back-to-origin is configured for origin server IP addresses on AAD.
Solution:
- On the DNS console: Check DNS configuration.
This fault will not occur if you use the CNAME resolution provided by HUAWEI CLOUD. If you are using A record resolution, configure high-defense IP addresses based on the carrier of the line transmitting the access traffic. If your traffic is transmitted over the BGP line, retain the default high-defense IP address configuration. HUAWEI CLOUD is not responsible for the packet loss or delays caused by improper DNS configuration.
- On the AAD console: Check the origin server IP address.
If the origin server uses a specific carrier line, packet loss and delays exist inevitably during cross-network access, and HUAWEI CLOUD is not responsible for the packet loss and delays.
If the origin server uses lines of multiple carriers, add origin server IP addresses accordingly based on the high-defense IP addresses of the carrier lines, for example, associate a CTCC high-defense IP address with a CTCC origin server IP address. HUAWEI CLOUD is not responsible for the packet loss or delays caused by improper back-to-origin line configuration.
- On the DNS console: Check DNS configuration.
- Backend server exceptions
Troubleshoot the fault based on the origin server type configured for the high-defense IP address.
- The origin server is a load balancer.
To resolve the problem, perform the following steps:
- Run TCPing using the IP address and port number of the load balancer to locate the fault.
- Check the load balancer status (such as number of connections and backend servers).
- Check whether blacklists, whitelists, or other access control policies have been configured for the load balancer and ensure that the back-to-origin IP address range is allowed through.
- Check backend servers and networks of the load balancer for any IP address blocking policies on firewalls.
- The origin server is a cloud server.
To resolve the problem, perform the following steps:
- Run TCPing using the IP address and port number of the cloud server to locate the fault.
- Check whether the server has encountered exceptions, such as black holes, scrubbing incidents, high CPU usage, slow database requests, and outbound bandwidth exhaustion.
- Check whether blacklists, whitelists, or other access control policies have been configured for the cloud server and ensure that the back-to-origin IP address range is allowed through.
- Check the cloud server or networks for security software or IP address blocking policies that block the back-to-origin IP addresses.
- The origin server is a load balancer.
- Whether high-defense IP addresses have scrubbing incidents
- High-defense IP addresses have experienced scrubbing incidents.
To resolve the problem, perform the following steps:
- Run TCPing to check for and record delays and packet loss on attacked ports.
- Run TCPing to check for and record delays and packet loss on non-attacked ports.
Locate the fault by checking the records against the following table.
Table 1 Results Delay and Packet Loss on Attacked Ports
Delay and Packet Loss on Non-attacked Ports
Cause Analysis
Yes
No
The scrubbing policy is executed properly on attack traffic. Check the backend server status and identify the server's attack defense capability. If the attack defense capability is weak, you need to enforce a powerful defense policy.
Yes
Yes
Normal traffic is scrubbed by the scrubbing policy. You can submit a service ticket for background troubleshooting.
No
No
The fault is not caused by the scrubbing policy.
No
Yes
Generally, this situation does not exist.
In the first two cases, you are advised to submit a service ticket. To enforce a more powerful defense policy, you need to provide details about your server's attack defense performance, including:
- Normal user access
- Service interaction processes
- Application service capabilities
- High-defense IP addresses have not experienced scrubbing incidents.
The fault is not caused by attacks.
- High-defense IP addresses have experienced scrubbing incidents.
- High-defense IP addresses are blocked by black holes.
The high-defense IP address is blocked by a black hole if the attack traffic towards this IP address exceeds the configured elastic protection bandwidth. You can check whether packet loss is caused by a black hole.
If so, you are advised to purchase a large elastic protection bandwidth and adjust your service systems to make them capable of switching traffic to another line when a black hole is triggered.
Faults FAQs
- What Should I Do When Encountering an Access Freezing, Delay, or Failure?
- Why Is Error 504 Displayed When I Access a Website After AAD Is Configured?
- How Do I Identify the Type of Attacks?
- What Should I Do If Error 500, 502, or 504 Is Reported When I Access My Website After I Enable Basic Web Protection for My Domain Name?
- What Can I Do If I Failed to Configure a Forwarding Rule?
- What Can I Do If My UDP Traffic Is Blocked?
- How Do I Unblock the Access That Has Been Automatically Blocked Due to the Threshold-Overtopped Attack Traffic?
- Why Can't I Specify Certain Ports When Configuring the Forwarding Rule?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbotmore
