Troubleshooting for NTA and ADS Automatic Diversion

January 5, 2024 | NSFOCUS

When NTA detects abnormal traffic, it can notify ADS to divert the traffic. ADS sends route diversion notifications to the router, redirecting the traffic to ADS for cleaning. This article summarizes what to check in this scenario when traffic is not successfully diverted to ADS.

1. Check whether automatic diversion is triggered. Check the NTA diversion log (Logs -> Diversion Log). A record in the diversion log indicates that NTA sent a diversion notification to ADS.

NTA sends diversion notifications to ADS when the following conditions are met:

(1) The alert is generated. 

(2) The traffic generated in the alert meets the diversion conditions.

For example, the alert level is High in the figure below, triggering the Default DDoS Attack Alert. Within the Default DDoS Attack Detection Threshold, the Diversion Level for SYN Flood is set to Divert Traffic of Medium-level Alert. The alert in the figure meets the condition specified in Default DDoS Attack Detection Threshold -> SYN Flood -> Diversion Level.

(3) The IP address corresponding to the alert is configured with ADS diversion. Check whether the Region/IP Group that contains the IP address is configured with ADS diversion. If the IP address is not configured in any Region/IP Group, check the Default Diversion Configuration (Configuration -> Global Divert Settings -> Default Diversion Configuration).

2. Check whether ADS has successfully received the diversion notification sent by NTA. Look in ADS Logs -> System Logs -> Traffic Diversion Log to confirm that the notification arrived. If it did not, check whether the integration between ADS and NTA is working normally and whether there are network problems between the two.

3. Check the ADS Diversion Routing Table (Diversion & Injection -> Traffic Diversion -> Diversion Routing Table). If ADS has successfully sent the diversion route to the router, the diversion item appears in the Diversion Routing Table.

4. If ADS fails to send route diversion notifications to the router because of an ADS configuration problem, the failure cause is displayed in the traffic diversion log. Adjust the configuration according to the failure cause shown in the log.

The following ADS configuration items can be checked:

  • Diversion interface configuration: Configure the diversion interface at Diversion & Injection -> General Settings -> IP Address
  • BGP configuration: Configure BGP Route and Neighbor at Diversion & Injection -> Diversion Route -> BGP Route. Confirm the neighbor status by clicking the “Neighbor Status” button.
  • IP Route Assignment configuration: Configure the protected IP address and assign route daemon at Diversion & Injection -> Diversion Route -> IP Route Assignment. Add the IP addresses or prefixes here to make sure auto-diversion can happen once NTA triggers the ADS diversion notification.
  • Filtering Rules configuration: Check the “Filtering Rules” and make sure the protected IP addresses are properly covered by the filtering rules on ADS. The parameter Diversion-Allowed in each filtering rule indicates whether ADS is allowed to trigger diversion for the corresponding IP addresses, for both auto-diversion and manual diversion. Note that the parameter Enable by Default is an implicit any-any allow: if it is selected, ADS applies the rules in top-to-bottom sequence, and any unconfigured IP addresses are allowed to be diverted by ADS.
  • Injection interfaces and injection routers configuration: Configure injection interfaces at Diversion & Injection -> Traffic Injection -> Injection Interfaces. Then configure the injection route at Diversion & Injection -> Traffic Injection -> Injection Routers. Make sure the protected IP addresses are configured in the Injection Routes. Otherwise, ADS will fail to inject the traffic, and as a result neither manual diversion nor auto-diversion will be allowed or triggered. Verify that the MAC address of the Injection Interfaces has been learned so that injection can work. If it is not learned dynamically, try “MAC learning” again at Diversion & Injection -> Traffic Injection -> Injection Routers -> Operation, or add the MAC address manually at Diversion & Injection -> Traffic Injection -> MAC Address Table -> Static MAC Configuration.
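
The checks in step 1 (conditions 2 and 3) and the prefix-coverage checks in step 4 can be reproduced offline for a single alerted IP. The following is an added example, not NSFOCUS code or an NTA/ADS API: the data structures, function names and sample values are constructed, and the level ordering and first-match rule evaluation are assumptions based on the description above.

```python
import ipaddress

# Assumption: alerts at or above the configured Diversion Level are diverted.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

def covered(ip, prefixes):
    """True if ip falls inside any of the listed prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)

def nta_should_notify(alert, diversion_level, group_prefixes, default_diversion):
    """Step 1, conditions (2) and (3), for an alert that was already generated."""
    if LEVELS[alert["level"]] < LEVELS[diversion_level]:
        return False, "alert level below Diversion Level"
    if covered(alert["ip"], group_prefixes):
        return True, "Region/IP Group has ADS diversion"
    if default_diversion:
        return True, "Default Diversion Configuration applies"
    return False, "no ADS diversion configured for this IP"

def diversion_allowed(ip, filtering_rules, enable_by_default):
    """Top-to-bottom walk; the first matching rule decides (assumed semantics)."""
    for prefix, allowed in filtering_rules:
        if covered(ip, [prefix]):
            return allowed
    return enable_by_default  # unconfigured IPs follow Enable by Default

def ads_gaps(ip, cfg):
    """Names of the step 4 configuration items that do not cover ip."""
    gaps = []
    if not covered(ip, cfg["ip_route_assignment"]):
        gaps.append("IP Route Assignment")
    if not diversion_allowed(ip, cfg["filtering_rules"], cfg["enable_by_default"]):
        gaps.append("Filtering Rules")
    if not covered(ip, cfg["injection_routes"]):
        gaps.append("Injection Routes")
    return gaps

# Constructed sample values (documentation address ranges), not real ADS output.
ALERT = {"ip": "203.0.113.10", "level": "High"}
ADS_CFG = {
    "ip_route_assignment": ["203.0.113.0/24"],
    "filtering_rules": [("203.0.113.10/32", False), ("203.0.113.0/24", True)],
    "enable_by_default": True,
    "injection_routes": ["198.51.100.0/24"],
}

if __name__ == "__main__":
    print(nta_should_notify(ALERT, "Medium", ["203.0.113.0/24"], False), ads_gaps(ALERT["ip"], ADS_CFG))
```

With the sample values, NTA would send the notification, but ADS would not divert: a more specific filtering rule denies the address and no injection route covers it.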