CGW Troubleshooting

This document provides steps for troubleshooting and diagnosing CGW (Carrier Gateway) configurations. It also contains verification methods for different traffic modes, response validation, and log analysis.

Common Symptoms and Causes

Symptom	Possible Cause
No traffic passing through CGW	Incorrect mode selection or configuration error
Traffic not routing as expected	Misconfigured routing rules or incorrect mode setting
Unable to access certain domains/IPs	Blocked or unallowed IPs/domains in selective mode
Unexpected traffic behavior	Misconfigured policy settings or local IP routing issues

Troubleshooting Steps

Access the CE Terminal

sudo su -

Check the Last Configuration Response

To confirm the last applied configuration response, run:

cat /tmp/last_config_response.json |jq .gatewayConfig

This command displays the JSON configuration, allowing you to verify settings like gatewayMode, allowedDomains, blockedIPAddresses, and defaultPolicy. For example:

Example Response:

Global

cat /tmp/last_config_response.json |jq .gatewayConfig
[
  {
    "translationAddress": "masquerade",
    "ceDeviceIp": "100.100.0.77/30",
    "allowedDomains": [
      "www.google.com"
    ],
    "localSeqId": 19,
    "peDeviceIp": "100.100.0.78/30",
    "gatewayMode": "GLOBAL",
    "blockedIPSubnets": [],
    "blockedIPAddresses": [
      "13.13.13.13"
    ],
    "blockedDomains": [
      "www.facebook.com"
    ],
    "mode": "CE_PEGW",
    "defaultPolicy": "ALLOW",
    "sourceSubnet": [
      "172.30.3.0/24"
    ],
    "zone": "cn",
    "id": 1,
    "allowedIPAddresses": [
      "12.12.12.12"
    ],
    "allowedIPSubnets": [],
    "singleArm": null,
    "cid": 38
  }
]

Full

root@jaymin-openWRT:~# cat /tmp/last_config_response.json |jq .gatewayConf
ig
[
  {
    "translationAddress": "masquerade",
    "ceDeviceIp": "100.100.0.77/30",
    "allowedDomains": [
      "www.google.com"
    ],
    "localSeqId": 19,
    "peDeviceIp": "100.100.0.78/30",
    "gatewayMode": "FULL",
    "blockedIPSubnets": [],
    "blockedIPAddresses": [
      "13.13.13.13"
    ],
    "blockedDomains": [
      "www.facebook.com"
    ],
    "mode": "CE_PEGW",
    "defaultPolicy": "ALLOW",
    "sourceSubnet": [
      "172.30.3.0/24"
    ],
    "zone": "cn",
    "id": 1,
    "allowedIPAddresses": [
      "12.12.12.12"
    ],
    "allowedIPSubnets": [],
    "singleArm": null,
    "cid": 38
  }
]

Selected

root@jaymin-openWRT:/tmp# cat last_config_response.json |jq .gatewayConfig
[
  {
    "translationAddress": "masquerade",
    "ceDeviceIp": "100.100.0.77/30",
    "allowedDomains": [
      "www.google.com"
    ],
    "localSeqId": 19,
    "peDeviceIp": "100.100.0.78/30",
    "gatewayMode": "SELECTED",
    "blockedIPSubnets": [],
    "blockedIPAddresses": [
      "13.13.13.13"
    ],
    "blockedDomains": [
      "www.facebook.com"
    ],
    "mode": "CE_PEGW",
    "defaultPolicy": "BLOCK",
    "sourceSubnet": [
      "172.30.3.0/24"
    ],
    "zone": "cn",
    "id": 1,
    "allowedIPAddresses": [
      "12.12.12.12"
    ],
    "allowedIPSubnets": [],
    "singleArm": null,
    "cid": 38
  }
]

Verify Traffic Routing Based on CGW Mode

Global Mode

In global mode, all traffic from the CE device should be routed through the CGW except for traffic destined for the local domain. To test this, perform the following traceroutes:

traceroute -n x.x.x.x

Expected Result: The traceroute to the global IP address should show hops traversing the CGW. The traceroute to the local DNS server IP should not traverse the CGW.
Problem: The configuration is correct if traffic to the global IP address does not pass through the CGW or if traffic from the local domain does pass through the CGW.

Full Mode

In full mode, all traffic by global, selective (if set up), and local domain should be sent over the CGW. Use these commands:

traceroute -n x.x.x.x

Expected Result: Both traceroutes should contain hops crossing over the CGW.
Problem: If any of the traffic passes the CGW, either the mode selection or routing rule needs adjustment.

Selective Mode

Selective mode routes traffic according to defined rules, such as allowed/blocked domains, IPs, and subnets. To test, and execute traceroutes to both allowed and blocked destinations:

traceroute -n x.x.x.x

Expected Result: Traffic to the allowed destinations must be routed over the CGW. Traffic to the blocked destinations should not traverse the CGW.
Problem: If blocked IPs/domains can be reached via the CGW, or allowed traffic is routed around the CGW, then the filtering rules need to be investigated. Selective mode relies on dnsmasq for its functionality.

Check System Logs

If the unexpected behavior persists, review the system log for errors or anomalies using:

logread

Analyze logs to identify problems such as policy misconfigurations, connectivity errors, or authentication failures.

Checking CGW Firewall Rules

Check that firewall rules for CGW are defined properly:

 uci show firewall | grep CGW

Example Response

root@Backup_node:/tmp# uci show firewall | grep CGW
firewall.CGW_ALLOWED_IPADDRESS=ipset
firewall.CGW_ALLOWED_IPADDRESS.name='CGW_ALLOWED_IPADDRESS'
firewall.CGW_ALLOWED_IPADDRESS.match='dst_net'
firewall.CGW_ALLOWED_IPADDRESS.storage='hash'
firewall.CGW_ALLOWED_IPADDRESS.enabled='1'
firewall.CGW_BLOCKED_IPADDRESS=ipset
firewall.CGW_BLOCKED_IPADDRESS.name='CGW_BLOCKED_IPADDRESS'
firewall.CGW_BLOCKED_IPADDRESS.match='dst_net'
firewall.CGW_BLOCKED_IPADDRESS.storage='hash'
firewall.CGW_BLOCKED_IPADDRESS.enabled='1'
firewall.CGW_ALLOWED_IPSUBNETS=ipset
firewall.CGW_ALLOWED_IPSUBNETS.name='CGW_ALLOWED_IPSUBNETS'
firewall.CGW_ALLOWED_IPSUBNETS.match='dst_net'
firewall.CGW_ALLOWED_IPSUBNETS.storage='hash'
firewall.CGW_ALLOWED_IPSUBNETS.enabled='1'
firewall.CGW_BLOCKED_IPSUBNETS=ipset
firewall.CGW_BLOCKED_IPSUBNETS.name='CGW_BLOCKED_IPSUBNETS'
firewall.CGW_BLOCKED_IPSUBNETS.match='dst_net'
firewall.CGW_BLOCKED_IPSUBNETS.storage='hash'
firewall.CGW_BLOCKED_IPSUBNETS.enabled='1'
firewall.CGW_ALLOWED_DOMAIN=ipset
firewall.CGW_ALLOWED_DOMAIN.name='CGW_ALLOWED_DOMAIN'
firewall.CGW_ALLOWED_DOMAIN.match='dst_net'
firewall.CGW_ALLOWED_DOMAIN.storage='hash'
firewall.CGW_ALLOWED_DOMAIN.enabled='1'
firewall.CGW_BLOCKED_DOMAIN=ipset
firewall.CGW_BLOCKED_DOMAIN.name='CGW_BLOCKED_DOMAIN'
firewall.CGW_BLOCKED_DOMAIN.match='dst_net'
firewall.CGW_BLOCKED_DOMAIN.storage='hash'
firewall.CGW_BLOCKED_DOMAIN.enabled='1'
firewall.CGW_ALLOWED=ipset
firewall.CGW_ALLOWED.name='CGW_ALLOWED'
firewall.CGW_ALLOWED.match='dst_set'
firewall.CGW_ALLOWED.storage='list'
firewall.CGW_ALLOWED.enabled='1'
firewall.CGW_ALLOWED.entry='CGW_ALLOWED_IPADDRESS' 'CGW_ALLOWED_IPSUBNETS' 'CGW_ALLOWED_DOMAIN'
firewall.CGW_BLOCKED=ipset
firewall.CGW_BLOCKED.name='CGW_BLOCKED'
firewall.CGW_BLOCKED.match='dst_set'
firewall.CGW_BLOCKED.storage='list'
firewall.CGW_BLOCKED.enabled='1'
firewall.CGW_BLOCKED.entry='CGW_BLOCKED_IPADDRESS' 'CGW_BLOCKED_IPSUBNETS' 'CGW_BLOCKED_DOMAIN'

Firewall-rules query "CGW" should return any firewall-rules containing the word "CGW," thus allowing inspection and confirmation. If the firewall rules are not defined correctly, it can close or misroute the traffic.

CGW Troubleshooting

Common Symptoms and Causes​

Troubleshooting Steps​

Access the CE Terminal​

Check the Last Configuration Response​

Example Response:​

Global​

Full​

Selected​

Verify Traffic Routing Based on CGW Mode​

Global Mode​

Full Mode​

Selective Mode​

Check System Logs​

Checking CGW Firewall Rules​

Example Response​