JP2014053658A - Failure site estimation system and failure site estimation program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make it possible to rapidly estimate and narrow down a failure suspicion site in the case of a failure in a large scale network system including a logical failure.SOLUTION: A failure site estimation system comprises: a route information acquisition unit 110 for acquiring route information composed of interfaces on a communication route to each node and storing the route information in a route information DB 130 when a monitoring target NW 300 is normal; a hop-by-hop polling unit 121 for acquiring route information on each route to a failure node from the route information DB 130 when a failure occurs in the monitoring target NW 300, and sequentially performing polling to each interface included in the route information to collect results of OK or NG; a suspicion pair extraction unit 122 for acquiring a suspicion pair set by extracting a suspicion pair, which is a pair of the nearest one of interfaces whose results are NG and the interface whose result is OK immediately in front of the nearest one, from each failure node; and a failure site output unit 123 for extracting a failure suspicion site on the basis of the suspicion pair set and the route information and outputting the failure suspicion site.

Description

  The present invention relates to a network management technique, and more particularly to a technique effective when applied to a failure part estimation system and a failure part estimation program for estimating a failure part in the event of a network failure.

  Normally, when operating and managing a network system, for example, a network monitoring system or the like monitors and detects a fault and identifies a faulty part. In general, a network monitoring system is configured by software, a system, a device, or the like provided / marketed by a vendor or the like, for example.

  However, in a large-scale network system, for example, when a failure occurs in a core network device, other devices are affected, and the network device detected as a failure by the network monitoring system is temporarily In many cases, it is difficult to specify an exact fault site. In particular, if the network device that has failed is not in a state where it has been completely stopped due to a hardware failure, etc., but in a “half-dead” state in which normal processing and error processing are repeated, the network It becomes more difficult to identify the faulty part by the monitoring system.

  Usually, in such a case, an engineer or developer who is familiar with the network system such as SE (System Engineer) manually analyzes and isolates the fault to identify the fault site. However, such failure analysis and failure location identification methods are personal, inefficient, and take a long time to implement countermeasures (for example, restarting specific network devices). There are many cases.

  On the other hand, as a mechanism for efficiently identifying a faulty part in a network system, for example, Japanese Patent Laying-Open No. 2006-229421 (Patent Document 1) describes a tree-type network topology composed of branches and terminals. , Using a hierarchical structure table in which the root side of the tree is the upper layer side and the tip side is the lower layer side, the next lower layer appears in each branch, and each branch and its lower layer side are associated with each other in a hierarchical structure. Describes a technique for easily diagnosing failures other than network terminals by finding the branch portion as an estimated failure location when failures in all lower-layer terminals from a certain branch toward the top of the tree are detected .

  Japanese Patent Laying-Open No. 2006-238052 (Patent Document 2) discloses a flow quality information collection unit that collects flow quality information including a sender address, a receiver address, and communication quality of a flow that is being flowed by a network user. And a route information collection means for collecting network configuration information, and a link through which the flow passes is determined based on the collected flow quality information and the network configuration information, and the presence / absence of flow quality degradation is determined. In the flow quality / routed link table management unit and table storage unit that manage the results as a table, and in the managed table, if there is quality degradation in one or more flows, the flow of any flow that caused the quality degradation A link through which an arbitrary flow that has degraded quality is in a subset of the set of links through which the set passes Technology that enables high-precision and high-speed quality degradation location estimation by having a quality degradation location estimation unit that outputs a subset that includes a minimum number of elements as a quality degradation location. Is described.

  Japanese Patent Laid-Open No. 2010-147595 (Patent Document 3) discloses a network configuration DB storage unit that holds a management target device and path information indicating a management target device on a path to the device, and a delivery If there is no response to the confirmation, it is extracted from the information holding the route information of the managed device that has not responded, the delivery confirmation of the route information to the managed device is performed, and the response to the delivery confirmation A technology is described that includes a network management unit that identifies a management target device that has not been detected as a failure generation device so that failure monitoring in the network layer is performed by confirmation of delivery, and a device that causes a network failure is quickly identified.

JP 2006-229421 A JP 2006-238052 A JP 2010-147595 A

  With the technique described in Patent Document 1, it is possible to estimate a branch portion of a failure location from a tree-type network topology. However, for that purpose, it is necessary to create information related to the network topology in advance, for example, by CAD or the like, and there are cases where simplicity and flexibility are lacking in consideration of changes in the network configuration. Further, a failure may be determined based on the presence or absence of a response to polling, and a failure may not be accurately determined when the network device is in a “half dead” state due to a logical failure or the like.

  Further, in the technique as described in Patent Document 2, flow quality degradation is determined based on communication quality such as packet loss and delay, and a set of links through which a set of flows causing quality degradation passes. A quality degradation location can be estimated based on information. However, there may be a case where the quality information itself cannot be collected from a terminal device or the like due to a network failure, and there may be a case where the estimation accuracy cannot be maintained depending on the failure mode.

  In addition, in the technology as described in Patent Document 3, when there is no response to the delivery confirmation to the management target device, the failure cause device is determined by confirming the delivery to the management target device on the route. Although it is possible to identify the failure, the failure is judged based on the presence or absence of a response to the delivery confirmation. Therefore, there may be a case where the network device cannot accurately determine the failure in a “half-dead” state due to a logical failure or the like. .

  Accordingly, an object of the present invention is to quickly estimate and narrow down a suspected part of a failure in the case of a failure in a large-scale network system, including the case where the network device that caused the failure is a logical failure. An object of the present invention is to provide an obstacle site estimation system and an obstacle site estimation program. The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.

  Of the inventions disclosed in this application, the outline of typical ones will be briefly described as follows.

  A failure site estimation system according to a representative embodiment of the present invention estimates a failure site when a failure occurs in a monitored network having a configuration in which nodes composed of network devices are connected in a tree shape. A system having the following characteristics.

  That is, when the monitoring target network is normal, for each node in the monitoring target network, route information including the interface of each node on the communication route to the node is acquired and recorded in the route information recording unit In the event of a failure of the monitoring target network, the acquisition unit acquires route information from the route information recording unit to each of the failed nodes, and sequentially polls each interface included in the route information. , A sequential polling unit that collects OK or NG results, and the interface that is included in the path information, the interface that is closest to the polling result is NG, and the polling result that is immediately before that is OK The failed interface to each failed node. A suspicious pair extraction unit that extracts a suspicious pair and obtains a suspicious pair set, and a failure that extracts and outputs a suspicious part based on the suspected pair set and the route information recorded in the route information recording means It has the site | part output part, It is characterized by the above-mentioned.

  The present invention can also be applied to a program that causes a computer to operate as the above-described failure site estimation system.

  Among the inventions disclosed in the present application, effects obtained by typical ones will be briefly described as follows.

  That is, according to the representative embodiment of the present invention, in the event of a failure in a large-scale network system, the suspected site of failure is quickly estimated, including the case where the network device that caused the failure is a logical failure. It becomes possible to narrow down.

It is the figure which showed the outline | summary about the structural example of the network monitoring system which has a failure site | part estimation system in one embodiment of this invention. It is the figure which showed the outline | summary about the example of the network monitoring in one embodiment of this invention. It is the figure which showed the outline | summary about the example of the process which acquires the route information and quality information in one embodiment of this invention. It is the figure which showed the outline | summary about the example of the process which acquires the route information and quality information in one embodiment of this invention. It is the figure which showed the outline | summary about the example of the process which acquires the route information and quality information in one embodiment of this invention. It is the figure which showed the example of the source code for obtaining the hop-by-hop list | wrist in one embodiment of this invention. It is the figure which showed the outline | summary about the example of the process which acquires a suspicious pair set with respect to the node in which the failure was detected in one embodiment of this invention. It is the flowchart which showed the outline | summary about the example of the process which estimates and outputs the failure | damage suspected site | part in one embodiment of this invention. It is the figure which showed the outline | summary about the example of the process which estimates a failure suspected site | part based on the suspicious pair set in one embodiment of this invention. It is the figure which showed the outline | summary about the example of the network monitoring in a prior art.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. Note that components having the same function are denoted by the same reference symbols throughout the drawings for describing the embodiment, and the repetitive description thereof will be omitted. In the following, in order to make the features of the present invention easier to understand, the description will be made in comparison with the prior art.

<Overview>
FIG. 10 is a diagram showing an overview of an example of network monitoring in the prior art. In FIG. 10, a fault monitoring system configured by a commercially available tool or the like provided by each vendor for a tree-type monitored network (NW) 300 configured by a network (NW) device 310 such as a plurality of routers. 200 shows a configuration in which 200 is connected and a failure occurrence in the monitoring target NW 300 is constantly monitored. Here, the failure monitoring system 200 performs alive monitoring on each NW device 310 by, for example, Internet Control Message Protocol (ICMP) / Simple Network Management Protocol (SNMP) polling.

  Here, for example, when a failure occurs in the NW device 310a, in the general failure monitoring system 200, the operator confirms each device under the network configuration (the shaded NW device 310 in the figure). Displayed as a failure on the monitoring screen. In particular, when the NW device 310a is in a “half-dead” state due to a logical failure or the like, the failure device is displayed in a random and large amount depending on the timing of alive monitoring by the failure monitoring system 200. It becomes difficult to determine whether the site is the root cause of the failure.

  In such a case, an engineer such as SE is called to perform failure analysis, isolation, etc., and specify the failure site as the NW device 310a. However, in the case of a logical failure rather than a hardware failure, the failure occurrence status may be unknown even by referring to the device log, etc. In most cases, it takes a long time of several tens of minutes to several hours. In particular, in a large-scale system, it is desirable to identify a faulty part and implement countermeasures more quickly.

  In order to automatically identify the faulty part automatically in the system, a large-scale monitoring system or analysis system corresponding to this is required. On the other hand, in order to perform simply and at a lower cost, for example, automate the process of narrowing down the suspected part of the failure to some extent, and then manually or manually from the narrowed-down target NW device 310. Furthermore, by implementing countermeasures against some of the narrowed down devices, it may be possible to quickly recover.

  In the case of a logical failure (for example, an abnormality in a routing table), as a general tendency, for example, an error or an abnormal log is not output from the NW device 310, and it seems to be operating normally at first glance. May be visible. In addition to the case where ping does not pass, there are cases where ping passes or does not pass, and there are cases where short frame ping passes but long frame ping does not pass. It is possible to grasp the logical failure by devising. In order to quickly recover from a logical failure, it is effective to identify and isolate the faulty part (power supply interruption, restart, etc.).

  In view of this, the failure site estimation system according to an embodiment of the present invention can quickly identify a failure site even when a large number of failure messages are displayed on the failure monitoring system 200 due to a hardware failure. It is possible to identify and efficiently check the log, etc., and even in the case of a logical failure, it is possible to quickly estimate and narrow down the suspected portion of the failure and enable countermeasures.

  In this embodiment, in order to enable easy and quick estimation and narrowing down of a faulty part, in this embodiment, route information and quality information in the monitoring target NW 300 are collected and recorded periodically during normal operation. At the time / abnormality (when a failure is detected by the failure monitoring system 200), hop-by-hop polling is performed on a hop-by-hop basis according to the communication path acquired at the normal time. Based on the success or failure (life and death information) of this polling, a set of faulty parts is extracted, and a faulty suspected part causing the problem is estimated and extracted from the set. Here, the success or failure of polling is not limited to the presence or absence of a response, but it is determined as a faulty part when a quality deterioration is more than a certain level based on a comparison with quality information at normal time, such as a logical fault. Even in the case of “half-dead”, it is possible to estimate the site of failure.

  FIG. 2 is a diagram showing an overview of an example of network monitoring according to an embodiment of the present invention. Here, in addition to the conventional failure monitoring system 200, the failure portion estimation system 100 for estimating the failure portion is provided, and when the failure caused by the NW device 310a is detected in the failure monitoring system 200 or the like (FIG. 10). As in the case, the subordinate NW device 310 is detected as a failure state), and the failure site estimation system 100 analyzes the route information to each NW device 310 that is in failure and the life / death information on the communication route. Thus, it is possible to estimate that the NW device 310a is a suspected part of the failure.

<System configuration>
FIG. 1 is a diagram showing an outline of a configuration example of a network monitoring system having a failure site estimation system 100 according to an embodiment of the present invention. As shown in FIG. 2 described above, the network monitoring system has a configuration in which the failure monitoring system 200 and the failure site estimation system 100 are connected to the monitoring target NW 300.

  The monitoring target NW 300 is a tree-type network composed of a number of NW devices 310 such as routers, and each NW device 310 has a routing table 311 that holds route information as necessary. Further, the failure monitoring system 200 is configured by a commercially available tool or the like provided by each vendor as described above, and performs life / death monitoring on each NW device 310 of the monitoring target NW 300 by, for example, ICMP / SNMP polling. In this information processing system, a failure is detected and displayed on a map representing a network topology or displayed as a failure notification message.

  When the failure monitoring system 200 detects a failure in a plurality of nodes (NW devices 310) in the monitoring target NW 300, the failure site estimation system 100 and route information to each node and life / death information in each node on the communication route are detected. Based on the above, a common site on the communication path that causes each node failure is identified and estimated as a failed site. In the present embodiment, an example is shown in which the failure site estimation system 100 is configured as a system separate from the failure monitoring system 200, but it is naturally possible to configure these as a single system.

  The fault site estimation system 100 is an information processing system including, for example, a PC (Personal Computer), a server device, and the like, and includes a path information acquisition unit 110 and a fault site estimation unit 120 implemented as software, a database and a file. A route information database (DB) 130 and the like mounted as a table or the like are included.

  The route information acquisition unit 110 performs route search by ping / traceroute and SNMP on all nodes (NW devices 310) in the monitoring target NW 300 when the monitoring target NW 300 is normal, and acquires normal route information. It has a function of recording in the route information DB 130. Details of the route information acquisition process will be described later.

  The fault site estimation unit 120 estimates a suspected fault site that causes a fault from the NW device 310 in which the fault is detected when the monitoring target NW 300 is faulty or abnormal (when a fault is detected by the fault monitoring system 200 or the like). And, for example, each unit such as a hop-by-hop (sequential) polling unit 121, a suspicious pair extraction unit 122, and a faulty part output unit 123. The hop-by-hop polling unit 121 obtains normal route information from the route information DB 130 for the IP address in which a failure is detected, and sends it to all IP addresses (hop-by-hop list) on the communication route. It has a function of grasping the state of each node by performing polling by ping sequentially (hop-by-hop) and collecting results (OK / NG).

  The suspicious pair extraction unit 122 includes the IP address that is the closest to the communication path (closest to the faulty part estimation system 100) among the IP addresses in which the ping result is abnormal in the polling by the hop-by-hop polling unit 121; A function that extracts the IP address of the hop immediately before on the communication path (the result of the ping is normal) as a suspected pair and performs this for each IP address in which a failure is detected to obtain a suspected pair set Have The failure part output unit 123 has a function of performing a unique process on the suspicious pair set extracted by the suspicious pair extraction unit 122, and extracting and outputting the suspicious part by a predetermined logic based on the result. The contents of the process for estimating the suspected part will also be described later.

<Route information acquisition processing>
Below, the content of the route information acquisition process by the route information acquisition unit 110 at the normal time will be described first. Here, a list of complete IP addresses on a normal communication path to all the monitoring target nodes (NW devices 310) in the monitoring target NW 300 is created and used as path information, and the communication path (monitoring target Node) is acquired and recorded in the route information DB 130. It is desirable to execute this processing periodically when it is normal, or at least when there is a system or network configuration change that may affect the communication path and communication quality.

  3 to 5 are diagrams showing an outline of an example of processing for acquiring route information and quality information. Here, the failure site estimation system 100 is a node “n00”, and each NW device 310 such as a router in the monitoring target NW 300 is a node “n01”, “n21”, “n22”, “n41”, “n42”, “ An example of a tree-type network configuration represented as n43 ″ is shown (devices such as layer 2 switches are omitted). Each node has an interface (IF) 312 represented as “i00” to “i43”. In the example of FIGS. 3 to 5, the case where the route information and the quality information about the interface 312 (IP address) of “i41” are acquired is described as an example.

  First, in order to acquire normal quality information, as shown in FIG. 3, the path information acquisition unit 110 of the fault site estimation system 100 (node “n00”) performs the monitoring target interface 312 (“i41”). The ping command is issued, and the packet loss rate and the average delay time are obtained from the response. In the example of FIG. 3, an arrow indicates a state in which an echo-reply packet is received as a response to an echo packet for the interface 312 of “i41” by ping. The acquired quality information is recorded in the route information DB 130 in association with the target interface 312. The quality information may be accumulated for a certain period, and a predetermined statistical process may be performed on the quality information to obtain a quality baseline.

  Next, in order to obtain the normal path information, as shown in FIG. 4, a traceroute command is issued to the monitored interface 312 (“i41”), and the node that has passed through to the interface 312 is obtained. Get information. In the example of FIG. 4, an arrow indicates a state in which echo packets are sequentially transmitted to the nodes “n01”, “n21”, and “n41” on the communication path and the time-exceeded packet is received as a response.

  Next, a route search by SNMP is executed for each transit node acquired by traceroute, and all input interfaces 312 and output interfaces 312 for each hopping node are acquired. In the example of FIG. 5, the state in which the snmpget command is issued for each of the relay nodes “n01” and “n21” with respect to the destination node “n41” is indicated by an arrow. With this command, information on the input and output interfaces 312 can be acquired from management information of MIB (Management Information Base) obtained based on the routing table 311 of each node.

  Based on the information on the transit node acquired by the process shown in the example of FIG. 4 and the information on the input and output interfaces 312 at each transit node acquired by the process shown in the example of FIG. As shown in the table, communication from the interface 312 (“i00”) of the failure site estimation system 100 (node “n00”) to the interface 312 (“i41”) of the monitored NW device 310 (node “n41”). A list of interfaces 312 (hop-by-hop list 131) on the route is created. The information of the created hop-by-hop list 131 is recorded in the route information DB 130 in association with the monitored interface 312. Note that the order of acquiring the quality information and the route information is not limited to the above order, and the route information may be acquired first.

  FIG. 6 is a diagram showing an example of source code for obtaining the hop-by-hop list 131 as reference information. In the upper diagram, as an example of a target network configuration, an IP address of the failure site estimation system 100 (node “n00”) and its interface 312, a target node (NW device 310) and interface 312, a relay node (NW device) 310) and its input / output interface 312 and routing table 311. Further, the lower diagram shows an example of the source code 111 for obtaining a list of interfaces 312 up to the target interface 312 in the configuration as shown in the upper diagram.

<Injury site estimation process>
Below, the content of the fault site estimation processing by the fault site estimation unit 120 at the time of fault / abnormality will be described. When the failure monitoring system 200 or the failure site estimation system 100 detects a network failure by, for example, periodically polling each node in the monitoring target NW 300 by ping or the like, the failure site estimation unit The 120 hop-by-hop polling unit 121 performs hop-by-hop ping on each interface 312 (IP address) in which a failure is detected. That is, the route information (hop-by-hop list 131) to the target interface 312 is acquired from the route information DB 130, and the IP address of each interface 312 included in the list is polled by ping, and communication OK / NG is determined.

  When detecting a failure in polling by ping or determining whether communication is OK / NG, it is not determined only by whether or not a ping response is received, but quality information such as packet loss rate and average delay is not determined. The value is determined by comparing with normal quality information (baseline) recorded in the route information DB 130. For example, determination may be made based on whether or not the current quality information values have fallen by a predetermined threshold or more from the baseline, or a failure may be estimated using a statistical method. Good.

  Further, the suspicious pair extraction unit 122 of the faulty part estimation unit 120 includes the interface 312 that is the foremost on the communication path among the interfaces 312 in which the polling result is NG, and the hop that is one hop before the communication path. The interface 312 is extracted as a suspect pair. This is performed for each interface 312 in which a failure is detected, and the suspected pair set 132 is acquired.

  FIG. 7 is a diagram showing an overview of an example of processing for acquiring the suspected pair set 132 for a node in which a failure is detected. Here, a case where the interface 312 of “i21” becomes a failure in the configuration of the monitoring target NW 300 shown in the upper left side of the drawing (similar to that shown in the examples of FIGS. 3 to 5) is taken as an example.

  At this time, the hop-by-hop polling unit 121 communicates with each node (“n21”, “n41”, “n42”) in which the failure is detected in the failure monitoring system 200 (polling by ping becomes NG). Polling by ping is performed hop-by-hop with respect to each interface 312 on the route. In this case, in the example of FIG. 7, for example, polling is performed in each interface 312 (shown by shading in the upper left diagram) of “i21”, “i31”, “i32”, “i41”, “i42”. Becomes NG, and the other interface 312 becomes OK. The result of this polling is added to and reflected in the table of the hop-by-hop list 131 is the table on the upper right side of FIG. The value of OK / NG in the table indicates the result of polling by ping for the target interface 312.

  Here, among the interfaces 312 on the route where the hop-by-hop polling result for each interface 312 is NG, the foremost interface 312 and the immediately preceding hop interface 312 are extracted as suspected pairs. To do. That is, in the hop-by-hop list 131, the interface 312 at the boundary where the polling result changes from OK to NG is extracted as a suspect pair, and a suspected pair set 132 (the lower table in FIG. 7) is created.

  In the suspicious pair set 132, an item “NG” indicates an interface 312 in which the polling result at the boundary portion is NG, and an item “PREV” indicates an interface 312 in which the polling result of the previous hop is OK. In the example of FIG. 7, “PREV” is “i11” and “NG” is “i21” in all the monitoring target interfaces 312.

  Next, the failure site output unit 123 of the failure site estimation unit 120 estimates and outputs the suspected failure site based on the suspected pair set 132 and the route information recorded in the route information DB 130. FIG. 8 is a flowchart showing an overview of an example of processing for estimating and outputting a suspected failure site. First, unique processing (excluding duplicates) is performed on the interface 312 of the NG item of each entry of the suspected pair set 132 (S01). Next, it is determined whether or not the number of entries (number of NG item interfaces 312) as a result of the unique processing is 1 (S02). If the number of entries is 1, the interface 312 of the NG item of the entry is output as the suspected failure part (pattern 1) (S03). That is, as shown in the figure, an NG interface 312 (only one exists) at the boundary between OK and NG is output as a suspected failure site.

  If there are a plurality of NG item entries in step S02, the unique processing is further performed on the interface 312 of the PREV item of each entry of the suspected pair set 132 (unique processing for the NG item) (S04). Next, it is determined whether or not the number of entries (number of PREV item interfaces 312) as a result of the unique processing is 1 (S05). When the number of entries is 1, the section between the PREV item interface 312 and the NG item interface 312 of the entry is output as a suspected failure site (pattern 2) (S06). That is, as shown in the figure, the section of the boundary part between OK and NG (as shown, this part may include a network provided by a provider or the like) is output as a suspected failure part.

  If there are a plurality of entries in the PREV item in step S05, the unique set of these interfaces 312 is output as a suspected failure site (pattern 3) (S07). In other words, as shown in the figure, the OK interface 312 (plural) at the boundary between OK and NG is output as a suspected failure site.

  FIG. 9 is a diagram showing an outline of an example of processing for estimating a suspected fault site based on the suspected pair set 132. Here, based on the suspected pair set 132 acquired in the example shown in FIG. 7, the case where the suspected failure site is estimated by the example of the suspected failure site estimation method shown in FIG. 8 is shown. In the example of FIG. 9, as a result of performing the unique process for the interface 312 of the NG item for the suspected pair set 132 by the process of step S01 of FIG. 8, the entry of the NG item is only one record of “i21”. , The pattern “i21” is estimated to be a suspected fault site and output according to pattern 1.

  The mode of output is not particularly limited. For example, the output may be highlighted on the map representing the topology of the monitoring target NW 300 on the screen of the failure monitoring system 200 so that the suspected failure portion can be identified. Moreover, the structure which displays the IP address applicable to a failure suspected part, the interface 312, the identification information of the NW apparatus 310, etc. as a message may be sufficient. The suspected failure site output here is a site suspected of being the cause of the failure, and may contain components other than the exact cause, but is very important in terms of quick failure response. It is information.

  As described above, according to the failure site estimation system 100 according to an embodiment of the present invention, the route information and the quality information in the monitoring target NW 300 are collected and recorded periodically during normal operation. Polling by ping is performed hop-by-hop according to the communication path acquired in the normal state when an abnormality (when a failure is detected by the failure monitoring system 200). Based on the success or failure (life and death information) of this polling, a set of faulty parts is extracted, and a faulty suspected part causing the problem is estimated and extracted from the set. Here, the success or failure of polling is not limited to the presence or absence of a response, but it is determined as a faulty part when a quality deterioration is more than a certain level based on a comparison with quality information at normal time, such as a logical fault. Even in the case of “half-dead”, it is possible to estimate the site of failure.

  Thus, even in the case of a large-scale network failure, the failure site estimation system 100 can easily analyze the route information to each failed node (NW device 310) and the life / death information on the communication route. Therefore, it is possible to quickly estimate and narrow down the suspected failure site. In addition, since it is possible to easily estimate the suspected failure site by an operator or the like without requiring difficult operations, it becomes possible to narrow down the suspected failure site early and take immediate countermeasures depending on the situation. .

  As mentioned above, the invention made by the present inventor has been specifically described based on the embodiment. However, the present invention is not limited to the embodiment, and various modifications can be made without departing from the scope of the invention. Needless to say. For example, the above-described embodiment has been described in detail for easy understanding of the present invention, and is not necessarily limited to the one having all the configurations described. In addition, it is possible to add, delete, and replace other configurations for a part of the configuration of the embodiment. Moreover, in each said figure, the control line and the information line have shown what is considered necessary for description, and do not necessarily show all the control lines and information lines on mounting. Actually, it may be considered that almost all the components are connected to each other.

  INDUSTRIAL APPLICABILITY The present invention can be used for a failure site estimation system and a failure site estimation program for estimating a failure site in the event of a network failure.

1 ... Network (NW) monitoring system,
DESCRIPTION OF SYMBOLS 100 ... Fault site estimation system, 110 ... Path information acquisition unit, 111 ... Source code, 120 ... Fault site estimation unit, 121 ... Hop-by-hop (sequential) polling unit, 122 ... Suspicious pair extraction unit, 123 ... Fault site output unit , 130 ... Route information database (DB), 131 ... Hop-by-hop list, 132 ... Suspicious pair set,
200 ... Fault monitoring system,
300: Network to be monitored (NW), 310, 310a ... Network (NW) device, 311 ... Routing table, 312 ... Interface.

Claims (8)

A failure location estimation system that estimates a suspected failure location when a failure occurs in a monitored network having a configuration in which nodes composed of network devices are connected in a tree shape,
A path information acquisition unit that acquires, for each node in the monitoring target network, path information including an interface of each node on a communication path leading to the node when the monitoring target network is normal, and records the path information in a path information recording unit When,
When a failure occurs in the monitored network, route information to each failed node is obtained from the route information recording means, and each interface included in the route information is sequentially polled, and OK or NG A sequential polling unit that collects the results of
In each interface included in the path information, the most recent interface in which the polling result is NG and the interface in which the previous polling result is OK are used as suspected pairs, resulting in a failure. A suspicious pair extraction unit that extracts a suspicious pair for each node and obtains a suspicious pair set; and
A fault site estimation system comprising: a fault site output unit that extracts and outputs a fault site based on the suspected pair set and the path information recorded in the path information recording means. In the failure site estimation system according to claim 1,
The path information acquisition unit acquires quality information about a communication path that reaches each node in the monitored network when the monitored network is normal, and records the quality information in the path information recording unit,
The sequential polling unit is a result of the sequential polling based on the comparison between the quality information acquired at the time of the sequential polling and the quality information at the normal time for the corresponding communication path recorded in the path information recording unit. It is determined whether or not is OK or NG. In the failure site estimation system according to claim 2,
The fault location estimation system, wherein the quality information recorded in the route information recording means is information on a packet loss rate and / or an average delay time included in a response to the ping command. In the failure site estimation system according to any one of claims 1 to 3,
The route information acquisition unit issues a traceroute command to each node in the monitored network to acquire information on a node on the communication route, and searches for a route by SNMP for each node on the acquired communication route. And acquiring the accounting information by acquiring the input and / or output interface information. In the failure site estimation system according to any one of claims 1 to 4,
When the number of entries from which duplication is eliminated is 1 for the interface in which the polling result is NG in the suspected pair set, the failure part output unit determines that the polling result for the entry is NG. A fault site estimation system that outputs an interface as a fault suspected site. In the failure site estimation system according to any one of claims 1 to 5,
The failure part output unit has a plurality of entries in which the duplication is eliminated for the interface in which the polling result is NG in the suspect pair set, and the polling result is OK in these entries. If the number of entries from which duplication is eliminated is 1 for the interface that has become an error, the section between the interface whose polling result is OK and the interface whose polling result is NG is faulty. A fault site estimation system characterized by outputting as a suspected site. In the failure site estimation system according to any one of claims 1 to 6,
The failure part output unit has a plurality of entries in which the duplication is eliminated for the interface in which the polling result is NG in the suspect pair set, and the polling result is OK in these entries. When there are a plurality of entries whose duplication has been eliminated for a given interface, the interface for which the polling result relating to the entry is OK is output as a suspected fault site. A failure site estimation program for operating a computer as a failure site estimation system for estimating a failure site when a failure occurs in a monitored network having a configuration in which nodes composed of network devices are connected in a tree shape,
A path information acquisition process for acquiring path information composed of interfaces of nodes on a communication path leading to the node for each node in the monitored network when the monitored network is normal and recording the path information in a path information recording unit When,
When a failure occurs in the monitored network, route information to each failed node is obtained from the route information recording means, and each interface included in the route information is sequentially polled, and OK or NG A sequential polling process to collect the results of
In each interface included in the path information, the most recent interface in which the polling result is NG and the interface in which the previous polling result is OK are used as suspected pairs, resulting in a failure. A suspicious pair extraction process for extracting a suspicious pair for each node and obtaining a suspicious pair set;
A faulty part estimation program for causing a computer to execute a faulty part output process for extracting and outputting a faulty suspected part based on the suspected pair set and the route information recorded in the route information recording means.

Images