Router Goes "Mute"

Hi Andy,

A few questions in order to understand it better:

Is it a specific router that always fail, or is it another router each time?

When the router "goes mute", does it still send link status messages?

I understand it will not route messages when mute. It is not clear, though, whether packets sent from the application in the effected router are actually sent of blocked as well.

Please provide sniffer traces of the issue in the original TI packet sniffer format (psd). The logs should include as much information as possible, before and after the issue happens. Please also refer us to the actual line numbers where you observed the issue.

Best regards,

OD.

OD,

Thanks for the quick followup.

Which Router: The router that fails seems to be random.  For the last few instances of this that we've had, the routers were all powered down for long enough that all of the end devices knew that they weren't connected anymore and tried to rejoin.  I don't know the relationship of the router that fails to the rest of the mesh.

Link status messages: None.  In fact, no traffic at all with the short source address it had before going away until the Beacon thing kicks it again.  I'm presuming the Data Ack's are from the locator because of packets immediately before that share the same 802.15.4 sequence number.

Other traffic/packets from the application: We don't see that either.  No application generated traffic.  Assuming the diagnostic code I added did what I intended, our application task was running.  There is a timer that would cause it to sent an update to the coordinator every 25 seconds.  Noe of those come out.

Unfortunately I can't provide TI format sniffer format data.  With the TI sniffer I wouldn't have been able to reliably capture packets continuously over the last few days.  Wireshark is easy to download; there's nothing special about the version I'm using to review my capture data.  In total, I have about 1.1GB of capture data.  Each file is 20MB.  I can work on pairing it down but it might be easier if I could get you some of the 20MB files and point you to places in those.  Is there a place I could do that to?

Thank you for your quick attention!

Andy

The capture files .zip'd down to about 4.5MB each.  Here's a try at all of the relevant details:

Wireshark available here: http://www.wireshark.org/download.html

File #00051 shows the router going mute.

File #00056 shows where it was provoked by beacon activity to come back.

Offending node extended address: 0x00124B00040BD63E.  In both files it’s short address is 0x25C6.

End device in File #56 that was rebooted extended address: 0x00124B00040BD42B.  Short address, both before and after reset, 0x9812

WS Searching examples:

802.15.4 addresses: (long) wpan.src64 == 0x00124B00040BD63E

(short) wpan.src16 == 0x25C6

Logical operators work: 

Search for NWK layer traffic originated by this node: wpan.src16 == 0x25C6 && (wpan.src16 == zbee_nwk.src)

Search for 802.15.4 traffic in or out of the node (less data acks): wpan.src16 == 0x25C6 || wpan.dst16 == 0x25C6

Particular types of the Application Endpoint 232 message can be distinguished by zbee_aps.dst==232 && data[18]==0x15. Values at data[18] that may be interesting from the router are 0x15, 0x25, 0x26.  From end devices a value at data[0] of 0x42 should correlate with their broadcast messages that cause all of the routers that heart it to produce their 0x15 message types.

The files:

Look for the file number in the name right before the timestamp field; for instance PairingAfterL09Onward-_00051_20140721202352.pcapng.

File #51:3716.PairingAfterL09Onward-_00051_20140721202352.zip2287.PairingAfterL09Onward-_00052_20140721231807.zip8407.PairingAfterL09Onward-_00056_20140722110753.zip  Router goes mute sometime after its last transmit at Pkt#165718; (wpan.src16==0x25c6).  Others continue to direct traffic at it until after Pkt#166023; (wpan.src16==0x25c6 || wpan.dst16 == 0x25c6).  After that, only short address 0x9196 keeps making data requests.

File #52: Aftermath; (wpan.src16==0x25c6 || wpan.dst16 == 0x25c6).  Nobody except 0x9169 is interested in talking to it any more.

The next day, I show up and find the router in the weeds and reset an end device to see if that will wake it up.

File #56: Reset of end device causes router to start transmitting again around Pkt#79849; (wpan.src16==0x25c6 || wpan.dst16 == 0x25c6 || wpan.src16 == 0x9812 || wpan.src64 == 0x00124B00040BD42B).  Running that search, selecting packet 79849 and then “clear”ing the search will leave the selection in the same place and allow you to see the first beacon request at 79843 and the other router responses after it.

This problem continues to occur.  From diagnostics that have been incorporated into the code we can tell:

• Main task loop is running and no tasks are being starved of CPU.
• Stacks are not being overrun.  XDATA and IDATA stack diagnostics are in place as "fences" to detect if the stack pointers run past the defined area.
• Periodic application level messages sent through AF_DataRequest() return afStatus_SUCCESS, perhaps with multiple tries, within 5 seconds of starting to try to send a message.

With updates to our diagnostics we can now tell what the maximum stack usage and heap high water mark is.  In addition, we have a flag that is set inside of osal_mem_alloc() if the alloc ever returns NULL since reset.  These three pieces of information are available in messages being sent from the routers.  From them we see in the two new cases that heap usage before the "mute" event was 1879 to 2437 bytes out of an allocation of ~3600 bytes. Afterward, we see that some osal_mem_alloc() call did receive a null and the heap high watermark is on the order of 3300 to 3400 bytes.

More code review was done on the application code, looking for possible buffer overrun errors.  None were found, even on storage that was allocated from osal_mem_alloc().

The most troubling part of this problem is that it seems to be undetectable from the application code.  If we could see that we were not getting packets out we could restart the node and go back to normal operation.

What can be done from TI's end to identify methods to detect this or the mechanism that is in play here that causes it in a way that Beacon Requests / Beacon Reception wakes it up?

Over the last two days there is some more, hopefully helpful information, to report.

We've added an additional diagnostic to walk the heap.  This is run every 5 seconds out of the main task loop.  It has not tripped yet, even though over the last 24 hours we've had another group of 4 routers go "mute", taking their end devices with them because of the data request ACKing that they do.  If necessary, I can proved the captured traffic around both the disappearance and the recovery of these nodes.

Also, with the error logging capability we have seen one instance where a router stopped talking but in a different way: No packets of any kind came out.   It took a power cycle on the device to bring it out of this state; for some reason the logging / restarting function got hung up.  When we looked at the logged error we determined that it came from a call to halAssertHandler() which in this system is only called by the TI libraries.  We've replaced this function with one that calls our own assert handler.  Our assumption is that there are no parameters passed to this function by the TI libraries.  Hence we have no further information about its source.

Hi Andy,

We are still looking into finding the reason for the issue. As a work-around, The application shall be able to identify this "mute" state, by monitoring the neighbor table:

You specified that link status are not being sent out when in mute. This means that the neighboring devices will mark the link cost from the mute device as 0 after about 45 seconds (the default 3 link status periods). Assuming the nwk layer operates correctly, the mute device, upon reception of the updated link status from its neighbors, will reflect the outgoing link cost in its neighbor table, to indicate a dead link to these neighbors. Another option is that the mute device will fail to process the incoming link statuses due to this erroneous state, and in this case even the incoming cost will be marked as 0. In any way, assuming that the age-out of the neighbor table entries is operational despite the error, the content of the neighbor table shall reflect the fact that the device went mute, so that the application can decide to reset the device.

Best regards,

OD

Hi OD,

We now have a diagnostic implemented that scans the neighborTable[], counting all of the entries with non-zero .linkInfo.txCost members.  When this count has been above zero in the past and drops back to zero, we log the error and restart.

From its name it seemed that nwkNeighborCount() should have done the same job as our table scan & count.  It didn't seem to reliably go back to zero, even after all of the txCost values had change to zero.

Can you confirm that this method that we're using is what you were recommending and that the behavior of nwkNeighborCount() is what you'd expect?

Andy

More update:

After reviewing the various logs it appears that the diagnostic tripped in five routers overnight.  Of those, only one appears to be a suspect false-positive; it happened when router nodes and end devices were being powered up.

It's taking about 80 seconds for the diagnostic to conclude that all of its neighbors have gone away.  With the design constraints on the system, this period inactivity will be visible to the end user.

Any updates on finding the root cause?

Andy

Hi Andy,

The diagnostic implementation you describe is indeed according to my suggestion.

You specified it takes it 80 seconds to identify the failure, while I'd expect a maximum of 45 seconds (unless you changed NWK_LINK_STATUS_PERIOD or NWK_ROUTE_AGE_LIMIT from their defaults of 15 and 3, respectively, on the peer nodes).

nwkNeighborCount() includes all valid neighbor table entries, including past neighbors even if they are unreachable (they are kept in the table as long as there is enough space for new entries). This explains your observation.

I hope to be able to provide more insight regarding the root cause by the end of the week.

Best regards,

OD

OD,

Yes, NWK_LINK_STATUS_PERIOD is still 15 and NWK_ROUTE_AGE_LIMIT  is still 3.

Thank you for the confirmation that our diagnostic is valid.

Andy

Hi Andy,

In order to narrow down the possible reasons for this issue, could you please verify whether the network task is being executed and the right event is being called when the mute state happens? To check this, you can hook into osal_run_system() in osal.c. The network task ID is available at the variable NWK_TaskID, and the event that is triggering message propagation from network layer to mac layer is 0x0020. This event is normally called in short intervals as long as there are packets in the network tx queue.

Regards,

OD

OD,

To have an idea of how to implement this, please provide some guidance.  Right now, our focus is on restoring the router to a functioning state as quickly as possible after this occurs.

For the test you suggest, it seems that we'd need to wait in the "mute" state a while to observe the event flags for the NWK task.  How do we know if we've waited long enough? How many times should we expect to see this flag set if it's being set "enough"?  Once implemented, we will have some work to do to attempt to intentionally recreate the conditions that seem to expose this problem.

For us right now, implementing this test for TI is a low priority.  We are focused on removing other reliability issues in the system.

Andy

Hi OD
As you may have seen I've got what looks like the same problems as Andy. Finally I've found some time for more testing and I've implemented debug code for:
- reporting the number of neighbors with non zero txCost and the maximum of these reached over time, and
- reporting the number of times event 0x0020 has been called for the network task
In my first test, this morning, with a small deployment of 40 routers plus 1 coordinator, I've seen 5 routers going mute after the first batch of high traffic load (I don't know if they were mute before but they had had traffic working properly for sure).
This muteness for me means they receive traffic (both unicast and broadcast up to the app layer) but they don't output any traffic. The situation is only solved when a new device is turned on (sending the beacon), or power cycling the muted device.
As for the reporting number for the muted routers all I can say is:
- all of them had a max of neighbors with non zero txCost >0
- all of them had 0 neighbors with txCost>0
- all of them kept updating (incrementing) the counter at the event 0x0020 of the network task

Once I've brought them back to the network by turning on a new device (all of them have come back all together with just this new device) they have been working properly for ours with new bursts of high traffic and no other device has gone mute.

Does this bring any light into the problem? May I add any further information in order to debug it?

Thanks a lot for your help. Regards,
Asier.

Hi Asier,

Sorry for not replying.  I feel your pain.  The project that my original question was about has been canceled.  I have not been following this in detail over the last year or so, since my original question and work-around.

Andy

Hi Andy,

Thanks for the empathy, I hope someone else get into it... It's turning me mad....

If at least someone could assure a z-stack version migration would get rid of the problem, I could maybe venture into it...

Regards,

Asier

Hi Andy and Asier,

I have just uncover the same problem recently.
I have had no problems to date with small networks running for year with no issues. 

Just recently we implemented AES security and a few other little features and this problem has stated occurring even in little networks of 5 routers.
I have also tried turned security back off, but the issues still persist, on devices we have had security turn enabled on. (However this is not conclusive and will investigate further).

The symptoms I have found are;
The router stops transmitting, but still is responsive to unicast messages i.e identity
We have an application broadcast message every 60 seconds sourced from the coordinator.
We have enabled SECURE=1 and TC_LINKKEY_JOIN with pre-configured link key.

Environment:
CC2530 
Zstack 2.5.0

Any luck solving the problem ?