问题描述:
2台路由器、防火墙、交换机均做IRF,三者之间的4条线路均做三层链路聚合,配置NAT后无法正常连接【HCL配置文件在附件中】
防火墙上已配置下面的会话相关命令:
session dual-active enable
session synchronization enable asymmetric
session synchronization dns http
session state-machine mode loose
(1)在防火墙上做出接口IP 192.168.1.2 的PAT地址转换,交换机无法ping 通 2.1.1.1和20.1.1.1;
acl basic 2000
rule 0 permit
#
interface Route-Aggregation1
ip address 192.168.1.2 255.255.255.0
nat outbound 2000
在防火墙上debug ip packet,信息如下(完整参考附件debug-pat.log)
[Firewall]*May 8 16:09:53:239 2024 Firewall IPFW/7/IPFW_PACKET: -COntext=1; 【从防火墙 IRF主接收】
Receiving, interface = Route-Aggregation2
checksum = 39007, s = 10.1.1.1, d = 20.1.1.1
prompt: Receiving IP packet from interface Route-Aggregation2.
Payload: ICMP
*May 8 16:09:53:239 2024 Firewall IPFW/7/IPFW_PACKET: -COntext=1;
Sending, interface = Route-Aggregation1
checksum = 58038, s = 192.168.1.2, d = 20.1.1.1
prompt: Sending IP packet received from interface Route-Aggregation2 at interface Route-Aggregation1.
Payload: ICMP
*May 8 16:09:53:083 2024 Firewall IPFW/7/IPFW_PACKET: -COntext=1-Slot=2; 【从防火墙 IRF备返回】
Receiving, interface = Route-Aggregation1
checksum = 57782, s = 20.1.1.1, d = 192.168.1.2
prompt: Receiving IP packet from interface Route-Aggregation1.
Payload: ICMP
*May 8 16:09:53:083 2024 Firewall IPFW/7/IPFW_PACKET: -COntext=1-Slot=2;
Delivering, interface = Route-Aggregation1
checksum = 57782, s = 20.1.1.1, d = 192.168.1.2
prompt: Forwarding IP packet to upper layer. 【转发到上层到哪了?】
Payload: ICMP
(2)在防火墙上做IP地址组 192.168.1.3 的PAT地址转换,交换机无法ping 通 20.1.1.1,但是可以ping 通2.1.1.1;
nat address-group 1 name outip
address 192.168.1.3 192.168.1.3
#
interface Route-Aggregation1
ip address 192.168.1.2 255.255.255.0
nat outbound address-group name outip
在防火墙上debug ip packet,信息如下(完整参考附件debug-nat.3.log)
<Firewall>*May 8 16:02:59:642 2024 Firewall IPFW/7/IPFW_PACKET: -COntext=1; 【从防火墙 IRF主接收】
Receiving, interface = Route-Aggregation2
checksum = 39027, s = 10.1.1.1, d = 20.1.1.1
prompt: Receiving IP packet from interface Route-Aggregation2.
Payload: ICMP
*May 8 16:02:59:642 2024 Firewall IPFW/7/IPFW_PACKET: -COntext=1;
Sending, interface = Route-Aggregation1
checksum = 58057, s = 192.168.1.3, d = 20.1.1.1
prompt: Sending IP packet received from interface Route-Aggregation2 at interface Route-Aggregation1.
Payload: ICMP
*May 8 16:02:58:843 2024 Firewall IPFW/7/IPFW_PACKET: -COntext=1-Slot=2; 【从防火墙 IRF备返回】
Receiving, interface = Route-Aggregation1
checksum = 57801, s = 20.1.1.1, d = 192.168.1.3
prompt: Receiving IP packet from interface Route-Aggregation1.
Payload: ICMP
*May 8 16:02:58:843 2024 Firewall IPFW/7/IPFW_PACKET: -COntext=1-Slot=2;
Discarding, interface = Route-Aggregation1
checksum = 58057, s = 20.1.1.1, d = 192.168.1.3
prompt: FIB BLACKHOLE. 【转发黑洞丢弃了!!!】
Payload: ICMP
(3)在防火墙上做IP地址组 192.168.1.4 的PAT地址转换,交换机可以ping 通 20.1.1.1和2.1.1.1;
nat address-group 1 name outip
address 192.168.1.3 192.168.1.4
#
interface Route-Aggregation1
ip address 192.168.1.2 255.255.255.0
nat outbound address-group name outip
在防火墙上debug ip packet,信息参考附件debug-nat.4.log
最佳答案
HCL不支持FW配置IRF组网,流量转发有问题。
请更换RBM组网
- 2024-05-08回答
- 评论(3)
- 举报
-
(0)
请教一下,HCL的防火墙RBM组网,是否支持双主的会话信息同步?
支持
在防火墙上配了RBM remote-backup group backup-mode dual-active data-channel interface Route-Aggregation10 undo configuration sync-check local-ip 100.1.1.2 remote-ip 100.1.1.1 port 38888 device-role primary 但是会话信息一直无法同步,导致非对称流量失败,这是还缺少什么配置命令吗? 另:搜索了社区上关于RBM会话同步的问题,有人说HCL不支持会话同步,你是否在HCL上成功实验过?
在防火墙上配了RBM
remote-backup group
backup-mode dual-active
data-channel interface Route-Aggregation10
undo configuration sync-check
local-ip 100.1.1.2
remote-ip 100.1.1.1 port 38888
device-role primary
但是会话信息一直无法同步,导致非对称流量失败,这是还缺少什么配置命令吗?
另:搜索了社区上关于RBM会话同步的问题,有人说HCL不支持会话同步,你是否在HCL上成功实验过?
- 2024-05-10回答
- 评论(0)
- 举报
-
(0)
编辑答案
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
- 1. 您举报的内容是什么?(请在邮件中列出您举报的内容和链接地址)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
- 3. 是哪家企业?(营业执照,单位登记证明等证件)
- 4. 您与该企业的关系是?(您是企业法人或被授权人,需提供企业委托授权书)
抄袭了我的内容
×
原文链接或出处
诽谤我
×
- 1. 您举报的内容以及侵犯了您什么权益?(请在邮件中列出您举报的内容、链接地址,并给出简短的说明)
- 2. 您是谁?(身份证明材料,可以是身份证或护照等证件)
对根叔社区有害的内容
×
不规范转载
×
举报说明
在防火墙上配了RBM remote-backup group backup-mode dual-active data-channel interface Route-Aggregation10 undo configuration sync-check local-ip 100.1.1.2 remote-ip 100.1.1.1 port 38888 device-role primary 但是会话信息一直无法同步,导致非对称流量失败,这是还缺少什么配置命令吗? 另:搜索了社区上关于RBM会话同步的问题,有人说HCL不支持会话同步,你是否在HCL上成功实验过?