Two firewalls are stacked in dual-active mode as the egress; the downlink is a cross-chassis aggregation, and the uplink public-network port is connected on slot 2.
A PC attached under slot 1 cannot ping 114 (114.114.114.114); when the same PC is moved under slot 2, ping 114 works.
Collecting debug ip packet on the device to follow the packet path shows nothing wrong along the whole way:
*Jul 29 22:46:55:534 2022 FW IPFW/7/IPFW_PACKET: -COntext=1;
Receiving, interface = GigabitEthernet1/0/2 // packet from the terminal received on 1/0/2
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 28308, offset = 0, ttl = 64, protocol = 1
checksum = 4924, s = X.X.X.X, d = 114.114.114.114
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
VsysID = 1
prompt: Receiving IP packet from interface GigabitEthernet1/0/2.
Payload: ICMP
type = 8, code = 0, checksum = 0x4429.
*Jul 29 22:46:55:534 2022 FW IPFW/7/IPFW_PACKET: -COntext=1;
Transferring, interface = GigabitEthernet2/0/24 // forwarded to slot 2
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
checksum = 5180, s = X.X.X.X, d = 114.114.114.114
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
VsysID = 1
prompt: Sending to slot 2
Payload: ICMP
type = 8, code = 0, checksum = 0x4429.
*Jul 29 22:46:55:540 2022 FW IPFW/7/IPFW_PACKET: -COntext=1-Slot=2;
Transferring, interface = GigabitEthernet2/0/24
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
checksum = 5180, s = X.X.X.X, d = 114.114.114.114
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
VsysID = 1
prompt: IP TR: Receive packet from another node. // slot 2 received the forwarded packet
Payload: ICMP
type = 8, code = 0, checksum = 0x4429.
*Jul 29 22:46:55:540 2022 FW IPFW/7/IPFW_PACKET: -COntext=1-Slot=2;
Sending, interface = GigabitEthernet2/0/24 // sent out of 2/0/24
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
checksum = 5180, s = X.X.X.X, d = 114.114.114.114
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
VsysID = 1
prompt: Sending IP packet received from interface GigabitEthernet1/0/2 at interface GigabitEthernet2/0/24.
Payload: ICMP
type = 8, code = 0, checksum = 0x4429.
The security policy already permits the traffic:
*Jul 29 22:46:55:534 2022 FW FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Trust, Dst-ZOne=Untrust;If-In=GigabitEthernet1/0/2(4), If-Out=GigabitEthernet2/0/24(90); Packet Info:Src-IP=X.X.X.X, Dst-IP=114.114.114.114, VPN-Instance=, Src-MacAddr=H-H-H,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=ICMP(22742),Terminal=invalid(0), SecurityPolicy=shangwang, Rule-ID=1.
On the public-network port, no request packets toward 114 could be captured, and debugging nat packet produced no corresponding output.
It was later confirmed that in a dual-active stack, when traffic crosses chassis and NAT is configured on the physical interface, NAT cannot translate correctly, which is why the ping failed.
Configure NAT on a logical interface instead.
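As an added example (not part of the original case and not H3C's own tooling): a small Python parser that reads a debug ip packet trace of the shape shown above, reconstructs each packet's path by pktid, and flags the pattern this case hinges on, a packet that crosses slots and egresses on a physical interface, which is exactly where NAT placement matters. The sample trace is constructed from the entries above with a placeholder source address. Two assumptions are made: an entry without a -Slot= tag is attributed to the slot where the debug was collected (labelled "local"), and the interface-name prefixes used to classify an interface as physical are the ones listed in PHYSICAL_PREFIXES.

```python
import re

# Constructed sample modelled on the debug ip packet trace in the case;
# 10.0.0.5 is a placeholder source address, not a real host.
SAMPLE_TRACE = """\
*Jul 29 22:46:55:534 2022 FW IPFW/7/IPFW_PACKET: -COntext=1;
Receiving, interface = GigabitEthernet1/0/2
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 28308, offset = 0, ttl = 64, protocol = 1
checksum = 4924, s = 10.0.0.5, d = 114.114.114.114
prompt: Receiving IP packet from interface GigabitEthernet1/0/2.
*Jul 29 22:46:55:534 2022 FW IPFW/7/IPFW_PACKET: -COntext=1;
Transferring, interface = GigabitEthernet2/0/24
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
checksum = 5180, s = 10.0.0.5, d = 114.114.114.114
prompt: Sending to slot 2
*Jul 29 22:46:55:540 2022 FW IPFW/7/IPFW_PACKET: -COntext=1-Slot=2;
Transferring, interface = GigabitEthernet2/0/24
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
checksum = 5180, s = 10.0.0.5, d = 114.114.114.114
prompt: IP TR: Receive packet from another node.
*Jul 29 22:46:55:540 2022 FW IPFW/7/IPFW_PACKET: -COntext=1-Slot=2;
Sending, interface = GigabitEthernet2/0/24
pktlen = 60, pktid = 28308, offset = 0, ttl = 63, protocol = 1
checksum = 5180, s = 10.0.0.5, d = 114.114.114.114
prompt: Sending IP packet received from interface GigabitEthernet1/0/2 at interface GigabitEthernet2/0/24.
"""

# One entry header per debug event; the -Slot= tag is optional.
HEADER = re.compile(
    r"^\*(?P<ts>\w{3} \d+ [\d:]+ \d{4}) .*IPFW_PACKET: -COntext=(?P<ctx>\d+)"
    r"(?:-Slot=(?P<slot>\d+))?;"
)
ACTION = re.compile(r"^(?P<action>Receiving|Transferring|Sending), interface = (?P<intf>\S+)")
PKTID = re.compile(r"pktid = (?P<pktid>\d+).*ttl = (?P<ttl>\d+)")
ADDRS = re.compile(r"s = (?P<src>\S+), d = (?P<dst>\S+)")
PROMPT = re.compile(r"^prompt: (?P<prompt>.*)$")

# Assumption: these name prefixes denote physical ports; anything else
# (aggregation, VLAN interface, ...) is treated as logical.
PHYSICAL_PREFIXES = ("GigabitEthernet", "Ten-GigabitEthernet", "FortyGigE", "HundredGigE")


def parse_events(text):
    """Turn the raw trace into a list of event dicts, one per debug entry."""
    events, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            # No -Slot= tag: logged by the slot where the debug was collected
            # (assumption: label it "local").
            cur = {"ts": m["ts"], "slot": m["slot"] or "local", "action": None,
                   "intf": None, "pktid": None, "ttl": None, "src": None,
                   "dst": None, "prompt": None}
            events.append(cur)
            continue
        if cur is None:
            continue
        if (m := ACTION.match(line)):
            cur["action"], cur["intf"] = m["action"], m["intf"]
        elif (m := PKTID.search(line)):
            cur["pktid"], cur["ttl"] = int(m["pktid"]), int(m["ttl"])
        elif (m := ADDRS.search(line)):
            cur["src"], cur["dst"] = m["src"], m["dst"]
        elif (m := PROMPT.match(line)):
            cur["prompt"] = m["prompt"]
    return events


def packet_path(events, pktid):
    """Ordered (slot, action, interface) hops for one IP identification value."""
    return [(e["slot"], e["action"], e["intf"]) for e in events if e["pktid"] == pktid]


def crossed_slots(path):
    """True when the packet was handled by more than one stack member."""
    return len({slot for slot, _, _ in path}) > 1


def egress_interface(path):
    """Interface of the last Sending event, or None if the packet never egressed."""
    sends = [intf for _, action, intf in path if action == "Sending"]
    return sends[-1] if sends else None


def is_physical(intf):
    return intf is not None and intf.startswith(PHYSICAL_PREFIXES)


def summarize(text, pktid):
    """Reconstruct one packet's path and flag the cross-slot + physical-egress pattern."""
    path = packet_path(parse_events(text), pktid)
    egress = egress_interface(path)
    return {
        "hops": path,
        "crossed_slots": crossed_slots(path),
        "egress": egress,
        # The pattern from this case: if NAT is bound to this physical egress
        # port, the trace will look clean yet the translated packet never appears.
        "cross_slot_physical_egress": crossed_slots(path) and is_physical(egress),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_TRACE, 28308)
    for hop in result["hops"]:
        print("slot=%s %-12s %s" % hop)
    print("crossed slots:", result["crossed_slots"], "egress:", result["egress"])
    print("cross-slot traffic leaving on a physical port:", result["cross_slot_physical_egress"])
```

When the flag comes back True and debugging nat packet stays silent, that is the point at which to check whether NAT is bound to the physical port rather than to a logical interface, as the case concludes.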