某局点F1090 RBM透明双主 管理备上下行不通问题处理经验案例

拓扑如下，两台F1090RBM透明双主，上行出口路由器，下行核心交换机，防火墙上下行分别是聚合口1和聚合口2：

ping管理备（56.13）的上下行不通：

以56.4为例，查看会话：

debug查看发现反向报文被ASPF策略丢弃了：

May 17 16:02:50:211 2024 CZ-CJ-F04G04U12-F1090 FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Trust, Dst-ZOne=Untrust;If-In=Bridge-Aggregation2(328), If-Out=Bridge-Aggregation1(327), VLAN-In=364, VLAN-Out=364; Packet Info:Src-IP=X.X.56.4, Dst-IP=X.X.133.2, VPN-Instance=, Src-MacAddr=X-X-X,Src-Port=0, Dst-Port=0, Protocol=ICMP(1), Application=invalid(0),Terminal=invalid(0), SecurityPolicy=Permit-ALL, Rule-ID=10.

*May 17 16:02:50:211 2024 CZ-CJ-F04G04U12-F1090 ASPF/7/PACKET: -COntext=1; The first packet was dropped by ASPF for invalid status. Src-ZOne=Trust, Dst-ZOne=Untrust;If-In=Bridge-Aggregation2(328), If-Out=Bridge-Aggregation1(327), VLAN-In=364, VLAN-Out=364; Packet Info:Src-IP=X.X.56.4, Dst-IP=X.X.133.2, VPN-Instance=none, Src-Port=7680, Dst-Port=0. Protocol=ICMP(1).

查看debug回显信息，确认不存在来回流量转发方式不同，尝试修改会话模式为宽松模式依旧不行

再次对比发现来回VLAN不一致，会话中正向报文vlan362，debug中反向报文vlan364

设备上聚合口是放通了vlan361 to 370：

interface Bridge-Aggregation1

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 361 to 370

 link-aggregation mode dynamic

#

interface Bridge-Aggregation2

 port link-type trunk

 undo port trunk permit vlan 1

 port trunk permit vlan 361 to 370

 link-aggregation mode dynamic

使用undo mac fast-forwarding check-vlan-id 命令关闭快速二层转发时对VLAN ID字段的检查功能