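The firewall is an M9014. Direct external access to the address 172.28.11.1 fails; what is going on? On the responder side, ASPF cannot match a session.
Is this a bug in the firewall, or a traffic-steering problem?
172.28.11.1 has a NAT Server configured; is it related to this NAT Server?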
RBM_P<fw001.pri.bjyz.ltzx>
*Jun 10 11:43:23:724 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=8.1;
Receiving, interface = Route-Aggregation2.185
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 65469, offset = 0, ttl = 63, protocol = 6
checksum = 22566, s = 10.17.34.170, d = 172.28.11.1
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.185.
Payload: TCP
source port = 44500, destination port = 22
sequence num = 0xe83f08ff, acknowledgement num = 0x00000000, flags = 0x2
window size = 64240, checksum = 0xd56b, header length = 40.
*Jun 10 11:43:23:724 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/44500-->172.28.11.1/22(TCP(6))
Session entry was created.
*Jun 10 11:43:23:724 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=8.1; The packet is permitted. Src-ZOne=Security, Dst-ZOne=cupaas;If-In=Route-Aggregation2.185(7073), If-Out=Route-Aggregation2.187(7044); Packet Info:Src-IP=10.17.34.170, Dst-IP=172.28.11.1, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=44500, Dst-Port=22, Protocol=TCP(6), Application=ssh(13), Url-category=invalid(65535), SecurityPolicy=VPN_To_cupaas, Rule-ID=1303.
*Jun 10 11:43:23:724 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=8.1;
Sending, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 65469, offset = 0, ttl = 62, protocol = 6
checksum = 22822, s = 10.17.34.170, d = 172.28.11.1
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Sending IP packet received from interface Route-Aggregation2.185 at interface Route-Aggregation2.187.
Payload: TCP
source port = 44500, destination port = 22
sequence num = 0xe83f08ff, acknowledgement num = 0x00000000, flags = 0x2
window size = 64240, checksum = 0xd56b, header length = 40.
*Jun 10 11:43:23:724 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/44500-->172.28.11.1/22(TCP(6))
Session entry was backuped.
*Jun 10 11:43:23:425 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 44500
sequence num = 0x05bae468, acknowledgement num = 0xe83f0900, flags = 0x12
window size = 65160, checksum = 0xf959, header length = 40.
*Jun 10 11:43:23:425 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=44500, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:43:23:425 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=44500. Protocol=TCP(6). Flag=SYN/ACK. Seq=96134248.
*Jun 10 11:43:23:425 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:43:24:443 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 44500
sequence num = 0x05bae468, acknowledgement num = 0xe83f0900, flags = 0x12
window size = 65160, checksum = 0xf55f, header length = 40.
*Jun 10 11:43:24:443 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=44500, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:43:24:443 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=44500. Protocol=TCP(6). Flag=SYN/ACK. Seq=96134248.
*Jun 10 11:43:24:443 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:43:25:480 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 44500
sequence num = 0x05bae468, acknowledgement num = 0xe83f0900, flags = 0x12
window size = 65160, checksum = 0xf152, header length = 40.
*Jun 10 11:43:25:480 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=44500, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:43:25:480 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=44500. Protocol=TCP(6). Flag=SYN/ACK. Seq=96134248.
*Jun 10 11:43:25:480 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:43:26:491 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 44500
sequence num = 0x05bae468, acknowledgement num = 0xe83f0900, flags = 0x12
window size = 65160, checksum = 0xed5f, header length = 40.
*Jun 10 11:43:26:491 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=44500, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:43:26:491 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=44500. Protocol=TCP(6). Flag=SYN/ACK. Seq=96134248.
*Jun 10 11:43:26:491 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:43:28:551 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 44500
sequence num = 0x05bae468, acknowledgement num = 0xe83f0900, flags = 0x12
window size = 65160, checksum = 0xe553, header length = 40.
*Jun 10 11:43:28:551 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=44500, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:43:28:551 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=44500. Protocol=TCP(6). Flag=SYN/ACK. Seq=96134248.
*Jun 10 11:43:28:551 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:43:30:523 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 44500
sequence num = 0x05bae468, acknowledgement num = 0xe83f0900, flags = 0x12
window size = 65160, checksum = 0xdd9f, header length = 40.
*Jun 10 11:43:30:523 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=44500, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:43:30:523 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=44500. Protocol=TCP(6). Flag=SYN/ACK. Seq=96134248.
*Jun 10 11:43:30:523 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:44:03:077 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/44500-->172.28.11.1/22(TCP(6))
Session entry was deleted.
*Jun 10 11:45:45:138 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=8.1;
Receiving, interface = Route-Aggregation2.185
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 55392, offset = 0, ttl = 63, protocol = 6
checksum = 32643, s = 10.17.34.170, d = 172.28.11.1
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.185.
Payload: TCP
source port = 59996, destination port = 22
sequence num = 0xb8a4464a, acknowledgement num = 0x00000000, flags = 0x2
window size = 64240, checksum = 0x62cd, header length = 40.
*Jun 10 11:45:45:138 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/59996-->172.28.11.1/22(TCP(6))
Session entry was created.
*Jun 10 11:45:45:138 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=8.1; The packet is permitted. Src-ZOne=Security, Dst-ZOne=cupaas;If-In=Route-Aggregation2.185(7073), If-Out=Route-Aggregation2.187(7044); Packet Info:Src-IP=10.17.34.170, Dst-IP=172.28.11.1, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=59996, Dst-Port=22, Protocol=TCP(6), Application=ssh(13), Url-category=invalid(65535), SecurityPolicy=VPN_To_cupaas, Rule-ID=1303.
*Jun 10 11:45:45:138 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=8.1;
Sending, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 55392, offset = 0, ttl = 62, protocol = 6
checksum = 32899, s = 10.17.34.170, d = 172.28.11.1
channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Sending IP packet received from interface Route-Aggregation2.185 at interface Route-Aggregation2.187.
Payload: TCP
source port = 59996, destination port = 22
sequence num = 0xb8a4464a, acknowledgement num = 0x00000000, flags = 0x2
window size = 64240, checksum = 0x62cd, header length = 40.
*Jun 10 11:45:45:138 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/59996-->172.28.11.1/22(TCP(6))
Session entry was backuped.
*Jun 10 11:45:44:839 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=59996, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:45:44:839 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 59996
sequence num = 0xe620668e, acknowledgement num = 0xb8a4464b, flags = 0x12
window size = 65160, checksum = 0xfbc9, header length = 40.
*Jun 10 11:45:44:839 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=59996. Protocol=TCP(6). Flag=SYN/ACK. Seq=3860883086.
*Jun 10 11:45:44:839 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:45:45:885 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 59996
sequence num = 0xe620668e, acknowledgement num = 0xb8a4464b, flags = 0x12
window size = 65160, checksum = 0xf7b2, header length = 40.
*Jun 10 11:45:45:886 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=59996, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:45:45:886 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=59996. Protocol=TCP(6). Flag=SYN/ACK. Seq=3860883086.
*Jun 10 11:45:45:886 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:45:46:922 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 59996
sequence num = 0xe620668e, acknowledgement num = 0xb8a4464b, flags = 0x12
window size = 65160, checksum = 0xf3a6, header length = 40.
*Jun 10 11:45:46:922 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=59996, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:45:46:922 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=59996. Protocol=TCP(6). Flag=SYN/ACK. Seq=3860883086.
*Jun 10 11:45:46:922 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:45:47:934 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 59996
sequence num = 0xe620668e, acknowledgement num = 0xb8a4464b, flags = 0x12
window size = 65160, checksum = 0xefb2, header length = 40.
*Jun 10 11:45:47:934 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=59996, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:45:47:934 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=59996. Protocol=TCP(6). Flag=SYN/ACK. Seq=3860883086.
*Jun 10 11:45:47:934 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:45:49:994 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 59996
sequence num = 0xe620668e, acknowledgement num = 0xb8a4464b, flags = 0x12
window size = 65160, checksum = 0xe7a6, header length = 40.
*Jun 10 11:45:49:994 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=59996, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:45:49:994 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=59996. Protocol=TCP(6). Flag=SYN/ACK. Seq=3860883086.
*Jun 10 11:45:49:994 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:45:51:966 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_PACKET: -Slot=5.1;
Receiving, interface = Route-Aggregation2.187
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 0, offset = 0, ttl = 62, protocol = 6
checksum = 22756, s = 172.28.11.1, d = 10.17.34.170
channelID = 1, vpn-InstanceIn = 0, vpn-InstanceOut = 0.
prompt: Receiving IP packet from interface Route-Aggregation2.187.
Payload: TCP
source port = 22, destination port = 59996
sequence num = 0xe620668e, acknowledgement num = 0xb8a4464b, flags = 0x12
window size = 65160, checksum = 0xdff2, header length = 40.
*Jun 10 11:45:51:966 2026 fw001.pri.bjyz.ltzx FILTER/7/PACKET: -Slot=5.1; The packet is denied. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=, Src-MacAddr=30c6-d7e4-6401,Src-Port=22, Dst-Port=59996, Protocol=TCP(6), Application=invalid(0), Url-category=invalid(65535), SecurityPolicy=any-any, Rule-ID=999.
*Jun 10 11:45:51:966 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=59996. Protocol=TCP(6). Flag=SYN/ACK. Seq=3860883086.
*Jun 10 11:45:51:966 2026 fw001.pri.bjyz.ltzx IPFW/7/IPFW_INFO: -Slot=5.1;
MBUF was intercepted! Phase Num is 9(post routing beforefrag), Service ID is 3(interzone), Bitmap is 1000000000000000, return 1(0:continue, 1:dropped, 2:consumed, 3:enqueued, 4:relay)! Interface is Route-Aggregation2.185,
s= 172.28.11.1, d= 10.17.34.170, protocol= 6, pktid = 0.
*Jun 10 11:46:24:218 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/59996-->172.28.11.1/22(TCP(6))
Session entry was deleted.
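Regarding 172.28.11.1 being unreachable with the log reporting "ASPF cannot match a session": this is not a firewall bug, but a typical cross-card/cross-engine state synchronization problem or a missing security policy.

The SYN packet for 172.28.11.1:22 is received by Slot 8.1, the security policy hits VPN_To_cupaas (Rule-ID=1303) and permits it, the session is created successfully, and the session is backed up to the standby card (Session entry was backuped).

any-any (Rule-ID=999), and is finally dropped outright by the ASPF module as an illegal first packet (dropped by packet filter or object-policy).

Security zone into the cupaas zone, while the return traffic goes from the cupaas zone back to the Security zone. If this reverse security policy is missing, this kind of packet loss is very likely in an environment where multiple cards work together.

    security-policy
    rule name Allow_cupaas_to_Security_SSH
    source-zone cupaas
    destination-zone Security
    service ssh
    action permit

Session entry was backuped shows that the session backup action was performed, but Slot 5 did not find it. Check the following points:

undo aspf enable

Whether Route-Aggregation2.185 and Route-Aggregation2.187 have both been correctly added to the corresponding security zones, with no sub-interface zone assignment missed.

display session table verbose destination 172.28.11.1 (see whether the session can be found on both slots at the same time)
display security-policy statistics (confirm whether the newly created reverse policy has any hits)
display nat server (confirm again that the mapping between the public IP and the private IP is correct)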
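I. Core conclusion
This is not a device bug, and not purely a traffic-steering problem; the root cause is abnormal cross-card session synchronization plus a missing reverse interzone security policy.
NAT Server itself does not directly cause the error, but mixing internal and public addresses and multi-card forwarding amplify the problem.
Summary of the symptom: forward traffic (Security→cupaas) creates its session normally and is permitted; the return SYN+ACK packet arrives at another card, finds no matching session, and is dropped by the default policy Rule-ID 999, with ASPF reporting no matching session.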
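II. Point-by-point breakdown of the log
Forward traffic (10.17.34.170 → 172.28.11.1:22)
Inbound interface: Route-Aggregation2.185 (Slot 8.1), security zones Security → cupaas
The session is created and backed up normally, policy Rule 1303 is matched and permits the packet, and it is forwarded to the outbound interface Route-Aggregation2.187.
Return traffic (172.28.11.1:22 → 10.17.34.170)
Inbound interface: Route-Aggregation2.187 (Slot 5.1); the packet is received on a different card.
The session table entry that was created has not been synchronized to this card, so ASPF cannot find the session.
The global default policy Rule 999 (any-any deny) is matched, the packet is dropped directly, the TCP handshake is interrupted, and the session finally ages out and is deleted.
Key error
ASPF/7/PACKET: The packet that matches no session was dropped
A typical double problem: cross-card session synchronization failure plus no permit policy in the reverse interzone direction.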
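III. Root causes ranked (by priority)
1. Highest priority: M9014 multi-card session synchronization / distributed session problem (main cause)
The M9014 has a distributed architecture, and the traffic enters and leaves on different service cards:
The session is created and backed up on Slot 8.1;
The return packet enters on Slot 5.1, whose local session table has no entry;
The session synchronization mechanism did not properly synchronize the session to the card that receives the return packet.
2. Second priority: missing reverse interzone security policy
There is no custom permit policy in the cupaas → Security direction, so the packet hits the global default deny rule, Rule 999.
Even if session synchronization works, the traffic still fails if the reverse policy does not permit it.
3. Effect of NAT Server (contributing factor)
You configured a NAT Server for 172.28.11.1:
The address has both an internal route and an external mapping, so its meaning is ambiguous;
This easily leads to inconsistent route selection and inconsistent forward and return paths (asymmetric flows), which further aggravates cross-card session matching failures;
It is not the direct cause of the error, but it amplifies the fault and makes troubleshooting harder.
4. Ruled out
Not a firmware bug: this scenario is a typical distributed-firewall configuration / session synchronization problem, which is a deployment-type fault.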
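IV. Step-by-step fix (carry out in order)
Step 1: Add the missing reverse security policy first (quick verification)
Permit TCP 22 traffic in the cupaas → Security direction, temporarily bypassing the default deny rule:

    # Create an ACL that matches the return traffic
    acl advanced 3002
    rule permit tcp source 172.28.11.1 0 destination 10.17.34.0 0.0.255.255
    # Security policy: permit cupaas -> Security
    security-policy
    rule 1400 permit
    source-zone cupaas
    destination-zone Security
    source-ip 172.28.11.1 255.255.255.255
    destination-ip 10.17.34.0 255.255.0.0
    service ssh

Test the access. If the error persists, the core issue is still cross-card session synchronization; continue with the next step.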
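Step 2: Check and optimize distributed sessions / session synchronization (the key point on the M9014)
1) Check the session synchronization status

    display session synchronization status
    display session distribution

2) Enable / harden global session synchronization (common to V7 distributed firewalls)

    system-view
    # Enable session hot backup / cross-card session synchronization
    session synchronization enable
    # Enable distributed sessions (needed on some versions)
    session distribute enable
    # Enable ASPF strict state inspection (enabled by default; just confirm)
    aspf enable all

3) Disable the asymmetric-routing check (only for scenarios where the forward and return paths differ)
In your environment the forward and return interfaces / cards differ; disable the session strict return-path check:

    undo session strict-reverse-path enable
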
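Step 3: Optimize NAT Server and routing so that the forward and return paths are the same
Review the NAT Server configuration for 172.28.11.1, separate internal access from the external mapping, and avoid address/route conflicts.
Make sure the upstream and return traffic to this address always uses the same aggregate interface / the same card, which fully resolves the traffic asymmetry.
If the business allows it, temporarily remove the NAT Server for this address as a test, to verify whether route / address confusion is the cause.
Step 4: Temporary workaround (urgent services)
Move the upstream and downstream interfaces (Route-Aggregation2.185 / 187) onto the same service card to eliminate cross-card forwarding.
Temporarily place the target host in the same security zone, bypassing the interzone policy and ASPF inspection.
Step 5: Last-resort fix (synchronization still abnormal)
Clear the old session table: reset session table all
Check the service card status and firmware version. Early M9014 versions have a small number of distributed-session compatibility issues; upgrade to the officially recommended stable version.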
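V. Brief summary and operations advice
Nature of the fault: cross-card session synchronization failure plus denial by the reverse security policy; it has nothing to do with a device bug.
Order of the fix: add the reverse security policy first → enable session synchronization and disable the strict reverse-path check → optimize NAT and routing so that the forward and return paths are the same.
NAT Server causes address and routing confusion and aggravates traffic asymmetry; it is advisable to sort out the mapping and route planning for this address.
In an M9014 environment with multiple service cards, try to keep inbound and outbound service traffic on the same card to reduce the load on distributed sessions.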
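
Added example (not part of either answer, and not an H3C tool): a Python script that groups the SESSION/7/TABLE and ASPF/7/PACKET records from the debug output above by 5-tuple, to show which slot created each session and which slot dropped the SYN/ACK as session-less. It matches on the tuple only, because the quoted log stamps the Slot 5.1 drop (11:43:23:425) earlier than the Slot 8.1 SYN (11:43:23:724); the function and field names are this example's own.

```python
import re
from collections import defaultdict

# Records copied from the debug output in the question; IPFW and FILTER records are left out.
SAMPLE_LOG = """\
*Jun 10 11:43:23:724 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/44500-->172.28.11.1/22(TCP(6))
Session entry was created.
*Jun 10 11:43:23:425 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=44500. Protocol=TCP(6). Flag=SYN/ACK. Seq=96134248.
*Jun 10 11:43:24:443 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=44500. Protocol=TCP(6). Flag=SYN/ACK. Seq=96134248.
*Jun 10 11:44:03:077 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/44500-->172.28.11.1/22(TCP(6))
Session entry was deleted.
*Jun 10 11:45:45:138 2026 fw001.pri.bjyz.ltzx SESSION/7/TABLE: -Slot=8.1;
Tuple5(EVENT): 10.17.34.170/59996-->172.28.11.1/22(TCP(6))
Session entry was created.
*Jun 10 11:45:44:839 2026 fw001.pri.bjyz.ltzx ASPF/7/PACKET: -Slot=5.1; The packet that matches no session was dropped by packet filter or object-policy. Src-ZOne=cupaas, Dst-ZOne=Security;If-In=Route-Aggregation2.187(7044), If-Out=Route-Aggregation2.185(7073); Packet Info:Src-IP=172.28.11.1, Dst-IP=10.17.34.170, VPN-Instance=none, Src-Port=22, Dst-Port=59996. Protocol=TCP(6). Flag=SYN/ACK. Seq=3860883086.
"""

HEADER = re.compile(r"^\*.* (?P<mod>[A-Z]+)/\d+/[A-Z_]+: -Slot=(?P<slot>[\d.]+);")
TUPLE = re.compile(r"Tuple5\(EVENT\): ([\d.]+)/(\d+)-->([\d.]+)/(\d+)\(TCP")
ASPF_PKT = re.compile(
    r"Src-IP=([\d.]+), Dst-IP=([\d.]+), .*?Src-Port=(\d+), Dst-Port=(\d+)\."
    r" Protocol=TCP\(6\)\. Flag=([A-Z/]+)\."
)


def correlate(log_text):
    """Pair each session-less SYN/ACK drop with the session its SYN created.

    Matching is by 5-tuple only, never by timestamp order: the quoted log
    stamps the Slot 5.1 drop before the Slot 8.1 SYN that triggered it.
    """
    created = {}               # initiator tuple -> slot that created the session
    drops = defaultdict(list)  # initiator tuple -> slots that dropped the reply
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        head = HEADER.match(line)
        if not head:
            continue
        if head["mod"] == "SESSION" and i + 2 < len(lines):
            # A session record spans three lines: header, Tuple5, event text.
            tup = TUPLE.search(lines[i + 1])
            if tup and "was created" in lines[i + 2]:
                created[(tup[1], int(tup[2]), tup[3], int(tup[4]))] = head["slot"]
        elif head["mod"] == "ASPF" and "matches no session" in line:
            pkt = ASPF_PKT.search(line)
            if pkt and pkt[5] == "SYN/ACK":
                # The reply runs server -> client; flip it to the initiator's tuple.
                key = (pkt[2], int(pkt[4]), pkt[1], int(pkt[3]))
                drops[key].append(head["slot"])

    findings = []
    for (src, sport, dst, dport), slots in drops.items():
        origin = created.get((src, sport, dst, dport))
        findings.append({
            "flow": f"{src}:{sport} -> {dst}:{dport}",
            "created_on": origin,              # None: no forward session in the capture
            "dropped_on": sorted(set(slots)),
            "drop_count": len(slots),
            "cross_slot": origin is not None and any(s != origin for s in slots),
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A finding with `cross_slot` set is the pattern both answers describe: the session exists on one slot while the reply is evaluated on another. A finding with `created_on` of `None` means the capture holds no forward session for that reply at all.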