问

M9000-个别ip不能被访问

NAT444

2019-10-21提问

0关注
1收藏，1153浏览

zhiliao_5b22q

zhiliao_5b22q 二段

粉丝：0人关注：0人

问题描述：

211.81.22.93地址不能被联通电信运营商网络的用户访问。

211.81.22.92是可以的。

nat server protocol tcp global 211.81.22.93 80 inside 10.2.25.6 80

nat server protocol tcp global 211.81.22.92 80 inside 10.2.25.6 80

正常的：

CPU 1 on slot 1 in chassis 1:

Initiator:

Source IP/port: 211.94.240.224/2873

Destination IP/port: 211.81.22.92/80

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: Route-Aggregation1

Source security zone: Trust

Responder:

Source IP/port: 10.2.25.6/80

Destination IP/port: 211.94.240.224/2873

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: Ten-GigabitEthernet1/6/0/6

Source security zone: Trust

State: TCP_TIME_WAIT

Application: HTTP

Start time: 2019-10-21 13:17:28 TTL: 0s

Initiator->Responder: 6 packets 776 bytes

Responder->Initiator: 8 packets 4714 bytes

不正常的：

Initiator:

Source IP/port: 211.94.240.224/44976

Destination IP/port: 211.81.22.93/80

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: Route-Aggregation1

Source security zone: Trust

Responder:

Source IP/port: 10.2.25.6/80

Destination IP/port: 211.94.240.224/44976

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: Ten-GigabitEthernet1/6/0/6

Source security zone: Trust

State: TCP_SYN_RECV#########################################

Application: HTTP

Start time: 2019-10-21 13:16:56 TTL: 16s

Initiator->Responder: 1 packets 48 bytes

Responder->Initiator: 4 packets 192 bytes

State: TCP_SYN_RECV 这是否正常。

客户端抓包并没有收到ack。

最佳答案

我什么都不知道

我什么都不知道九段

粉丝：8人关注：0人

会话状态不正常，防火墙没收到回包，排查下M9000双逻辑的话每块板卡地址池地址需要2个地址，或者修改下映射的端口为非80端口测试下

2 个回答

按时间按赞数

vhuohuov

vhuohuov 七段

粉丝：1人关注：0人

1.通过debug ip packet ，和debug aspf 查看报文在防火墙上的转发过程。确认报文是否丢在了防火墙上。

2.进一步确认是否丢在防火墙上，可通过流统。

3.如果丢在防火墙上，就需要判断，是否上来回流量上错板卡，或者会话同步有没有开？包括http和DNS 对的会话同步有没有开。

3如果没有丢在防火墙上，则需要继续排查链路上其他设备丢包的原因

*Oct 21 20:57:25:292 2019 M9K IPFW/7/IPFW_PACKET: -Chassis=1-Slot=1.1; Receiving, interface = Route-Aggregation1 version = 4, headlen = 20, tos = 0 pktlen = 52, pktid = 7389, offset = 0, ttl = 117, protocol = 6 checksum = 4393, s = 117.11.121.4, d = 211.81.22.93 channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0. prompt: Receiving IP packet from interface Route-Aggregation1. Payload: TCP source port = 9188, destination port = 80 sequence num = 0x16115621, acknowledgement num = 0x00000000, flags = 0x2 window size = 8192, checksum = 0xe6f9, header length = 32. *Oct 21 20:57:25:292 2019 M9K IPFW/7/IPFW_PACKET: -Chassis=1-Slot=1.1; Sending, interface = Route-Aggregation1 version = 4, headlen = 20, tos = 0 pktlen = 48, pktid = 0, offset = 0, ttl = 63, protocol = 6 checksum = 25610, s = 211.81.22.93, d = 117.11.121.4 channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0. prompt: Sending IP packet received from interface Ten-GigabitEthernet1/6/0/6 at interface Route-Aggregation1. Payload: TCP source port = 80, destination port = 9188 sequence num = 0x36295982, acknowledgement num = 0x16115622, flags = 0x12 window size = 14600, checksum = 0x5236, header length = 28.

zhiliao_5b22q 发表时间：2019-10-21