Pinging the firewall's own (local) address fails with large packets while small packets work. Traffic statistics confirm that the firewall receives the packets but does not reply.
1. Check the inter-zone policy configuration
#
security-zone name Untrust
import interface GigabitEthernet1/0/0
#
zone-pair security source Any destination Any
object-policy apply ip test
#
object-policy ip test
rule 1 pass service ping
rule 2 pass service telnet
#
2. Debugging for the inter-zone policy and session establishment
First define an ACL that matches the source and destination IPs of the ping test (in this test the source IP is 172.31.0.14 and the destination IP is the firewall interface IP 172.31.0.24)
#
acl advanced 3010
rule 0 permit icmp source 172.31.0.14 0 destination 172.31.0.24 0
rule 5 permit icmp source 172.31.0.24 0 destination 172.31.0.14 0
#
<H3C>debug object-policy packet ip acl 3010
This command is CPU intensive and might affect ongoing services. Are you sure you want to continue? [Y/N]:y
<H3C>debug session session-table all acl 3010
<H3C>t m
The current terminal is enabled to display logs.
<H3C>t d
The current terminal is enabled to display debugging logs.
Ping with a large packet (2000 bytes in this example) from the device 172.31.0.14:
<H3C>*Jun 12 10:59:53:916 2016 H3C SESSION/7/TABLE: -COntext=1;
Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
Session entry was created.
*Jun 12 10:59:53:916 2016 H3C SESSION/7/TABLE: -COntext=1;
Tuple5 (FSM): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
FSM:NONE-->ICMP_REQUEST, dir:ORIGIN, PacketType:REQUEST(8)
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=other(1), ObjectPolicy=test, Rule-ID=1.
*Jun 12 10:59:53:916 2016 H3C SESSION/7/TABLE: -COntext=1;
Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
Session entry was backuped.
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.
*Jun 12 10:59:53:917 2016 H3C SESSION/7/TABLE: -COntext=1;
Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
Session entry was deleted.
*Jun 12 10:59:53:950 2016 H3C SESSION/7/TABLE: -COntext=1-Slot=2;
Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
Session entry was deleted.
The debug output shows that some packets are denied by the inter-zone policy:
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.
Here the source port is 9 and the destination port is 2048 (0x0800).
Now look back at the inter-zone policy configured earlier:
object-policy ip test
rule 1 pass service ping
It permits the predefined service ping. Look at what this ping service actually defines: it uses the ICMP type/code as the source/destination port
[H3C]probe
[H3C-probe]display system internal object-group service default name ping slot 1
Service object group ping: 1 object(in use)
0 service icmp 8 0
When a large packet is pinged, the first fragment arrives; ASPF uses the ICMP type/code as the source/destination port to match the object policy, and the packet is permitted.
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=other(1), ObjectPolicy=test, Rule-ID=1.
A session is created, using the ICMP ID (11) as the session source port and 0x0800 (2048) as the destination port
<H3C>*Jun 12 10:59:53:916 2016 H3C SESSION/7/TABLE: -COntext=1;
Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
Session entry was created.
The subsequent non-first fragments carry no ICMP header. They hit the session created by the first fragment, so the source/destination ports stored in that session are used to match the object policy; no rule matches and the fragments are dropped.
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.
Workaround:
Define an ICMP service object and reference it in the policy
#
object-group service icmp
0 service icmp
#
object-policy ip test
rule 1 pass service ping
rule 3 pass service icmp
#
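The matching sequence described above and the effect of the workaround, reproduced as an added Python model. This is not H3C code; its behaviour (type/code used for the first-fragment lookup, a session keyed on ICMP ID / 0x0800, later fragments looked up with the session's ports) is inferred from the debug output, and the two-fragment echo request is constructed.

```python
# Added model (not H3C code) of the matching sequence in the debug output above:
# first fragment matched on ICMP type/code, session keyed on ICMP id / 0x0800,
# later fragments looked up with the session's ports (behaviour inferred from log).
from dataclasses import dataclass
from typing import Optional
ICMP, ECHO_REQUEST, ICMP_SESSION_DPORT = 1, 8, 0x0800
@dataclass
class Fragment:
    src: str
    dst: str
    first: bool                      # True if this fragment carries the ICMP header
    icmp_type: Optional[int] = None  # the fields below exist only on the first fragment
    icmp_code: Optional[int] = None
    icmp_id: Optional[int] = None

def service_matches(service: str, sport: int, dport: int) -> bool:
    """Predefined 'ping' is 'service icmp 8 0'; user-defined 'icmp' is any ICMP."""
    if service == "icmp":
        return True
    return service == "ping" and (sport, dport) == (ECHO_REQUEST, 0)

class Firewall:
    def __init__(self, rules):
        self.rules = rules         # ordered list of (rule_id, service)
        self.sessions = set()      # (src, dst, proto, sport, dport)

    def process(self, f: Fragment):
        """Return (verdict, rule_id, ports used for the policy lookup)."""
        if f.first:
            # ASPF matches the policy with type/code, but the session it creates
            # stores the ICMP id as source port and 0x0800 as destination port.
            lookup = (f.icmp_type, f.icmp_code)
            self.sessions.add((f.src, f.dst, ICMP, f.icmp_id, ICMP_SESSION_DPORT))
        else:
            # No ICMP header on this fragment: the hit session supplies the ports.
            hit = [s for s in self.sessions if s[:3] == (f.src, f.dst, ICMP)]
            if not hit:
                return "deny", None, None
            lookup = hit[0][3:]
        for rule_id, service in self.rules:
            if service_matches(service, *lookup):
                return "pass", rule_id, lookup
        return "deny", None, lookup

def run(rules):
    # Constructed 2000-byte echo request 172.31.0.14 -> 172.31.0.24 split in two fragments.
    fw = Firewall(rules)
    frags = [Fragment("172.31.0.14", "172.31.0.24", True, 8, 0, 11),
             Fragment("172.31.0.14", "172.31.0.24", False)]
    return [fw.process(f) for f in frags]
```

With only rule 1 (service ping) the second fragment is looked up with ports 11/2048 and denied; adding rule 3 (any ICMP) lets it pass.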
Solution:
Upgrade the software version; the fixed version for each device model is listed in the resolved-issues section of the release notes.