Ping V7防火墙本地大包不通，小包正常解决办法

Ping防火墙本地大包不通，小包正常。流统确认防火墙已接收到报文，但并未回应。

1.检查域间策略配置
#
security-zone name Untrust
 import interface GigabitEthernet1/0/0
#
zone-pair security source Any destination Any
 object-policy apply ip test
#
object-policy ip test
 rule 1 pass service ping
 rule 2 pass service telnet
#

2.域间策略及会话建立相关debug
首先定义一个acl，acl匹配的为ping测试的源、目的IP（本次测试源IP为172.31.0.14，目的IP为防火墙接口IP 172.31.0.24）
#
acl advanced 3010
 rule 0 permit icmp source 172.31.0.14 0 destination 172.31.0.24 0
 rule 5 permit icmp source 172.31.0.24 0 destination 172.31.0.14 0
#
<H3C>debug object-policy packet ip acl 3010
This command is CPU intensive and might affect ongoing services. Are you sure you want to continue? [Y/N]:y
<H3C>debug session session-table all acl 3010
<H3C>t m
The current terminal is enabled to display logs.
<H3C>t d
The current terminal is enabled to display debugging logs.

从172.31.0.14这台设备ping大包（以2000 Bytes为例）：
<H3C>*Jun 12 10:59:53:916 2016 H3C SESSION/7/TABLE: -COntext=1;
 Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
 Session entry was created.
*Jun 12 10:59:53:916 2016 H3C SESSION/7/TABLE: -COntext=1;
 Tuple5  (FSM): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
 FSM:NONE-->ICMP_REQUEST, dir:ORIGIN, PacketType:REQUEST(8)
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=other(1), ObjectPolicy=test, Rule-ID=1.

*Jun 12 10:59:53:916 2016 H3C SESSION/7/TABLE: -COntext=1;
 Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
 Session entry was backuped.
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.

*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.

*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.

*Jun 12 10:59:53:917 2016 H3C SESSION/7/TABLE: -COntext=1;
 Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
 Session entry was deleted.
*Jun 12 10:59:53:950 2016 H3C SESSION/7/TABLE: -COntext=1-Slot=2;
 Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
 Session entry was deleted.

从debug信息可以看出，有一些被域间策略deny的信息：
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.
其中，源端口号是9,目的端口号是2048（0x0800）

再回过头来看之前配置的域间策略：
object-policy ip test
 rule 1 pass service ping
放通了ping这个预定义服务，接下来看一下这个ping服务定义的具体内容，指定了icmp的type/code作为源/目的端口
[H3C]probe
[H3C-probe]display system internal object-group service default name ping slot 1
Service object group ping: 1 object(in use)
 0 service icmp 8 0

Ping大包时，分片首包过来，aspf使用type/code作为源/目的端口去匹配对象策略，通过。
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is permitted. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=8, Dst-Port=0, Protocol=ICMP(1), Application=other(1), ObjectPolicy=test, Rule-ID=1.
建立会话，这里使用icmp id（11）作为会话源端口，0x0800（2048）作为目的端口
<H3C>*Jun 12 10:59:53:916 2016 H3C SESSION/7/TABLE: -COntext=1;
 Tuple5(EVENT): 172.31.0.14/11-->172.31.0.24/2048(ICMP(1))
 Session entry was created.
后续非首分片过来，不携带icmp头，命中了首包建立的会话， 使用会话里携带的源/目的端口去匹配对象策略，没有命中，被丢弃。
*Jun 12 10:59:53:916 2016 H3C FILTER/7/PACKET: -COntext=1; The packet is denied. Src-ZOne=Untrust(matched=Any), Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1), If-Out=InLoopBack0(132); Packet Info:Src-IP=172.31.0.14, Dst-IP=172.31.0.24, VPN-Instance=,Src-Port=11, Dst-Port=2048, Protocol=ICMP(1), Application=other(1), ACL=none, Rule-ID=none.

规避方法：

定义一个icmp服务，然后在策略中调用
#
object-group service icmp
 0 service icmp
#
object-policy ip test
 rule 1 pass service ping
 rule 3 pass service icmp
#

解决方法：

升级软件版本，不同设备的软件版本号见软件版本说明书中解决问题列表。