Now there are two USG5300 running on the network and the main equipment cannot telnet .But when we undo default packet filtering , it can telnet .If we don’t undo default packet filtering ,we cannot telnet by using ACL to make packet filtering .
Checking the trouble bases on the reasons above ,we check ACL first ,find the ACL configuration is :
rule permit ip source 192.168.2.3 destination 172.16.1.2
172.16.1.2 is the loopback address of firewall .There is no problem between untrust and local by using ACL , so we can remove the question of ACL .
On the host computer which IP address is 192.168.2.3 using the way of tracert to run after the route path of which IP address is 172.16.1.2 .We can find that the ping packet pass USG5000 untrust interface straight to reach backup firewall ,then it reaches loopback address from trust .we know client choose OSPF to take routing , the shortest path automatism accounted by OSPF get through firewall at first ,allowing client take the ACL control form trust to local and shutting default packet filtering ,the telnet will be normal .
There are some possible reasons:
A、 The ACL configuration is wrong.
B、 Route question ,it can induce that the path is not coming from untrust to local.
The example is question 2 , the route question induces that the path doesn’t pass the ACL configured domain.