Web Pages Cannot Be Opened When Two Outbound Interfaces Are Available

Publication Date: 2013-12-31
Issue Description
Product: USG5100, version V300R001C00SPC700, with two outbound links:

  Link 1: PPPoE, interface address 2.2.2.2/32, zone untrust, next hop 2.2.2.3/32
  Link 2: interface address 1.1.1.1/24, zone untrust, next hop 1.1.1.2/24

Both public network interfaces are located in the untrust zone. During NAT, the private network segment 172.16.0.0 is translated to 2.2.2.2. A policy-based route (PBR) sends traffic from the private network segment 172.16.0.0 out through the PPPoE link, while the other private network segments follow the default route to the next hop of 1.1.1.1.
The customer cannot open web pages but can ping the corresponding websites.

Alarm Information
None
Handling Process
Change the TCP-MSS value. The fault persists.
Access www.baidu.com and capture packets.

No HTTP Response packet is received.
Check session information.
http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:58
  Interface: GigabitEthernet0/0/1  NextHop: 1.1.1.2  MAC: 00-23-ff-21-4d-ae
  <--packets:1 bytes:52   -->packets:6 bytes:252
  172.16.255.185:50501[2.2.2.2:2063]-->220.181.111.147:80
The session shows that the packets leave through the next hop of 1.1.1.1 (interface GigabitEthernet0/0/1, next hop 1.1.1.2) even though the source is translated to 2.2.2.2, the address of the PPPoE link. The traffic is therefore not taking the PPPoE link that the policy-based route should select for 172.16.0.0.
Check whether the PBR is matched. After the PBR configuration is modified, the fault is rectified.
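To make the check on the session output mechanical, here is an added Python example (not from the original case or from Huawei) that parses a session record like the one above and flags two inconsistencies: the egress next hop does not match the link the PBR intends for the source, and the NAT address belongs to a different link than the one the packets leave on. It assumes the PBR covers 172.16.0.0/16 and uses "pppoe" as a placeholder name for the PPPoE interface, which the case does not name.

```python
import ipaddress
import re

# Constructed sample in the shape of the session output quoted above.
SESSION_TEXT = """http  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:10:00  Left: 00:09:58
  Interface: GigabitEthernet0/0/1  NextHop: 1.1.1.2  MAC: 00-23-ff-21-4d-ae
  <--packets:1 bytes:52   -->packets:6 bytes:252
  172.16.255.185:50501[2.2.2.2:2063]-->220.181.111.147:80
"""
# Outbound links of the case; "pppoe" is a placeholder name for the PPPoE link.
LINKS = {
    "pppoe": {"address": "2.2.2.2", "next_hop": "2.2.2.3"},
    "GigabitEthernet0/0/1": {"address": "1.1.1.1", "next_hop": "1.1.1.2"},
}
# PBR intent: 172.16.0.0 (mask assumed /16) exits via PPPoE, the rest via GE0/0/1.
PBR_RULES = [("172.16.0.0/16", "pppoe")]
DEFAULT_LINK = "GigabitEthernet0/0/1"
SESSION_RE = re.compile(
    r"Interface:\s*(?P<iface>\S+)\s+NextHop:\s*(?P<nexthop>\S+).*?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+\[(?P<nat>\d+\.\d+\.\d+\.\d+):\d+\]"
    r"-->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)", re.S)

def parse_session(text):
    m = SESSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised session output")
    return m.groupdict()

def expected_link(src_ip):
    addr = ipaddress.ip_address(src_ip)
    for prefix, link in PBR_RULES:
        if addr in ipaddress.ip_network(prefix):
            return link
    return DEFAULT_LINK

def link_by(field, value):
    return next((n for n, l in LINKS.items() if l[field] == value), None)

def check_session(text):
    """Return findings for one session; an empty list means it is consistent."""
    s = parse_session(text)
    want, actual = expected_link(s["src"]), link_by("next_hop", s["nexthop"])
    nat_link = link_by("address", s["nat"])
    findings = []
    if actual != want:  # traffic did not take the link the PBR intends
        findings.append(f"PBR not matched: {s['src']} should exit via {want}, not {s['nexthop']} ({actual})")
    if nat_link != actual:  # replies to the NAT address return on another link
        findings.append(f"asymmetric path: NAT address {s['nat']} is on {nat_link}, packets leave on {actual}")
    return findings
```

Running check_session over the session output above reports both findings; once the record shows the PPPoE interface and next hop 2.2.2.3, it reports none.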
Root Cause
1. The TCP-MSS value on the PPPoE link is incorrect.
2. Other faults that may occur when two outbound interfaces are available.
Suggestions
When two outbound interfaces are available, pay attention to the packet direction.