NE40 route-policy filters routes, and NAT translation fails

Publication Date: 2012-07-27
Issue Description
Topology: MA5801 -- S3552 --> MA5200 --> NE40 --> Cisco 12000 --> Internet
Users behind the MA5801 obtain private-network addresses. The NE40 performs NAT towards the Internet, and the users are subject to forced WEB (portal) authentication.
OSPF runs between the NE40 and the C12000.
Users reported that they could not reach the Internet. On-site testing showed that users behind the MA5200 obtain a private-network address and can reach the gateway, but cannot reach the Portal server to authenticate.

Alarm Information
WEB-authentication users on the MA5200 below the NE40 obtain addresses, but cannot reach the authentication page to authenticate.
Handling Process
1. Contacted the site. After a return route was configured on the C12000, the fault disappeared and the users behind the MA5200 could go online normally.
2. However, the site stated that no return route had ever been configured on the C12000, and NAT had worked normally before the fault. So the cause was clearly not that simple.
3. Continued checking the NE40 configuration and logs and found that the NE40 configuration had been modified. A careful check showed that a route-policy had been added on the NE40 to filter the private-network route out of OSPF.
The relevant configuration is:
route-policy deny_private deny node 10
 if-match acl 113
route-policy deny_private permit node 20
ospf
 import-route direct route-policy deny_private
 import-route static route-policy deny_private


But no ACL 113 exists on the NE40. Because the if-match clause in node 10 references a non-existent ACL, it matches every route, so node 10 denies everything and node 20 is never reached: with this route-policy applied, the NE40 filters every direct and static route out of OSPF redistribution.


Before this change, NAT worked because the black-hole route configured for the NAT address pool was redistributed (import-route static) into OSPF and learned by the peer C12000, which is what gives the pool, a segment that belongs to no interface, a return route. After the erroneous route-policy was applied, the uplink C12000 could no longer learn the route for that segment, so traffic that had been translated and sent out found no return route, and the users could not go online.


 

The source of the fault was thus found. After the NE40 was configured correctly, the fault was resolved.
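The corrected NE40 configuration, written out as an added example (it is not the configuration from the case). The addresses are assumptions, since the case does not state them: private user range 10.0.0.0/8 and public NAT pool 203.0.113.0/24. A prefix list is used in place of the missing ACL 113 (if-match on VRP accepts either), so that node 10 denies only the private range while the black-hole route for the NAT pool still passes node 20 and is redistributed into OSPF:

```text
ip route-static 203.0.113.0 255.255.255.0 NULL0
ip ip-prefix private index 10 permit 10.0.0.0 8 greater-equal 8 less-equal 32
route-policy deny_private deny node 10
 if-match ip-prefix private
route-policy deny_private permit node 20
ospf
 import-route direct route-policy deny_private
 import-route static route-policy deny_private
```

The check that would have caught the original fault: every object an if-match clause refers to must actually exist (display acl or display ip ip-prefix on the NE40), because a node whose match references a missing object behaves as deny-all or permit-all rather than as a no-op. After the change, confirm the pool is advertised with display ospf lsdb on the NE40 (an ASE LSA for 203.0.113.0) and show ip route 203.0.113.0 on the C12000 (an OSPF external route via the NE40), and confirm display nat session on the NE40 shows return traffic for translated flows.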
Root Cause
1. The MA5200 data configuration was checked and nothing abnormal was found; the users below it obtain correct private-network addresses. When any web page is opened, the DNS and Portal servers cannot be reached, even though the MA5200 has those addresses in the list of destinations reachable by users who have not yet authenticated.
2. The NAT configuration on the NE40 was checked and nothing abnormal was found. display nat session shows translation entries, so NAT translation on the NE40 succeeds. However, the farthest point the private-network users can reach is the interface address of the NE40's uplink peer.
3. The black-hole route configured on the NE40 for NAT translation was checked.
4. The site was asked and confirmed that nothing had been done on the uplink C12000 before the fault.
5. A spare Layer 3 Ethernet interface on the NE40 was given an address and used as the NAT source address to reach the Internet; this failed. A tracert to the interface IP showed the last hop at a C6509, which connects to another interface of the C12000.
At this point it was clear that the uplink device of the NE40 had no return route for these addresses.

 
Suggestions
Null

END