How to Handle Users Under the NE40 Failing to Ping the Intranet Interface Because a Policy-based Route Is Applied on the Uplink Interface

Publication Date: 2012-07-27
Issue Description
Networking:
NE40-3/0/1------.21--------.22---------MA5200-(gateway)---------static user
The static user came into the NE40 through 3/0/1 and went out after redirection. The user could successfully ping the gateway address (222.45.32.1) of the MA5200, and the MA5200 could successfully ping the address (222.45.248.21) of the interface on the NE40. However, the user could not successfully ping 222.45.248.21. After the redirection policy was removed, the user could successfully ping 222.45.248.21.
The configuration of the policy-based route is as follows:
acl number 11019
 rule ip source 222.45.32.88 0.0.0.0
traffic classifier shuchuanshi
 if-match acl 11019
traffic behavior eudemon
 redirect ip-nexthop 192.168.60.2 GigabitEthernet2/0/3
interface GigabitEthernet3/0/1
 description To_ZhongXinSuo-MA5200G
 undo shutdown
 ip address 222.45.248.21 255.255.255.252
 traffic-policy to80-2 inbound
 
Alarm Information
Null
Handling Process
The problem was solved by removing the configuration of the policy-based route on GigabitEthernet2/0/3. 
Root Cause
A check of the configuration showed that the policy-based route was also incorrectly applied on the outbound interface used after redirection:
interface GigabitEthernet2/0/3
 description to-eudemon-out
 undo shutdown
 ip address 192.168.60.1 255.255.255.252
 traffic-policy to80-2 inbound
The packet of the problematic static user comes in from the downlink interface and is redirected out of GigabitEthernet2/0/3, with the next hop changed to 192.168.60.2. Therefore, after reaching the NE40, the ICMP packet matches the policy configured on the downlink interface and is forwarded directly to the router connected to GigabitEthernet2/0/3 instead of being sent to the SRU of the NE40 for processing. If that router has a route to the NE40, it sends the ICMP packet back to the NE40. Because the same policy is applied on GigabitEthernet2/0/3, the packet is then forwarded repeatedly until its TTL expires. Under this configuration, it is normal that the NE40 cannot be pinged.
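
A configuration lint for the misconfiguration described above, as an added example that is not part of the original case or of any Huawei tooling: it flags every interface where a traffic policy is bound inbound on the same interface that the policy's redirect behavior uses as its outbound interface. The sample configuration is constructed from the lines on this page; the `traffic policy to80-2` stanza that links the classifier to the behavior, and the one-space indentation of sub-commands, are assumptions.

```python
import re

# Constructed sample in VRP style, trimmed to the relevant lines. The
# "traffic policy to80-2" stanza is an assumption: the page does not show it.
SAMPLE_CONFIG = """\
traffic behavior eudemon
 redirect ip-nexthop 192.168.60.2 GigabitEthernet2/0/3
traffic policy to80-2
 classifier shuchuanshi behavior eudemon
interface GigabitEthernet3/0/1
 traffic-policy to80-2 inbound
interface GigabitEthernet2/0/3
 traffic-policy to80-2 inbound
"""

def parse_stanzas(text):
    """Map each unindented header line to its indented sub-commands."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith(" "):
            current = stanzas.setdefault(line.strip(), [])
        elif line.strip() and current is not None:
            current.append(line.strip())
    return stanzas

def matches(stanzas, prefix, pattern):
    """Yield (stanza name, regex match) for sub-commands under `prefix` headers."""
    for head, body in stanzas.items():
        if head.startswith(prefix + " "):
            for cmd in body:
                m = re.fullmatch(pattern, cmd)
                if m:
                    yield head[len(prefix) + 1:], m

def find_redirect_loops(text):
    """Return (interface, policy, next_hop) wherever a policy is bound inbound
    on the very interface its redirect behavior sends packets out of."""
    st = parse_stanzas(text)
    redirect = {b: m.groups() for b, m in
                matches(st, "traffic behavior", r"redirect ip-nexthop (\S+) (\S+)")}
    by_policy = {}
    for pol, m in matches(st, "traffic policy", r"classifier \S+ behavior (\S+)"):
        if m.group(1) in redirect:
            by_policy.setdefault(pol, []).append(redirect[m.group(1)])
    return [(ifname, m.group(1), hop)
            for ifname, m in matches(st, "interface", r"traffic-policy (\S+) inbound")
            for hop, egress in by_policy.get(m.group(1), []) if egress == ifname]

if __name__ == "__main__":
    print(find_redirect_loops(SAMPLE_CONFIG))
```

Only GigabitEthernet2/0/3 is reported: the binding on GigabitEthernet3/0/1 is the intended one, because that interface is not the redirect's outbound interface.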
 
Suggestions
Null
