Customer Fails to Open Login Page by Clicking Sub Link on Web Site Due to Default Dual-egress Route of USG5350

Publication Date: 2012-07-23
Issue Description
Some information on the customer's Web site can be displayed only after the sub-link address is resolved. The customer's network has two egresses. The USG5350 maps the internal server's main site and sub-link sites to the public network. However, only the Web page of the main site is displayed; the login page of a sub link cannot be displayed.
Alarm Information
None.
Handling Process
To address the problem, use either of the following methods:
Method 1: Replace the default route pointing to the education network with an exact (specific) route.
Method 2: Configure policy-based routing so that all packets from the server are forwarded through GigabitEthernet0/0/2.
Root Cause
The networking diagram and the abnormal Web page are shown as follows:
[Figure: networking diagram and abnormal Web page (image not available)]
  1. The sub-link Web page can be opened normally from the extranet, so the address mapping is published correctly.
  2. When the main page of the Web site is accessed from the extranet, the firewall session table contains no session for the sub-link page to 10.18.110.3 (the sub-link address). This indicates that the packets of the sub link are discarded and no session is created.
       <USG5350>disp firewall session table destination inside 10.18.110.3
          DNS  VPN: public -> public 172.23.38.20:24268-->10.18.110.3:53
          DNS  VPN: public -> public 172.23.38.20:24201-->10.18.110.3:53
  3. The addresses of the interfaces GigabitEthernet0/0/2 and GigabitEthernet0/0/3 are checked:
          interface GigabitEthernet0/0/2
             ip address 61.155.66.222 255.255.255.240
          interface GigabitEthernet0/0/3
             ip address 218.91.159.58 255.255.255.252
     The NAT address pool:
          nat address-group 21 61.155.66.222 61.155.66.222
     The mapped main page address and sub-link address:
          nat server global 61.155.66.215 inside 10.18.110.3
          nat server global 61.155.66.216 inside 10.18.110.4
     The configuration shows that the mapped public addresses and the egress address of GigabitEthernet0/0/2 are on the same network segment, so packets accessing the pages arrive through GigabitEthernet0/0/2.
  4. The default routes are checked:
          ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 61.155.66.209
          ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/3 218.91.159.57
     One route points to the Internet and the other points to the education network. Because the inbound packet forwarding path is inconsistent with the outbound packet forwarding path, the user fails to open the sub link.
  5. After the interface to the education network is disabled, the login page reached through a sub link is displayed normally. The configuration is then changed to the default route. This indicates that the problem is caused by the inconsistency between the inbound path and the outbound path. After the access succeeds, the session table is as follows:
         <USG5350>disp firewall session table destination inside 10.18.110.3
           10.18.110.4:4323[61.155.66.216:4323]-->61.155.66.215:8000[10.18.110.3:8000]
Suggestions
For a network with dual egresses that provides Web services, you are not advised to configure multiple default routes.
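To catch this pattern during a configuration review, the following Python check (an added example, not part of the original case or of Huawei's tooling) parses a VRP-style fragment modelled on the configuration above, maps each `nat server global` address to the egress interface whose subnet contains it, and warns when more than one default route exists. The embedded configuration text is constructed from the case, and the function names `parse_config` and `audit` and the warning format are the example's own assumptions.

```python
"""Flag the dual-default-route pattern from this case in a Huawei VRP-style
config fragment. Added example, not Huawei code; parsing is deliberately minimal."""
import ipaddress
import re

# Constructed fragment modelled on the case's configuration (not a device dump).
SAMPLE_CONFIG = """
interface GigabitEthernet0/0/2
 ip address 61.155.66.222 255.255.255.240
interface GigabitEthernet0/0/3
 ip address 218.91.159.58 255.255.255.252
nat server global 61.155.66.215 inside 10.18.110.3
nat server global 61.155.66.216 inside 10.18.110.4
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 61.155.66.209
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/3 218.91.159.57
"""

def parse_config(text):
    """Return (interfaces, nat_servers, default_route_interfaces)."""
    interfaces, nat_servers, default_routes, current = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and current:
            # ip_interface accepts the dotted-netmask form that VRP prints
            interfaces[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"nat server global (\S+) inside (\S+)$", line):
            nat_servers[m[1]] = m[2]
        elif m := re.match(r"ip route-static 0\.0\.0\.0 0\.0\.0\.0 (\S+) (\S+)$", line):
            default_routes.append(m[1])
    return interfaces, nat_servers, default_routes

def audit(text):
    """Map each NAT global address to the egress whose subnet holds it (where
    inbound packets arrive) and warn if replies may leave via another default route."""
    interfaces, nat_servers, default_routes = parse_config(text)
    inbound_egress = {
        glob: next((n for n, itf in interfaces.items()
                    if ipaddress.ip_address(glob) in itf.network), None)
        for glob in nat_servers}
    warnings = []
    if len(default_routes) > 1:
        warnings.append(f"{len(default_routes)} default routes: {', '.join(default_routes)}")
        for glob, egress in inbound_egress.items():
            others = [r for r in default_routes if r != egress]
            if egress and others:
                warnings.append(f"{glob}->{nat_servers[glob]} enters via {egress}, reply may leave via {'/'.join(others)}")
    return inbound_egress, warnings
```

Running `audit(SAMPLE_CONFIG)` reports both default routes and flags each mapped server whose inbound egress differs from a possible outbound one; with a single default route it returns no warnings.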