
The Dual-egress Release Server and L2TP Dial-up Communication

Publication Date: 2012-07-25
Issue Description
The customer uses a USG2220 with two egresses and releases (publishes) two intranet servers, one through each egress. In addition, the customer uses an L2TP client to dial in to the intranet and communicate with the servers.
After the servers are published, the expected result, with the traffic for each server going out through its own egress, is not achieved: only one server can be reached from outside.
After L2TP is configured, the dial-up succeeds on one link and the client can communicate with the intranet. When the address on the other link is used as the LNS server address, the dial-up fails.
The topology is as follows:
Alarm Information
None.
Handling Process
The modified configuration is as follows:
17:55:33  2010/11/23
#
acl number 3000
 rule 5 permit ip
acl number 3001
 rule 0 permit ip
acl number 3011
 rule 0 deny ip source 192.168.102.0 0.0.0.255
 rule 1 permit ip source 192.168.102.2 0
acl number 3012
 rule 6 permit ip source 192.168.102.3 0
#
 sysname USG2220
#
 web-manager enable
#
 l2tp enable
#
 info-center timestamp debugging date
#
 firewall packet-filter default permit interzone local trust direction inbound
 firewall packet-filter default permit interzone local trust direction outbound
 firewall packet-filter default permit interzone local untrust direction inbound
 firewall packet-filter default permit interzone local untrust direction outbound
 firewall packet-filter default permit interzone local dmz direction inbound
 firewall packet-filter default permit interzone local dmz direction outbound
 firewall packet-filter default permit interzone local untrust2 direction inbound
 firewall packet-filter default permit interzone local untrust2 direction outbound
 firewall packet-filter default permit interzone trust untrust direction inbound
 firewall packet-filter default permit interzone trust untrust direction outbound
 firewall packet-filter default permit interzone trust untrust2 direction inbound
 firewall packet-filter default permit interzone trust untrust2 direction outbound
 firewall packet-filter default permit interzone untrust2 untrust direction inbound
 firewall packet-filter default permit interzone untrust2 untrust direction outbound
 nat server protocol tcp global 124.67.49.174 www inside 192.168.102.2 www
 nat server protocol tcp global 123.178.192.194 www inside 192.168.102.3 www
#
 firewall statistic system enable
#
vlan 1
#
vlan 2
#
traffic classifier class2
 if-match acl 3012
traffic classifier class1
 if-match acl 3011
#
traffic behavior behavior1
  remark ip-nexthop 124.67.49.173 output-interface GigabitEthernet0/0/0
traffic behavior behavior2
  remark ip-nexthop 123.178.192.193 output-interface GigabitEthernet0/0/1
#
qos policy mypolicy1
 classifier class1 behavior behavior1
qos policy mypolicy2
classifier class1 behavior behavior2
#
interface Cellular0/1/0
 link-protocol ppp
#
interface Vlanif2
 ip address 192.168.102.1 255.255.255.0
#
interface Ethernet1/0/0
 port link-type access
 port access vlan 2
#
interface Ethernet1/0/1
 port link-type access
#
interface Ethernet1/0/2
 port link-type access
#
interface Ethernet1/0/3
 port link-type access
#
interface Ethernet1/0/4
 port link-type access
#
interface Virtual-Template0
 ppp authentication-mode pap
 ip address 172.19.20.1 255.255.255.0
 remote address pool 1
#
interface GigabitEthernet0/0/0
 ip address 124.67.49.174 255.255.255.252
 qos apply policy mypolicy1 outbound
#
interface GigabitEthernet0/0/1
 ip address 123.178.192.194 255.255.255.252
 qos apply policy mypolicy2 outbound
#
interface NULL0
#
firewall zone local
 set priority 100
#
firewall zone trust
 set priority 85
 add interface Vlanif2
 add interface Virtual-Template0
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/0
#
firewall zone dmz
 set priority 50
#
firewall zone vzone
 set priority 0
#
firewall zone name untrust2
 set priority 6
 add interface GigabitEthernet0/0/1
#
firewall interzone trust untrust
 nat outbound 3000 interface GigabitEthernet0/0/0
#
firewall interzone trust untrust2
 nat outbound 3001 interface GigabitEthernet0/0/1
#
l2tp-group 1
 undo tunnel authentication
 mandatory-lcp
 allow l2tp virtual-template 0
#
aaa
 local-user webadmin password simple webadmin2000
 local-user webadmin service-type web telnet
 local-user webadmin level 3
 local-user dlvpn password simple 7777777
 local-user dlvpn service-type ppp
 local-user dlvpn level 3
 ip pool 1 172.19.20.2 172.19.20.100
#
 authentication-scheme default
#
 authorization-scheme default
#
 accounting-scheme default
#
 domain default
#
#
 right-manager server-group
#
 slb
#
 ip route-static 0.0.0.0 0.0.0.0 124.67.49.173
 ip route-static 0.0.0.0 0.0.0.0 123.178.192.193 preference 61
 ip route-static 172.19.20.0 255.255.255.0 Virtual-Template0
#
user-interface con 0
user-interface tty 9
 authentication-mode none
 modem both
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
#
return
Root Cause
1. The policy-based route is incorrectly configured: it is applied to the intranet interface, so it does not take effect after being configured.
2. The customer configures multiple equal-cost default routes rather than a single preferred default route. In this case, all data flows match the first default route.
3. The ACL is incorrectly configured.
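The three root causes above can be checked mechanically before a configuration is pushed. The following lint script is an added example (not the page's or Huawei's own code): it parses a constructed excerpt in the pre-fix state described above (equal-cost default routes, the QoS policy applied on Vlanif2 in the trust zone, and the ACL 3011 rule order from the listing) and reports each pitfall. It assumes the CLI line formats shown in the listing and handles only contiguous wildcard masks.

```python
import ipaddress
import re

# Constructed excerpt modelled on the page's USG2220 listing, deliberately in the
# pre-fix state the root-cause list describes (not the page's own configuration).
SAMPLE_CONFIG = """\
acl number 3011
 rule 0 deny ip source 192.168.102.0 0.0.0.255
 rule 1 permit ip source 192.168.102.2 0
interface Vlanif2
 qos apply policy mypolicy1 outbound
firewall zone trust
 add interface Vlanif2
 ip route-static 0.0.0.0 0.0.0.0 124.67.49.173
 ip route-static 0.0.0.0 0.0.0.0 123.178.192.193
"""

def wildcard_net(addr, wildcard):
    """Huawei 'address wildcard' pair -> network ('0' means host; contiguous masks only)."""
    bits = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)

def lint(config):
    """Return findings for the three pitfalls in the page's root-cause list."""
    findings, section, denies, pbr, trust, defaults = [], "", [], set(), set(), {}
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):          # an unindented line opens a new section
            section, denies = s, []
            continue
        if s.startswith("ip route-static 0.0.0.0 0.0.0.0"):   # default route, pref 60 unless set
            m = re.search(r"preference (\d+)", s)
            defaults.setdefault(int(m[1]) if m else 60, []).append(s.split()[4])
        elif section.startswith("acl"):       # permit shadowed by an earlier, wider deny
            m = re.match(r"rule \d+ (permit|deny) ip source (\S+) (\S+)", s)
            if m and m[1] == "deny":
                denies.append(wildcard_net(m[2], m[3]))
            elif m and any(wildcard_net(m[2], m[3]).subnet_of(d) for d in denies):
                findings.append(f"{section}: '{s}' is shadowed by an earlier deny rule")
        elif section.startswith("interface") and s.startswith("qos apply policy"):
            pbr.add(section.split()[1])        # interface carrying a policy route
        elif section == "firewall zone trust" and s.startswith("add interface"):
            trust.add(s.split()[2])            # interface that belongs to the intranet zone
    findings += [f"{i}: policy route applied on an intranet (trust) interface"
                 for i in sorted(pbr & trust)]
    findings += [f"equal-cost default routes (preference {p}): {', '.join(h)}"
                 for p, h in defaults.items() if len(h) > 1]
    return findings
```

Adding "preference 61" to the second default route, as the modified configuration does, clears the equal-cost finding while the other two remain.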
Suggestions
None.

END