Solution for log warnings showing an IP address repeatedly entering and being removed from the blacklist on the USG9100

Publication Date: 2012-09-18
Issue Description
In VRRP networking mode, viewing the firewall log with display logbuffer shows a source IP address listed as a dynamic blacklist entry in user mode. The address is added to the blacklist and removed again, over and over.
The logs are as follows:
2011-10-11 14:16:38 USG9100-FW %%01SEC/4/BLACKLIST(l):-Slot=3; <10.xx.xx.xx/vpn: public> is added to blacklist, reason < Login password incorrect >, time:<10 min>
2011-10-11 14:16:38 USG9100-FW %%01SEC/4/BLACKLIST(l):-Slot=3; <10.xx.xx.xx/vpn: public> is removed from blacklist
2011-10-11 14:16:38 USG9100-FW %%01SEC/4/BLACKLIST(l):-Slot=3; <10.xx.xx.xx/vpn: public> is added to blacklist, reason < Login password incorrect >, time:<10 min>
2011-10-11 14:16:38 USG9100-FW %%01SEC/4/BLACKLIST(l):-Slot=3; <10.xx.xx.xx/vpn: public> is removed from blacklist
2011-10-11 14:16:38 USG9100-FW %%01SEC/4/BLACKLIST(l):-Slot=3; <10.xx.xx.xx/vpn: public> is added to blacklist, reason < Login password incorrect >, time:<10 min>
2011-10-11 14:16:38 USG9100-FW %%01SEC/4/BLACKLIST(l):-Slot=3; <10.xx.xx.xx/vpn: public> is removed from blacklist
Alarm Information
none
Handling Process
The investigation found that version V100R001C00SPC001 has a defect: a blacklist entry ages out, but it is not released back to the pool. If the device then receives the same blacklist entry as a backup from the peer end, the entry is activated again and backed up to the peer end. The entry then continues aging on the host and is activated once more when the same entry is received again. As a result, the blacklist entry on the primary and secondary devices keeps aging and being backed up, back and forth. In the log, this appears as one IP address entering the blacklist and then being deleted, again and again.
How to solve the problem:
• Log in to the FW and run the following command in the system view:
• [USG9100]undo firewall blacklist item all
• Clearing the blacklist works around the problem, and the repeated blacklist log entries stop. Because there is no blacklist, the command does not affect current services.
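The symptom can be confirmed from saved display logbuffer output, before and after the workaround, by counting removals that are logged before the hold time stated in the matching "added" line has elapsed. The Python below is an added example, not Huawei code: the regular expression is fitted only to the two line shapes shown in this article, and the 192.0.2.7 lines are constructed sample data representing normal aging.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Fitted to the SEC/4/BLACKLIST "added" and "removed" lines quoted in the article.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"%%01SEC/4/BLACKLIST\(l\):-Slot=\d+; <(?P<entry>[^>]*)> is "
    r"(?:added to blacklist, reason <[^>]*>, time:<(?P<mins>\d+) min>"
    r"|(?P<removed>removed from blacklist))"
)

def premature_removals(lines):
    """Count, per blacklist entry, removals logged before the hold time expired."""
    expires = {}       # entry -> time at which the current hold should end
    flaps = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # not a blacklist log line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["removed"]:
            due = expires.pop(m["entry"], None)
            if due is not None and ts < due:
                flaps[m["entry"]] += 1   # removed early: the flapping symptom
        else:
            expires[m["entry"]] = ts + timedelta(minutes=int(m["mins"]))
    return flaps

def flapping_entries(lines, min_cycles=2):
    """Entries with at least min_cycles early removals."""
    return {e: n for e, n in premature_removals(lines).items() if n >= min_cycles}

PFX = "USG9100-FW %%01SEC/4/BLACKLIST(l):-Slot=3; "
ADD = "is added to blacklist, reason < Login password incorrect >, time:<10 min>"
DEL = "is removed from blacklist"
FLAP = "<10.xx.xx.xx/vpn: public>"    # masked address as printed in the article
NORMAL = "<192.0.2.7/vpn: public>"    # constructed entry that ages out normally
SAMPLE = (
    [f"2011-10-11 14:00:00 {PFX}{NORMAL} {ADD}",
     f"2011-10-11 14:10:00 {PFX}{NORMAL} {DEL}"]
    + [f"2011-10-11 14:16:38 {PFX}{FLAP} {a}" for _ in range(3) for a in (ADD, DEL)]
)

if __name__ == "__main__":
    for entry, cycles in flapping_entries(SAMPLE).items():
        print(f"{entry}: {cycles} removals before the hold time expired")
```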
Root Cause
In VRRP networking mode, to make sure that services are not interrupted when the primary and secondary devices switch over, some status data, including the blacklist, must be backed up between the primary and secondary devices. As a device with a distributed structure, the USG9100 handles this service in a complex way, so the cause may be the incessant backup of the blacklist between the primary and secondary devices.
