Two firewalls cannot ping each other in USG6600

Publication Date: 2014-07-22
Issue Description
The interface configuration was checked on both firewalls. On the first firewall:

#                                                                              
interface GigabitEthernet1/0/9                                                 
description To_USG6650_02_XG1/0/9                                             
ip address 192.168.1.1 255.255.255.0  

On the second firewall:

#                                                                              
interface GigabitEthernet1/0/9                                                 
description To_USG6650_01_XG1/0/9                                             
ip address 192.168.1.2 255.255.255.0   

Both interfaces are in the same subnet, so the firewalls should be able to ping each other.

Alarm Information
No alarm was found.
Handling Process
This issue is caused by the “interface access control” feature, which is controlled by the command “service-manage enable”. In the USG6600 firmware version, this feature is enabled by default (the device can be accessed only through the management interface g0/0/0, not through the other interfaces). There are two ways to resolve the issue:

(1) Disable the function by running the command “undo service-manage enable” under the interface in use.
(2) Or configure the command “service-manage ping permit” under the interface in use.

Root Cause
1- Check whether the default packet-filter action is permit, and if it is not, change it to permit. On the USG6600, the default packet-filter action is deny. If the issue still exists after this check, move on to the next cause.

2- The issue is caused by the “interface access control” feature, which is controlled by the command “service-manage enable”. In the USG6600 firmware version, this feature is enabled by default (the device can be accessed only through the management interface g0/0/0, not through the other interfaces). There are two ways to resolve the issue:

(A) Disable the function by running the command “undo service-manage enable” under the interface in use.
(B) Configure the command “service-manage ping permit” under the interface in use.

Suggestions
Before testing ping between two firewall interfaces that are not the management interface, check the default behaviour: whether “service-manage enable” is in effect on the interface, and whether the packet-filter action is permit or deny.
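The check suggested above can be run against a saved configuration before any ping test. The following is an added example, not part of the original case or of Huawei's tooling: it assumes the behaviour this page states (service-manage is enabled by default and blocks ping unless “service-manage ping permit” is set). The function name, the verdict strings and the interfaces other than GigabitEthernet1/0/9 are constructed for illustration.

```python
import re
# Constructed sample: the page's first stanza plus one stanza per listed fix.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/9
 description To_USG6650_02_XG1/0/9
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/10
 ip address 192.168.2.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/11
 ip address 192.168.3.1 255.255.255.0
 undo service-manage enable
#
"""

def audit_ping(config_text):
    """Map each addressed interface to what decides a ping sent to it."""
    results = {}
    name, has_ip, enabled, ping = None, False, True, False

    def flush():
        if name is None or not has_ip:
            return
        if not enabled:
            results[name] = "check-packet-filter"   # access control is off
        elif ping:
            results[name] = "ping-permitted"
        else:
            results[name] = "ping-blocked"          # the case on this page

    for raw in config_text.splitlines():
        line = raw.strip()
        start = re.fullmatch(r"interface\s+(\S+)", line)
        if start or line == "#":
            flush()
            name = start.group(1) if start else None
            # Per the page, service-manage is enabled by default.
            has_ip, enabled, ping = False, True, False
        elif line.startswith("ip address "):
            has_ip = True
        elif line == "undo service-manage enable":
            enabled = False
        elif line == "service-manage ping permit":
            ping = True
    flush()
    return results
```

Of the two fixes listed, “service-manage ping permit” opens only ping on that interface, while “undo service-manage enable” turns the interface access control off for it, which is why the third verdict points back to the packet-filter check.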
