
URL query failed on USG5500 due to Equal-Cost routing

Publication Date: 2014-07-23
Issue Description

The topology is shown above: there are two links between the USG5500 and the Internet. When a URL query is issued, no results are returned.
<USG5530>display url-filter category pre-defined url www.sina.com
10:37:49 2014/07/16
<USG5530>display url-filter category pre-defined url www.youtube.com
10:38:00 2014/07/16
<USG5530>display url-filter category pre-defined url www.baidu.com
10:38:40 2014/07/16
Alarm Information
None
Handling Process
1. Check the configuration on the USG5500; the basic configuration is correct.
#
country JP
#                                     
dns resolve
dns server 8.8.8.8
#
...
#
update schedule ips daily 01:00
update schedule av daily 02:00
security server domain sec.huawei.com
#
2. Check the logs on the URL server: there is only a connection to UCDB, but no connection to UCSS, which is the component that answers URL queries.
#
Jul 15 02:41:28 ip-10-208-63-66 ucdb: ESN:210235G6HR10D8xxxxxx
Jul 15 02:41:28 ip-10-208-63-66 ucdb: LAC:
Jul 15 02:41:28 ip-10-208-63-66 ucdb: productName:USG5530
Jul 15 02:41:28 ip-10-208-63-66 ucdb: productVersion:V200R001
Jul 15 02:41:28 ip-10-208-63-66 ucdb: modeName:LSU5UFMU01
Jul 15 02:41:28 ip-10-208-63-66 ucdb: UTM device connected!
Jul 15 02:41:28 ip-10-208-63-66 ucdb:  status_code:0
Jul 15 02:41:28 ip-10-208-63-66 ucdb: Notice: A new Client[x.33.1.1] request for UCSS cfg[x.x.76.206].
Jul 15 02:41:28 ip-10-208-63-66 ucdb: get 1 ucss ip
#
3. Check the sessions on the USG5500: there are two sessions from different source IP addresses to the same URL server.
#
[USG5530]display firewall session table verbose destination global x.x.76.206
Current Total Sessions : 2
  230747  udp  VPN:public --> public
  Zone: local--> untrust  PolicyID: default  TTL: 00:02:00  Left: 00:01:46
  Output-interface: GigabitEthernet0/0/8  NextHop: x.33.2.2  MAC: 00-00-5e-00-zz-zz
  <--packets:0 bytes:0   -->packets:12 bytes:1152
  x.33.2.1:51732-->x.x.76.206:55460

  782180  tcp  VPN:public --> public
  Zone: local--> sonatel2  PolicyID: default  TTL: 00:00:10  Left: 00:00:08
  Output-interface: GigabitEthernet0/0/7  NextHop: x.33.1.2  MAC: 00-00-5e-00-xx-xx
  <--packets:12 bytes:2745   -->packets:12 bytes:2241
  x.33.1.1:49199-->46.137.76.206:8890
4. From the sessions above, we can confirm that the USG connects to UCDB (port 8890) with source IP x.33.1.1, while it connects to UCSS (port 55460) with source IP x.33.2.1. In this situation UCSS drops the packets sent from x.33.2.1, because the session was established by x.33.1.1; this is the root cause of the URL query failure.
5. After checking the route configuration, we found two equal-cost default routes between the USG and the Internet, so the traffic is load-balanced across both links.
#
ip route-static 0.0.0.0 0.0.0.0 x.33.1.2
ip route-static 0.0.0.0 0.0.0.0 x.33.2.2
#
6. Change the route preference so that all packets are sent from a single source IP address.
#
ip route-static 0.0.0.0 0.0.0.0 x.33.1.2
ip route-static 0.0.0.0 0.0.0.0 x.33.2.2 preference
#
7. After the modification above, the URL query succeeds:
#
<USG5530>display url-filter category pre-defined url www.baidu.com
16:49:06  2014/07/17
<USG5530>
===========================================================================
*                         pre-defined category                            *
===========================================================================
Category-ID  Name                              Matched-Times
---------------------------------------------------------------------------
15           Search Engines/Portals            0  
---------------------------------------------------------------------------
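The diagnosis in steps 3 and 4 comes down to two observations in the session table: two sessions to the same URL server leave from different source IPs, and the UCSS session has sent packets but received none back. The following added script (not part of the original article or of Huawei's tooling) parses a constructed session-table sample in the same format as the output above and flags both conditions automatically, and it includes a small model of the server behaviour the article describes, where a query is only answered if it arrives from the same source IP that opened the control connection. The parser, the function names and the `UcssModel` class are assumptions made for this illustration; masked `x` octets are kept as the article prints them, so addresses are treated as opaque strings.

```python
import re
from collections import defaultdict

# Constructed sample input (not captured from a device): the format of
# "display firewall session table verbose" as shown in the case above.
SAMPLE_SESSION_TABLE = """\
[USG5530]display firewall session table verbose destination global x.x.76.206
Current Total Sessions : 2
  230747  udp  VPN:public --> public
  Zone: local--> untrust  PolicyID: default  TTL: 00:02:00  Left: 00:01:46
  Output-interface: GigabitEthernet0/0/8  NextHop: x.33.2.2  MAC: 00-00-5e-00-zz-zz
  <--packets:0 bytes:0   -->packets:12 bytes:1152
  x.33.2.1:51732-->x.x.76.206:55460

  782180  tcp  VPN:public --> public
  Zone: local--> sonatel2  PolicyID: default  TTL: 00:00:10  Left: 00:00:08
  Output-interface: GigabitEthernet0/0/7  NextHop: x.33.1.2  MAC: 00-00-5e-00-xx-xx
  <--packets:12 bytes:2745   -->packets:12 bytes:2241
  x.33.1.1:49199-->x.x.76.206:8890
"""

_HEADER = re.compile(r"^\s*(\d+)\s+(tcp|udp)\s+VPN:")
_EGRESS = re.compile(r"Output-interface:\s*(\S+)\s+NextHop:\s*(\S+)")
_COUNTERS = re.compile(r"<--packets:(\d+)\s+bytes:\d+\s+-->packets:(\d+)\s+bytes:\d+")
_TUPLE = re.compile(r"^\s*(\S+):(\d+)-->(\S+):(\d+)\s*$")


def parse_sessions(text):
    """Turn the verbose session table into a list of dicts, one per session."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:  # "<id>  <proto>  VPN:..." starts a new session entry
            current = {"id": int(m.group(1)), "proto": m.group(2)}
            sessions.append(current)
            continue
        if current is None:
            continue  # command echo and "Current Total Sessions" header
        m = _EGRESS.search(line)
        if m:
            current["interface"], current["nexthop"] = m.group(1), m.group(2)
            continue
        m = _COUNTERS.search(line)
        if m:
            current["reply_packets"] = int(m.group(1))  # "<--": server to USG
            current["sent_packets"] = int(m.group(2))   # "-->": USG to server
            continue
        m = _TUPLE.match(line)
        if m:
            current["src_ip"], current["src_port"] = m.group(1), int(m.group(2))
            current["dst_ip"], current["dst_port"] = m.group(3), int(m.group(4))
    return sessions


def find_split_sources(sessions):
    """{dst_ip: sorted source IPs} for every server reached from more than one source IP."""
    by_server = defaultdict(set)
    for s in sessions:
        by_server[s["dst_ip"]].add(s["src_ip"])
    return {dst: sorted(srcs) for dst, srcs in by_server.items() if len(srcs) > 1}


def unanswered_sessions(sessions):
    """IDs of sessions that sent traffic but got nothing back: the symptom of a drop at the server."""
    return [s["id"] for s in sessions if s["sent_packets"] > 0 and s["reply_packets"] == 0]


class UcssModel:
    """Model of the behaviour the article describes (an assumption for illustration, not
    Huawei's implementation): a client is registered by the source IP of its UCDB control
    connection, and a UCSS query is answered only if it arrives from that same source IP."""

    def __init__(self):
        self.registered = set()

    def control_connect(self, src_ip):
        self.registered.add(src_ip)

    def query_answered(self, src_ip):
        # A query from an unregistered source is silently dropped, which is why
        # the USG prints only a timestamp and no category.
        return src_ip in self.registered


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_SESSION_TABLE)
    print("servers reached from several source IPs:", find_split_sources(found))
    print("sessions with no reply:", unanswered_sessions(found))
```

Run against the constructed sample, the script reports the URL server x.x.76.206 reached from both x.33.1.1 and x.33.2.1 and the UDP session 230747 as unanswered, which is exactly the evidence the case relies on; after the route preference change in step 6, a fresh capture should show a single source IP and non-zero reply counters.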
Root Cause
1. The configuration of the URL feature is incorrect.
2. The URL query packets did not reach the URL server.
3. The URL reply packets did not reach the USG5500.
Suggestions
When implementing URL queries on the USG, ensure that all packets are sent from the same source IP address. Otherwise, the URL server will drop the packets.

END