Two USG6600 can't ping each other caused by some default configuration case

Publication Date:  2014-07-30 Views:  135 Downloads:  0
Issue Description
The customer uses two USG6600 firewalls connected directly to each other, but they can never ping each other.
Alarm Information
None
Handling Process
The customer sent us the firewall configuration. On checking it, I found that the interface in use had been added to a zone and that the default security policy was permit, as follows:

(1)
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/9

(2)
security-policy
default action permit

Next, the physical interface and cable were checked and confirmed to be normal.

Finally, I checked some of the default configuration of the new USG6600 and found that on the current USG6600 version the service-manage function is enabled by default, but at the same time all protocols are denied by default, except on the management interface GigabitEthernet0/0/0.

So on this USG6600 version you need to either permit the protocol you want to use, or disable the service-manage function under the interface, as follows:

interface GigabitEthernet1/0/9
description To_USG6650_02_XG1/0/9
ip address 192.168.1.1 255.255.255.0
undo service-manage enable

Or:

interface GigabitEthernet1/0/9
description To_USG6650_02_XG1/0/9
ip address 192.168.1.1 255.255.255.0
service-manage ping permit

After changing the configuration as above, the firewalls can ping each other.
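The check below is an added example, not part of the original article and not Huawei's code. It audits a USG6600-style configuration text for interfaces that carry an IP address but would drop inbound ping under the service-manage default the article describes (function enabled, all protocols denied, management interface GigabitEthernet0/0/0 exempt). The config text, the stanza layout (an "interface" line followed by its settings, closed by a "#" line) and the management-interface name are assumptions taken from the article; the sample configuration is constructed for the example.

```python
"""Audit a USG6600-style running config for interfaces whose service-manage
default would silently drop ping.

Added example, not from the original article or from Huawei. Assumes the
config layout shown in the article (an 'interface X' line followed by its
settings, with '#' closing a stanza) and the defaults it describes:
service-manage enabled by default, all protocols denied, except on the
management interface GigabitEthernet0/0/0.
"""
import re

# Constructed sample config (not a real device dump): four interfaces with
# different service-manage settings.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/9
 description To_USG6650_02_XG1/0/9
 ip address 192.168.1.1 255.255.255.0
 service-manage ping permit
#
interface GigabitEthernet1/0/10
 description peer-link
 ip address 10.1.1.1 255.255.255.0
 undo service-manage enable
#
interface GigabitEthernet1/0/11
 ip address 10.2.2.1 255.255.255.0
#
"""

# Only interface exempt from the deny-all default, per the article (assumption).
MGMT_INTERFACE = "GigabitEthernet0/0/0"


def parse_interfaces(config_text):
    """Return {interface_name: [stripped stanza lines]} for each interface block."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "#" or not line:
            current = None  # '#' (or a blank line) closes the current stanza
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def service_manage_status(lines):
    """Classify one interface stanza.

    Returns:
      'disabled'       - 'undo service-manage enable' present, no per-interface filtering
      'ping-permitted' - service-manage on and ping explicitly permitted
      'ping-denied'    - service-manage on (the default) and ping not permitted
    """
    if any(l == "undo service-manage enable" for l in lines):
        return "disabled"
    if any(re.fullmatch(r"service-manage\s+ping\s+permit", l) for l in lines):
        return "ping-permitted"
    return "ping-denied"


def find_ping_blocked_interfaces(config_text):
    """List interfaces that have an IP address but would drop inbound ping
    under the USG6600 service-manage default. The management interface is
    skipped because the article states it is exempt."""
    blocked = []
    for name, lines in parse_interfaces(config_text).items():
        if name == MGMT_INTERFACE:
            continue
        has_ip = any(l.startswith("ip address ") for l in lines)
        if has_ip and service_manage_status(lines) == "ping-denied":
            blocked.append(name)
    return blocked


if __name__ == "__main__":
    for iface in find_ping_blocked_interfaces(SAMPLE_CONFIG):
        print(f"{iface}: inbound ping dropped by service-manage default; "
              f"add 'service-manage ping permit' or 'undo service-manage enable'")
```

Run it against a saved "display current-configuration" output to list the interfaces that still need one of the two fixes from the article. The check only covers ping, which is the protocol the article deals with; an interface flagged as 'disabled' passes because the article's first fix turns service-manage off entirely, while 'ping-permitted' passes because of the second fix.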
Root Cause
Based on the problem description in the customer's feedback, the possible reasons are:
(1) The basic firewall configuration is incomplete (for example, the interface was not added to a zone).
(2) The security policy denies the packets.
(3) There is a physical problem with the interface or cable.
Suggestions
On the USG6600 firewall, the default value of the service-manage function differs from the older firewalls (such as the USG5500 and USG2200). On the new USG6600 this function is enabled by default, and at the same time all protocols are denied except on the management interface GigabitEthernet0/0/0. On the older firewalls, this function is disabled by default.

So pay attention to the service-manage default when working across different firewall models.

END