Troubleshooting: USG6330 cannot reach sec.huawei.com (V500R001C60SPC300)

Publication Date: 2018-01-12
Issue Description

The USG6330 cannot update the signature database from https://sec.huawei.com and reports "Error: Unknown host sec.huawei.com."

The topology is as shown below:


Alarm Information

When the signature database update is attempted, alarms are raised and the update fails.

Handling Process

1. Ping sec.huawei.com from the USG6330.

<USG6330>ping sec.huawei.com

Error: Unknown host sec.huawei.com.

2. Check the IP address of sec.huawei.com from a PC.

Pinging sec.huawei.com [45.X.212.170] with 32 bytes of data:

Reply from 45.X.212.170: bytes=32 time=163ms TTL=240

Reply from 45.X.212.170: bytes=32 time=166ms TTL=240

Reply from 45.X.212.170: bytes=32 time=160ms TTL=240

Reply from 45.X.212.170: bytes=32 time=160ms TTL=240

3. Ping 45.X.212.170 from the USG6330. The USG6330 can reach this IP address.

[USG6330]ping 45.X.212.170

  PING 45.X.212.170: 56  data bytes, press CTRL_C to break

    Reply from 45.X.212.170: bytes=56 Sequence=1 ttl=232 time=405 ms

    Reply from 45.X.212.170: bytes=56 Sequence=2 ttl=232 time=372 ms

    Reply from 45.X.212.170: bytes=56 Sequence=3 ttl=232 time=375 ms

    Reply from 45.X.212.170: bytes=56 Sequence=4 ttl=232 time=375 ms

    Reply from 45.X.212.170: bytes=56 Sequence=5 ttl=232 time=374 ms

4. Check the DNS server IP addresses.

#

dns-transparent-policy

  action tpdns

 dns server bind interface GigabitEthernet1/0/1 preferred 95.X.86.9 alternate 95.X.80.9

     dns server bind interface GigabitEthernet1/0/2 preferred 193.X.11.2 alternate 217.X.190.2

#

5. Ping the DNS server IP addresses.

[USG6330]ping 95.X.86.9

  PING 95.X.86.9: 56  data bytes, press CTRL_C to break

    Reply from 95.X.86.9: bytes=56 Sequence=1 ttl=55 time=6 ms

    Reply from 95.X.86.9: bytes=56 Sequence=2 ttl=55 time=6 ms

    Reply from 95.X.86.9: bytes=56 Sequence=3 ttl=55 time=7 ms

    Reply from 95.X.86.9: bytes=56 Sequence=4 ttl=55 time=5 ms

    Reply from 95.X.86.9: bytes=56 Sequence=5 ttl=55 time=6 ms

[USG6330]ping 95.X.80.9

  PING 95.X.80.9: 56  data bytes, press CTRL_C to break

    Reply from 95.X.80.9: bytes=56 Sequence=1 ttl=56 time=3 ms

    Reply from 95.X.80.9: bytes=56 Sequence=2 ttl=56 time=2 ms

    Reply from 95.X.80.9: bytes=56 Sequence=3 ttl=56 time=3 ms

    Reply from 95.X.80.9: bytes=56 Sequence=4 ttl=56 time=3 ms

        Reply from 95.X.80.9: bytes=56 Sequence=5 ttl=56 time=3 ms

Both DNS servers are reachable.

6. Check which zone the interfaces belong to.

[USG6330]display zone

#

untrust

 priority is 5

 interface of the zone is (2):

    GigabitEthernet1/0/1

    GigabitEthernet1/0/2

    #

GE1/0/1 and GE1/0/2 belong to the untrust zone.

7. Check the security policy from the local zone to the untrust zone. Make sure the action is permit for HTTP and FTP. An example is as below:

#

[HUAWEI] security-policy

[HUAWEI-policy-security] rule name update

[HUAWEI-policy-security-rule-update] source-zone local

[HUAWEI-policy-security-rule-update] destination-zone untrust

[HUAWEI-policy-security-rule-update] service http ftp

[HUAWEI-policy-security-rule-update] action permit

#

The current configuration is as below:

#

[USG6330] security-policy

[USG6330-policy-security]display this

#

security-policy

 default action permit

 default policy logging

 default session logging

#

Here "default action permit" means the default packet-filtering action is permit, so the local-to-untrust update traffic is allowed, but such a setting poses a security risk.

8. Check the update host source.

#

[USG6330]display update host source

2018-01-09 11:27:13.610 +05:00

----------------------------------------------------------------

Source IP Information:

        IP address                 : -

        vpn-instance               : -

Source Interface Information:

        interface name             : GigabitEthernet1/0/1

----------------------------------------------------------------

#

9. Check the configuration of GE1/0/1.

#

interface GigabitEthernet1/0/1

 undo shutdown

 ip address 95.X.83.79 255.255.255.224

 ip address 95.X.83.81 255.255.255.224 sub

 ip address 95.X.83.80 255.255.255.224 sub

 ip address 95.X.83.77 255.255.255.224 sub

#

Since GE1/0/1 has more than one IP address, change the update host source from the interface to a specific IP address. Add the command as below:

#

[USG6330]update host source ip 95.X.83.79

#

10. Ping sec.huawei.com from the USG6330.

<USG6330>ping sec.huawei.com

Error: Unknown host sec.huawei.com.

Ping sec.huawei.com from the USG6330 with a specified source IP address.

[USG6330]ping -a 95.X.83.79 sec.huawei.com

Error: Unknown host sec.huawei.com.

Ping the IP address of sec.huawei.com.

[USG6330]ping 45.X.212.170

  PING 45.X.212.170: 56  data bytes, press CTRL_C to break

    Reply from 45.X.212.170: bytes=56 Sequence=1 ttl=232 time=405 ms

    Reply from 45.X.212.170: bytes=56 Sequence=2 ttl=232 time=372 ms

 

11. Since the firewall still cannot ping sec.huawei.com, check the firewall session table for DNS (DNS uses port 53).

[USG6330]display firewall session table verbose source-zone local destination-port global 53

2018-01-09 11:52:51.700 +05:00

 Current Total Sessions : 7

 dns  VPN: public --> public  ID: a48f39239b24818895a54ad0b

 Zone: local --> untrust  TTL: 00:00:30  Left: 00:00:21

 Recv Interface: InLoopBack0

 Interface: GigabitEthernet1/0/2  NextHop: 37.X.154.33  MAC: 000f-XXXX-9b7f

 <--packets: 0 bytes: 0 --> packets: 1 bytes: 45

 95.X.83.79:53788 +-> 95.X.86.9:53 PolicyName: default

 

 dns  VPN: public --> public  ID: a58f39239b3f82d40a5a54ad12

 Zone: local --> untrust  TTL: 00:00:30  Left: 00:00:28

 Recv Interface: InLoopBack0

 Interface: GigabitEthernet1/0/2  NextHop: 37.X.154.33  MAC: 000f-XXXX-9b7f

 <--packets: 0 bytes: 0 --> packets: 1 bytes: 60

 95.X.83.79:54632 +-> 95.X.86.9:53 PolicyName: default

You can also use the command below to reset the firewall session table and then run the ping test again; only the newest session records will then be shown. Be careful: this command affects service, because the firewall has to recreate all sessions.

<HUAWEI>reset firewall session table source-zone local destination-port global 53

Warning:Reseting session table will affect the system's normal service.

Continue? [Y/N]:y

12. The DNS session is sourced from GE1/0/1 (95.X.83.79), but no packets come back to 95.X.83.79. The next hop is 37.X.154.33 via GE1/0/2, which is in a completely different IP segment from GE1/0/1. Run "display ip interface brief" to check the IP addresses of the interfaces.

[USG6330]display ip interface brief

2018-01-09 12:11:54.510 +05:00

*down: administratively down

^down: standby

(l): loopback

(s): spoofing

(d): Dampening Suppressed

(E): E-Trunk down

The number of interface that is UP in Physical is 5

The number of interface that is DOWN in Physical is 5

The number of interface that is UP in Protocol is 5

The number of interface that is DOWN in Protocol is 5

 

Interface                         IP Address/Mask      Physical   Protocol 

Cellular0/0/0                     unassigned           down       down     

GigabitEthernet0/0/0              10.X.10.1/24        down       down     

GigabitEthernet1/0/0              10.X.117.3/27      up         up       

GigabitEthernet1/0/1              95.X.83.79/27      up         up        

GigabitEthernet1/0/2              37.X.154.35/28      up         up

13. Check the IP routing table.

[USG6330]display ip routing table

2018-01-09 11:25:45.040 +05:00

Route Flags: R - relay, D - download to fib

------------------------------------------------------------------------------

Routing Tables: Public

         Destinations : 28       Routes : 30      

 

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

 

        0.0.0.0/0   Static  60   0          RD   95.X.83.65    GigabitEthernet1/0/1

                   Static  60   0          RD   37.X.154.33    GigabitEthernet1/0/2

       10.0.0.0/8   Static  60   0          RD   10.X.117.1    GigabitEthernet1/0/0

   10.X.117.0/27  Direct  0    0           D   10.X.117.3    GigabitEthernet1/0/0

   10.X.117.3/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0

There are two static default routes (via GE1/0/1 and GE1/0/2) with the same preference and cost.

14. Check the DNS server configuration.

[USG6330]display current-configuration | include dns

dns resolve

dns-transparent-policy

  action tpdns

 dns server bind interface GigabitEthernet1/0/1 preferred 95.X.86.9 alternate 95.X.80.9

 dns server bind interface GigabitEthernet1/0/2 preferred 193.X.11.2 alternate 217.X.190.2

The “dns server bind interface” command sets the IP address of the DNS server bound to the interface.

15. DNS packets with the source IP of GE1/0/1 are forwarded out of GE1/0/2. GE1/0/1 and GE1/0/2 are connected to different ISPs. That means DNS packets carrying an ISP1 address are sent to ISP2, and no reply comes back to the USG6330. This is probably due to ISP policy (the ISP drops DNS packets sourced from another ISP's addresses).
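As an added example (not part of the original case), the check that steps 11 to 14 perform by hand: parse the `display ip interface brief` and `display firewall session table verbose` output and flag any DNS session whose source IP lies outside the subnet of the interface it was forwarded out of, together with the number of reply packets seen. The sample outputs are constructed from the page's text, with the masked second octet replaced by 0 and the second session ID made up.

```python
import ipaddress
import re

# Constructed sample modelled on `display ip interface brief` (masked octet X -> 0).
IFACE_BRIEF = """\
Interface                         IP Address/Mask      Physical   Protocol
GigabitEthernet1/0/0              10.0.117.3/27        up         up
GigabitEthernet1/0/1              95.0.83.79/27        up         up
GigabitEthernet1/0/2              37.0.154.35/28       up         up
"""
# Constructed sample modelled on `display firewall session table verbose`:
# first session left via GE1/0/2 and got no reply, second left via GE1/0/1.
SESSIONS = """\
 dns  VPN: public --> public  ID: a48f39239b24818895a54ad0b
 Recv Interface: InLoopBack0
 Interface: GigabitEthernet1/0/2  NextHop: 37.0.154.33  MAC: 000f-0000-9b7f
 <--packets: 0 bytes: 0 --> packets: 1 bytes: 45
 95.0.83.79:53788 +-> 95.0.86.9:53 PolicyName: default

 dns  VPN: public --> public  ID: b58f39239b3f82d40a5a54ad12
 Recv Interface: InLoopBack0
 Interface: GigabitEthernet1/0/1  NextHop: 95.0.83.65  MAC: 000f-0000-9b7f
 <--packets: 1 bytes: 120 --> packets: 1 bytes: 60
 95.0.83.79:54632 +-> 95.0.86.9:53 PolicyName: default
"""

def parse_iface_subnets(text):
    """Map interface name -> IPv4Interface parsed from `display ip interface brief`."""
    subnets = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+/\d+)\s", line)
        if m:
            subnets[m.group(1)] = ipaddress.ip_interface(m.group(2))
    return subnets

def find_asymmetric_sessions(session_text, subnets):
    """Return (id, src_ip, egress_iface, reply_packets) for each session whose
    source IP is outside the subnet of the interface it was forwarded out of."""
    findings = []
    for block in re.split(r"\n\s*\n", session_text.strip()):
        sid = re.search(r"ID: (\w+)", block)
        egress = re.search(r"^\s*Interface: (\S+)", block, re.M)  # skips 'Recv Interface'
        flow = re.search(r"^\s*(\d+\.\d+\.\d+\.\d+):\d+ \+-> ", block, re.M)
        back = re.search(r"<--packets: (\d+)", block)
        if not (sid and egress and flow and back):
            continue
        src = ipaddress.ip_address(flow.group(1))
        net = subnets.get(egress.group(1))
        if net is None or src not in net.network:
            findings.append((sid.group(1), str(src), egress.group(1), int(back.group(1))))
    return findings
```

A session reported with zero reply packets and an egress interface that does not own its source address is exactly the asymmetric-egress pattern this case describes.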

16. Check the NAT policy.

[USG6330]nat-policy

[USG6330-policy-nat]display this

#

nat-policy

 rule name "NAT Access Policy"

  description NAT Access Group Policy

  source-zone trust

  destination-zone untrust

  source-address address-set "NAT Source Group"

  action nat easy-ip

 rule name "Nat Access Policy 2"

  source-zone trust

  destination-zone untrust

  source-address address-set "Nat Source Group 2"

  action nat easy-ip

#

Check the zones of the interfaces with the "display zone" command.

#

[USG6330]display zone

2018-01-09 12:13:22.280 +05:00

local

 priority is 100

 interface of the zone is (0):

#

trust

 priority is 85

 interface of the zone is (2):

    GigabitEthernet0/0/0

    GigabitEthernet1/0/0

#

untrust

 priority is 5

 interface of the zone is (2):

    GigabitEthernet1/0/1

    GigabitEthernet1/0/2

#

There is no NAT policy from local to untrust.

17. Configure NAT (easy IP) from local to untrust for GE1/0/1 and GE1/0/2. Then, even when DNS packets of GE1/0/1 (ISP1) are forwarded to ISP2, their source IP is translated to the address of the egress interface, that is, the IP address of ISP2.

#
nat-policy
 rule name test
  source-zone local
  destination-zone untrust
  action nat easy-ip
#

18. Ping sec.huawei.com.

[USG6330]ping sec.huawei.com

  PING sec.huawei.com.cdngtm.com (45.X.212.170): 56  data bytes, press CTRL_C to break

    Reply from 45.X.212.170: bytes=56 Sequence=1 ttl=232 time=391 ms

    Reply from 45.X.212.170: bytes=56 Sequence=2 ttl=232 time=384 ms

sec.huawei.com is now reachable. The customer soon confirmed that the USG6330 can update the signature database from https://sec.huawei.com.

Root Cause

DNS packets with the source IP of GE1/0/1 are forwarded out of GE1/0/2. GE1/0/1 and GE1/0/2 are connected to different ISPs. That means DNS packets carrying an ISP1 address are sent to ISP2, and no reply comes back to the USG6330. This is probably due to ISP policy (the ISP drops DNS packets sourced from another ISP's addresses).

Solution

1. Configure NAT (easy IP) from local to untrust for GE1/0/1 and GE1/0/2. Then, even when DNS packets of GE1/0/1 (ISP1) are forwarded to ISP2, their source IP is translated to the address of the egress interface, that is, the IP address of ISP2.

#
nat-policy
 rule name test
  source-zone local
  destination-zone untrust
  action nat easy-ip
#

Suggestions

During troubleshooting, use different methods to narrow down the range of possible root causes. This makes the work more efficient.
