
AR2200 intranet users cannot access the Internet

Publication Date: 2018-02-24 Views: 237 Downloads: 0
Issue Description

The AR2200 is the gateway of the network, with NAT configured on the port connected to the ISP. The customer found that intranet users could not access the Internet.

Alarm Information

None

Handling Process

1. Ping 8.8.8.8 on the Internet from an end terminal: unreachable.

2. Ping the gateway from the end terminal: reachable.

3. Ping 8.8.8.8 from the AR: reachable.

4. Check the NAT ACL configuration: the end terminal's address is covered by the NAT ACL. Check the NAT session table with "display nat session source x.x.x.x destination 8.8.8.8": no session is found.

5. Check the NAT session count with "display nat session number": more than 100,000 sessions.

6. Check the NAT session details with "display nat session all": many sessions to port 445.

7. Confirm with the customer: they do not use port 445 as a service port and agree to block sessions to this port.

8. Configure a traffic policy that blocks traffic to port 445. Service recovered.
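Steps 5 and 6 find the condition by reading the session table by hand. The following Python script, added here as an example and not part of the original case or of Huawei's tooling, applies the same triage to a saved session table: it counts sessions per destination port, flags a port that dominates the table, and lists the internal hosts behind it. The record format is a constructed, simplified one line per session; the real "display nat session all" output is laid out differently, so SESSION_RE must be adapted to it.

```python
import re
from collections import Counter

# Constructed sample of NAT session records, one per line, in a simplified
# "proto src_ip:src_port -> dst_ip:dst_port" format. This is NOT the real
# layout of "display nat session all"; adjust SESSION_RE to match it.
SAMPLE_SESSIONS = """
tcp 192.168.10.23:49152 -> 203.0.113.7:445
tcp 192.168.10.23:49153 -> 203.0.113.8:445
tcp 192.168.10.23:49154 -> 203.0.113.9:445
tcp 192.168.10.23:49155 -> 203.0.113.10:445
tcp 192.168.10.40:51000 -> 198.51.100.5:443
udp 192.168.10.41:53001 -> 8.8.8.8:53
tcp 192.168.10.23:49156 -> 203.0.113.11:445
tcp 192.168.10.42:52000 -> 198.51.100.6:80
"""

SESSION_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_sessions(text):
    """Return (proto, src, dst, dport) tuples; lines that do not parse are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
    return sessions

def dominant_ports(sessions, share=0.5, min_sessions=5):
    """Destination ports holding at least `share` of all sessions
    (and at least `min_sessions`), most common first."""
    total = len(sessions)
    if total == 0:
        return []
    counts = Counter(s[3] for s in sessions)
    return [(p, n) for p, n in counts.most_common()
            if n >= min_sessions and n / total >= share]

def top_sources(sessions, dport, limit=3):
    """Internal hosts opening the most sessions to `dport`: the candidates
    to isolate and inspect, since the port block alone does not clean them."""
    counts = Counter(s[1] for s in sessions if s[3] == dport)
    return counts.most_common(limit)

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_SESSIONS)
    for port, n in dominant_ports(sessions):
        print(f"port {port}: {n}/{len(sessions)} sessions, top sources {top_sources(sessions, port)}")
```

The hosts listed as top sources are the ones to isolate and inspect; the traffic policy in the Solution restores service but does not remove whatever is generating the sessions.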

Root Cause

An unknown cause led the AR to generate a large number of port 445 sessions. These sessions used up the forwarding resources, so new sessions could not be created.

Solution

1. Create ACL 3000 matching TCP traffic to destination port 445

acl number 3000
 rule 5 permit tcp destination-port eq 445

2. Create a traffic policy that denies the traffic matched by ACL 3000

traffic classifier virus operator or
 if-match acl 3000

traffic behavior virus
 deny

traffic policy virus
 classifier virus behavior virus

3. Apply the traffic policy in the outbound direction on the intranet port

interface VlanifXXX
 traffic-policy virus outbound

interface GigabitEthernetX/X/X
 traffic-policy virus outbound

If there are several intranet ports, the traffic policy must be applied to all of them.


Suggestions

During network maintenance, pay attention to high-risk ports such as 135, 137, 139 and 445. If a service port is not in use, block it with a traffic policy.

END