All clients can ping the servers, but some clients fail to access some servers over FTP.
1. FTP services. Clients are on MDCN, and servers are connected to the SE800.
1. All servers on the live network can be pinged, while some FTP packets are not allowed through. Therefore, routing problems can be ruled out. The fault originates from the networking.
2. Identify the difference between ping packets and FTP packets. Ping packets use the ICMP protocol. A ping session consists only of a packet sending process and a packet response process. Ping packets contain no state information. An FTP service, however, uses the TCP protocol, and an FTP session requires a three-way confirmation (the handshake) before data is exchanged. Therefore, it is suspected that the fault is related to state information.
3. Analyze the networking of the live network. Firewalls on the live network implement dual-system hot backup. According to previous experience, the fault may be caused by an inconsistency between the inbound path and the outbound path. According to the network diagram, a server is connected to two switches, and the two links are in active/active mode. Therefore, the inbound path may be inconsistent with the outbound path. Verify TCP services in the lab on a network with inconsistent inbound and outbound paths.
4. According to the verification result, FTP services may fail while ping services are normal on a network with inconsistent inbound and outbound paths.
To conclude, the FTP service on the live network becomes abnormal because packets are lost when the inbound path and the outbound path are inconsistent.
To solve a problem caused by inconsistent inbound and outbound paths, use either of the following methods:
1. Enable the firewall quick backup function to eliminate the latency of session backup.
[Eudemon]hrp mirror session enable
2. Disable the link status check function.
[Eudemon]undo firewall session link-state check
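
The fault and both fixes can be reproduced in a small model. The following is an added example, not vendor code or part of the original case: the Firewall class, the simulate function and the addresses are constructed for illustration, and ICMP is treated as stateless because the case describes ping that way.

```python
# Toy model (constructed for illustration) of two hot-backup stateful firewalls.
class Firewall:
    def __init__(self, link_state_check=True, mirror=False):
        self.link_state_check = link_state_check  # models "firewall session link-state check"
        self.mirror = mirror                      # models "hrp mirror session enable"
        self.sessions = set()                     # flows this firewall has a session for
        self.peer = None

    def forward(self, proto, src, dst, flags=""):
        if proto == "icmp":
            return True   # assumption taken from the case: ping carries no state to check
        key = frozenset((src, dst))               # same key for both directions of a flow
        if key in self.sessions:
            return True
        # Without a session, only a SYN may create one while the check is on.
        if flags == "SYN" or not self.link_state_check:
            self.sessions.add(key)
            if self.mirror:                       # session copied to the peer immediately
                self.peer.sessions.add(key)
            return True
        return False                              # mid-stream packet with no session: dropped


def simulate(asymmetric=True, mirror=False, link_state_check=True):
    fw_a = Firewall(link_state_check, mirror)
    fw_b = Firewall(link_state_check, mirror)
    fw_a.peer, fw_b.peer = fw_b, fw_a
    back = fw_b if asymmetric else fw_a           # firewall on the server-to-client path
    client, server = ("10.0.0.10", 40000), ("10.0.1.20", 21)   # constructed addresses
    ping = fw_a.forward("icmp", client, server) and back.forward("icmp", server, client)
    handshake = [(fw_a, client, server, "SYN"),
                 (back, server, client, "SYN-ACK"),
                 (fw_a, client, server, "ACK")]
    ftp = all(fw.forward("tcp", s, d, f) for fw, s, d, f in handshake)
    return {"ping": ping, "ftp": ftp}


if __name__ == "__main__":
    for kwargs in ({"asymmetric": False}, {}, {"mirror": True}, {"link_state_check": False}):
        print(kwargs, simulate(**kwargs))
```

In the model, disabling the check makes the second firewall build a session from a SYN-ACK whose SYN it never saw, which is the stateful filtering that method 2 gives up; method 1 keeps the check and removes the backup delay instead.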