Some NAT Users Cannot Access the Network Because Equal-cost Routes Are Configured on the USG

Publication Date:  2012-07-17
Issue Description
Networking:
192.168.0.1------trust                untrust------100.100.100.1
                             usg5300
192.168.1.1------trust1               untrust1-----200.200.200.1
The two intranet interfaces of the firewall are connected to two network segments, which belong to the Trust zone and the Trust 1 zone respectively. The two extranet interfaces are connected to two routers that provide public network access.

According to the customer requirements, users in the Trust zone access the public network through the Untrust interface by using NAT, and users in the Trust 1 zone access the public network through the Untrust 1 interface by using NAT. Two default routes to the public network, one through each extranet router, are configured on the firewall; they have the same cost, so they form an equal-cost (load-balanced) pair.

Symptom: Some users on both network segments fail to access the public network, while other users on the same segments can.
Alarm Information
None.
Handling Process
1. For intranet users who can access the public network, the corresponding sessions can be seen in the firewall session table (display firewall session table). For users who cannot access the public network, no corresponding sessions exist on the firewall.
2. Packets from the failing hosts do reach the firewall, so the missing sessions mean that the firewall discards the packets because no rule permits them, not that the packets never arrive.
3. In the Trust zone, the addresses that fail to access the public network are even; in the Trust 1 zone, the addresses that fail are odd. The configuration shows two equal-cost default routes, and the firewall selects one of them per flow by hashing the address.
Based on the previous three points: when a Trust-zone address accesses the public network, the firewall first looks up the routing table, and the selected route determines the outbound interface and therefore the destination zone. Only then does it match the interzone policy and the interzone NAT rule. Because two equal-cost default routes exist, a Trust address whose traffic is hashed onto the route through the Untrust interface is evaluated against the Trust-to-Untrust policy, is permitted, and is translated by NAT. A Trust address hashed onto the route through the Untrust 1 interface is evaluated as Trust-to-Untrust 1, for which no permit rule (and no NAT rule) exists, so the firewall discards its packets and never creates a session. The same happens in reverse for Trust 1 addresses hashed onto the route through Untrust. Because the route is chosen by the address hash, odd Trust addresses can access the public network while even ones cannot, and in the Trust 1 zone the pattern is reversed. To rectify the problem, configure policy-based routing for the Trust zone and the Trust 1 zone, forcing traffic from Trust users out through the Untrust interface only and traffic from Trust 1 users out through the Untrust 1 interface only, so that the equal-cost default routes are no longer consulted for this traffic.
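The following Python model is an added example and is not the customer's configuration or any USG code. It reproduces the forwarding sequence described above (route lookup first, then interzone policy) for the article's topology, so the odd/even failure pattern and the effect of policy-based routing can be seen on every host of both segments. The hash function is an assumption: it uses the parity of the source address because that matches the split the engineer observed, while the real USG hash is vendor specific. The interface names, the PBR rule table and the policy table are constructed from the article's diagram.

```python
"""Model of the USG forwarding decision behind the fault (constructed example)."""
import ipaddress

# Constructed from the article's diagram: the four firewall interfaces.
INTERFACES = {
    "trust":    {"zone": "Trust",    "subnet": ipaddress.ip_network("192.168.0.0/24")},
    "trust1":   {"zone": "Trust1",   "subnet": ipaddress.ip_network("192.168.1.0/24")},
    "untrust":  {"zone": "Untrust",  "next_hop": "100.100.100.1"},
    "untrust1": {"zone": "Untrust1", "next_hop": "200.200.200.1"},
}

# Interzone policies with NAT exist only for these two zone pairs.
PERMITTED_ZONE_PAIRS = {("Trust", "Untrust"), ("Trust1", "Untrust1")}

# The fix: policy-based routing pins each intranet segment to one egress
# interface, so the equal-cost default routes are never consulted for it.
PBR_RULES = {"192.168.0.0/24": "untrust", "192.168.1.0/24": "untrust1"}


def ingress_zone(src: str) -> str:
    """Zone of the intranet interface whose subnet contains the source."""
    ip = ipaddress.ip_address(src)
    for entry in INTERFACES.values():
        if "subnet" in entry and ip in entry["subnet"]:
            return entry["zone"]
    raise ValueError(f"{src} is not on an intranet interface")


def ecmp_pick(src: str) -> str:
    """Choose between the two equal-cost default routes.

    Assumed hash: parity of the source address, matching the odd/even split
    the engineer observed. The real USG hash is vendor specific.
    """
    return "untrust" if int(ipaddress.ip_address(src)) & 1 else "untrust1"


def egress_interface(src: str, use_pbr: bool) -> str:
    """PBR (when enabled) overrides the routing table for matching sources."""
    if use_pbr:
        ip = ipaddress.ip_address(src)
        for net, iface in PBR_RULES.items():
            if ip in ipaddress.ip_network(net):
                return iface
    return ecmp_pick(src)


def forward(src: str, use_pbr: bool = False) -> tuple[str, str]:
    """Return ("permit" | "drop", egress interface) for an Internet-bound packet.

    Route lookup runs first and fixes the destination zone; only then is the
    interzone policy checked. A Trust host hashed onto the Untrust1 route is
    evaluated as Trust -> Untrust1, for which no permit rule exists.
    """
    in_zone = ingress_zone(src)
    out_if = egress_interface(src, use_pbr)
    out_zone = INTERFACES[out_if]["zone"]
    if (in_zone, out_zone) in PERMITTED_ZONE_PAIRS:
        return "permit", out_if   # session created, NAT applied
    return "drop", out_if         # no session, packet discarded by policy


def survey(use_pbr: bool = False) -> dict[str, int]:
    """Count hosts .1-.254 of each intranet segment whose traffic is dropped."""
    dropped = {}
    for entry in INTERFACES.values():
        if "subnet" not in entry:
            continue
        net = entry["subnet"]
        dropped[str(net)] = sum(
            forward(str(host), use_pbr)[0] == "drop" for host in net.hosts()
        )
    return dropped


if __name__ == "__main__":
    print("ECMP only:", survey())              # half of each segment dropped
    print("with PBR: ", survey(use_pbr=True))  # nothing dropped
```

Running the survey with equal-cost routing alone reports 127 dropped hosts per segment (the even Trust addresses and the odd Trust 1 addresses); with the PBR rules applied, no host is dropped, because the source segment now decides the egress interface before the zone pair is evaluated.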
Root Cause
For intranet users who can access the public network, the corresponding sessions can be seen on the firewall. For users who cannot access the public network, no corresponding sessions exist. If the firewall does not create a session, there are only two possible reasons:
1. The packets do not reach the firewall.
2. The firewall discards the packets because no rule permits them.
The intranet segments are attached directly to the firewall's interfaces, as the network diagram shows, so the packets do reach it. The cause is therefore that the firewall discards the packets by policy: with two equal-cost default routes, the address hash sends part of each segment's traffic toward the extranet interface of the other zone, where no interzone policy or NAT rule permits it.
Suggestions
None.

END