The NMS Fails to Manage the USG5300 in Transparent Mode (Example)

Publication Date: 2012-07-17
Issue Description
Service description: The NMS at 10.0.32.113 manages USG5300-A (10.0.32.137) through S93-A and S53-A.
The NMS can neither manage nor ping USG5300-A.
Alarm Information
None.
Handling Process
The NMS sends 30 ICMP echo requests. The firewall's forward-direction session statistics show 60 received packets, which indicates that each ICMP request passes through the firewall twice. The firewall forwards 30 packets and discards 30. The discards are caused by a failed ARP entry lookup.

According to the networking and packet direction, the ICMP request packet passes along the following link to the firewall:
                       VLAN703             VLAN703             VLAN410
32.113-------S93-A--------------USG5300-A--------------S53-A--------------USG5300-A 32.137
 
A. When the packet travels from S93-A to S53-A, USG5300-A forwards it at Layer 2. The next-hop IP address recorded in the session table is the packet's destination IP address (10.0.32.137).
B. When the packet travels from S53-A to USG5300-A, its destination MAC address is the MAC address of the firewall interface, so USG5300-A forwards it at Layer 3. Instead of performing a route lookup, the firewall takes the next-hop IP address cached in the session table (10.0.32.137, the firewall's own address) and searches the ARP table for it. No ARP entry exists for that address, so the packet is dropped.
 
On this network the packet passes through the firewall twice: first at Layer 2 and then at Layer 3. The USG5300 does not support this scenario.
Root Cause
10.0.32.137 is pinged from 10.0.32.113. The ICMP request packet reaches the firewall over the following path:
                       VLAN703             VLAN703             VLAN410
32.113-------S93-A--------------USG5300-A--------------S53-A--------------USG5300-A 32.137
1. When the packet travels from S93-A to S53-A, USG5300-A forwards it at Layer 2. The next-hop IP address recorded in the session table is the packet's destination IP address (10.0.32.137).
2. When the packet travels from S53-A to USG5300-A, its destination MAC address is the MAC address of the firewall interface, so USG5300-A forwards it at Layer 3. Instead of performing a route lookup, the firewall takes the next-hop IP address cached in the session table (10.0.32.137) and searches the ARP table for it. No ARP entry exists for that address, so the packet is dropped.
 
On this network the packet passes through the firewall twice: first at Layer 2 and then at Layer 3. The USG5300 does not support this scenario.
Suggestions

1. In transparent and composite modes, to improve forwarding performance, the USG5300 session table caches information from the MAC forwarding table. Normally the firewall queries the MAC forwarding table when it receives the first forward or reverse packet of a session to determine the egress, and caches the egress in the session table. For each subsequent packet it checks whether the destination MAC address differs from the one recorded in the session table, or whether the ingress VLAN differs from the one recorded. If either differs, it queries the MAC forwarding table again; otherwise it skips the lookup and forwards the packet according to the cached egress. This is why the firewall supports the same packet passing through it twice, provided both passes are Layer-2 forwarding.

2. In transparent and composite modes, a packet that passes through the firewall twice, first at Layer 2 and then at Layer 3, is not supported on the USG5300. This applies, for example, when other hosts or NEs reach a VLANIF interface of the firewall over a path that first crosses the firewall at Layer 2. Such a deployment must be avoided by changing the networking so that traffic destined for the firewall's VLANIF address does not transit the firewall at Layer 2 first.
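The following Python model is an added illustration and is not Huawei code or the USG5300 implementation. It reproduces the behaviour described in items 1 and 2 and the counters seen in the Handling Process: the egress is cached in the session table on the first packet, the MAC table is re-queried only when the destination MAC or ingress VLAN changes, and on the Layer-3 path the cached next hop is taken straight to ARP without a route lookup. The session key, the fields of the cached record, the MAC addresses, the port name and all function names are assumptions; only the IP addresses and VLAN IDs come from the case.

```python
"""Model of the USG5300 session-table egress cache from the case (added illustration).

Hypothetical details: session key, cached record fields, MAC addresses, port name.
Behaviour follows the text: cache egress on first packet, re-query MAC table only
on destination-MAC/ingress-VLAN change, and on the Layer-3 path use the cached
next hop for the ARP lookup without consulting the routing table.
"""
from dataclasses import dataclass, field

NMS_IP = "10.0.32.113"
FW_IP = "10.0.32.137"                 # VLANIF address of USG5300-A (from the case)
FW_MAC = "00:e0:fc:00:00:01"          # hypothetical interface MAC of the firewall
S53_MAC = "00:e0:fc:00:00:53"         # hypothetical MAC of S53-A


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_mac: str
    in_vlan: int


@dataclass
class SessionEntry:
    next_hop_ip: str   # on the Layer-2 path this is the packet's own destination IP
    dst_mac: str
    in_vlan: int
    out_port: str


@dataclass
class Firewall:
    mac_table: dict      # (vlan, mac) -> egress port
    arp_table: dict      # ip -> mac
    local_ips: set       # addresses owned by the firewall's VLANIF interfaces
    sessions: dict = field(default_factory=dict)
    stats: dict = field(default_factory=lambda: {"received": 0, "passed": 0, "dropped": 0})

    def receive(self, pkt):
        self.stats["received"] += 1
        key = (pkt.src_ip, pkt.dst_ip)
        # A frame addressed to the firewall's own MAC takes the Layer-3 path.
        result = self._layer3(pkt, key) if pkt.dst_mac == FW_MAC else self._layer2(pkt, key)
        self.stats["dropped" if result[0] == "DROP" else "passed"] += 1
        return result

    def _layer2(self, pkt, key):
        entry = self.sessions.get(key)
        # Re-query the MAC table only when the destination MAC or ingress VLAN changed.
        if entry is None or entry.dst_mac != pkt.dst_mac or entry.in_vlan != pkt.in_vlan:
            port = self.mac_table.get((pkt.in_vlan, pkt.dst_mac))
            if port is None:
                return ("DROP", "no MAC entry")
            entry = SessionEntry(pkt.dst_ip, pkt.dst_mac, pkt.in_vlan, port)
            self.sessions[key] = entry
        return ("L2", entry.out_port)

    def _layer3(self, pkt, key):
        entry = self.sessions.get(key)
        if entry is not None:
            # Failure mode from the case: the cached next hop goes straight to ARP,
            # even though it is the firewall's own address.
            next_hop = entry.next_hop_ip
        else:
            # No session yet: route lookup. A locally owned address is delivered to
            # the firewall itself and needs no ARP resolution.
            if pkt.dst_ip in self.local_ips:
                return ("LOCAL", pkt.dst_ip)
            next_hop = pkt.dst_ip        # single-subnet model: connected route
        mac = self.arp_table.get(next_hop)
        if mac is None:
            return ("DROP", f"no ARP entry for {next_hop}")
        return ("L3", mac)


def build_firewall():
    return Firewall(
        mac_table={(703, S53_MAC): "GE0/0/2"},     # S53-A reachable in VLAN 703 (hypothetical port)
        arp_table={NMS_IP: "00:e0:fc:00:00:13"},   # constructed ARP cache content
        local_ips={FW_IP},
    )


def run_case(count=30):
    """The case's path: FW at Layer 2 in VLAN 703, then FW at Layer 3 in VLAN 410."""
    fw = build_firewall()
    outcomes = []
    for _ in range(count):
        first = fw.receive(Packet(NMS_IP, FW_IP, S53_MAC, 703))    # S93-A -> S53-A via FW
        second = fw.receive(Packet(NMS_IP, FW_IP, FW_MAC, 410))    # S53-A -> FW VLANIF
        outcomes.append((first[0], second[0]))
    return fw.stats, outcomes


def run_direct(count=30):
    """Same ping reaching the VLANIF without first transiting the firewall at Layer 2."""
    fw = build_firewall()
    outcomes = [fw.receive(Packet(NMS_IP, FW_IP, FW_MAC, 410))[0] for _ in range(count)]
    return fw.stats, outcomes


if __name__ == "__main__":
    print(run_case()[0])      # {'received': 60, 'passed': 30, 'dropped': 30}
    print(run_direct()[0])    # {'received': 30, 'passed': 30, 'dropped': 0}
```

run_case() reproduces the counters from the Handling Process (60 received, 30 passed, 30 dropped, every drop reported as a missing ARP entry for 10.0.32.137), while run_direct() shows that the identical Layer-3 packets are delivered locally once no Layer-2 session precedes them, which is what the networking change in item 2 must achieve.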
