Different forward and return data paths cause a communication failure

Publication Date: 2012-09-10
Issue Description
Router----USG----SW----pc1
                 |
                pc2

1. The USG is configured in transparent mode.

2. pc1 and the internal interface of the router are in the same network segment, and pc1's gateway points to the router (the switch also has an address in this network segment).

3. pc1 and pc2 are not in the same network segment, and pc2's gateway points to SW.

Symptoms:

1. pc2 cannot ping pc1

2. pc1 can ping router

3. pc2 can ping router

Alarm Information
NULL
Handling Process
Disable the firewall's session link-state check in global mode:
undo firewall session link-state check
Root Cause
Analysis
Send: PC2 sends the data destined for PC1 to its gateway, SW. SW finds a direct route and forwards the data to PC1.
Back: PC1 sends the data destined for PC2 to its gateway, the router. Because PC2 is on a different network, the router looks up its routing table and sends the data to SW, and SW forwards the data directly to PC2.
The forward and return data paths are therefore different: the forward path does not pass through the firewall, but the return path does.
The firewall enables the link-state check by default. When the return data reaches the firewall, the firewall has no session for it, because it never saw the forward data, and discards it. That is the reason why pc2 cannot ping pc1.
Suggestions
The link-state check is enabled by default in both routing mode and transparent mode. When the forward and return data paths are different, disable the session link-state check to solve the problem.
i.e.
undo firewall session link-state check
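
The behaviour analysed above, as an added Python model that is not part of the original case: it derives both paths from the gateways in the issue description and applies a simplified session check at the USG. The names `path`, `Firewall` and `ping` are hypothetical, and the session logic is an assumption for illustration, not Huawei's implementation.

```python
# Constructed model of the case topology: Router -- USG -- SW, with pc1 and pc2 on SW.
CHAIN = ["SW", "USG", "Router"]            # physical order upward from the switch
GATEWAY = {"pc1": "Router", "pc2": "SW"}   # default gateways from the case description


def path(src, dst):
    """Devices crossed from src to dst; SW holds the direct route to both hosts."""
    up = CHAIN[: CHAIN.index(GATEWAY[src]) + 1]   # SW up to src's gateway
    down = list(reversed(up[:-1]))                # gateway back down to SW
    return [src, *up, *down, dst]


class Firewall:
    """Simplified stateful check (assumption: only a request creates a session)."""

    def __init__(self, link_state_check=True):
        self.link_state_check = link_state_check
        self.sessions = set()

    def inspect(self, src, dst, kind):
        """Return True to forward the packet, False to discard it."""
        if kind == "echo-request":
            self.sessions.add((src, dst))
            return True
        if (dst, src) in self.sessions:           # reply matches a known session
            return True
        return not self.link_state_check          # forwarded only if the check is off


def ping(fw, src, dst):
    """True if the request reaches dst and the reply returns to src."""
    for a, b, kind in ((src, dst, "echo-request"), (dst, src, "echo-reply")):
        if "USG" in path(a, b) and not fw.inspect(a, b, kind):
            return False
    return True


if __name__ == "__main__":
    print("pc2 -> pc1:", path("pc2", "pc1"))
    print("pc1 -> pc2:", path("pc1", "pc2"))
    print("check on :", ping(Firewall(True), "pc2", "pc1"))
    print("check off:", ping(Firewall(False), "pc2", "pc1"))
```

With the check disabled, `inspect` forwards a reply that matches no session, which is the stateful filtering given up by `undo firewall session link-state check`.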
