USG5300 double exit port default route leads to open up secondary link login frame failed when access the released site

Publication Date:  2013-05-02 Views:  362 Downloads:  0
Issue Description
Parts of page information which on the main page that customer released needs to secondary link address resolution for display. User network is double exit port link, mapping main site of internal server and secondary link site to public network through USG5350, only main site page displays on web page, login frame of secondary link site failed to display.
Topology and abnormal page as below:
Alarm Information
Handling Process
Default route leads to path difference back and forth, the handing process is:
1、 change the route to education network into exact route.
2、 Configure strategy route to forward message from server by GigabitEthernet0/0/2.
Root Cause
1、 Access secondary link page from external network and it displays normally, it shows that address releasing is fine.
2、 Access main page of website from external network, review firewall session and there is  no session to link address). Secondary connection message was dropped and session hasn’t constituted.
<USG5350>disp firewall session table destination inside
         DNS  VPN: public -> public>
         DNS  VPN: public -> public>
3、 Review critical configuration
Interface address:
           interface GigabitEthernet0/0/2
             ip address
           interface GigabitEthernet0/0/3
             ip address
address pool: nat address-group 21
address of mapping main page and secondary link address:
          nat server global inside
          nat server global inside
mapping public network address and exit port address are in the same network segment as we can see from configuration, access page message will forward from 0/0/2.
Review the configuration of default route:
      ip route-static GigabitEthernet0/0/2
           ip route-static GigabitEthernet0/0/3
one default route to internet, another default route to education network, it should be route that causes open up secondary link failed when access web page, path is not consistent when firewall forward message back and forth.
4、 shutdown the interface to education network, secondary link login frame could display normally on main page, change configuration into default route, making sure that the path of data packet forwarding back and forth to two default route is not consistent, so access failed, the session table for success access:
         <USG5350>disp firewall session table destination inside
 It suggests to don’t configure more than one default route when topology with double exit port if exist web operation and other businesses.