NAT switchover fails when a dialer interface is down in multi-exit networking

Publication Date: 2012-09-17
Issue Description
On a USG2000, three dialer interfaces connect to the public network. When the first one, Dialer2, goes down, the internal network cannot access the public network. The configuration is as follows:
#
interface Vlanif2
pppoe-client dial-bundle-number 2      
#
interface Vlanif3
pppoe-client dial-bundle-number 3
#
interface Vlanif4
pppoe-client dial-bundle-number 4
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
pppoe-client dial-bundle-number 1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 0.0.0.0 0.0.0.0 Dialer4
ip route-static 0.0.0.0 0.0.0.0 Dialer2
ip route-static 0.0.0.0 0.0.0.0 Dialer3
#
policy-based-route 2 permit node 1
  if-match acl 2000
  apply output-interface Dialer2
policy-based-route 2 permit node 2
  if-match acl 2000
  apply output-interface Dialer3
policy-based-route 2 permit node 3
  if-match acl 2000
  apply output-interface Dialer4
#
nat-policy interzone trust untrust outbound
policy 0
  action source-nat
  policy source 192.168.1.0 mask 255.255.255.0
  easy-ip Dialer1
#
nat-policy interzone trust untrust1 outbound
policy 0
  action source-nat
  policy source 192.168.1.0 mask 255.255.255.0
  easy-ip Dialer2
#
nat-policy interzone trust untrust2 outbound
policy 0
  action source-nat
  policy source 192.168.1.0 mask 255.255.255.0
  easy-ip Dialer3
#
nat-policy interzone trust untrust3 outbound
policy 0
  action source-nat
  policy source 192.168.1.0 mask 255.255.255.0
  easy-ip Dialer4
Alarm Information
none
Handling Process
1. Access the public network from an internal PC and check the session table:
tcp  VPN:public --> public  Zone: trust--> untrust1  TTL: 00:00:05  Left: 00:00:00
  Interface: Dialer2  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:1 bytes:48
  192.168.1.248:53469[0.0.0.0:2143]-->112.95.240.11:443
http  VPN:public --> public
  Zone: trust--> untrust1  TTL: 00:00:05  Left: 00:00:00
  Interface: Dialer2  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:1 bytes:48
  192.168.1.248:53470[0.0.0.0:2174]-->112.95.240.11:80
  Packets still go out through the dialer interface and policy-based routing still takes effect, but because the interface is down the translated address is 0.0.0.0, so the switchover fails.
2. In multi-exit networking, the physical interface is down but the dialer interface is still up, so policy-based routing keeps working. An ip-link check must be configured to make sure the interface switches over successfully; alternatively, change the policy-based routing:
policy-based-route 2 permit node 1
  if-match acl 2000
  apply output-interface Dialer2
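The symptom in step 1 can be checked mechanically: a session whose translated source address (the part in square brackets) is 0.0.0.0 was matched by a NAT policy bound to an interface that has no address. The Python below is an added example, not Huawei code or part of the original case; the function names and the third, healthy session entry are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two entries from step 1 plus one constructed healthy
# entry (Dialer3, translated to the documentation address 203.0.113.7).
SAMPLE = """\
tcp  VPN:public --> public  Zone: trust--> untrust1  TTL: 00:00:05  Left: 00:00:00
  Interface: Dialer2  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:1 bytes:48
  192.168.1.248:53469[0.0.0.0:2143]-->112.95.240.11:443
http  VPN:public --> public
  Zone: trust--> untrust1  TTL: 00:00:05  Left: 00:00:00
  Interface: Dialer2  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:1 bytes:48
  192.168.1.248:53470[0.0.0.0:2174]-->112.95.240.11:80
http  VPN:public --> public
  Zone: trust--> untrust2  TTL: 00:00:10  Left: 00:00:08
  Interface: Dialer3  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:3 bytes:420   -->packets:4 bytes:310
  192.168.1.248:53471[203.0.113.7:2175]-->112.95.240.11:80
"""

IP = r"(\d+(?:\.\d+){3})"
ZONE = re.compile(r"Zone:\s*(\S+?)\s*-->\s*(\S+)")
IFACE = re.compile(r"Interface:\s*(\S+)")
REPLY = re.compile(r"<--packets:(\d+)")
FLOW = re.compile(rf"{IP}:(\d+)\[{IP}:(\d+)\]-->{IP}:(\d+)")

def parse_sessions(text):
    """Split the dump into entries (an unindented line starts one), parse each."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() or not entries:
            entries.append("")
        entries[-1] += " " + line.strip()
    sessions = []
    for e in entries:
        z, i, r, f = ZONE.search(e), IFACE.search(e), REPLY.search(e), FLOW.search(e)
        if z and i and r and f:  # entries without a [translated] address are skipped
            sessions.append({"proto": e.split()[0], "dst_zone": z.group(2),
                             "interface": i.group(1), "replies": int(r.group(1)),
                             "nat_ip": f.group(3), "dst": f.group(5)})
    return sessions

def unusable_nat_by_interface(text):
    """Count sessions per egress interface whose source NAT address is 0.0.0.0."""
    return dict(Counter(s["interface"] for s in parse_sessions(text)
                        if s["nat_ip"] == "0.0.0.0"))
```

Calling unusable_nat_by_interface(SAMPLE) reports both Dialer2 sessions and leaves the Dialer3 session alone; the zero reply-packet count in the same entries is a second indicator that no return traffic arrived.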
Root Cause
1. Configuration problem
2. Product characteristic
3. Other
Suggestions
none