Service access fails after NAT on a USG5310

Publication Date:  2012-09-24 Views:  173 Downloads:  0
Issue Description
An application (client/server system) fails: the client cannot connect to the remote server.
Network configuration:
           trust                   untrust
client -------------- USG5310 -------------- Internet -------------- server
192.168.1.156      G0/0/2     G0/0/3                           218.94.92.150
Fault symptoms:
The USG5310 performs NAT. The client PC has the application's client software installed; it can ping the server and can telnet to port 7001 on the server. The customer checked with the software vendor, who said that if port 7001 on the server is reachable the client should be able to access the server. Nevertheless the client cannot connect: normally, opening the client pops up a login box asking for a user name and password, but here clicking the client shows no login box and the program hangs. If the USG5310 is replaced with a DLINK router, the server can be accessed.
Alarm Information
None.
Handling Process
1. To analyse the fault we captured packets at the client. The TCP checksum of the server's response packets is wrong, so the client's TCP protocol stack discards them and the service fails. With the DLINK router in place, a capture shows that the TCP checksum of the server's response packets is correct.

2. The client receives server packets with a wrong TCP checksum. Either the firewall miscomputes the TCP checksum while performing NAT, or the checksum is already wrong when the packets reach the firewall. By mirroring traffic on the firewall's internal and external interfaces and capturing on both, we confirmed that the TCP checksum is already wrong when the firewall receives the server's packets.

3. Why is there no problem with the DLINK router? Comparing the internal- and external-side captures of the DLINK router with those of the USG5310 shows that after NAT the DLINK router leaves the source port unchanged (still a four-digit port number), whereas the USG5310 translates the four-digit source port to a five-digit one. This difference may cause the server, or intermediate network equipment, to compute the TCP checksum incorrectly.

4. We configured a global NAT Server mapping for the client and tested again: the service works normally and the TCP checksum of the server's response packets is correct.

5. To confirm whether the cause is the source port being changed at all or specifically a five-digit source port, we ran a small test tool on the front-end PC. The result: when the translated source port is above 61170, the TCP checksum of the server's response packets is wrong; below it, everything is normal. So the problem is not the port translation as such but the translated port range.

6. Configuring nat port range 12288 61100 on the firewall restricts the translated source ports to that range, and the problem is solved.
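As an added example (not part of the original case), the checksum verification used in steps 1, 2 and 5 in Python: it parses raw IPv4/TCP packets, recomputes the IP header and TCP checksums (pseudo-header included) and lists the NAT-translated ports whose server replies fail. The firewall's public address 203.0.113.10 and the sample packets are constructed placeholders.

```python
import struct

# Constructed example (not from the original case): verify IP/TCP checksums of raw
# IPv4 packets and correlate bad TCP checksums with the NAT-translated port.
TCP_PROTO = 6
NAT_PORT_THRESHOLD = 61170      # boundary observed in this case
FW_PUBLIC_IP = "203.0.113.10"   # placeholder: the firewall's public address is not given
SERVER_IP = "218.94.92.150"

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"         # odd length: pad with a trailing zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF

def build_packet(src_ip, dst_ip, sport, dport, payload, corrupt=False) -> bytes:
    """Minimal IPv4+TCP (PSH/ACK) packet; corrupt=True flips one bit of the TCP checksum."""
    s, d = (bytes(map(int, a.split("."))) for a in (src_ip, dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    csum = tcp_checksum(s, d, tcp) ^ (1 if corrupt else 0)
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP_PROTO, 0, s, d)
    ip = ip[:10] + struct.pack("!H", (~ones_complement_sum(ip)) & 0xFFFF) + ip[12:]
    return ip + tcp

def check_packet(pkt: bytes) -> dict:
    """Parse IPv4/TCP and verify both the IP header checksum and the TCP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    sport, dport = struct.unpack("!HH", seg[:4])
    stored = struct.unpack("!H", seg[16:18])[0]
    zeroed = seg[:16] + b"\x00\x00" + seg[18:]
    return {"sport": sport, "dport": dport,
            "ip_ok": ones_complement_sum(pkt[:ihl]) == 0xFFFF,
            "tcp_ok": tcp_checksum(pkt[12:16], pkt[16:20], zeroed) == stored}

def bad_checksum_ports(packets) -> list:
    """NAT-translated (destination) ports of server replies whose TCP checksum fails."""
    return sorted(r["dport"] for r in map(check_packet, packets) if not r["tcp_ok"])

# Constructed server replies (server:7001 -> firewall): the two above 61170 are corrupted.
SAMPLE = [build_packet(SERVER_IP, FW_PUBLIC_IP, 7001, p, b"reply", corrupt=p > NAT_PORT_THRESHOLD)
          for p in (4321, 61200, 12288, 61500)]
```

Running `bad_checksum_ports(SAMPLE)` reproduces the triage of step 5: only the replies to translated ports above 61170 fail verification.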
Root Cause
When the source port after NAT on the USG5310 is above 61170, the TCP checksum of the server's response packets is computed incorrectly, either by the server itself or by intermediate NAT equipment, and the service fails.
Suggestions
When analysing packet captures during troubleshooting, check the correctness of the TCP/UDP checksum and of each field of the IP, TCP and UDP headers.

END