1. To analyse the fault we captured packets at the client and found that the TCP checksum of the server's response data packets was wrong, so the client's TCP stack dropped them and the service failed. With a DLINK router in use, the capture showed that the TCP checksum of the server's response data packets was correct.
2. The client received server data packets with a wrong TCP checksum. Either the checksum was computed incorrectly when the firewall performed NAT translation, or it was already wrong when the firewall received the server's data packets. By capturing mirrored traffic on the internal and external network interfaces of the firewall, we confirmed that the TCP checksum was already wrong when the firewall received the server's data packets.
3. Why is there no problem when the DLINK router is used? Comparing the captures on the internal and external interfaces of the DLINK router with those of the USG5310, we found that after NAT translation the DLINK router leaves the source port unchanged, still a 4-digit port, whereas the USG5310 changes the source port from a 4-digit port to a 5-digit port. This difference may cause the server or an intermediate network device to compute the TCP checksum incorrectly.
4. We configured a global NAT Server for the client and ran a test: the service was normal and the TCP checksum of the server's response data packets was correct.
5. To determine whether the cause is the source port being changed or the 5-digit source port itself, we tested with a small tool on the on-site computer. When the source port after translation is greater than 61170, the TCP checksum of the server's response data packets is wrong; when it is less than that, the checksum is normal. This shows that the fault is unrelated to NAT changing the source port as such.
6. Configuring the command nat port range 12288 61100 on the firewall restricts the port range used after NAT translation and solves the problem.