USG5300: UT and the field king game cannot be accessed normally when NAT Outbound is used

Publication Date:  2012-10-09 Views:  227 Downloads:  0
Issue Description
1. Networking: the firewall sits between two routers on an independent segment, and the two firewalls do not run dual-node hot standby. Traffic from the internal network passes from R2 through FW1 or FW2 to the public-network egress.
   The NAT address pools of the two firewalls are different, and business traffic is sent out only after source NAT is performed on the firewall.
2. Fault symptoms
After logging in to UT, users cannot enter a room normally: the room opens slowly and sometimes a message says the user has been kicked out.
In the field king game, users in the battle room are likewise unable to enter the game.
Alarm Information
Handling Process
1. Because the firewall sits between two routers and the two firewalls perform different NAT, the first suspicion was that the forward and return paths were inconsistent. Debugging with “debug” showed no packets whose forward and return paths differed. We then considered whether the external network was actively initiating connections; captures showed this situation in both the normal and the abnormal case, so this cause was ruled out.
2. The environment was rebuilt in the laboratory for verification. Logging in with UT sometimes failed, but after waiting a moment the login succeeded. With NAT disabled, or with NAT server configured, the same intermittent login behaviour was also observed. Captures on the internal and external interfaces showed no packet loss on the firewall, and comparing them with captures taken under NAT server revealed nothing special.
3. When logging in to the field king game with “NAT outbound”, the North China Netcom server could be entered almost every time, but with East China Telecom selected the login almost always failed. This shows that the problem is related to the server. Analysis of the captures still did not reveal a reason. Changing to “NAT server” or to the “no-pat” mode resolves the problem.
This indicates that the UT and field king applications probably perform a check on the source port, and that an abnormality can occur when the remote port is not the expected value.
Root Cause
It is related to how the two pieces of software are implemented. The firewall converts the source port of packets leaving the internal network; the server probably checks that port, so the port conversion prevents the application from working normally. After the live network was changed to NAT server mode or to no-pat mode, that is, without source port conversion, operation is normal.
Application-related problems of this kind have no particularly good method of localisation: the captures contain too many packets to analyse, so the only approach is elimination, for example changing the configuration to rule out the firewall.
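As an added illustration of the root cause and of the elimination method above (this is a model written for this page, not Huawei or game code), the following Python simulates an outbound source NAT with and without port translation and a server that, as assumed here, compares the port the client announces in its payload with the transport-layer source port it actually sees. The address pool, client address and port numbers are constructed values.

```python
# Added model of the root cause: NAT outbound with PAT rewrites the source port,
# a 1:1 no-pat / NAT server mapping does not. The server-side check is an assumption:
# the client is taken to announce its own port in the payload and the server compares it.
import itertools
from dataclasses import dataclass, field


@dataclass
class Packet:
    src_ip: str
    src_port: int
    payload: dict = field(default_factory=dict)  # application layer


class OutboundNat:
    """Source NAT from the inside interface to the outside interface.
    pat=True  : NAT outbound with an address pool, the source port is replaced.
    pat=False : no-pat (or NAT server style 1:1 mapping), only the IP changes."""

    def __init__(self, pool, pat=True):
        self.pool = pool
        self.pat = pat
        self.table = {}                       # (priv_ip, priv_port) -> (pub_ip, pub_port)
        self._ip_map = {}                     # priv_ip -> pub_ip, fixed per host
        self._ports = itertools.count(10240)  # constructed port allocator for PAT

    def translate(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.table:
            if pkt.src_ip not in self._ip_map:
                self._ip_map[pkt.src_ip] = self.pool[len(self._ip_map) % len(self.pool)]
            pub_port = next(self._ports) if self.pat else pkt.src_port
            self.table[key] = (self._ip_map[pkt.src_ip], pub_port)
        pub_ip, pub_port = self.table[key]
        return Packet(pub_ip, pub_port, pkt.payload)


def server_accepts(pkt):
    """Assumed server check: the announced port must equal the transport source port."""
    return pkt.src_port == pkt.payload.get("client_port")


def port_rewritten(inside_pkt, outside_pkt):
    # The comparison to make between the inside and outside captures.
    return inside_pkt.src_port != outside_pkt.src_port


def login_attempt(pat, client_ip="192.168.10.20", client_port=52000):
    """One login through the firewall; returns (server_accepted, port_rewritten)."""
    fw = OutboundNat(pool=["203.0.113.10", "203.0.113.11"], pat=pat)
    inside = Packet(client_ip, client_port, {"client_port": client_port})
    outside = fw.translate(inside)
    return server_accepts(outside), port_rewritten(inside, outside)
```

Comparing `login_attempt(pat=True)` with `login_attempt(pat=False)` reproduces the elimination step in the handling process: the only difference between the failing and the working case is whether the source port survives the firewall.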