Customer network has two exports, all make NAT translation to provide Internet for intranet. The user feedback the intranet users can't open some websites.
Check the firewall configuration, do not find the obvious configuration error. Try to execute the command:
[USG5100] load - balance flow
And check again, intranet users can get to internet normally.
1, the line problem lead to packet loss (replace physical line cannot solve the problem, eliminate the reason)
2, the intranet has loop, attack and so on. (check the intranet do not have loop, switch configuration is correct, Ping from intranet to FW intranet interface do not loss package, including big packet, modify the intranet interface MTU value still cannot solve the problem)
3, check the firewall configuration
From the test results to see the firewall load sharing mode is per-packet (but configuration do not display), this lead to TCP session establishment appear problem, causing packet loss.
Then summary between per-flow load sharing and per-packet load sharing:
1) when the data flow reach a destination IP address has more than one link, the same data flow message send from the same link, the different data flow according to certain algorithm to select link, there are two kinds the link algorithm as follows:
Hash algorithm: according to the source/destination IP address, the source/destination port number to calculate a value, and according to the value to select a link to make message forwarding.
Polling algorithm: select free link in turn to make message forwarding.
By default, the device use Hash algorithm to select the link.
2) when enable per-packet load sharing, the same data flow message not always send from the same link, but equably distribute to different links.
In per-packet load sharing, the device use polling algorithm to select link.