Troubleshooting case: an illogical unidirectional ping problem

Publication Date: 2012-12-18
Issue Description
PC1----------FW1==================FW2----------PC2

FW1:                                 FW2:
ethe0/0/0  99.1.1.3/24               ethe0/0/0  99.1.1.2/24
ethe1/0/7  100.1.1.11/24             ethe0/0/1  100.1.1.1/24

From each firewall, ping the peer's interface address on the directly connected segment: pinging 100.1.1.11 from FW2 fails, but pinging 100.1.1.1 from FW1 succeeds.
Alarm Information
None.
Handling Process
Because this is a directly connected network segment, no route needs to be configured. The interface addresses at both ends were checked, both interfaces had been added to a security zone, and no special packet-filtering rule in the interzone policy filters Ping, so the basic configuration should not be the problem. Further examination of the ARP table showed that the peer's IP-to-MAC mapping can be learned.
[USG2100]disp arp          
16:51:02  2012/12/12     
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE       VLAN/PVC 
------------------------------------------------------------------------------ 
100.1.1.11      0022-a100-f2f3                        I            Vlanif1   
100.1.1.1        0018-8277-12a8       13         D           Eth1/0/7 
99.1.1.3          0022-a100-f2f2                         I           Eth0/0/0  
99.1.1.2          0018-8277-12a7        20         D           Eth0/0/0    
------------------------------------------------------------------------------ 
Total:4         Dynamic:2       Static:0    Interface:2   
[USG2100]    
Checking the interface state shows that no packets are received and that, apart from two broadcast packets, none are sent.
<USG2100> disp inter ethe 1/0/7             
14:33:42  2012/12/12   
Ethernet1/0/7 current state : UP 

Line protocol current state : UP
Ethernet1/0/7 current firewall zone : trust  
Description : Huawei Symantec, USG2100 serials, Ethernet1/0/7 Interface, Lan Switch Port    
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)  
PVID:1       
Port link-type:access    
  VLAN ID:1     
Media type is twisted pair, loopback is not set, promiscuous mode not set      
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation            
flow control is disable       
    Last 300 seconds input rate 0 bits/s, 0 packets/s        
    Last 300 seconds output rate 0 bits/s, 0 packets/s    
    Input: 0 packets, 0 bytes        
           0 broadcasts, 0 multicasts        
           0 errors, 0 runts, 0 giants, 0 FCS     
           0 length error, 0 code error, 0 align errors
    Output:2 packets, 128 bytes  
           2 broadcasts, 0 multicasts 
           0 errors, 0 collisions, 0 late collisions 
           0 ex. collisions, 0 FCS error  
           0 deferred, 0 runts, 0 giants   
Checking the routing table shows that, in addition to the default route and the directly connected routes, there is also a host route to the peer's interface address.
[USG2100]disp ip rout  
17:10:54  2012/12/12
Route Flags: R - relay, D - download to fib  
------------------------------------------------------------------------------ 
Routing Tables: Public   
        Destinations : 8        Routes : 8
Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface       
        0.0.0.0/0   Static 60        0          RD  100.1.1.1       Ethernet0/0/0   
       99.1.1.0/24  Direct 0       0           D    99.1.1.3         Ethernet0/0/0   
       99.1.1.3/32  Direct 0       0           D   127.0.0.1       InLoopBack0     
      100.1.1.0/24  Direct 0      0           D  100.1.1.11      Vlanif1         
      100.1.1.1/32  Static 60    0          RD  99.1.1.1         Ethernet0/0/0   
     100.1.1.11/32  Direct 0    0           D   127.0.0.1        InLoopBack0     
      127.0.0.0/8   Direct 0       0           D   127.0.0.1        InLoopBack0     
      127.0.0.1/32  Direct 0     0            D   127.0.0.1        InLoopBack0     
                   
[USG2100]         
Checking the routing configuration shows a static route whose next hop is 99.1.1.1, an address that does not exist on the network.
<USG2100>disp cur | inc ip rout        
16:49:04  2012/12/12       
ip route-static 0.0.0.0 0.0.0.0 192.168.1.11    
ip route-static 0.0.0.0 0.0.0.0 100.1.1.1      
ip route-static 20.1.1.0 255.255.255.0 Virtual-Template0     
ip route-static 100.1.1.1 255.255.255.255 99.1.1.1         
<USG2100>               
This is the cause. A host route to 100.1.1.1 was configured with a next hop (99.1.1.1) that is not the peer's interface address. Because the host route has a 32-bit mask, it is the longest match and takes precedence over the directly connected route, so packets to 100.1.1.1 are forwarded toward 99.1.1.1 and the MAC address of that next hop cannot be learned (even if it were learned, the packets would be forwarded to the wrong place and the ping would still fail). After the wrong route is deleted, the problem is solved.
Root Cause
Ping failure is usually due to one of the following reasons:
1) network connectivity (including cabling, link negotiation, etc.);
2) packet-filtering policy;
3) basic configuration (address, security zone, etc.).
Suggestions
When troubleshooting a problem on a directly connected network segment, do not overlook an exact (host) route that may override the directly connected route.
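The longest-prefix-match behaviour described in the Handling Process, and the check this Suggestion calls for, as an added example (not part of the original case or of the USG product): a small Python model of FW1's routing table built from the connected interfaces and the two static routes shown above, with a lint that flags static routes more specific than a connected subnet. Route preferences (Direct 0, Static 60) follow the values in the case output; the function and variable names are the example's own.

```python
import ipaddress

# Directly connected interfaces of FW1 (USG2100), copied from the case.
CONNECTED = {
    "Ethernet0/0/0": ipaddress.ip_interface("99.1.1.3/24"),
    "Vlanif1": ipaddress.ip_interface("100.1.1.11/24"),
}

# The two static routes from 'disp cur | inc ip rout' that matter here.
STATIC_LINES = [
    "ip route-static 0.0.0.0 0.0.0.0 100.1.1.1",
    "ip route-static 100.1.1.1 255.255.255.255 99.1.1.1",
]

def parse_static(line):
    """'ip route-static DEST MASK NEXTHOP' -> (network, next_hop)."""
    _, _, dest, mask, nh = line.split()
    return ipaddress.ip_network(f"{dest}/{mask}"), ipaddress.ip_address(nh)

def lookup(table, dst):
    """Longest prefix match, then lowest preference.
    Returns (network, preference, next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [r for r in table if dst in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[1]), default=None)

def build_table(static_lines):
    """Direct routes (pref 0) plus statics (pref 60). Each static's outgoing
    interface is found by looking up its next hop, as the FIB does."""
    table = [(i.network, 0, i.ip, name) for name, i in CONNECTED.items()]
    statics = [parse_static(l) for l in static_lines]
    # Resolve the most specific statics first so the default route can
    # recurse through the /32 host route, exactly as in the case output.
    for net, nh in sorted(statics, key=lambda s: -s[0].prefixlen):
        via = lookup(table, nh)
        table.append((net, 60, nh, via[3] if via else None))
    return table

def overriding_host_routes(static_lines):
    """Lint for this case: static routes more specific than a connected
    subnet. They win longest-prefix match over the direct route, so traffic
    to an on-link host goes to the next hop instead of being ARPed directly."""
    bad = []
    for net, nh in (parse_static(l) for l in static_lines):
        for name, i in CONNECTED.items():
            if net != i.network and net.subnet_of(i.network):
                bad.append((str(net), str(nh), name))
    return bad
```

With both static routes present, `lookup(build_table(STATIC_LINES), "100.1.1.1")` returns the /32 via 99.1.1.1 on Ethernet0/0/0, matching the `disp ip rout` output; with the host route removed, the same lookup returns the direct route on Vlanif1.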

END