Host ---- Switch1 ---- (vlan2)USG2260(vlan7) -- Switch1 --- Switch2 --- Server
2. Problem description:
The customer found that the Host cannot ping the Server. On the USG2260, the ARP and MAC tables are correct, and the USG2260 itself can ping both sides.
Possible causes considered:
1. Network issue.
2. Route issue.
3. Configuration issue.
1. Check the configuration on the USG. There is no policy that denies the packets, and vlanif 2 and vlanif 7 are in the same firewall zone (trust), so the traffic is intra-zone and no interzone policy applies.
2. Collect traffic statistics on the USG to check whether the packets arrive:
[USG2200-diagnose]display firewall statistics acl
Current Show sessions count: 1
Protocol(ICMP) SourceIp(X.X.X.X) DestinationIp(Y.Y.Y.Y)
SourcePort(43989) DestinationPort(43989) VpnIndex(public)
              Receive      Forward      Discard
Obverse :     5 pkt(s)     5 pkt(s)     0 pkt(s)
Reverse :     0 pkt(s)     0 pkt(s)     0 pkt(s)
According to its own statistics, the USG received and forwarded the packets with no discards. At the same time, traffic statistics collected on the switch showed no packets arriving from the USG, so the USG2260 appears to have dropped them after the forwarding decision.
3. Check the firewall session table on the USG2260. There was no session entry for the global (post-NAT) source address, but one existed for the inside (pre-NAT) source address:
[USG2200]display firewall session table verbose source inside X.X.X.X
icmp VPN:public --> public
Zone: trust--> trust TTL: 00:00:20 Left: 00:00:19
Interface: Vlanif2 NextHop: Y.Y.Y.Y MAC: 00-19-99-83-79-a0
<--packets:0 bytes:0 -->packets:140 bytes:8400
The ICMP packets are therefore being NATed by the USG2260. Checking its configuration showed that the customer had configured a NAT server, with the corresponding server-map entry:
nat server 17 protocol tcp global interface GigabitEthernet0/0/1 3394 inside Y.Y.Y.Y 3389
Nat Server, any -> Z.Z.Z.Z:3394[Y.Y.Y.Y:3389], Zone: ---
Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---
VPN: public -> public
4. The customer added the no-reverse parameter to the nat server command. After the change the ping from Host to Server succeeded and the problem was solved. Without no-reverse, the USG also installs a reverse server-map so that traffic originated by the inside server is source-translated to the global address; with no-reverse only the inbound mapping (global address:3394 -> Y.Y.Y.Y:3389) is kept.
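As an added illustration, not part of the original case record: the nat server line as it stood, the corrected line with no-reverse, and the commands used to confirm the result. The rule ID, interface, ports and addresses are the case's own placeholders; the undo form used to remove the old entry and the exact server-map entry labels are assumptions about USG2200-series output, not taken from the page.

```text
# Added example, not the original case's configuration. Placeholders
# (Y.Y.Y.Y, X.X.X.X, GigabitEthernet0/0/1, rule 17) are taken from the case.

# Before: inbound mapping plus an automatically generated reverse server-map
# (server-originated traffic is source-translated to the interface address)
[USG2200] nat server 17 protocol tcp global interface GigabitEthernet0/0/1 3394 inside Y.Y.Y.Y 3389

# After: remove the old entry (undo syntax assumed) and re-add it with
# no-reverse so that only global:3394 -> Y.Y.Y.Y:3389 is installed
[USG2200] undo nat server 17
[USG2200] nat server 17 protocol tcp global interface GigabitEthernet0/0/1 3394 inside Y.Y.Y.Y 3389 no-reverse

# Verify 1: expect a single "Nat Server" entry for rule 17 and no
# "Nat Server Reverse" entry for Y.Y.Y.Y (entry labels assumed)
[USG2200] display firewall server-map

# Verify 2: ping from Host to Server, then look the session up by its
# global (post-NAT) source address. Before the fix this lookup was empty;
# after it the ICMP session must appear with packets in both directions.
[USG2200] display firewall session table verbose source global X.X.X.X

# Verify 3: the forward and reverse counters should both increase
[USG2200-diagnose] display firewall statistics acl
```

The check that matters is the second one: a session that can only be found by its inside address but not by its global address means the source was translated, which is exactly the symptom the case started from.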