Cannot ping one server IP because of wrong configuration on USG2260

Publication Date:  2014-09-29 Views:  311 Downloads:  0
Issue Description
1. Topology:
Host ---- Switch1 ---- (vlan2)USG2260(vlan7) -- Switch1 --- Switch2 --- Server

2. Problem description:
The customer found that the Host cannot ping the Server. On the USG2260 the ARP and MAC tables are correct, and the USG itself can ping both the Host and the Server.
Alarm Information
1. Network issue
2. Route issue.
3. Configuration issue.
Handling Process
1. Check the configuration on the USG. There is no policy that denies the packets, and Vlanif2 and Vlanif7 are in the same trust firewall zone, so no interzone policy applies to this traffic.
2. Collect traffic statistics on the USG to check whether the packets arrive and are forwarded.
[USG2200-diagnose]display firewall statistics acl
Current Show sessions count: 1
Protocol(ICMP) SourceIp(X.X.X.X) DestinationIp(Y.Y.Y.Y)
SourcePort(43989) DestinationPort(43989) VpnIndex(public)
           Receive           Forward           Discard
Obverse : 5          pkt(s) 5          pkt(s) 0          pkt(s)
Reverse : 0          pkt(s) 0          pkt(s) 0          pkt(s)

The USG received and forwarded the packets with no discards. At the same time, traffic statistics on the switch showed that it did not receive any packets from the USG, so it seemed that the USG2260 was discarding them.
3. Check the firewall session table on the USG2260. The session is not found when queried by global source address, but it does exist when queried by inside source address, which means the source address of the ICMP flow is being translated:
[USG2200]display firewall session table verbose source inside X.X.X.X
  icmp  VPN:public --> public
  Zone: trust--> trust  TTL: 00:00:20  Left: 00:00:19
  Interface: Vlanif2  NextHop: Y.Y.Y.Y  MAC: 00-19-99-83-79-a0
  <--packets:0 bytes:0   -->packets:140 bytes:8400

So the ICMP packets are being NATed by the USG2260. Checking the configuration showed that the customer had configured a NAT server entry, and that the entry had no no-reverse parameter:
 nat server 17 protocol tcp global interface GigabitEthernet0/0/1 3394 inside Y.Y.Y.Y 3389

 Nat Server, any -> Z.Z.Z.Z:3394[X.X.X.X:3389], Zone: ---
   Protocol: tcp(Appro: unknown), Left-Time: --:--:--, Addr-Pool: ---
   VPN: public -> public

4. A nat server entry configured without no-reverse is bidirectional: besides mapping the global address and port to the inside server, it translates the source address of traffic initiated from the inside address to the global address, which is what happened to the ICMP flow here. The customer was asked to add the no-reverse parameter to the nat server command. After the change the ping succeeded and the problem was solved.
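As an added example (not part of the original case notes), the problematic NAT server entry beside the corrected one, followed by the commands used in the handling process to verify the fix. The NAT server ID 17, the interface name and the X/Y/Z address placeholders are taken from the case; the `undo nat server 17` step assumes the entry has to be removed before it is re-added with no-reverse, and the lines starting with `#` are annotations for the reader, not CLI input.

```text
# Problematic entry (as configured in the case): without no-reverse the
# mapping is bidirectional, so traffic initiated from the inside address is
# source-translated to the GigabitEthernet0/0/1 address as well
[USG2200] nat server 17 protocol tcp global interface GigabitEthernet0/0/1 3394 inside Y.Y.Y.Y 3389

# Fix: remove the entry and re-add it as an inbound-only (global -> inside) mapping
[USG2200] undo nat server 17
[USG2200] nat server 17 protocol tcp global interface GigabitEthernet0/0/1 3394 inside Y.Y.Y.Y 3389 no-reverse

# Verify 1: the entry is still listed for inbound RDP on port 3394
[USG2200] display nat server

# Verify 2: while the Host pings the Server, the ICMP session should now be
# found by its global (untranslated) source address, not only by inside source,
# and the <-- packet counter should increase as echo replies come back
[USG2200] display firewall session table verbose source global X.X.X.X
[USG2200] display firewall session table verbose source inside X.X.X.X

# Verify 3: forward and reverse counters both increase, with no discards
[USG2200-diagnose] display firewall statistics acl
```

If the reverse packet counter stays at 0 after adding no-reverse, the remaining suspects are the ones listed under Alarm Information (a route or switch issue on the return path), not the NAT server entry.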