USG6650: management address of a downstream switch unreachable across the firewall

Published: 2016-06-19
Problem description

The topology is roughly as follows: two USG6650 firewalls run in routed mode without HRP; two S9700 switches and one S7700 switch run at Layer 3, and the whole network exchanges routes through OSPF. The fault is that HXC cannot ping 10.0.0.86, while all other services are reachable normally.

Troubleshooting process

1. Analyse the network structure. Checking the routing table on each device in turn, the forwarding path is HXC----USG6650-2-----S9700-2-----S7700, and the return path is the same, so route learning is normal.

2. Ping 10.0.0.86 from the HXC switch and check the session on the firewall, which shows the following:

[USG6650-02-diagnose]display firewall session table verbose-hide both-direction source global 10.0.0.118 destination global 10.0.0.86
11:09:12  2016/06/19
Current Total Sessions : 1
  icmp  VPN:public --> public  ID: a58f6703b84306ed1757667d54
  Zone: trust--> dmz  TTL: 00:00:20  Left: 00:00:19     Input-interface: GigabitEthernet3/0/8
  Output-interface: GigabitEthernet1/0/8  NextHop: 10.0.0.10  MAC: 9c-37-f4-7b-9a-9e
  <--packets:0 bytes:0   -->packets:2 bytes:168
  10.0.0.118:190-->10.0.0.86:2048

  icmp  VPN:public --> public  ID: a58f6703b84306ed1757667d54
  Zone: dmz--> trust  TTL: 00:00:20  Left: 00:00:19 
  Output-interface: GigabitEthernet3/0/8  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:0 bytes:0
  10.0.0.86:2048-->10.0.0.118:190

The output above shows that the forward request packets have already been sent out of the egress interface to the S9700 switch, but no reply packets have been received.

3. Configure traffic statistics on the S9700 switch; the result is as follows:

[S9706-02]ping      display  traffic policy  statistics interface XGigabitEthernet 1/0/0 inbound  verbose  rule-base 

Interface: XGigabitEthernet1/0/0
Traffic policy inbound: tongji
Rule number: 2
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Classifier: tongji operator or
Behavior: tongji
Board : 1
rule 5 permit icmp source 10.0.0.118 0 destination 10.0.0.86 0 (match-counter 0) 
---------------------------------------------------------------------
Passed           |      Packets:                             4                   // packets were counted in the inbound direction.
                  |      Bytes:                             408
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
Dropped          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------

[S9706-02]display  traffic policy  statistics interface  XGigabitEthernet 1/0/0 outbound verbose rule-base

Interface: XGigabitEthernet1/0/0
Traffic policy outbound: tongji
Rule number: 2
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Classifier: tongji operator or
Behavior: tongji
Board : 1
rule 5 permit icmp source 10.0.0.118 0 destination 10.0.0.86 0 (match-counter 0)
---------------------------------------------------------------------
Passed           |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
Dropped          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
rule 10 permit icmp source 10.0.0.86 0 destination 10.0.0.118 0 (match-counter 0)
---------------------------------------------------------------------
Passed           |      Packets:                             5
                  |      Bytes:                             510
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
Dropped          |      Packets:                             0
                  |      Bytes:                               0
                  |      Rate(pps):                           0
                  |      Rate(bps):                           0
---------------------------------------------------------------------
The output above shows that XGE1/0/0 on the S9700 switch received the ICMP request packets from the source and also sent the ICMP reply packets back out of XGE1/0/0. So why does the reply not hit the session on the firewall?

4. Collect further traffic statistics on the firewall; the result is as follows:

[GWKFTJ-FN-FWL-A1-B1-USG6650-02-diagnose]display firewall statistic acl
11:30:08  2016/06/19

Current Show sessions count: 2
  
Protocol(ICMP) SourceIp(10.0.0.118) DestinationIp(10.0.0.86)  
SourcePort(199) DestinationPort(2048) VpnIndex(public)  
                 RcvnFrag    RcvFrag     Forward     DisnFrag    DisFrag  
Obverse(pkts) : 5           0           5           0           0            
Reverse(pkts) : 0           0           0           0           0         
  
Discard detail information:


  
Protocol(ICMP) SourceIp(10.0.0.118) DestinationIp(10.0.0.86)  
SourcePort(200) DestinationPort(2048) VpnIndex(public)  
                 RcvnFrag    RcvFrag     Forward     DisnFrag    DisFrag  
Obverse(pkts) : 5           0           5           0           0            
Reverse(pkts) : 0           0           0           0           0         
  
Discard detail information:

Repeating the statistics several times shows no reverse packets at all, so it is suspected that the replies are still not being received.

5. The firewall and the S9700 switch are directly connected by fibre, the switch has already sent the reply, and yet the firewall session shows nothing, so the only remaining option is to capture packets on the firewall. With a 5-tuple capture configured on the firewall, the reply packets are seen arriving on GE1/0/8 (connected to the switch) but are not seen leaving GE3/0/5 (connected to HXC).

   Note: no screenshot was taken for this step.

6. Taken together, the analysis suggests the packets are being dropped by the firewall. Looking further into the packet forwarding flow, a reverse packet may pass through MAC filtering and IP/MAC binding checks before it hits a session. A careful re-check of the configuration found the line firewall mac-binding 10.0.0.86 3400-a34e-9b33 on the firewall. The MAC address 3400-a34e-9b33 belongs to the S7700, but a packet's MAC address is rewritten on every segment as it is forwarded, so by the time it reached the firewall it carried the S9700's MAC address. After deleting this line, pinging 10.0.0.86 from 10.0.0.118 works normally.

Root cause

During network operations, to make IP and MAC address management easier, the cross-Layer-3 MAC identification function was configured on the firewall, and the IP+MAC binding function was later ticked as well. Once that function took effect, the IP+MAC binding check filtered the packets out, which caused the loss of connectivity.
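As an added illustration (not part of this case or of Huawei's code), the Python below models the IP+MAC binding decision the firewall made here and adds an audit for bindings that can never match because the bound host sits behind a router. The binding line and the next-hop MAC come from the outputs above; the connected subnet 10.0.0.8/29 on GE1/0/8 is an assumption, since the case does not give the interface mask.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed inputs based on the case: the binding line found on the USG6650
# and the next-hop MAC shown in its session table. The connected subnet of
# GE1/0/8 is an assumption (the case does not give the interface mask).
BINDINGS: Dict[str, str] = {"10.0.0.86": "3400-a34e-9b33"}   # S7700's MAC
S9700_MAC = "9c-37-f4-7b-9a-9e"        # NextHop 10.0.0.10 MAC from the session output
CONNECTED_SUBNETS = ["10.0.0.8/29"]    # assumed subnet of GE1/0/8 (contains 10.0.0.10)


@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str   # source MAC as it arrives on the firewall's ingress interface


def norm_mac(mac: str) -> str:
    """Accept xxxx-xxxx-xxxx, xx-xx-..-xx or xx:xx:..:xx; return 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


def binding_check(frame: Frame, bindings: Dict[str, str]) -> str:
    """Decide 'forward' or 'drop' the way an IP+MAC binding check does:
    a frame whose source IP has a binding must carry exactly the bound MAC."""
    bound = bindings.get(frame.src_ip)
    if bound is None:
        return "forward"
    return "forward" if norm_mac(bound) == norm_mac(frame.src_mac) else "drop"


def audit_bindings(bindings: Dict[str, str], connected_subnets: List[str]) -> List[str]:
    """Return bound IPs that are not on a subnet directly connected to the firewall.
    For such an IP the firewall only ever sees the next-hop router's MAC, so the
    binding can never match and the check drops every packet from that host."""
    nets = [ipaddress.ip_network(n) for n in connected_subnets]
    return [ip for ip in bindings
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


if __name__ == "__main__":
    reply = Frame("10.0.0.86", S9700_MAC)   # ICMP reply relayed by the S9700
    print("reply from 10.0.0.86 via S9700:", binding_check(reply, BINDINGS))
    print("bindings on non-connected subnets:", audit_bindings(BINDINGS, CONNECTED_SUBNETS))
```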

Solution
After removing the incorrect binding entry, the network returned to normal.
