Problem Caused by the Firewall Session Check

Publication Date: 2012-09-14
Issue Description

Four routes are configured on the firewall: three have the next hop 192.24.0.254, and the fourth is the default route, whose next hop is 192.168.17.1. The PC's network points to 192.168.17.4. With this configuration, QQ and MSN go offline.
Alarm Information
NULL
Handling Process
There are two ways to solve the problem:
1. Disable the firewall session check (not recommended, because it reduces security).
2. Change the routing: point the PC's network to 192.168.17.1, add 3 routes on the layer-3 switch whose next hop is 192.168.17.4, and add a default route pointing to 192.24.0.254.
Root Cause
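When the PC logs in to QQ, the traffic takes a path through the switch (SW). The first packet of the session reaches the firewall, which forwards it to the layer-3 switch. The second packet comes back from the layer-3 switch and is delivered to the PC. The PC then sends the third packet to the firewall. Because the firewall did not see the second packet, the third packet fails its session check, and this is what causes the offline problem.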
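
The sequence above can be reproduced with a simplified model of a strict session check. This is an added example, not part of the original case and not the firewall's actual implementation; it assumes the login uses a TCP-style three-packet handshake, and the class and function names are hypothetical.

```python
# Simplified model of a strict session check (assumption: TCP-style handshake).
# Not vendor code; names and the three-packet sequence are constructed.

HANDSHAKE = ("SYN", "SYN-ACK", "ACK")


class SessionCheckFirewall:
    """Tracks handshake progress and drops packets that arrive out of state."""

    # Which packet the firewall expects next, given the last one it saw.
    EXPECTED = {None: "SYN", "SYN": "SYN-ACK", "SYN-ACK": "ACK"}

    def __init__(self, session_check=True):
        self.session_check = session_check
        self.last_seen = None

    def forward(self, kind):
        if not self.session_check:
            return True            # check disabled: everything is forwarded
        if self.EXPECTED.get(self.last_seen) != kind:
            return False           # state mismatch: packet is dropped
        self.last_seen = kind
        return True


def handshake_completes(crosses_firewall, session_check=True):
    """crosses_firewall: for each of the three packets, whether its routed
    path goes through the firewall (True) or bypasses it (False)."""
    fw = SessionCheckFirewall(session_check)
    for kind, via_fw in zip(HANDSHAKE, crosses_firewall):
        if via_fw and not fw.forward(kind):
            return False
    return True


if __name__ == "__main__":
    # Path from the root cause: packets 1 and 3 cross the firewall,
    # packet 2 goes from the layer-3 switch directly to the PC.
    print("asymmetric, check on :", handshake_completes((True, False, True)))
    # Method 1: session check disabled on the same asymmetric path.
    print("asymmetric, check off:", handshake_completes((True, False, True), False))
    # Consistent path: the firewall sees every packet of the session.
    print("symmetric,  check on :", handshake_completes((True, True, True)))
```
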
Suggestions
Note: The firewall performs a session check, but the switch (SW) does not.
