
The USG5300 cannot be logged in to remotely

Publication Date: 2012-07-17 Views: 250 Downloads: 0
Issue Description
A customer reports that the master device of the two USG5300 devices on the live network cannot be logged in to remotely. After the default packet filtering is enabled, the device can be logged in to remotely. However, if the default packet filtering is disabled while ACL packet filtering is enabled, the device cannot be logged in to remotely.
Alarm Information
None.
Handling Process
Check the possible causes in turn, starting with the ACL configuration. The ACL configuration is as follows:
ACL 3000
rule permit ip source 192.168.2.3 destination 172.16.1.2
The loopback address of the firewall is 172.16.1.2. The ACL rule is applied to the Untrust-to-Local interzone. The configuration is correct. Therefore, the ACL configuration problem is ruled out.
Run the tracert command on the host at 192.168.2.3 to trace the route to 172.16.1.2. The packets reach the USG5000 Untrust interface, pass through the slave firewall and the Trust zone, and then reach the loopback address. The customer uses OSPF routing, and the optimal path automatically calculated by OSPF goes through the slave firewall first, so the management traffic enters the master firewall from the Trust zone rather than from the Untrust zone where the ACL is applied. Ask the customer to configure the same ACL control for the Trust-to-Local interzone. The master firewall can then be logged in to remotely with the default packet filtering disabled.
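The following is an added example, not vendor code, that models the interzone packet-filter lookup described above: the interzone a packet is checked against depends on the zone it actually arrives from, so an ACL bound only to Untrust-to-Local does not cover traffic that OSPF steers in through the Trust zone. The fallback-to-default behaviour and the zone names are simplifying assumptions; the addresses are the ones given in the case.

```python
from ipaddress import ip_address, ip_network

# Constructed model (added example, not vendor code) of the interzone packet-filter
# lookup involved in this case. Addresses are the ones given in the case text.
LOCAL_ADDRS = {"172.16.1.2"}           # loopback of the master firewall

# Simplification (assumption): when no ACL rule bound to the traversed interzone
# matches, the default packet-filter action decides.
def is_permitted(policy, default_permit, ingress_zone, src, dst):
    """policy maps (src_zone, dst_zone) -> list of (action, src_net, dst_net) rules."""
    dst_zone = "Local" if dst in LOCAL_ADDRS else "Forward"   # traffic to the device itself ends in Local
    for action, src_net, dst_net in policy.get((ingress_zone, dst_zone), []):
        if ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net):
            return action == "permit"
    return default_permit

RULE_3000 = ("permit", "192.168.2.3/32", "172.16.1.2/32")   # ACL 3000 rule from the case

def case_study():
    """Replay the situations described in the case; returns a dict of verdicts."""
    host, fw = "192.168.2.3", "172.16.1.2"
    # As configured by the customer: ACL 3000 bound to Untrust-to-Local only.
    initial = {("Untrust", "Local"): [RULE_3000]}
    # After the fix: the same control also applied to Trust-to-Local.
    fixed = {**initial, ("Trust", "Local"): [RULE_3000]}
    return {
        # Path the customer expected: host -> Untrust interface -> Local. Permitted.
        "untrust_path_default_deny": is_permitted(initial, False, "Untrust", host, fw),
        # Actual OSPF path: via the slave firewall, arriving in the Trust zone. Denied.
        "trust_path_default_deny": is_permitted(initial, False, "Trust", host, fw),
        # Default packet filtering enabled masks the problem.
        "trust_path_default_permit": is_permitted(initial, True, "Trust", host, fw),
        # Trust-to-Local ACL added: login works again with default filtering disabled.
        "trust_path_after_fix": is_permitted(fixed, False, "Trust", host, fw),
    }

if __name__ == "__main__":
    for scenario, verdict in case_study().items():
        print(f"{scenario:28s} -> {'permit' if verdict else 'deny'}")
```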
Root Cause
1. ACL rules are incorrectly configured.
2. The route configuration is improper. As a result, the path is not from the Untrust zone to the Local zone.
3. In this case, packets do not go through the interzone where ACL rules are configured due to improper route configuration.
Suggestions
None.

END