The USG5300 cannot be logged in to remotely

Publication Date: 2012-07-17
Issue Description
A customer reports that the master of two USG5300 devices on the live network cannot be logged in to remotely. When the default packet filtering is enabled, remote login works. However, when the default packet filtering is disabled and only ACL packet filtering is enabled, remote login fails.
Alarm Information
None.
Handling Process
Check the possible causes in turn, starting with the ACL configuration. The ACL configuration is as follows:
ACL 3000
rule permit ip source 192.168.2.3 destination 172.16.1.2
The loopback address of the firewall is 172.16.1.2. The ACL rule is applied to the Untrust-to-Local interzone. The configuration is correct, so an ACL configuration problem is ruled out.
Run the tracert command on the host at 192.168.2.3 to trace the route to 172.16.1.2. The traced packets reach the Untrust interface of the USG5000, pass through the slave firewall and the Trust zone, and only then reach the loopback address. The customer uses OSPF routing, and the optimal path automatically calculated by OSPF goes through the slave firewall first, so the login traffic enters the master firewall from the Trust zone rather than the Untrust zone. Ask the customer to configure ACL control for the Trust-to-Local interzone as well. After that, the master firewall can be logged in to remotely with the default packet filtering disabled.
Root Cause
1. ACL rules are incorrectly configured.
2. The route configuration is improper. As a result, the path is not from the Untrust zone to the Local zone.
3. In this case, packets do not go through the interzone where the ACL rules are configured because of the improper route configuration.
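To make the root cause concrete, here is an added Python model (not Huawei's code and not part of the original case) of how a zone-based firewall selects the interzone packet filter from the arrival interface: the same ACL 3000 is applied, but the traffic arrives through the Trust interface because of the OSPF path. The interface names, the CIDR form of the ACL rule and the fallback to the default packet filter when no rule matches are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model (not Huawei's implementation): one packet-filter ACL per zone
# pair; traffic addressed to the device itself terminates in the Local zone, and
# the ingress zone is decided by the interface the packet actually arrives on.
@dataclass
class AclRule:
    action: str        # "permit" or "deny"
    source: str        # CIDR of the matched source
    destination: str   # CIDR of the matched destination

@dataclass
class Firewall:
    interface_zone: dict                                # ingress interface -> zone name
    interzone_acl: dict = field(default_factory=dict)   # (zone, "local") -> [AclRule]
    default_permit: bool = True                         # the "default packet filtering" switch

    def allows_login(self, ingress_if, src, dst):
        zone = self.interface_zone[ingress_if]
        for r in self.interzone_acl.get((zone, "local"), []):
            if ip_address(src) in ip_network(r.source) and ip_address(dst) in ip_network(r.destination):
                return r.action == "permit"
        return self.default_permit   # no ACL or no matching rule: assumed to fall back to the default

def master_login(default_permit, acl_on_trust_local, ingress_if="GE0/0/2"):
    """Reproduce the case: host 192.168.2.3 logs in to loopback 172.16.1.2, but OSPF
    routes the traffic via the slave firewall, so it enters the master on the Trust
    interface (GE0/0/2, constructed name) instead of the Untrust one (GE0/0/1)."""
    acl3000 = [AclRule("permit", "192.168.2.3/32", "172.16.1.2/32")]
    fw = Firewall(interface_zone={"GE0/0/1": "untrust", "GE0/0/2": "trust"},
                  default_permit=default_permit)
    fw.interzone_acl[("untrust", "local")] = acl3000      # what the customer had configured
    if acl_on_trust_local:
        fw.interzone_acl[("trust", "local")] = acl3000    # the fix applied in the case
    return fw.allows_login(ingress_if, "192.168.2.3", "172.16.1.2")

if __name__ == "__main__":
    print(master_login(True, False))    # default filter on: login works
    print(master_login(False, False))   # default off, ACL only on Untrust-Local: login fails
    print(master_login(False, True))    # ACL also on Trust-Local: login works again
```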
Suggestions
None.