USG5300 dual-exit default routes cause the secondary-link login frame to fail to load when the published site is accessed

Publication Date:  2013-05-02 Views:  208 Downloads:  0
Issue Description
Part of the content on the customer's published main page is loaded from a secondary-link address, which must be resolved for that part to display. The customer network has two exit links. The internal servers of the main site and of the secondary-link site are mapped to public addresses through a USG5350. Only the main site page displays in the browser; the login frame served by the secondary-link site fails to display.
Topology and the abnormal page are shown below:
Alarm Information
NULL
Handling Process
The two default routes cause the forward and return paths to differ. The handling process was:
1. Replace the default route towards the education network with an exact (specific) route.
2. Configure a policy route so that traffic from the server is forwarded out GigabitEthernet0/0/2.
Root Cause
1. Accessing the secondary-link page directly from the external network works normally, which shows that the address publishing (NAT server mapping) is fine.
2. Accessing the main page of the website from the external network and checking the firewall session table shows no session to 10.18.110.3 (the secondary-link address). The packets of the secondary connection were dropped and no session was established.
<USG5350>disp firewall session table destination inside  10.18.110.3
         DNS  VPN: public -> public 172.23.38.20:24268-->10.18.110.3:53
         DNS  VPN: public -> public 172.23.38.20:24201-->10.18.110.3:53
3. Review the key configuration.
Interface addresses:
           interface GigabitEthernet0/0/2
             ip address 61.155.66.222 255.255.255.240
           interface GigabitEthernet0/0/3
             ip address 218.91.159.58 255.255.255.252
Address pool: nat address-group 21 61.155.66.222 61.155.66.222
NAT server mappings for the main page and the secondary-link address:
          nat server global 61.155.66.215 inside 10.18.110.3
          nat server global 61.155.66.216 inside 10.18.110.4
As the configuration shows, the mapped public addresses and the exit interface address of GigabitEthernet0/0/2 are in the same network segment, so the packets accessing the pages are forwarded out GigabitEthernet0/0/2.
Review the default route configuration:
           ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/2 61.155.66.209
           ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet0/0/3 218.91.159.57
One default route leads to the Internet and the other to the education network. This routing is what causes the secondary link to fail to open when the web page is accessed: the forward and return paths through the firewall are not consistent.
4. After shutting down the interface to the education network, the secondary-link login frame displays normally on the main page. Restoring the two default routes reproduces the failure, confirming that the forward and return paths of the packets over the two default routes are inconsistent, so the access fails. The session table for a successful access:
         <USG5350>disp firewall session table destination inside 10.18.110.3
           10.18.110.4:4323[61.155.66.216:4323]-->61.155.66.215:8000[10.18.110.3:8000]
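As an added illustration (not part of the original case and not USG5350 code), the following Python model reproduces the root-cause reasoning above: a longest-prefix-match lookup with per-flow load sharing over equal-length routes, plus a source-based policy route consulted first. With the two default routes from the case, replies from the server are spread over both exit interfaces depending on the flow; with one exact route to the education network plus a policy route for the server segment, they always leave GigabitEthernet0/0/2. The inside interface GigabitEthernet0/0/1, the education-network prefix 218.91.0.0/16, the external client 203.0.113.10 and the flow-hash scheme are assumptions made for the example.

```python
import hashlib
import ipaddress

# Constructed model of the firewall's forwarding decision. Interface names,
# the public prefixes and the server addresses come from the case; the inside
# interface GigabitEthernet0/0/1, the education prefix 218.91.0.0/16 and the
# external client 203.0.113.10 are assumptions.


class Route:
    def __init__(self, prefix, iface, next_hop=None):
        self.prefix = ipaddress.ip_network(prefix)
        self.iface = iface
        self.next_hop = next_hop


def flow_hash(src, dst, sport, dport):
    """Deterministic per-flow hash used to pick one of several equal-cost routes."""
    key = f"{src}:{sport}->{dst}:{dport}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def select_egress(routes, pbr, src, dst, sport=0, dport=0):
    """Return the egress interface for a packet from src to dst.

    1. A policy route (source prefix -> interface) wins if it matches; this is
       the 'forward messages from the server out GigabitEthernet0/0/2' step.
    2. Otherwise longest-prefix match over the static/connected routes.
    3. Routes with the same prefix length (two 0.0.0.0/0 entries) are
       load-shared per flow, so the exit depends on the flow hash.
    """
    src_addr = ipaddress.ip_address(src)
    for src_prefix, iface in pbr:
        if src_addr in ipaddress.ip_network(src_prefix):
            return iface
    dst_addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst_addr in r.prefix]
    if not matches:
        return None
    longest = max(r.prefix.prefixlen for r in matches)
    best = [r for r in matches if r.prefix.prefixlen == longest]
    return best[flow_hash(src, dst, sport, dport) % len(best)].iface


CONNECTED = [
    Route("61.155.66.208/28", "GigabitEthernet0/0/2"),
    Route("218.91.159.56/30", "GigabitEthernet0/0/3"),
    Route("10.18.110.0/24", "GigabitEthernet0/0/1"),  # assumed inside segment
]

# Configuration from the case: two default routes and no policy route.
BROKEN_ROUTES = CONNECTED + [
    Route("0.0.0.0/0", "GigabitEthernet0/0/2", "61.155.66.209"),
    Route("0.0.0.0/0", "GigabitEthernet0/0/3", "218.91.159.57"),
]
BROKEN_PBR = []

# Corrected configuration: one default route to the Internet, an exact route
# for the (assumed) education-network prefix, and a policy route that sends
# everything sourced from the server segment out GigabitEthernet0/0/2.
FIXED_ROUTES = CONNECTED + [
    Route("0.0.0.0/0", "GigabitEthernet0/0/2", "61.155.66.209"),
    Route("218.91.0.0/16", "GigabitEthernet0/0/3", "218.91.159.57"),
]
FIXED_PBR = [("10.18.110.0/24", "GigabitEthernet0/0/2")]


def egress_set(routes, pbr, src, dst, n_flows=200):
    """Egress interfaces observed over n_flows distinct source ports."""
    return {
        select_egress(routes, pbr, src, dst, sport=40000 + i, dport=80)
        for i in range(n_flows)
    }


if __name__ == "__main__":
    client = "203.0.113.10"  # assumed external client
    print("broken:", egress_set(BROKEN_ROUTES, BROKEN_PBR, "10.18.110.3", client))
    print("fixed: ", egress_set(FIXED_ROUTES, FIXED_PBR, "10.18.110.3", client))
    print("to edu:", select_egress(FIXED_ROUTES, FIXED_PBR, client, "218.91.10.10"))
```

The broken set prints both exit interfaces: replies from the server pick an exit per flow, so a request that entered on GigabitEthernet0/0/2 may be answered out GigabitEthernet0/0/3, which is the path mismatch the case describes. The fixed set contains only GigabitEthernet0/0/2, while traffic destined for the education prefix still follows the exact route.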
Suggestions
It is recommended not to configure more than one default route in a dual-exit topology when web services or other business traffic are present.

END