Solution to the problem of publishing servers over dual exits while L2TP dial-up clients communicate with them at the same time.

Publication Date:  2012-09-14
Issue Description
The USG2220 is configured with two exits (dual WAN links). Two servers on the internal network are published, and the two servers are meant to reach the outside through different exits. At the same time, an L2TP client on the external network dials into the internal network and communicates with the servers.
The customer configured server publishing, but found that sending each server's traffic through a different exit did not work: only one server could be published.
The customer also configured L2TP: with one link's address as the LNS server address, dial-up succeeded and the internal network was reachable, but with the other link's address as the LNS server address, dial-up never succeeded.
The customer's topology is as follows:
Alarm Information
None
Handling Process
The customer's modified configuration is as follows:

17:55:33 11/23/2010
#
acl number 3000
rule 5 permit ip
acl number 3001
rule 0 permit ip
acl number 3011
rule 0 deny ip source 192.168.102.0 0.0.0.255
rule 1 permit ip source 192.168.102.2 0
acl number 3012
rule 6 permit ip source 192.168.102.3 0
#
sysname USG2220
#
web-manager enable
#
l2tp enable
#
info-center timestamp debugging date
#
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local dmz direction inbound
firewall packet-filter default permit interzone local dmz direction outbound
firewall packet-filter default permit interzone local untrust2 direction inbound
firewall packet-filter default permit interzone local untrust2 direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust untrust2 direction inbound
firewall packet-filter default permit interzone trust untrust2 direction outbound
firewall packet-filter default permit interzone untrust2 untrust direction inbound
firewall packet-filter default permit interzone untrust2 untrust direction outbound
nat server protocol tcp global 124.67.49.174 www inside 192.168.102.2 www
nat server protocol tcp global 123.178.192.194 www inside 192.168.102.3 www
#
firewall statistic system enable
#
vlan 1
#
vlan 2
#
traffic classifier class2
if-match acl 3012
traffic classifier class1
if-match acl 3011
#
traffic behavior behavior1
remark ip-nexthop 124.67.49.173 output-interface GigabitEthernet0/0/0
traffic behavior behavior2
remark ip-nexthop 123.178.192.193 output-interface GigabitEthernet0/0/1
#
qos policy mypolicy1
classifier class1 behavior behavior1
qos policy mypolicy2
classifier class1 behavior behavior2
#
interface Cellular0/1/0
link-protocol ppp
#
interface Vlanif2
ip address 192.168.102.1 255.255.255.0
#
interface Ethernet1/0/0
port link-type access
port access vlan 2
#
interface Ethernet1/0/1
port link-type access
#
interface Ethernet1/0/2
port link-type access
#
interface Ethernet1/0/3
port link-type access
#
interface Ethernet1/0/4
port link-type access
#
interface Virtual-Template0
ppp authentication-mode pap
ip address 172.19.20.1 255.255.255.0
remote address pool 1
#
interface GigabitEthernet0/0/0
ip address 124.67.49.174 255.255.255.252
qos apply policy mypolicy1 outbound
#
interface GigabitEthernet0/0/1
ip address 123.178.192.194 255.255.255.252
qos apply policy mypolicy2 outbound
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface Vlanif2
add interface Virtual-Template0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/0
#
firewall zone dmz
set priority 50
#
firewall zone vzone
set priority 0
#
firewall zone name untrust2
set priority 6
add interface GigabitEthernet0/0/1
#
firewall interzone trust untrust
nat outbound 3000 interface GigabitEthernet0/0/0
#
firewall interzone trust untrust2
nat outbound 3001 interface GigabitEthernet0/0/1
#
l2tp-group 1
undo tunnel authentication
mandatory-lcp
allow l2tp virtual-template 0
#
aaa
local-user webadmin password simple webadmin2000
local-user webadmin service-type web telnet
local-user webadmin level 3
local-user dlvpn password simple 7777777
local-user dlvpn service-type ppp
local-user dlvpn level 3
ip pool 1 172.19.20.2 172.19.20.100
#
authentication-scheme default
#
authorization-scheme default
#
accounting-scheme default
#
domain default
#
#
right-manager server-group
#
slb
#
ip route-static 0.0.0.0 0.0.0.0 124.67.49.173
ip route-static 0.0.0.0 0.0.0.0 123.178.192.193 preference 61
ip route-static 172.19.20.0 255.255.255.0 Virtual-Template0
#
user-interface con 0
user-interface tty 9
authentication-mode none
modem both
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
return
Root Cause
1. The policy-based routing configured by the customer has problems. The policy routing is applied on the internal-network interface, and according to the policy-routing configuration it does not take effect.
2. The customer configured several equal default routes at the same time rather than a single default route, so all traffic can only match the first default route.
3. The customer configured the ACLs incorrectly.
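The three root causes all come down to match order: an ACL is evaluated first-match in ascending rule-ID order, a traffic classifier only "matches" when its ACL returns permit, and among several default routes only the one with the lowest preference is used. The following Python model is an added example, not device code or the customer's fix. It loads the ACLs, classifiers, behaviors, policies and static routes from the configuration above and shows which next hop each published server's traffic gets. Assumptions: mypolicy1 is evaluated for 192.168.102.2 and mypolicy2 for 192.168.102.3 (the intent the configuration suggests), where the policy is attached to an interface is not modelled, the destination 203.0.113.10 is a constructed test address, and the "corrected" ACL and policy binding are my construction to show the effect of fixing the rule order and the classifier binding.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the USG2220 configuration shown above (not device code):
# it reproduces first-match ACL evaluation, traffic-classifier binding and
# static-route preference so the effect of the ACL/policy mistakes is visible.


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                      # "permit" or "deny"
    source: ipaddress.IPv4Network


def rule(rule_id, action, addr, wildcard="0.0.0.0"):
    """Build an ACL rule from Huawei 'source <addr> <wildcard>' syntax.
    Wildcard 0 (written 0.0.0.0 here) is an exact host; 0.0.0.255 is a /24.
    Non-contiguous wildcards are not modelled."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    net = ipaddress.IPv4Network(f"{addr}/{32 - ones}", strict=False)
    return Rule(rule_id, action, net)


def acl_match(rules, src):
    """First-match evaluation in ascending rule-ID order.
    Returns 'permit', 'deny', or None when no rule matches."""
    ip = ipaddress.IPv4Address(src)
    for r in sorted(rules, key=lambda r: r.rule_id):
        if ip in r.source:
            return r.action
    return None


def route_lookup(routes, dst):
    """Longest-prefix match, then lowest preference (Huawei static routes
    default to preference 60). routes: list of (network, next_hop, preference)."""
    ip = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1]


def next_hop(policy, acls, classifiers, behaviors, routes, src, dst):
    """Policy-based routing: the first classifier whose ACL *permits* the source
    wins and its behavior's remark ip-nexthop is used (a deny rule just means
    'not matched' for a classifier); otherwise the routing table decides."""
    for cls, beh in policy:
        if acl_match(acls[classifiers[cls]], src) == "permit":
            return behaviors[beh]
    return route_lookup(routes, dst)


# --- values taken from the configuration on the page ---
ACLS_AS_CONFIGURED = {
    3011: [rule(0, "deny", "192.168.102.0", "0.0.0.255"),   # matches first...
           rule(1, "permit", "192.168.102.2")],             # ...so this never fires
    3012: [rule(6, "permit", "192.168.102.3")],
}
CLASSIFIERS = {"class1": 3011, "class2": 3012}
BEHAVIORS = {"behavior1": "124.67.49.173",    # GigabitEthernet0/0/0 side
             "behavior2": "123.178.192.193"}  # GigabitEthernet0/0/1 side
POLICY1_AS_CONFIGURED = [("class1", "behavior1")]
POLICY2_AS_CONFIGURED = [("class1", "behavior2")]   # binds class1, not class2
ROUTES = [
    (ipaddress.IPv4Network("0.0.0.0/0"), "124.67.49.173", 60),
    (ipaddress.IPv4Network("0.0.0.0/0"), "123.178.192.193", 61),
    (ipaddress.IPv4Network("172.19.20.0/24"), "Virtual-Template0", 60),
]

# --- assumed correction (my construction, not the page's fix): a permit-only
# ACL for the first server and the second policy bound to class2 ---
ACLS_CORRECTED = {
    3011: [rule(1, "permit", "192.168.102.2")],
    3012: [rule(6, "permit", "192.168.102.3")],
}
POLICY2_CORRECTED = [("class2", "behavior2")]


def exits(acls, policy1, policy2, dst="203.0.113.10"):
    """Next hop chosen for reply traffic from each published server
    (dst is a constructed external address)."""
    return {
        "192.168.102.2": next_hop(policy1, acls, CLASSIFIERS, BEHAVIORS, ROUTES,
                                  "192.168.102.2", dst),
        "192.168.102.3": next_hop(policy2, acls, CLASSIFIERS, BEHAVIORS, ROUTES,
                                  "192.168.102.3", dst),
    }


if __name__ == "__main__":
    print("as configured:", exits(ACLS_AS_CONFIGURED, POLICY1_AS_CONFIGURED, POLICY2_AS_CONFIGURED))
    print("corrected:    ", exits(ACLS_CORRECTED, POLICY1_AS_CONFIGURED, POLICY2_CORRECTED))
    print("L2TP client:  ", route_lookup(ROUTES, "172.19.20.50"))
```

As configured, both servers fall through to the preference-60 default route via 124.67.49.173: the deny rule in ACL 3011 shadows the permit for 192.168.102.2, and mypolicy2 references class1 rather than class2, so no classifier ever permits anything. Only the server behind GigabitEthernet0/0/0 therefore answers on the address it was published on. The second default route with preference 61 is a backup rather than an equal-cost path, so it never carries traffic while the first is up. With the corrected ACL and binding, 192.168.102.3 is steered to 123.178.192.193, and the /24 route to Virtual-Template0 still wins for L2TP pool addresses by longest prefix.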
Suggestions
None
