USG2200: internal network PC cannot access some websites

Publication Date: 2012-10-17
Issue Description
Network:
PC----USG2200----Internet
1. The network is otherwise normal: internal PCs can reach the Internet, but they cannot open certain websites (for example http://219.142.42.17:8010/ESCM/account/login.do).
2. When the USG2200 is removed and the PC is connected directly to the uplink, the site opens normally.
3. The site cannot be reached from our laboratory, but it can be reached from the office area.
Alarm Information
None.
Handling Process
Capturing packets for analysis:

The capture contains only our SYN packets. The server never responds to the data we send.
Why does the server not process traffic from our device?
Comparing with a capture taken where access works, we find that in the working case the source port of the request is much higher (a five-digit port) than the source port used by our device (a four-digit port).
We try changing the source NAT port range:
hrp nat ports-segment  secondary    //the source port range becomes 33768~65535.
After this change, the test succeeds: the website can be accessed normally.
Root Cause
1. We first suspected an MTU or fragmentation problem and adjusted the TCP MSS with the command firewall tcp-mss 1200, but the fault persisted.
2. Viewing the session:
Interface: Dialer0  NextHop: 220.181.125.95  MAC: 00-00-00-00-00-00
  <--packets:0  bytes:  -->packets:4 bytes:889
  192.168.0.31:4115[180.175.60.56:2179]-->219.142.42.17:8010
We can see that the data was sent out, but the server gave no response.
3. We suspected a conflict between the processing of the USG and that of this server.
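To make the check in steps 2 and 3 repeatable, here is an added Python example (not part of the original case) that parses session records in the layout shown above and flags flows that were sent but never answered while their post-NAT source port lies below the secondary range start (33768) quoted in the case. The session dump is constructed: the first record is the one from the case, the other two are made up.

```python
import re
from typing import NamedTuple

# Constructed sample in the layout of the USG session output quoted in "Root Cause".
SESSION_DUMP = """\
Interface: Dialer0  NextHop: 220.181.125.95  MAC: 00-00-00-00-00-00
  <--packets:0  bytes:  -->packets:4 bytes:889
  192.168.0.31:4115[180.175.60.56:2179]-->219.142.42.17:8010
Interface: Dialer0  NextHop: 220.181.125.95  MAC: 00-00-00-00-00-00
  <--packets:6  bytes:4120  -->packets:5 bytes:612
  192.168.0.31:4116[180.175.60.56:40211]-->219.142.42.17:8010
Interface: Dialer0  NextHop: 220.181.125.95  MAC: 00-00-00-00-00-00
  <--packets:0  bytes:  -->packets:3 bytes:180
  192.168.0.44:3301[180.175.60.56:41988]-->198.51.100.7:80
"""

# Lower bound of the post-NAT source port range after "hrp nat ports-segment secondary"
# (33768~65535, as stated in the case).
SECONDARY_RANGE_START = 33768

COUNTERS = re.compile(r"<--packets:(\d+)\s+bytes:(\d*)\s+-->packets:(\d+)\s+bytes:(\d*)")
FLOW = re.compile(r"([\d.]+):(\d+)\[([\d.]+):(\d+)\]-->([\d.]+):(\d+)")

class Session(NamedTuple):
    src: str; src_port: int          # PC address and port before NAT
    nat_ip: str; nat_port: int       # address and port as the server sees them
    dst: str; dst_port: int
    sent: int; received: int         # -->packets / <--packets

def parse_sessions(dump: str) -> list[Session]:
    """Pair each counter line with the flow line that follows it."""
    sessions, counters = [], None
    for line in dump.splitlines():
        m = COUNTERS.search(line)
        if m:
            counters = (int(m.group(3)), int(m.group(1)))  # (sent, received)
            continue
        m = FLOW.search(line)
        if m and counters is not None:
            sessions.append(Session(m[1], int(m[2]), m[3], int(m[4]), m[5], int(m[6]), *counters))
            counters = None
    return sessions

def unanswered_low_port(sessions: list[Session], floor: int = SECONDARY_RANGE_START) -> list[Session]:
    """Flows we sent but never got a reply to, whose post-NAT source port is below the
    secondary range: the signature of this case. Unanswered high-port flows are left out."""
    return [s for s in sessions if s.sent > 0 and s.received == 0 and s.nat_port < floor]

if __name__ == "__main__":
    for s in unanswered_low_port(parse_sessions(SESSION_DUMP)):
        print(f"{s.src}:{s.src_port} -> {s.dst}:{s.dst_port} left the USG as port {s.nat_port}, no reply")
```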
Suggestions
It is unusual for a server to restrict the range of source ports it accepts, so keep this possibility in mind when handling similar problems. Try changing the source NAT port range with hrp nat ports-segment. On USG5300 V1R3 the configuration differs from earlier versions: there it is nat port range.