USG5300 PBR forwarding problem.

Publication Date: 2012-10-27 Views: 169 Downloads: 0
Issue Description

FW: USG5360
Function to realize:
Normally, NAT translates traffic to the address of the export through which it leaves (traffic leaving through one export is translated to that export's address, and traffic leaving through the other export is translated to the other export's address).

Details are in the attachments.

Alarm Information
Handling Process
After finding the cause, we solved the problem with the IP-Link function. IP-Link probes the peer gateway by sending ARP or ICMP messages, and if the peer gateway becomes unreachable the link can be switched. I added the following configuration on the USG5360 to solve the problem.
ip-link check enable
ip-link 1 destination interface GigabitEthernet 0/2  mode icmp
ip-link 1 destination interface GigabitEthernet 0/3  mode icmp
Root Cause
According to the principle of NAT translation, NAT should choose the NAT translation pool based on the routing export, so the configuration above should be correct. But when one line goes down, forwarding does not switch. This is caused by the design of the USG5360: whether a PBR policy is considered failed depends on whether its next-hop address is reachable. Because the USG5360 is configured with two default routes, when one route fails the other one is still effective, so the policy mistakenly concludes that the failed next-hop address is still reachable (through the remaining default route), and the switch never happens.
Generally speaking, in a multi-export NAT environment we suggest adding the IP-Link detection function so that dynamic link switching can be achieved.
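The following Python model is an added illustration (not Huawei code and not from the original case) of the two PBR failure checks described above, with a constructed two-export topology using documentation addresses. Interface names follow the configuration in this article; the routes, prefixes and probe results are assumptions.

```python
import ipaddress

# Constructed topology: two static default routes, one per export (assumed values).
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1", "GigabitEthernet0/2"),
    ("0.0.0.0/0", "198.51.100.1", "GigabitEthernet0/3"),
]
# PBR: traffic from this source prefix is forced out via the GE0/3 gateway.
PBR_POLICY = {"192.0.2.0/24": ("198.51.100.1", "GigabitEthernet0/3")}


def route_lookup(dst, link_up):
    """Longest-prefix match over routes whose egress interface is up."""
    best = None
    for prefix, nh, ifc in ROUTES:
        net = ipaddress.ip_network(prefix)
        if link_up[ifc] and ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, nh, ifc)
    return None if best is None else (best[1], best[2])


def pbr_next_hop(src, link_up, ip_link_probe=None):
    """Return the PBR next hop for src, or None if the policy is treated as failed.

    ip_link_probe=None mimics the next-hop-address check: the policy is kept as
    long as the next-hop address has any route, and the surviving default route
    always covers the dead gateway.  With ip_link_probe (per-interface ICMP
    result, as ip-link provides) the policy is dropped once the gateway is down.
    """
    src_ip = ipaddress.ip_address(src)
    for prefix, (nh, ifc) in PBR_POLICY.items():
        if src_ip not in ipaddress.ip_network(prefix):
            continue
        if ip_link_probe is None:
            alive = route_lookup(nh, link_up) is not None
        else:
            alive = ip_link_probe[ifc]
        return (nh, ifc) if alive else None
    return None


def forward(src, dst, link_up, ip_link_probe=None):
    """Egress decision: PBR first, then the routing table."""
    return pbr_next_hop(src, link_up, ip_link_probe) or route_lookup(dst, link_up)


if __name__ == "__main__":
    state = {"GigabitEthernet0/2": True, "GigabitEthernet0/3": False}  # GE0/3 line down
    print("next-hop check:", forward("192.0.2.10", "203.0.113.200", state))  # dead gateway
    print("ip-link check :", forward("192.0.2.10", "203.0.113.200", state, state))  # GE0/2
```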