Using session information to determine whether the firewall is the cause of a failure

Publication Date:  2012-11-05 Views:  107 Downloads:  0
Issue Description
In a deployment running USG5330 V100R002C01SPC200, the USG5330 is the egress gateway. Users can access port 80 on an external server but cannot access port 5900 on it.
Alarm Information
none
Handling Process
The problem was handled in the following steps:
1. Checked the firewall configuration and found no suspicious policy settings.
2. Bypassed the firewall and configured the public network address directly on a computer; port 5900 on the external server was still unreachable.
3. Suspected a carrier problem and tested as follows:
From an intranet computer, Telnet was run to port 5900 of the external server address. Only sent packets were observed and no received packets; the relevant session information is as follows:
HRP_S[USG5330D]dis firewall session table verbose destination global 58.252.5.160 destination-port 5900
17:02:49 2012/03/23
Current total sessions : 0
HRP_S[USG5330D]dis firewall session table verbose destination global 58.252.5.160 destination-port 5900
17:02:59 2012/03/23
Current total sessions : 1
tcp VPN: public -> public
Zone: trust -> untrust TTL: 00:00:30 Left: 00:00:28
Interface: G2/0/0 Nexthop: 192.168.1.9 MAC: 00-1c-b0-b7-dd-c0
<-- packets:0 bytes:0 --> packets:2 bytes:96
159.226.13.177:2242-->58.252.5.160:5900

When Telnet was run to port 80 from an intranet computer, both sent and received packets were present; the session information is as follows:
HRP_S[USG5330D]dis firewall session table verbose destination global 58.252.5.160 destination-port 80
17:03:55 2012/03/23
Current total sessions : 0
HRP_S[USG5330D]dis firewall session table verbose destination global 58.252.5.160 destination-port 80
17:04:06 2012/03/23
Current total sessions : 1
HTTP VPN: public -> public
Zone: trust -> untrust TTL: 00:00:30 Left: 00:00:26
Interface: G2/0/0 Nexthop: 192.168.1.9 MAC: 00-1c-b0-b7-dd-c0
<-- packets:1 bytes:48 --> packets:2 bytes:88
159.226.13.177:2246-->58.252.5.160:80

Finally, the customer contacted the carrier, who confirmed that a policy configured on the carrier side filtered port 5900. After coordination with the carrier, the policy was changed to permit the traffic and the problem was solved.
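The diagnostic logic above (firewall forwarded the packets, but nothing came back, so the drop is beyond the firewall) can be scripted over the `dis firewall session table verbose` output. The following Python script is an added example and is not part of this case or of any Huawei tool; it parses the two captures shown above, which are embedded here as constructed sample input with the same addresses and counters, and classifies each session. It assumes, as the page's own output suggests, that the `-->` counter counts packets in the session's initiating direction and the `<--` counter counts reply packets; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the two session-table captures from the case,
# reproduced in the format the USG5330 prints them.
SESSION_TABLE_5900 = """\
HRP_S[USG5330D]dis firewall session table verbose destination global 58.252.5.160 destination-port 5900
17:02:59 2012/03/23
Current total sessions : 1
tcp VPN: public -> public
Zone: trust -> untrust TTL: 00:00:30 Left: 00:00:28
Interface: G2/0/0 Nexthop: 192.168.1.9 MAC: 00-1c-b0-b7-dd-c0
<-- packets:0 bytes:0 --> packets:2 bytes:96
159.226.13.177:2242-->58.252.5.160:5900
"""

SESSION_TABLE_80 = """\
HRP_S[USG5330D]dis firewall session table verbose destination global 58.252.5.160 destination-port 80
17:04:06 2012/03/23
Current total sessions : 1
HTTP VPN: public -> public
Zone: trust -> untrust TTL: 00:00:30 Left: 00:00:26
Interface: G2/0/0 Nexthop: 192.168.1.9 MAC: 00-1c-b0-b7-dd-c0
<-- packets:1 bytes:48 --> packets:2 bytes:88
159.226.13.177:2246-->58.252.5.160:80
"""

# Hypothetical record type for one parsed session entry.
@dataclass
class Session:
    proto: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    fwd_packets: int   # packets sent in the initiating direction ("-->")
    rev_packets: int   # reply packets received from the destination ("<--")

PROTO_RE = re.compile(r"^(\S+)\s+VPN:")
ZONE_RE = re.compile(r"Zone:\s*(\S+)\s*->\s*(\S+)")
COUNTER_RE = re.compile(
    r"<--\s*packets:(\d+)\s*bytes:(\d+)\s*-->\s*packets:(\d+)\s*bytes:(\d+)")
FLOW_RE = re.compile(r"^(\S+?):(\d+)-->(\S+?):(\d+)$")

def parse_sessions(text: str) -> List[Session]:
    """Parse verbose session-table output into Session records.

    A session block starts with the '<proto> VPN:' line and ends with the
    'src:port-->dst:port' flow line; header and timestamp lines are ignored.
    """
    sessions: List[Session] = []
    cur: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PROTO_RE.match(line)
        if m:
            cur = {"proto": m.group(1).lower()}
            continue
        m = ZONE_RE.search(line)
        if m:
            cur["src_zone"], cur["dst_zone"] = m.group(1), m.group(2)
        m = COUNTER_RE.search(line)
        if m:
            cur["rev_packets"] = int(m.group(1))
            cur["fwd_packets"] = int(m.group(3))
        m = FLOW_RE.match(line)
        if m:
            cur["src"] = f"{m.group(1)}:{m.group(2)}"
            cur["dst"] = f"{m.group(3)}:{m.group(4)}"
            sessions.append(Session(**cur))
            cur = {}
    return sessions

def diagnose(s: Session) -> str:
    """Classify a session by its packet counters.

    NO_FORWARD: session exists but nothing was forwarded; look at the firewall
                itself (policy, routing, NAT) before blaming anything upstream.
    NO_REPLY:   the firewall forwarded the initiator's packets and saw no
                reply; the drop is beyond the firewall (carrier, server).
    HEALTHY:    traffic flows in both directions.
    """
    if s.fwd_packets == 0:
        return "NO_FORWARD"
    if s.rev_packets == 0:
        return "NO_REPLY"
    return "HEALTHY"

def diagnose_captures(*captures: str) -> Dict[str, str]:
    """Map each destination 'ip:port' seen in the captures to its verdict."""
    verdicts: Dict[str, str] = {}
    for text in captures:
        for s in parse_sessions(text):
            verdicts[s.dst] = diagnose(s)
    return verdicts

if __name__ == "__main__":
    for dst, verdict in diagnose_captures(SESSION_TABLE_5900, SESSION_TABLE_80).items():
        print(f"{dst}: {verdict}")
```

Run on the two captures, the port 5900 session comes out as NO_REPLY and the port 80 session as HEALTHY, which is exactly the contrast that pointed the engineers at the carrier rather than the firewall. A NO_FORWARD verdict, or no session entry at all while the client is clearly sending, would instead point back at the firewall's own policy or routing.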
Root Cause
1. The firewall policy denies access to port 5900.
2. Server configuration problem.
3. The carrier filtered port 5900.
Suggestions
none
