Unidirectional Ping failure troubleshooting case

Publication Date:  2012-12-18
Issue Description

FW1:                     FW2:
ethe0/0/0                ethe0/0/0
ethe1/0/7                ethe0/0/1

Each firewall pings the peer's interface address: the ping from FW2 fails, while the ping from FW1 succeeds.
Alarm Information
Handling Process
Because the two firewalls are on a directly connected network segment, no routing configuration should be needed. Checking both ends confirmed that the interface addresses were configured and the interfaces were added to security zones, and there were no special packet filtering rules in the interzone that would filter Ping, so the basic configuration should not be the problem. Further examination of the ARP table showed that the MAC address of the peer IP address can be learned.
[USG2100]disp arp          
16:51:02  2012/12/12     
------------------------------------------------------------------------------
0022-a100-f2f3                I       Vlanif1
0018-8277-12a8       13       D       Eth1/0/7
0022-a100-f2f2                I       Eth0/0/0
0018-8277-12a7       20       D       Eth0/0/0
Total:4         Dynamic:2       Static:0    Interface:2   
Checking the interface state shows that, apart from two broadcast packets, nothing has been sent, and no packets have been received.
<USG2100> disp inter ethe 1/0/7             
14:33:42  2012/12/12   
Ethernet1/0/7 current state : UP 

Line protocol current state : UP
Ethernet1/0/7 current firewall zone : trust  
Description : Huawei Symantec, USG2100 serials, Ethernet1/0/7 Interface, Lan Switch Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)  
Port link-type:access    
  VLAN ID:1     
Media type is twisted pair, loopback is not set, promiscuous mode not set      
100Mb/s-speed mode, Full-duplex mode, link type is auto negotiation            
flow control is disable       
    Last 300 seconds input rate 0 bits/s, 0 packets/s        
    Last 300 seconds output rate 0 bits/s, 0 packets/s    
    Input: 0 packets, 0 bytes        
           0 broadcasts, 0 multicasts        
           0 errors, 0 runts, 0 giants, 0 FCS     
           0 length error, 0 code error, 0 align errors
    Output:2 packets, 128 bytes  
           2 broadcasts, 0 multicasts 
           0 errors, 0 collisions, 0 late collisions 
           0 ex. collisions, 0 FCS error  
           0 deferred, 0 runts, 0 giants   
Checking the routing table shows that, in addition to the default route and the direct routes, there is also a host route to the peer interface address.
[USG2100]disp ip rout  
17:10:54  2012/12/12
Route Flags: R - relay, D - download to fib  
Routing Tables: Public   
        Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost   Flags  NextHop         Interface
                    Static   60     0   RD                     Ethernet0/0/0
                    Direct    0     0   D                      Ethernet0/0/0
                    Direct    0     0   D                      InLoopBack0
                    Direct    0     0   D                      Vlanif1
                    Static   60     0   RD                     Ethernet0/0/0
                    Direct    0     0   D                      InLoopBack0
                    Direct    0     0   D                      InLoopBack0
                    Direct    0     0   D                      InLoopBack0
Checking the routing configuration shows a static route to the peer interface address, and the next-hop address it points to does not exist.
<USG2100>disp cur | inc ip rout        
16:49:04  2012/12/12       
ip route-static    
ip route-static      
ip route-static Virtual-Template0     
ip route-static         
This reveals the cause. A host route to the peer interface address had been configured with a next hop that is not the peer interface address. Because a host route has a 32-bit mask, it takes priority over the directly connected route, so forwarding never resolves the peer's MAC address (and even if the MAC were learned, the packets would be forwarded to the wrong next hop and the ping would still fail). After the wrong route was deleted, the problem was solved.
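The longest-prefix-match behaviour described above, as an added example that is not part of the original case: a small Python model of the routing table shows the /32 host route beating the directly connected route and sending ARP resolution to the wrong next hop, plus a check that flags such shadowing host routes. All addresses are constructed placeholders, since the case page does not show them.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    proto: str        # "Direct" or "Static", as in the USG routing table
    nexthop: str      # next-hop address; "" for directly connected routes
    interface: str


def lookup(table, dst):
    """Longest prefix match: the most specific matching route wins, so a
    /32 host route beats the connected /24 whatever its protocol is."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def arp_target(table, dst):
    """Address that must be resolved by ARP to deliver to dst: the next hop
    of a static route, or dst itself when the route is directly connected."""
    route = lookup(table, dst)
    return None if route is None else (route.nexthop or dst)


def shadowing_host_routes(table):
    """Flag static /32 routes whose destination lies in a directly connected
    segment but whose next hop is not the destination itself."""
    connected = [r for r in table if r.proto == "Direct"]
    return [r for r in table
            if r.proto == "Static" and r.prefix.prefixlen == 32
            and any(r.prefix.network_address in c.prefix for c in connected)
            and ipaddress.IPv4Address(r.nexthop) != r.prefix.network_address]


# Constructed table (placeholder addresses); the peer firewall's interface
# on the connected segment is assumed to be 192.0.2.2.
TABLE = [
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "Static", "203.0.113.1", "Ethernet0/0/0"),
    Route(ipaddress.IPv4Network("192.0.2.0/24"), "Direct", "", "Ethernet0/0/0"),
    Route(ipaddress.IPv4Network("192.0.2.2/32"), "Static", "203.0.113.9", "Ethernet0/0/0"),
    Route(ipaddress.IPv4Network("198.51.100.0/24"), "Direct", "", "Vlanif1"),
]

if __name__ == "__main__":
    peer = "192.0.2.2"
    print("before fix, ARP resolves:", arp_target(TABLE, peer))  # 203.0.113.9
    fixed = [r for r in TABLE if r not in shadowing_host_routes(TABLE)]
    print("after deleting host route, ARP resolves:", arp_target(fixed, peer))  # 192.0.2.2
```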
Root Cause
Ping failure is usually due to one of the following reasons:
1) network connectivity (including cabling, link negotiation, etc.);
2) packet filtering policy;
3) basic configuration (address, security zone, etc.).
When troubleshooting a directly connected network segment, do not overlook more specific routes, such as host routes, either.