Ping Packets Are Discarded After IP-Link Is Configured on the USG6330

Publication Date: 2015-11-20
Issue Description
As shown in the figure, the USG6330 (V100R001) is connected to the upstream LSW2 (no VLAN is configured), and LSW2 is connected to two upstream routers, AR1 and AR2. The LAN interface IP addresses of AR1 and AR2 are 192.168.2.4 and 192.168.2.5 respectively, and their WAN interface (dedicated line) IP addresses are 172.1.1.1 and 172.2.2.1 respectively.

AR1 and AR2 connect to LSW1 on the other end. LSW1 and AR1 are added to VLAN2, and the Vlanif2 IP address is 172.1.1.2. LSW1 and AR2 are added to VLAN3, and the Vlanif3 IP address is 172.2.2.2. LSW1 and the intranet PC are added to VLAN1, and the Vlanif1 IP address is 1.1.3.1. The IP address of the intranet PC is 1.1.3.10, and the gateway address is 1.1.3.1.



The customer requires that the following requirements be satisfied:

1. In normal cases, traffic passing through FW1 is forwarded by AR1 at 192.168.2.4 to access the PC at 1.1.3.10.

2. When the FW1-AR1-LSW1 link is disconnected, traffic can be switched to the FW1-AR2-LSW1 link.

The FW1 configuration is as follows:

interface GigabitEthernet0/0/0
 alias GE0/MGMT
 ip address 192.168.2.1 255.255.255.0

ip-link 1 destination 1.1.3.10 mode icmp

ip route-static 0.0.0.0 0.0.0.0 192.168.2.4 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 192.168.2.5 preference 61

firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone local untrust direction outbound

Symptom:

1. If IP-link is not configured and FW1 is connected only to AR1 (AR2 is disconnected), 1.1.3.10 can be pinged.
2. If IP-link is not configured and FW1 is connected only to AR2 (AR1 is disconnected), 1.1.3.10 can be pinged.
3. After IP-link is configured on the firewall, the IP-link status alternates between UP and DOWN, and ping packets to 1.1.3.10 are discarded.
4. The route 0.0.0.0/0  Static 60  0  RD  192.168.2.4 is intermittently unavailable in the routing table.
Handling Process
Step 1 Run the ip-link 1 destination 1.1.3.10 timer 2 mode icmp command. The IP-link status changes rapidly.

Step 2 Run the ip-link 1 destination 1.1.3.10 timer 10 mode icmp command. The IP-link status changes slowly.

After both commands are executed, the IP-link status still changes; only the rate of change follows the timer value. Therefore, the status changes are not caused by link quality. Then restore the timer to the default setting (3 seconds).

----End
Root Cause
According to the test result, the ICMP probe packets sent by IP-link pass through AR2 to 1.1.3.10, so the IP-link status becomes UP. The tracked route is then reinstalled and, being preferred, the follow-up packets (including the next probes) are forwarded by AR1 at 192.168.2.4, where they are discarded, so the IP-link status becomes DOWN. The follow-up packets are then forwarded by AR2 at 192.168.2.5 again, and the cycle repeats.
Solution
If FW1 has only one uplink, use subinterfaces to connect AR1 and AR2 and add them to different VLANs. Then specify the next-hop address when configuring the IP-link that the route tracks.

   ip-link 1 destination 1.1.3.10 mode icmp next-hop 192.168.2.4

Alternatively, use different Layer-3 interfaces to connect the upstream routers, remove LSW2, and configure an outbound interface for the IP-link.

   ip-link 1 destination 1.1.3.10 interface g0/0/1 (for example, g0/0/1 is connected to AR1)
Suggestions
If the firewall has only one uplink, configuring IP-link is not advised. If the firewall has two uplinks, use two different interfaces and specify the IP-link outbound interface for the ICMP probe packets, so that the two links do not interfere with each other's packet forwarding.

In normal cases, if the IP-link status changes repeatedly between UP and DOWN, the IP-link timer may be set to too small a value (with poor link quality, this causes route flapping).

END