AR Router Troubleshooting Guide

This product documentation provides guidance for maintaining AR enterprise routers, covering common information collection and fault diagnostic commands and troubleshooting guides for typical faults.

Internal Host with a Conflicting IP Address Fails to Access an External Server

Common Causes

This fault is commonly caused by one of the following:
  • Inbound and outbound interfaces through which internal users access the public network go Down.
  • Outbound NAT is incorrectly configured on the outbound interface.
  • NAT ALG is disabled for the DNS protocol.
  • The DNS mapping entry is configured incorrectly. For example, the corresponding public address is different from the IP address of an external server.
  • The route between the temporary address pool and the outbound interface is not configured.

Troubleshooting Flowchart

Figure 18-5 shows the troubleshooting flowchart.
Figure 18-5  Troubleshooting flowchart for twice NAT

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide to technical support personnel.

Procedure

  1. Check that outbound NAT is configured correctly.

    Run the display nat outbound command on the device to check whether outbound NAT is configured correctly.
    [Huawei]display  nat outbound 
     NAT Outbound Information: 
     --------------------------------------------------------------------------------------------- 
     Interface                     Acl      Address-group/IP      Type 
     --------------------------------------------------------------------------------------------- 
     GigabitEthernet0/0/1         3180                     1       pat 
     --------------------------------------------------------------------------------------------- 
      Total : 1   
    
    The preceding command output indicates that ACL 3180 has been bound to outbound NAT and the address pool index is 1. Check that outbound NAT uses a correct address pool. When configuring an address pool, ensure that the destination address on the external network is different from any address in the address pool. Run the display nat address-group command to view the configuration of the address pool.
    [Huawei]display nat address-group 1 
    NAT Address-Group Information: 
    -------------------------------------- 
    Index   Start-address      End-address 
    -------------------------------------- 
    1       202.10.10.10     202.10.10.100 
    -------------------------------------- 
    Total : 1     
    

    Check that ACL rules bound to outbound NAT are correct. The common problems of ACL rules include incorrect settings of IP addresses, protocol types, or port numbers. When an ACL problem occurs, packets on the internal network cannot be sent out or packets on the external network cannot be sent to the internal network.

    Run the display acl 3180 command to view the ACL bound to outbound NAT.
    [Huawei]display acl 3180 
    Advanced ACL 3180, 1 rule 
    Acl's step is 5 
    rule 5 permit tcp source 1.1.1.1 0 
    
    NOTE:

    The ACL strictly controls permitted address segments, protocol types, and port numbers according to networking requirements. If some protocol packets are rejected by the NAT gateway, check whether packets of that protocol type are permitted by the ACL.

    • If outbound NAT is configured incorrectly, correct the configuration.
    • If outbound NAT is configured correctly but the fault persists, go to step 2.

  2. Check that the DNS mapping entry is configured correctly.

    Run the display nat dns-map command on the device to check that the NAT DNS Map is configured on the correct outbound interface, and the correct protocol type, port number, and IP address are configured.

    • If the DNS mapping entry is configured incorrectly, run the nat dns-map command in the system view to configure a DNS mapping entry correctly.
    • If the DNS mapping entry is configured correctly but the fault persists, go to step 3.

  3. Check that NAT ALG is enabled for the DNS protocol.

    Run the display nat alg command on the device to check whether NAT ALG is enabled for the DNS protocol.

    • If NAT ALG is disabled, run the nat alg enable command to enable it.
    • If NAT ALG is enabled but the fault persists, go to step 4.

  4. Check that the mappings between overlapped address pools and temporary address pools are correct.

    Run the display nat overlap-address command on the device to check whether all the mappings between overlapped address pools and temporary address pools are correct.
    [Huawei]display nat overlap-address all 
    Nat Overlap Address Pool To Temp Address Pool Map Information: 
     ---------------------------------------------------------------------------------------------------------------- 
     Id  Overlap-Address  Temp-Address    Pool-Length       Inside-VPN-Instance-Name 
     ---------------------------------------------------------------------------------------------------------------- 
     1   1.1.1.1          20.20.20.20     34 
    ---------------------------------------------------------------------------------------------------------------- 
      Total : 1        
    
    NOTE:

    The temporary address pool contains available IP addresses on the device. The IP addresses in the address pool cannot conflict with any interface address, VRRP address, or NAT address. Inside-VPN-Instance-Name in the command output specifies the VPN instance of the internal interface connected to the host.

    • If the mappings are incorrect, reconfigure the mappings.
    • If the mappings are correct but the fault persists, go to step 5.

  5. Check that the route between the temporary address pool and the outbound interface is configured.

    Run the display ip routing-table command on the device to view all the routes on the public network.
    [Huawei]display ip routing-table 
    Route Flags: R - relay, D - download to fib 
    ------------------------------------------------------------------------------ 
    Routing Tables: Public 
             Destinations : 99       Routes : 99 
     
    Destination/Mask    Proto  Pre  Cost       Flags NextHop         Interface 
     
        10.0.0.0/8      Static 60   0            D   10.164.50.1     Ethernet0/0/0 
     10.10.10.10/32     Direct 64   0            D   127.0.0.1       InLoopBack0 
    
    NOTE:

    If the name of the VPN instance to which the internal interface belongs has been configured, run the display ip routing-table vpn-instance vpn-name command to view the routes.

    • If there is no correct route, reconfigure a route.
    • If the route is correct but the fault persists, go to step 6.

  6. Collect the following information and contact technical support personnel:
    • Results of the preceding troubleshooting procedure

    • Configuration files, log files, and alarm files of the device
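
The address and route checks from steps 1, 4 and 5 can be run offline against saved command output. The following is an added example, not part of the Huawei documentation: it parses the sample output shown above and reports conflicts. It assumes that Pool-Length counts consecutive addresses starting at Temp-Address, that a "correct route" is one covering the whole temporary pool through the NAT outbound interface, and it uses a constructed external server address (203.0.113.10).

```python
import ipaddress
import re

# Sample output copied from the page (header and data rows only).
ADDRESS_GROUP = """Index   Start-address      End-address
1       202.10.10.10     202.10.10.100"""
OVERLAP = """Id  Overlap-Address  Temp-Address    Pool-Length       Inside-VPN-Instance-Name
1   1.1.1.1          20.20.20.20     34"""
ROUTES = """Destination/Mask    Proto  Pre  Cost       Flags NextHop         Interface
    10.0.0.0/8      Static 60   0            D   10.164.50.1     Ethernet0/0/0
 10.10.10.10/32     Direct 64   0            D   127.0.0.1       InLoopBack0"""

IP = r"\d+\.\d+\.\d+\.\d+"
addr = ipaddress.ip_address

def parse_groups(text):
    """'display nat address-group' -> {index: (start, end)}."""
    rows = re.findall(rf"^\s*(\d+)\s+({IP})\s+({IP})\s*$", text, re.M)
    return {int(i): (addr(s), addr(e)) for i, s, e in rows}

def parse_overlap(text):
    """'display nat overlap-address all' -> [(id, temp_first, temp_last)]."""
    rows = re.findall(rf"^\s*(\d+)\s+{IP}\s+({IP})\s+(\d+)", text, re.M)
    # Assumption: Pool-Length counts consecutive addresses from Temp-Address.
    return [(int(i), addr(t), addr(t) + int(n) - 1) for i, t, n in rows]

def parse_routes(text):
    """'display ip routing-table' -> [(network, interface)]."""
    rows = re.findall(rf"^\s*({IP}/\d+)\s.*\s(\S+)\s*$", text, re.M)
    return [(ipaddress.ip_network(n, strict=False), ifc) for n, ifc in rows]

def audit(groups, temp_pools, routes, outbound_if, server_ip):
    """Return findings for the address and route checks in steps 1, 4 and 5."""
    findings, server = [], addr(server_ip)
    for idx, (start, end) in groups.items():
        if start <= server <= end:
            findings.append(f"address-group {idx} contains external server {server}")
        for pid, first, last in temp_pools:
            if first <= end and start <= last:
                findings.append(f"temp pool {pid} overlaps address-group {idx}")
    for pid, first, last in temp_pools:
        if not any(first in n and last in n and i == outbound_if for n, i in routes):
            findings.append(f"no route to temp pool {pid} ({first}-{last}) via {outbound_if}")
    return findings

if __name__ == "__main__":
    # Assumed inputs: outbound interface from step 1; 203.0.113.10 is a constructed server IP.
    print(audit(parse_groups(ADDRESS_GROUP), parse_overlap(OVERLAP),
                parse_routes(ROUTES), "GigabitEthernet0/0/1", "203.0.113.10"))
```

Run against the sample output on this page, the only finding is the missing route to the temporary pool, which is the condition step 5 checks for.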

Updated: 2019-05-10

Document ID: EDOC1000079719
