No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

AR Router Troubleshooting Guide

This Product Documentation provides guidance for maintaining AR Enterprise Router, covering common information collection and fault diagnostic commands, typical fault troubleshooting guide, and troubleshooting.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Internal Users Fail to Access the Public Network

Internal Users Fail to Access the Public Network

Common Causes

This fault is commonly caused by one of the following:
  • Inbound and outbound interfaces through which internal users access the public network go Down.
  • Outbound NAT is not properly configured on the outbound interface connected to the public network.
  • The configuration of an ACL bound to outbound NAT is incorrect.

Troubleshooting Flowchart

Figure 18-3 shows the troubleshooting flowchart.
Figure 18-3  Troubleshooting flowchart for outbound NAT

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide technical support personnel.

Procedure

  1. Check whether packets are received on the interface.

    Run the display interface interface-type interface-number command to view the value of the Input field.

    • If the value of the Input field is 0, the device has not received any packets. Check the configuration of the interface and ensure that packets can be received on the interface.
    • If the value of the Input field is not 0, go to step 2.
    NOTE:

    The device supports GE interfaces, FE interfaces, Eth-Trunk interfaces, and sub-interfaces. If an Eth-Trunk sub-interface is used to import traffic, run the display interface eth-trunk [ trunk-id [.subnumber ] ] command to check whether the Eth-Trunk sub-interface has received packets.

  2. Check that the ACL rule bound to outbound NAT allows service packets to pass through.

    Run the display nat outbound command on the device to check whether outbound NAT is correctly configured.

    [Huawei]display nat outbound 
      NAT Outbound Information:
     -----------------------------------------------------------------
     Interface                     Acl      Address-group/IP      Type
     -----------------------------------------------------------------
     GigabitEthernet0/0/0         2000                     1    no-pat
     -----------------------------------------------------------------
      Total : 1                                                                
    

    The preceding command output indicates that ACL 2000 has been bound to outbound NAT on GigabitEthernet0/0/0.

    Check whether the rule of ACL 2000 is configured correctly. If the IP address, port number, or protocol type in the rule of ACL 2000 is configured incorrectly, packets cannot be transmitted properly.

    Run the display acl 2000 command to view the configuration of outbound NAT bound to ACL 2000.
    [Huawei] display acl 2000 
    Basic ACL 2000, 1 rule                                                                                                              
    Acl's step is 5                                                                                                                     
     rule 5 permit source 192.168.1.0 0                                                                                                 
                                           

    The rule of ACL 2000 allows TCP packets with the source address of 192.168.1.100 to pass through.

    • If the ACL rule is configured incorrectly, reconfigure the ACL rule.
    • If the ACL rule is configured correctly but the fault persists, go to step 3.

  3. Check that NAT ALG is enabled .

    Run the display nat alg command on the device to check whether NAT ALG is enabled .

    • If NAT ALG is disabled, run the nat alg enable command to enable it.
    • If NAT ALG is enabled but the fault persists, go to step 4.

  4. Check that the address pool configuration is correct.

    Run the display nat address-group command on the device to check whether the address pool bound to outbound NAT on the outbound interface is correct.
    [Huawei] display nat address-group 1 
    NAT Address-Group Information: 
    -------------------------------------- 
    Index   Start-address      End-address 
    -------------------------------------- 
    1       10.0.0.100         10.0.0.110 
    -------------------------------------- 
    Total : 1     
    
    
    To view Easy IP information on the outbound interface, run the display nat outbound command on the device. For example:
    [Huawei] display nat outbound 
     NAT Outbound Information: 
     ----------------------------------------------------------------- 
     Interface                    Acl      Address-group/IP      Type 
     ----------------------------------------------------------------- 
     GigabitEthernet0/0/1        2000            30.30.30.1    easyip 
     ----------------------------------------------------------------- 
      Total : 1        
    
    The preceding command output indicates that Easy IP has been configured on GigabitEthernet0/0/1 and the address pool 30.30.30.1 bound to the interface is the address pool advertised on the interface.
    • If the bound IP address is the interface address, ensure that the interface address is valid.
    • Check whether the bound IP address is a VRRP virtual address. If it is a VRRP virtual address, ensure that the interface address exists and the VRRP status of the interface is master. The display vrrp command can be run in the interface view to check the VRRP status of the interface.

  5. Collect the following information and contact technical support personnel:
    • Results of the preceding troubleshooting procedure.

    • Configuration files, log files, and alarm files of the device.

Translation
Download
Updated: 2019-05-10

Document ID: EDOC1000079719

Views: 454126

Downloads: 4316

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next