After users attached under the MA5801 acquire private network addresses, the NE40 performs NAT toward the Internet and forces WEB authentication.
OSPF is enabled on the NE40 and the C12000.
The users report that they cannot connect to the Internet. On-site testing shows that the MA5200 can acquire a private network address and communicate with the gateway, but it cannot reach the Portal server to authenticate.
WEB authentication users on the MA5200 attached under the NE40 can acquire addresses, but they cannot reach the authentication page to authenticate.
1. Contact the site. After a return route is configured on the C12000, the fault disappears and users under the 5200 can go online normally.
2. However, the site explains that they never configured a return route on the C12000, and NAT worked normally before the fault, so the cause is not as simple as first assumed.
3. Continue checking the NE40 configuration and logs. They show that the NE40 has been modified. A careful check of the configuration finds that a route policy has been created on the NE40 to filter out the private network routes.
The relevant configuration is:
route-policy deny_private deny node 10
if-match acl 113
route-policy deny_private permit node 20
import-route direct route-policy deny_private
import-route static route-policy deny_private
However, the NE40 has no ACL 113. Because the ACL that node 10 references is missing, the deny node ends up matching everything, and with this route policy applied the NE40 filters out all direct and static routes.
Before the change, NAT succeeded because the configured black-hole route was advertised to the peer C12000, which solved the problem of this network segment having no return route. After the faulty route policy was applied, the uplink C12000 could no longer learn the route to this network segment, so NAT traffic had no return route after leaving the NE40, and the users could not go online.
The source of the fault is now found. Configure the NE40 correctly and the fault is resolved.
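A pre-change check that catches this class of mistake, as an added example that is not part of the original case: it flags route-policy nodes whose if-match acl clause references an ACL that is not defined in the same configuration, and lists the import-route statements that use the policy. The function name, the `acl number N` / `acl N` definition syntax, and the sample configuration (including the `ospf 1` context) are assumptions constructed for illustration.

```python
import re

# Constructed sample modelled on the case: ACL 113 is referenced but never defined.
SAMPLE_CONFIG = """\
acl number 2001
 rule 5 permit source 10.0.0.0 0.255.255.255
route-policy deny_private deny node 10
 if-match acl 113
route-policy deny_private permit node 20
ospf 1
 import-route direct route-policy deny_private
 import-route static route-policy deny_private
"""

ACL_DEF = re.compile(r"^acl\s+(?:number\s+)?(\d+)\b")  # assumed definition syntax
NODE = re.compile(r"^route-policy\s+(\S+)\s+(permit|deny)\s+node\s+(\d+)")
IF_MATCH = re.compile(r"^if-match\s+acl\s+(\d+)")
USE = re.compile(r"^import-route\s+(\S+)\s+route-policy\s+(\S+)")


def find_dangling_acl_refs(config):
    """Return one finding per route-policy node whose if-match ACL is undefined."""
    lines = [ln.strip() for ln in config.splitlines()]
    defined = {m.group(1) for ln in lines if (m := ACL_DEF.match(ln))}
    uses = {}  # policy name -> route types imported through it
    for ln in lines:
        if m := USE.match(ln):
            uses.setdefault(m.group(2), []).append(m.group(1))
    findings, current = [], None
    for ln in lines:
        if m := NODE.match(ln):
            current = m.groups()  # (policy name, action, node number)
        elif (m := IF_MATCH.match(ln)) and current and m.group(1) not in defined:
            name, action, node = current
            findings.append({"policy": name, "node": int(node), "action": action,
                             "acl": m.group(1), "applied_to": uses.get(name, [])})
        elif not ln.startswith(("if-match", "apply")):
            current = None  # left the route-policy node
    return findings


if __name__ == "__main__":
    for f in find_dangling_acl_refs(SAMPLE_CONFIG):
        print("undefined ACL {acl} in route-policy {policy} {action} node {node}; "
              "used by import-route {applied_to}".format(**f))
```

A finding on a deny node that is applied to import-route is the high-risk combination seen here, since the filtered routes silently disappear from what the peer learns.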