The User Cannot Access the Public Network Due to Policy-based Routing

Publication Date: 2012-07-23 Views: 88 Downloads: 0

Issue Description

The customer configured three egresses on a USG5360 running V100R003C01SPC007: two egresses with fixed public IP addresses and one ADSL dialer egress, with a routing policy that selects among them. In testing, none of the intranet network segments matched by ACL 3002 could access the public network, while users routed through the other two egresses could access it normally.

Alarm Information


Handling Process

route-policy 1 permit node 2
 if-match acl 3002
 apply output-interface GigabitEthernet0/0
 apply ip-address next-hop
route-policy 1 permit node 10
 if-match acl 3003
 apply output-interface Dialer1
route-policy 2 permit node 20
The check on the routing policy shows that node 2 applies both an output interface and a next hop IP address. After the customer deletes apply output-interface GigabitEthernet0/0 and keeps only the next hop IP address setting, users in ACL 3002 can access the public network normally.

Root Cause

The check on ACL 3002 shows that the ACL has matching hits. After routing policy 1 is deleted and only one dialer egress and one fixed public IP address egress are used, users in ACL 3002 can access the public network normally. This shows that the basic route configuration on the Layer 3 switch and the firewall is correct, and that the problem lies in the routing policy.


In a routing policy, if both an output interface and a next hop IP address are configured for an egress, the interface takes precedence over the next hop IP address. However, for an interface to serve as the egress, it must be configured not only in the routing policy but also as the next hop of the static route on the firewall. If the routing policy specifies an interface as the egress while the next hop of the static route on the firewall is an IP address, this problem occurs. The egress configured in the routing policy and in the static route must be the same.
Suggestion: You are advised to configure a next hop IP address rather than an interface as the egress, because the large number of ARP requests sent when an interface is the egress degrades device performance.
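A consistency check for this class of misconfiguration, added here as an example and not Huawei's tooling or the case's own configuration: it parses a constructed VRP-style fragment and flags route-policy nodes whose apply output-interface is not also an egress of a static route, or that set both an interface and a next hop. The address 203.0.113.1, the preference value and the function names are assumptions.

```python
import re

# Constructed sample configuration modelled on the case above. The next-hop
# address 203.0.113.1 and the preference value are assumptions, not page values.
SAMPLE_CONFIG = """\
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
ip route-static 0.0.0.0 0.0.0.0 Dialer1 preference 70
route-policy 1 permit node 2
 if-match acl 3002
 apply output-interface GigabitEthernet0/0
 apply ip-address next-hop 203.0.113.1
route-policy 1 permit node 10
 if-match acl 3003
 apply output-interface Dialer1
"""

def static_route_egresses(config):
    """Collect every egress (interface name or next-hop IP) used by a static route."""
    egresses = set()
    for line in config.splitlines():
        m = re.match(r"\s*ip route-static \S+ \S+ (\S+)(?: (\d+(?:\.\d+){3}))?", line)
        if m:
            egresses.update(g for g in m.groups() if g)
    return egresses

def parse_policy_nodes(config):
    """Map each 'route-policy <name> node <n>' to the apply clauses under it."""
    nodes, current = {}, None
    for line in config.splitlines():
        m = re.match(r"route-policy (\S+) permit node (\d+)", line)
        if m:
            current = nodes.setdefault(f"route-policy {m.group(1)} node {m.group(2)}", {})
        elif current is not None:
            m = re.match(r"\s*apply (output-interface|ip-address next-hop) (\S+)", line)
            if m:
                current[m.group(1)] = m.group(2)
    return nodes

def check_route_policy(config):
    """Flag nodes where an output-interface (which wins over a next-hop) is not
    itself an egress of a static route, i.e. the mismatch that dropped ACL 3002."""
    static, findings = static_route_egresses(config), []
    for name, egress in parse_policy_nodes(config).items():
        iface = egress.get("output-interface")
        if iface and "ip-address next-hop" in egress:
            findings.append(f"{name}: both output-interface and next-hop set; {iface} takes precedence")
        if iface and iface not in static:
            findings.append(f"{name}: output-interface {iface} is not an egress of any static route")
    return findings
```

Removing the apply output-interface line from node 2, as the customer did, makes the check return no findings.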