There are four routes on the firewall. The next hop of three of the routes is 126.96.36.199, and the next hop of the default route is 192.168.17.1. The gateway of the PC is 192.168.17.4. The QQ, MSN, and Alitalk accounts on the PC go offline.
Two solutions are available:
1. Disable the session detection function of the firewall. (This solution is not recommended. Disabling session detection degrades the security performance of the firewall.)
2. Change the routing. Set the gateway of the PC to 192.168.17.1. Add the firewall's three routes to the switch with next hop 192.168.17.4. Configure a default route destined for 188.8.131.52 on the firewall.
If you log in to QQ from a PC, the traffic passes through the switch. When the first packet of the session arrives at the firewall, the firewall forwards it to the Layer-3 switch. The second packet returns from the Layer-3 switch and is sent directly to the PC, bypassing the firewall. The PC sends the third packet to the firewall. The firewall has not seen the second packet, so its session detection does not accept the third one. As a result, users go offline.
Note: The firewall provides the session detection function, but the switch (SW) does not.
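
The three-packet sequence described above can be reproduced with a small session-state model. This is an added example, not vendor code: it assumes the three packets form a TCP three-way handshake, the flow addresses are constructed, and `both_directions` stands for the assumed effect of solution 2 (the firewall sees traffic in both directions).

```python
# Added illustration, not vendor code. Assumption: the three packets on the
# page are modelled as a TCP three-way handshake; all addresses are constructed.
FLOW = ("192.168.17.10", 40000, "203.0.113.5", 8000)  # hypothetical PC -> server
HANDSHAKE = [("SYN", "out"), ("SYN-ACK", "in"), ("ACK", "out")]

# state -> ((flag, direction) the firewall must see next, following state)
EXPECTED = {
    "NEW": (("SYN", "out"), "SYN_SENT"),
    "SYN_SENT": (("SYN-ACK", "in"), "SYN_RCVD"),
    "SYN_RCVD": (("ACK", "out"), "ESTABLISHED"),
}


class SessionFirewall:
    def __init__(self, session_detection=True):
        self.session_detection = session_detection
        self.sessions = {}  # flow -> handshake state

    def process(self, flow, flag, direction):
        """Verdict for one packet that actually reaches the firewall."""
        if not self.session_detection:
            return "forward"  # solution 1: packets are not checked against state
        state = self.sessions.get(flow, "NEW")
        if state == "ESTABLISHED":
            return "forward"
        wanted, next_state = EXPECTED[state]
        if (flag, direction) != wanted:
            return "drop"  # out-of-state packet
        self.sessions[flow] = next_state
        return "forward"


def run(sees_packet, session_detection=True):
    """sees_packet(direction) -> True if that direction is routed via the firewall."""
    fw = SessionFirewall(session_detection)
    return [
        fw.process(FLOW, flag, direction) if sees_packet(direction) else "bypass"
        for flag, direction in HANDSHAKE
    ]


def only_outbound(direction):
    return direction == "out"  # original topology: replies go switch -> PC


def both_directions(direction):
    return True  # assumed effect of solution 2
```

Calling `run(only_outbound)` shows the third packet dropped, while `run(both_directions)` forwards all three; `run(only_outbound, session_detection=False)` also forwards, but only because the state check is gone.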