Issue Description
There are three dialer interfaces to the public network in the USG2000 configuration. When the first of them, Dialer2, is down, the internal network cannot access the public network. The configuration is as follows:
#
interface Vlanif2
pppoe-client dial-bundle-number 2
#
interface Vlanif3
pppoe-client dial-bundle-number 3
#
interface Vlanif4
pppoe-client dial-bundle-number 4
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
pppoe-client dial-bundle-number 1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 0.0.0.0 0.0.0.0 Dialer4
ip route-static 0.0.0.0 0.0.0.0 Dialer2
ip route-static 0.0.0.0 0.0.0.0 Dialer3
#
policy-based-route 2 permit node 1
if-match acl 2000
apply output-interface Dialer2
policy-based-route 2 permit node 2
if-match acl 2000
apply output-interface Dialer3
policy-based-route 2 permit node 3
if-match acl 2000
apply output-interface Dialer4
#
nat-policy interzone trust untrust outbound
policy 0
action source-nat
policy source 192.168.1.0 mask 255.255.255.0
easy-ip Dialer1
#
nat-policy interzone trust untrust1 outbound
policy 0
action source-nat
policy source 192.168.1.0 mask 255.255.255.0
easy-ip Dialer2
#
nat-policy interzone trust untrust2 outbound
policy 0
action source-nat
policy source 192.168.1.0 mask 255.255.255.0
easy-ip Dialer3
#
nat-policy interzone trust untrust3 outbound
policy 0
action source-nat
policy source 192.168.1.0 mask 255.255.255.0
easy-ip Dialer4
Handling Process
1. Access the public network from an internal PC and check the session table:
tcp VPN:public --> public
Zone: trust--> untrust1 TTL: 00:00:05 Left: 00:00:00
Interface: Dialer2 NextHop: 0.0.0.0 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:1 bytes:48
192.168.1.248:53469[0.0.0.0:2143]-->112.95.240.11:443
http VPN:public --> public
Zone: trust--> untrust1 TTL: 00:00:05 Left: 00:00:00
Interface: Dialer2 NextHop: 0.0.0.0 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:1 bytes:48
192.168.1.248:53470[0.0.0.0:2174]-->112.95.240.11:80
Packets still leave through the dialer interface and policy-based routing is still applied, but because the interface is down the address is 0.0.0.0, so the switchover to another exit fails.
2. When the physical interface is down, the dialer interface stays up in a multi-exit setup, so policy-based routing keeps selecting it. Configure ip-link checking so that the exit switches over successfully, or change the policy-based routing:
policy-based-route 2 permit node 1
if-match acl 2000
apply output-interface Dialer2
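As an added example that is not part of the original case, the following Python check parses session-table output in the layout quoted in step 1 and flags sessions that were steered to an exit whose next hop is still 0.0.0.0 and that have received no return traffic, which is the symptom of this problem. The third session and its 203.0.113.x addresses are constructed for contrast.

```python
import re

# Constructed sample in the layout of the session table quoted in step 1: two
# sessions pinned to Dialer2 (link down) and one healthy session on Dialer3.
SAMPLE = """\
tcp VPN:public --> public Zone: trust--> untrust1 TTL: 00:00:05 Left: 00:00:00
Interface: Dialer2 NextHop: 0.0.0.0 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:1 bytes:48
192.168.1.248:53469[0.0.0.0:2143]-->112.95.240.11:443
http VPN:public --> public
Zone: trust--> untrust1 TTL: 00:00:05 Left: 00:00:00
Interface: Dialer2 NextHop: 0.0.0.0 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:1 bytes:48
192.168.1.248:53470[0.0.0.0:2174]-->112.95.240.11:80
http VPN:public --> public
Zone: trust--> untrust2 TTL: 00:00:05 Left: 00:00:03
Interface: Dialer3 NextHop: 203.0.113.1 MAC: 00-11-22-33-44-55
<--packets:4 bytes:1800 -->packets:5 bytes:600
192.168.1.248:53471[203.0.113.10:2175]-->112.95.240.11:80
"""

# A session starts at "<proto> VPN:"; the Zone line may share that line.
HEADER = re.compile(r"^(\w+)\s+VPN:")
IFACE = re.compile(r"Interface:\s*(\S+)\s+NextHop:\s*(\S+)\s+MAC:\s*(\S+)")
COUNTERS = re.compile(r"<--packets:(\d+) bytes:\d+ -->packets:(\d+) bytes:\d+")
FLOW = re.compile(r"^(\S+)\[(\S+)\]-->(\S+)$")

def parse_sessions(text):
    """Split the session table into one dict per session."""
    sessions, rec = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            rec = {"proto": m.group(1)}
            sessions.append(rec)
        if rec is None:
            continue
        if (m := IFACE.search(line)):
            rec["interface"], rec["next_hop"], rec["mac"] = m.groups()
        elif (m := COUNTERS.search(line)):
            rec["rx_packets"], rec["tx_packets"] = int(m.group(1)), int(m.group(2))
        elif (m := FLOW.match(line)):
            rec["src"], rec["nat_src"], rec["dst"] = m.groups()
    return sessions

def blackholed(sessions):
    """Sessions sent to an exit whose next hop was never resolved: the dialer
    was chosen (PBR still applies) but nothing comes back through it."""
    return [s for s in sessions
            if s.get("next_hop") == "0.0.0.0" and s.get("rx_packets") == 0]
```

Running `blackholed(parse_sessions(...))` over live output returns the sessions stuck on the dead exit; an empty list after the ip-link change confirms the switchover worked.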
Root Cause
1. Configuration problem
2. Product characteristic
3. Other