Policy-based routing does not take effect after being configured on the USG550

Publication Date: 2012-09-19
Issue Description

The network environment is as follows.
The firewall is configured with the following mappings:
nat server  protocol  tcp  global www inside www no-reverse
nat server  protocol  tcp  global www inside www no-reverse
Access from the public network is very slow or fails entirely.
Alarm Information
Handling Process
1. Checked whether the network operator was blocking port 80: the mapped port was changed to 81, but access still failed. At the same time, port 80 on the firewall itself worked without problems.
2. Suspected a router forwarding problem: a route for the external PC was added to the routing table of the USG5500, and policy-based routing was configured as follows:
interface GigabitEthernet0/0/0
  ip policy-based-route test
acl number 3098
rule 5 permit ip source 0
policy-based-route test permit node 1
  if-match acl 3098
  apply ip-address next-hop
Checked the possible reasons for the policy-based routing not taking effect:
1. The next-hop interface is DOWN: checked, no problem found.
2. The ip-link state is DOWN, which invalidates the policy-based routing.
Intranet communication has no problems, but the next hop cannot be pinged. Checking the device configuration showed that attack defense is configured: firewall defend icmp-flood base-session max-rate
3. The threshold is set too low, so the probe packets are misidentified as attack packets and dropped, which results in the ip-link state being DOWN.

Root Cause
The attack defense configuration firewall defend icmp-flood base-session max-rate 5 causes the ICMP packets that IP-LINK sends to check the next hop to be misidentified as attack packets and dropped. The IP-LINK state becomes DOWN, and policy-based routing then cannot work. Packets sent from the server are forwarded by routing table lookup and go out from the interface; because the session check function is configured, access fails.
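
A configuration check for the interaction described in the root cause, as an added example (not Huawei tooling and not part of the original case): it flags policy-based-route next hops on a device that also limits ICMP per session at or below the value this case found too low. The function name audit and the addresses in the sample are assumptions; the command syntax is taken from the lines quoted above, and the script does not look for the IP-LINK configuration itself, which the case does not quote.

```python
import re

# Constructed sample configuration, modelled on the lines quoted in this case.
# The addresses (documentation ranges) are placeholders, not values from the page.
SAMPLE_CONFIG = """\
firewall defend icmp-flood base-session max-rate 5
acl number 3098
 rule 5 permit ip source 198.51.100.10 0
interface GigabitEthernet0/0/0
 ip policy-based-route test
policy-based-route test permit node 1
 if-match acl 3098
 apply ip-address next-hop 192.0.2.1
"""

def audit(config, known_bad_rate=5):
    """Flag PBR next hops whose ICMP probes share a low per-session ICMP limit.

    known_bad_rate is the max-rate value this case reports as too low; any
    limit at or below it is flagged. Returns a list of finding strings.
    """
    rate = None
    bound = {}      # policy name -> interfaces it is applied on
    next_hops = {}  # policy name -> next-hop addresses
    iface = policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level line opens a new stanza
            iface = policy = None
        if m := re.fullmatch(r"firewall defend icmp-flood base-session max-rate (\d+)", line):
            rate = int(m.group(1))
        elif m := re.fullmatch(r"interface (\S+)", line, re.I):
            iface = m.group(1)
        elif m := re.fullmatch(r"policy-based-route (\S+) permit node \d+", line):
            policy = m.group(1)
        elif iface and (m := re.fullmatch(r"ip policy-based-route (\S+)", line)):
            bound.setdefault(m.group(1), []).append(iface)
        elif policy and (m := re.fullmatch(r"apply ip-address next-hop (\S+)", line)):
            next_hops.setdefault(policy, []).append(m.group(1))
    if rate is None or rate > known_bad_rate:
        return []
    return [
        f"{i}: policy '{p}' next hop {h} is behind icmp-flood max-rate {rate}"
        for p, hops in next_hops.items() for h in hops for i in bound.get(p, [])
    ]
```

A finding means the next-hop health probes and the ICMP flood limit should be reviewed together before relying on the policy-based route.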