As shown above, the H3C router (PE) and the H3C switch (CE) both connect to a USG5310 running in transparent mode. Each pair of devices is interconnected by an Eth-Trunk, the service VLAN is 930, PE and CE are interconnected over 184.108.40.206/30, and the USG5310 is configured with management VLAN 30 and a default route pointing to the H3C switch's management IP address.
1.3 Fault description
(1) The USG5310 cannot ping the H3C router interface IP address 220.127.116.11/30, and the H3C router cannot ping the USG5310 management IP address 18.104.22.168/24.
Given the transparent-mode configuration of the USG5310, the path of a ping from the USG5310 to the H3C router interface IP address is: USG5310 ------ H3C Switch (CE) ------- H3C Router (PE). By the same reasoning, the path of a ping from the H3C router to the USG5310 management IP address is: H3C Router (PE) ------ USG5310 ------ H3C Switch (CE) ------ USG5310. The packet sent by the H3C router to the USG5310 management IP address has source address 22.214.171.124/30 and destination address 126.96.36.199/24. Over the full path this packet passes through the USG5310 twice: first it enters on Eth-Trunk 1 and is forwarded to the H3C switch, and then it returns from the H3C switch into the USG5310. Because of the firewall's security features and mechanisms, a packet of the same flow passing through the device a second time is treated as an attack tool or an error, so the packet is discarded on the second pass and the access fails. The device was therefore configured with a virtual firewall (vpn-instance vpn_e), logically dividing it into two USG5310 firewalls, so that the packets of one access no longer pass through the same USG5310 twice.
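The following is an added illustration, not configuration or code from the original case: a minimal model of a stateful transparent firewall in which the same flow re-entering on a different interface is dropped, and of how splitting the device into two virtual firewalls (as with vpn-instance vpn_e above) avoids the second-pass drop. The session-keying rule, the second interface name "Eth-Trunk2" and the instance name "root" are assumptions made for the model.

```python
# Added example (not from the original case): why a packet that crosses the same
# stateful transparent firewall twice is dropped, and why dividing the box into two
# virtual firewalls (vpn-instances) avoids it.
# Assumption (ours): the firewall keys a session on (src, dst, proto) plus the
# interface the first packet arrived on, and treats the same flow arriving again
# on a different interface as an anomaly and drops it.

from dataclasses import dataclass, field

@dataclass
class VirtualFirewall:
    name: str
    sessions: dict = field(default_factory=dict)   # flow -> interface of first packet

    def forward(self, pkt: tuple, ingress: str) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        first_ingress = self.sessions.get(pkt)
        if first_ingress is None:
            self.sessions[pkt] = ingress    # new flow: create the session and forward
            return True
        if first_ingress == ingress:
            return True                     # known flow on its usual interface: forward
        return False                        # known flow re-entering elsewhere: drop

def trace(hops, pkt):
    """hops: list of (firewall_instance, ingress_interface); returns one verdict per hop."""
    return [fw.forward(pkt, iface) for fw, iface in hops]

# Constructed sample flow: the PE router's ping to the USG5310 management address.
PING = ("22.214.171.124", "126.96.36.199", "icmp")

def single_firewall_path():
    usg = VirtualFirewall("USG5310")
    # Pass 1: PE -> USG5310 (Eth-Trunk 1) -> CE switch.
    # Pass 2: CE switch -> USG5310 (assumed Eth-Trunk 2) -> management VLAN 30.
    return trace([(usg, "Eth-Trunk1"), (usg, "Eth-Trunk2")], PING)

def split_firewall_path():
    root = VirtualFirewall("root")        # assumed name for the default instance
    vpn_e = VirtualFirewall("vpn_e")      # vpn-instance from the case, own session table
    return trace([(root, "Eth-Trunk1"), (vpn_e, "Eth-Trunk2")], PING)
```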
The device's security features and mechanisms led to the access failure.
When dealing with similar failures, first confirm the relevant device configuration and check it for problems. Once the configuration is confirmed correct, use simple tests such as ping to locate the faulty node, and then examine the specific characteristics and mechanisms of the device involved.