Two firewalls (E300) run as master and slave. The AR46 belongs to the untrust zone and the NE40 to the trust zone; the NE40 acts as the PE and the E300 as the CE. OSPF runs between the AR46, E300 and NE40, and OSPF cost values are used so that service traffic takes the path AR46_1 - E300_1 - NE40_1.
Fault: a client host behind the NE40 sees packet loss when pinging the slave firewall E300_2.
1. Checked the configuration; no problem found.
2. A direct ping shows no packet loss.
3. Analysed the firewall sessions. When a ping packet from NE40_1 travels through E300_1, AR46_1 and AR46_2 to E300_2, E300_1 creates a session for the ping flow with a forward action. On E300_2 the packet is destined to the firewall itself, so it must be punted to the CPU for a response; at this point the ping succeeds. Once the packet has reached E300_2, the session on E300_1 is backed up to E300_2. Because that session carries the forward action, later packets are no longer sent to the CPU for processing, and at this point the ping fails.
4. The analysis shows that because the packets pass through both firewalls, the two firewalls hold different session entries for the same flow, so traffic destined for the slave should go directly to the standby unit.
Solution: configure a policy on the NE40 that uses a BGP attribute (a high local-preference value) to steer traffic destined for the slave, or configure a specific static route on NE40_1 whose next hop points to the slave.
1. Configuration problem.
2. Link problem.
3. Firewall session problem.
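The following is an added model of the failure described in analysis step 3 and of the effect of the solution; it is illustrative code written for this note, not configuration or code from the case or from the firewall vendor. It assumes a simplified session table with two actions ("local" for traffic to the firewall itself, "forward" for transit traffic) and a backup step in which the master's entries overwrite the slave's. All addresses are constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed placeholder addresses (not from the case)
CLIENT = "10.1.1.100"      # host behind NE40
E300_1_IP = "10.2.2.1"     # master firewall
E300_2_IP = "10.2.2.2"     # slave firewall


@dataclass
class Firewall:
    """Minimal stateful firewall: one session entry per (src, dst) flow."""
    name: str
    own_ip: str
    # (src, dst) -> "local" (punt to CPU) or "forward" (transit)
    sessions: dict = field(default_factory=dict)

    def handle(self, src: str, dst: str) -> str:
        """Process one packet; return 'reply' if punted to CPU, else 'forward'."""
        key = (src, dst)
        if key not in self.sessions:
            # First packet of a flow: decide whether the packet is for this box
            self.sessions[key] = "local" if dst == self.own_ip else "forward"
        return "reply" if self.sessions[key] == "local" else "forward"


def backup_sessions(master: Firewall, slave: Firewall) -> None:
    """Session backup master -> slave; master entries overwrite the slave's."""
    slave.sessions.update(master.sessions)


def ping_slave(count: int, via_master: bool) -> list:
    """Send `count` pings from the client to E300_2 and record the outcome.

    via_master=True  : OSPF cost carries the flow through E300_1 first (the fault).
    via_master=False : routing sends the flow straight to E300_2 (the solution).
    """
    master = Firewall("E300_1", E300_1_IP)
    slave = Firewall("E300_2", E300_2_IP)
    outcomes = []
    for _ in range(count):
        if via_master:
            # Transit through the master creates a 'forward' session there
            master.handle(CLIENT, E300_2_IP)
        outcomes.append(slave.handle(CLIENT, E300_2_IP))
        if via_master:
            # Session backup after the packet has reached the slave
            backup_sessions(master, slave)
    return outcomes


if __name__ == "__main__":
    print("via master :", ping_slave(3, via_master=True))
    print("direct     :", ping_slave(3, via_master=False))
```

When the flow transits the master, only the first ping is answered: the backed-up "forward" entry then replaces the slave's own "local" entry, so subsequent pings are forwarded instead of answered. Routing the flow straight to the slave, as the static route or BGP policy does, keeps the slave's entry intact and every ping is answered.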