No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


As Eudemon8000E configured black-hole route lead to NAT service exception

Publication Date:  2019-07-17 Views:  118 Downloads:  0

Issue Description

Connection user through Eudemon8000E to make NAT to go to the internet, appear service exception that cannot open a lot of website
Networking: NE5000E-------NE5000E

Alarm Information


Handling Process

1, Ping from the PC can not open the website address, always can't Ping pass
2, ping directly from Eudemon8000E can not open the website address, normal
3, Ping from the PC can not open the website:
A, check session in E8000E (display firewall session table), and confirm the firewall has set up the normal conversation
B, make flow Statistics in NE5000E at the same time, and confirm all message has given to NE5000E from E8000E, and NE5000E also forwarding the reply message to the E8000E
4, obtain packet in NE40, confirm reply message don’t forward to NE40 from E8000E
5,check E8000E packet loss statistics, find the packet loss statistics of five and six slot CPU increased
disp fire stat sys d
Discard statistic information on slot  5 primary   cpu:
  session miss:                                        3
Discard statistic information on slot  5 secondary cpu:
  unknown frame:                                      30
6, analyze the firewall NAT theory, find the device configure 32 bit mask black-hole routing for NAT address pool, lead to NAT address pool process message influenced by black-hole routing and appear abnormal service.
IP route - static X.X.2.99 NULL0
7, modify the black-hole routing mask to be 31 and problem solved
8, Eudemon8000E V100R001C01SPC001 and previous version all exist the problem

Root Cause

1, link packet loss
2, routing exception
3, FW forwarding exception


When Eudemon8000E do NAT service, ask NAT two directions of the message need to be sent to the CPU binding with this address pool to deal with, or service will appear exception.
NAT forward message choose the CPU mechanism in the interface board:
For the forward message from the client to extranet WEB server direction to access, will directly check inter-domain NAT policy (ACL) at the interface board of Eudemon8000E, if hit NAT policy, can directly get the CPU binding address pool from the policy, and send the message to the CPU to deal with.
In the fault, the CPU process selected by forward message is correct, usually forward select CPU is all correct.
NAT reverse message select CPU mechanism in interface board:
When Eudemon8000E deal with NAT service, to the reverse message come back from the server is rely on the special NAT routing (32 bit host routing)internal system automatically generated to realize. NAT service reverse message, can direct hit this special NAT routing, and then get the service board CPU Numbers information from the NAT routing information, send message to this service board CPU to deal with.
In the fault, because the reverse NAT special routing system automatically generated conflict to the static black-hole routing of configuration, lead to the special NAT routing do not generate. In such a case, interface board will according to message source IP and destination IP to make HASH calculation, according to the calculation results to choose CPU, so can't guarantee that consistent with CPU selected by forward message. when selecting is not consistent the service is impassable, and selecting consistent the service is normal.