| flow analysis Server |---|SW|---| X |---|ne40e|-----
NetStream flow-analysis traffic must pass through the USG5320 firewall. A flow-analysis server is deployed behind the firewall to analyze flows from two NE80s and one NE40E; the USG5320 and the NE80s run VRRP. The flow server receives the NetStream packets from both NE80s but none from the NE40E. Captures taken on the switch (SW) and on the firewall show only the NE80 packets; the NE40E packets appear only when capturing on the NE80.
1. To verify the reported symptom, capture packets remotely on the firewall: no NE40E packets are captured. Capturing on the NE80 does show the NE40E packets, which matches the user's description.
2. Check the VRRP configuration: no problem found. Temporarily remove VRRP so that the server is reached through a single firewall, then capture on the firewall and on the NE80 again; the problem persists.
3. Compare the NE80 packets captured on the firewall with the NE40E packets captured on the NE80. The NE80 packets have correct, consistent lengths: the IP total length matches the captured size. The NE40E packets do not: after IP and UDP encapsulation, the advertised length no longer matches the actual length. For example, one packet advertises an IP total length of 1496 bytes, i.e. 1476 bytes after subtracting the 20-byte IP header, but only 152 bytes were actually captured; every NE40E packet shows a similarly large discrepancy.
The possible causes considered were:
1. Incorrect configuration, such as packet filtering or an ACL dropping the packets;
2. The capture was taken on the VRRP slave, so the packets could not be seen;
3. The NE40E packets never reach or traverse the USG5320 firewall;
4. The firewall discards the packets from the NE40E.
Because the IP total length advertised by the NE40E packets differs from their actual length, the USG5320 firewall treats them as malformed packets and discards them, so neither the firewall nor any device upstream of it can capture the NE40E traffic. Troubleshooting should therefore continue on the downstream devices.
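The check that explains both the capture comparison in step 3 and the firewall's drop decision is a simple one: does the IPv4 Total Length field (and the UDP Length beneath it) agree with the number of bytes actually present? The following Python script is an added example, not code from the case or from any Huawei product; it builds two constructed packets, one well-formed like the NE80 exports and one that advertises 1496 bytes while only 152 exist, and runs the length-consistency check over them. Addresses, ports and payload contents are made-up values, and the exact parsing rules of the USG5320 are not described on the page, so the verdict logic here is a generic illustration of the principle.

```python
import socket
import struct
from typing import Optional

IP_HDR_LEN = 20   # IPv4 header without options
UDP_HDR_LEN = 8
PROTO_UDP = 17


def build_ipv4_udp(payload: bytes, advertised_total_len: Optional[int] = None,
                   src: str = "192.0.2.10", dst: str = "192.0.2.20",
                   sport: int = 9996, dport: int = 9996) -> bytes:
    """Build a minimal IPv4+UDP packet (constructed test data; checksums left 0).

    advertised_total_len overrides the IP Total Length field so a packet can be
    made to lie about its size the way the NE40E packets in the case did.
    """
    udp_len = UDP_HDR_LEN + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = IP_HDR_LEN + len(udp) if advertised_total_len is None else advertised_total_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45,            # version 4, IHL 5 (20 bytes)
                         0,               # DSCP/ECN
                         total_len,       # Total Length as advertised
                         0, 0,            # identification, flags/fragment offset
                         64,              # TTL
                         PROTO_UDP,
                         0,               # header checksum (not computed here)
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + udp


def check_ip_length(packet: bytes) -> dict:
    """Compare the advertised IPv4 Total Length (and UDP Length) with the bytes
    actually present. `packet` starts at the IP header, i.e. any Ethernet
    header and link-layer padding have already been stripped."""
    captured = len(packet)
    if captured < IP_HDR_LEN:
        return {"verdict": "drop", "reason": "truncated IP header", "captured": captured}
    ver_ihl, _, total_len = struct.unpack("!BBH", packet[:4])
    ihl = (ver_ihl & 0x0F) * 4
    proto = packet[9]
    result = {
        "advertised_total": total_len,
        "advertised_payload": total_len - ihl,   # the case's "minus the header length"
        "captured": captured,
    }
    if total_len > captured:
        result.update(verdict="drop", reason="advertised IP length exceeds captured bytes")
        return result
    if total_len < captured:
        result.update(verdict="drop", reason="trailing bytes beyond advertised IP length")
        return result
    if proto == PROTO_UDP:
        udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
        if udp_len != total_len - ihl:
            result.update(verdict="drop", reason="UDP length disagrees with IP payload length")
            return result
    result.update(verdict="accept", reason="lengths consistent")
    return result


def run_demo() -> list:
    """Constructed packets: one well-formed (like the NE80 exports) and one whose
    IP header advertises 1496 bytes while only 152 bytes exist (the NE40E symptom)."""
    good = build_ipv4_udp(b"\x00" * 100)                           # 20 + 8 + 100 = 128 bytes
    bad = build_ipv4_udp(b"\x00" * 124, advertised_total_len=1496)  # 152 bytes actually present
    return [check_ip_length(good), check_ip_length(bad)]


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

When applying this to a real capture, strip the Ethernet header first and remember that frames shorter than the Ethernet minimum are padded by the sender's NIC, so a few trailing bytes beyond the IP Total Length are normal on the wire; an advertised length that exceeds the captured bytes, as in the 1496-versus-152 case above, is the condition that marks a packet as malformed.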