The USG, acting as the egress gateway of the internal network, provides Internet access for internal users. After the USG configuration is completed, internal users can access the Internet normally for about a minute; then all services are interrupted and the Internet can no longer be reached.
Step 1: Check the egress line.
1. When the failure occurs, run the “display interface [ interface-type [ interface-number ] ]” command on the USG to check the interface status. The port status is UP and packets are being sent and received.
2. Replace the original interconnected external-network device with a PC, configure the external-network device's interconnection address on the PC, and run ping: the two ends can ping each other.
This confirms that the egress line is normal, which rules out reason 1.
Step 2: Check the basic USG configuration.
1. Run the “display ip interface brief” command to view the details of all USG interfaces. The address configuration is correct and the port status is normal.
2. Run the “display zone interface” command: all USG interfaces have been added to security zones.
3. Checking the configuration shows that the packet-filtering rules between the security zones are already enabled.
4. Run the “display ip routing-table” command to check the routing table: all routes required for service interworking are present.
The above rules out reason 2.
Step 3: Check the configuration of the peer device connected to the USG.
Because the peer device connected to the USG may be from another vendor, its configuration cannot be viewed directly. Replace it with a PC, configure the egress address on the PC, and check the PC's Internet access: all services are normal, so reason 3 can be ruled out.
Step 4: Check whether ARP spoofing is present.
1. After the service interruption, run the “display arp” command to check the USG ARP cache. It contains the peer device's ARP entry, and that entry has not changed, so there is no ARP spoofing.
2. Pinging the peer device's address from the USG fails, so the fault is initially suspected to be related to the peer. Run the “debugging arp packet” command when the service first comes online; analysis of the debugging output is as follows:
A. The USG sends an ARP request to the peer device.
B. The peer device returns an ARP reply.
C. The peer device sends an ARP request once again. In a normal ARP exchange the peer device should not send another request, because it has already returned an ARP reply, meaning it already knows the MAC address corresponding to this interface's IP address.
D. The USG does not send an ARP reply back to the peer device.
3. From the debugging analysis, the peer device is suspected of running some mechanism to prevent ARP spoofing. Since the peer device cannot be changed, the aging time of the ARP entry on the USG outbound interface can be modified instead: run “arp expire-time expire-time” with an expire-time value of 60 seconds. Because the ARP entry is then refreshed every 60 seconds, the peer device's ARP cache is also refreshed, which avoids the problem.
4. After the ARP entry aging time on the outbound interface is changed to 60 seconds, the service returns to normal. This confirms that the ARP anti-spoofing mechanism on the peer device is what caused the service failure.
The four possible causes considered in the steps above:
• reason 1: egress line problem
• reason 2: configuration problem
• reason 3: configuration problem on the connected peer device
• reason 4: ARP spoofing
The basic principle of the ARP anti-spoofing mechanism is as follows:
When the local device receives an ARP request, it records the peer's IP-to-MAC address mapping and marks it as unverified. It sends an ARP reply to the peer, and then sends its own ARP request back to the peer device. If it receives an ARP reply, no ARP spoofing is taking place, and the corresponding ARP entry is set to the trusted state. If no reply is received within the stipulated time (1 minute in this case), the corresponding entry is set to the untrusted state. During this period (1 minute) data packets are forwarded normally; once it expires, the ARP problem causes the return traffic from the peer device to fail to be forwarded.
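The following simulation, added here as an illustration and not taken from the case study or from Huawei code, models the peer-side verification mechanism just described together with the USG-side ARP aging timer, so that the outcome of Step 4 (traffic stops after one minute, and an aging time of 60 seconds on the outbound interface keeps it flowing) can be reproduced on a timeline. The addresses, the assumed 1200-second "default" aging value, the 300-second observation window, and the third scenario in which the USG does answer the peer's ARP request are constructed assumptions for the example; the case study only observed the USG not answering.

```python
# Added example (not from the original case study): a small simulation of the
# peer-side ARP verification mechanism and of the USG-side ARP aging timer.
# All names, the 1200 s "default" aging value and the 300 s observation window
# are assumptions made for the illustration.

from dataclasses import dataclass

UNVERIFIED, TRUSTED, UNTRUSTED = "unverified", "trusted", "untrusted"
VERIFY_WINDOW = 60   # seconds the peer tolerates an unverified entry (1 minute in the case)
USG_IP, USG_MAC = "198.51.100.2", "00-11-22-33-44-55"   # constructed sample addresses


@dataclass
class PeerArpEntry:
    ip: str
    mac: str
    state: str
    learned_at: int   # simulation second at which the mapping was (re)learned


class PeerDevice:
    """Model of the peer device's ARP anti-spoofing check (constructed)."""

    def __init__(self):
        self.table = {}

    def on_arp_request(self, src_ip, src_mac, now):
        # Record the mapping as unverified; the peer then replies (step B)
        # and sends its own ARP request back to the requester (step C).
        self.table[src_ip] = PeerArpEntry(src_ip, src_mac, UNVERIFIED, now)

    def on_arp_reply(self, src_ip):
        # A reply to the peer's own request proves the mapping: mark it trusted.
        entry = self.table.get(src_ip)
        if entry is not None and entry.state == UNVERIFIED:
            entry.state = TRUSTED

    def tick(self, now):
        # Entries still unverified after the window are demoted to untrusted.
        for entry in self.table.values():
            if entry.state == UNVERIFIED and now - entry.learned_at >= VERIFY_WINDOW:
                entry.state = UNTRUSTED

    def can_forward_to(self, ip):
        entry = self.table.get(ip)
        return entry is not None and entry.state != UNTRUSTED


def simulate(expire_time, usg_answers_peer_requests=False, duration=300):
    """Return the seconds at which the peer cannot forward return traffic to the USG.

    expire_time: ARP aging time configured on the USG outbound interface (seconds).
    usg_answers_peer_requests: False reproduces step D of the debugging trace,
    where the USG never answered the peer's ARP request.
    """
    peer = PeerDevice()
    usg_learned_at = None   # None: the USG has no ARP entry for the peer yet
    outages = []
    for now in range(duration):
        # The USG (re)sends an ARP request when its entry is missing or aged out (step A).
        if usg_learned_at is None or now - usg_learned_at >= expire_time:
            peer.on_arp_request(USG_IP, USG_MAC, now)
            usg_learned_at = now
            if usg_answers_peer_requests:
                peer.on_arp_reply(USG_IP)
        peer.tick(now)
        if not peer.can_forward_to(USG_IP):
            outages.append(now)
    return outages


def first_outage(expire_time, usg_answers_peer_requests=False):
    """Second at which return traffic first fails, or None if it never does."""
    outages = simulate(expire_time, usg_answers_peer_requests)
    return outages[0] if outages else None


if __name__ == "__main__":
    print("assumed default aging (1200 s): first outage at", first_outage(1200))
    print("arp expire-time 60:             first outage at", first_outage(60))
    print("USG answers peer's request:     first outage at", first_outage(1200, True))
```

With the assumed default aging time the USG keeps its entry for far longer than the peer's one-minute verification window, so the peer demotes the entry to untrusted at second 60 and return traffic fails from then on, matching the symptom. With an aging time of 60 seconds the USG re-sends its ARP request exactly as the peer's window would expire, so the peer relearns the mapping as a fresh unverified entry each minute and never reaches the untrusted state.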