No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


The business impassability after USG9310 side connected load balance equipment

Publication Date:  2019-07-18 Views:  87 Downloads:  0

Issue Description

A customer network uses USG9310 which has three different ISP exports, because the bandwidth provided by each ISP is different, need to increase the load balance equipment F5 for flow share.
The network segments of USG9310 and the connected user are more, use OSPF learn routing, but load balance equipment F5 is not able to use OSPF, so only can side connected with USG9310 firewall. Network is as the chart, USG9310 and F5 use a 10GE interface and three GE interfaces:
The demand of the data flow direction is as follows:
data upstream:downstream SR8808→USG9310→F5→USG9310→Internet
data downstream:Internet→USG9310→F5→USG9310→downstream router
According to the demand,the configuration is as follows:
data upstream:A. the default router points to the 10GE interface which interconnected with load balance equipment F5;
                    B. configure policy-based routing on the interface which interconnected USG9310 and F5, force to direct the flow to ISP export.
data downstream:A. configure policy-based routing on the bottom interface from USG9310 to each ISP, force to direct the backhaul data flow to the CE interface which interconnected with F5.
                    B. F5 receives the data flow back from 10GE interface; USG9310 according to the routing learnt from OSPF sends it again to the downstream equipment.
The key configurations of the firewall are as follows:
ip route-static   // default routing pointed to the 10GE interface which can reach to F5
traffic classifier ZZ-out
if-match acl 3001
traffic behavior ZZ-out
redirect ip-nexthop interface GigabitEthernet 1/0/1
qos policy ZZ-out
classifier ZZ-out behavior ZZ-out    // Build policy-based routing ZZ-out, point the data entered from the interface to the Internet export 1.

interface GigabitEthernet1/0/0        
description TO_F5_Gi-1
ip address
qos apply policy ZZ-out                 //apply policy-based routing ZZ-out on the GE interface 1

traffic classifier ZZ-in
if-match acl 3001
traffic behavior ZZ-in
redirect ip-nexthop interface GigabitEthernet 1/0/0
qos policy ZZ-in
classifier ZZ-in behavior ZZ-in        // Build policy-based routing ZZ-in, point the data flow returned from the Internet to F5’s GE interface 1

interface GigabitEthernet1/0/1        
description TO_ZZ-out
ip address
qos apply policy ZZ-in                   //apply policy-based routing ZZ-in on interface 1

After completed the configuration, testing, business impassability, the connected users can’t access to the Internet.

Alarm Information


Handling Process

Under the networking the data flow will pass through the firewall twice, in order to avoid the above situation, must increase to configure virtual firewall to make sure the data flow is in the different virtual firewall when entering into the firewall twice, then the data packet can be forwarded according to the anticipation.
The correct configuration plan:
1. Configure the 10GE interface from downstream to router and to F5 in the same firewall.
2. Delimit the first GE interface from F5 to USG9310 and the first interface from USG 9310 to Internet to virtual firewall VPN_A.
3. Delimit the second GE interface from F5 to USG9310 and the second interface from USG 9310 to Internet to virtual firewall VPN_B.
4. Delimit the third GE interface from F5 to USG9310 and the third interface from USG 9310 to Internet to virtual firewall VPN_C. 
5. The default routing of the root firewall points to the F5’s 10GE interface.
6. Separately configure policy-based routing on the interfaces of the three virtual firewalls to realize data diversion.
In firewall need to increase the following configuration, delimit the interface to corresponding virtual wall:
ip vpn-instance VPN_A                //create VPN_A
route-distinguisher 1:100         
interface GigabitEthernet1/0/0
ip binding vpn-instance VPN_A      
interface GigabitEthernet1/0/1
ip binding vpn-instance VPN_A     

The configurations of virtual firewall VPN_B and VPN_C are the same.

Root Cause

 After the first packet of a data flow entered into the firewall, firewall will according to the routing table lookup routing and then forwarding, and then establish a session entry, the follow-up when the data packets with the same quintuple entered into again, the firewall will forward it according to the session table and won't lookup the route table again.
During the networking and configuring, data enters into the firewall and will be forwarded:
1. When data from downstream router SR8808 entered into USG9310, it will generate session table, send the same quintuple’s packets to F5’s 10GE interface.
2. When F5 shunted the data and sent is to USG9310, data flow’s quintuple did not change, the packet will be forwarded according to the former generated session table, send the packet to F5 again through 10GE interface.
Firewall will forward first priority according to the session, so the policy-based routing configured in each GE interface does not come into effect at this time. But the data flow formed loop, cannot be sent to Internet according to the anticipation.


Our company’s firewalls all established session table, the subsequent package according to the session to forward, so in planning configuration, need to pay more attention to whether the same data flow will pass through firewall twice, and if there is, it must configure virtual firewall, otherwise it will lead to business can't forward normally.