As shown in the figure, the USG2220 is connected to a third-party vendor's access switch, which connects the 192.168.0.0/16 internal network. Internal users reach the ERP servers on both the external network and the internal network through the USG2220. The host 192.168.5.2 in the figure is a test user.
1.3 fault phenomenon description
Internal users connected through the USG2220 can access arbitrary external network addresses normally, but they cannot reach the most important one, the ERP server; that is, internal users cannot open the ERP server's web interface.
1. First, confirm the current configuration and check whether the USG2220 has an inter-domain packet-filtering rule that blocks the external ERP server. On inspection, all inter-domain packet filtering was found to be open (permit).
2. Access the external ERP server from the test PC 192.168.5.2 and check the session information for both directions on the USG2220:
tcp VPN:public --> public
Zone: trust--> untrust TTL: 00:00:05 Left: 00:00:05
Interface: GigabitEthernet0/0/1 NextHop:X.X.1..89 MAC: XXXX-XXXX-XXXX
<--packets:0 bytes:0 -->packets:1 bytes:60
tcp VPN:public --> public
Zone: untrust--> trust TTL: 00:00:05 Left: 00:00:05
Interface: GigabitEthernet0/0/0 NextHop: 0.0.0.0 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:0 bytes:0
According to the session information, the session is normal, at least at the communication (network) layer: the USG2220 forwarded the outbound packet, so the route from the USG2220 to the external ERP server is fine.
3. Considering that the traffic to the ERP server is heavy and large packets are received, check whether the USG2220 has a problem handling fragmented packets: adjust the device's TCP MSS setting with the command "firewall tcp-mss 1200" so that packets are kept below the fragmentation size.
4. Testing personally from the external network, accessing the external ERP server specified by the customer, the web login interface opens normally.
5. Based on the analysis in the four points above, a fault on the USG2220 can be ruled out. Consider instead whether the external ERP server applies a policy restriction that causes the access failure, for example prohibiting access from the source IP address X.X.1.90. After adjusting the configuration, testing showed that the problem was solved: the internal network can access the external ERP server, the ERP server's web interface opens normally, and the system can be entered normally with the correct user name and password.
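As an added example (not part of the original case and not Huawei's own tooling), here is a small Python parser that reads session entries in the layout shown in step 2 and flags the pattern seen there: a trust-to-untrust session whose request was forwarded but which has zero reply packets, which points past the firewall to the far end rather than to the USG2220's own policy or routes. The sample dump is constructed from the page's masked output; the function and field names are the example's own.

```python
import re

# Constructed sample in the layout of the USG2220 session output in step 2 (values masked as on the page).
SAMPLE = """\
tcp VPN:public --> public
Zone: trust--> untrust TTL: 00:00:05 Left: 00:00:05
Interface: GigabitEthernet0/0/1 NextHop:X.X.1..89 MAC: XXXX-XXXX-XXXX
<--packets:0 bytes:0 -->packets:1 bytes:60
tcp VPN:public --> public
Zone: untrust--> trust TTL: 00:00:05 Left: 00:00:05
Interface: GigabitEthernet0/0/0 NextHop: 0.0.0.0 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:0 bytes:0
"""

ZONE_RE = re.compile(r"Zone:\s*(\S+?)\s*-->\s*(\S+)")
# "<--" counters are the reply direction, "-->" counters the request direction.
PKT_RE = re.compile(r"<--packets:(\d+) bytes:(\d+)\s+-->packets:(\d+) bytes:(\d+)")


def parse_sessions(text):
    """Split a session dump into one dict per session entry."""
    sessions, cur = [], None
    for line in text.splitlines():
        if line.startswith(("tcp ", "udp ", "icmp ")):
            cur = {"proto": line.split()[0]}
            sessions.append(cur)
        elif cur is not None:
            if m := ZONE_RE.search(line):
                cur["src_zone"], cur["dst_zone"] = m.groups()
            elif m := PKT_RE.search(line):
                rev_p, rev_b, fwd_p, fwd_b = map(int, m.groups())
                cur.update(rev_packets=rev_p, rev_bytes=rev_b,
                           fwd_packets=fwd_p, fwd_bytes=fwd_b)
    return sessions


def classify(session):
    """Read the packet counters the way step 2 and the summary of the case do."""
    fwd, rev = session.get("fwd_packets", 0), session.get("rev_packets", 0)
    if fwd == 0 and rev == 0:
        return "idle"  # entry exists but no packet has matched it yet
    if rev == 0:
        # Request was forwarded but nothing came back: policy and outbound route
        # on the firewall are fine, so look at the far end (here, the ERP server).
        return "one-way"
    return "bidirectional"


def summarize(text):
    """One line per session, e.g. 'trust->untrust: one-way'."""
    return [f"{s['src_zone']}->{s['dst_zone']}: {classify(s)}" for s in parse_sessions(text)]
```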
At first we thought it might be a problem with the USG2220, for example an inter-domain packet filter restricting internal users' access to the external ERP server's address range, or the USG2220 lacking a route to the external ERP server. After the device fault was ruled out, the next consideration is whether the problem lies with the ERP server itself or with a policy restriction configured on it. Finally, by changing the public-network source IP address used to reach the external ERP server, the problem was solved, so the prime suspect was an access policy configured on the ERP server that prohibited the source IP address X.X.1.90. The customer later confirmed in person that the external ERP server did have an access control policy that prohibited all source addresses whose last host octet is 90.
We should be familiar with the functions and related configuration of the device and have a clear approach to isolating faults.