Eth-Trunk sub-interface was not a member of the security domain, so it could not be pinged

Publication Date: 2012-11-27

Issue Description


The sub-interface address on the SACG device cannot be pinged from the S9300.

Alarm Information


Handling Process

1. The S9300 can ping the NE40-E address. This proves that there is no problem between the S9300 and the NE40-E.

2. The NE40-E cannot ping the SACG sub-interface address. The routes on the NE40-E, the S9300 and the SACG were checked and no problem was found, which proves that the problem is between the NE40-E and the SACG.

3. ARP learning was checked on the NE40-E and the SACG. Both devices learn ARP entries, which proves that the link between the two devices is not the problem.

4. The sub-interface configuration was deleted on the NE40-E and the SACG, and the main interface was configured directly. The two devices could then communicate with each other.

5. A configuration check found that the Eth-Trunk sub-interface on the SACG had not been added to the security domain, which caused the problem.

6. After the interface was added to the security domain, the problem was solved.

Root Cause

1. Link problem;

2. Routing problem;

3. Device problem;

4. Configuration problem;


When sub-interfaces are enabled on the firewall, do not forget to add the interface that actually takes part in packet forwarding to the security domain.
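
The check in step 5 can be automated. The following is an added example, not part of the original case: it lists interfaces that carry an IP address but belong to no security domain. It assumes the `interface` / `firewall zone` / `add interface` stanza layout of a Huawei firewall configuration dump; the sample configuration, interface names and addresses are constructed.

```python
import re

# Constructed sample configuration (not taken from the case): the sub-interface
# Eth-Trunk1.100 holds the IP address, but only the main interface is in a zone.
SAMPLE_CONFIG = """\
interface Eth-Trunk1
 description to-NE40E
#
interface Eth-Trunk1.100
 vlan-type dot1q 100
 ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface Eth-Trunk1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/1
"""

def interfaces_missing_zone(config_text):
    """Return interfaces that have an IP address but are in no security zone."""
    l3_interfaces = []   # interfaces with an "ip address" line, in file order
    zoned = set()        # lower-cased names seen in "add interface" under a zone
    current_if, in_zone = None, False
    for line in config_text.splitlines():
        if not line.startswith(" "):
            # A non-indented line ("#", "interface X", "firewall zone Y") starts a new stanza.
            m = re.match(r"interface (\S+)$", line.strip())
            current_if = m.group(1) if m else None
            in_zone = line.startswith("firewall zone ")
            continue
        words = line.split()
        if current_if and words[:2] == ["ip", "address"]:
            if current_if not in l3_interfaces:
                l3_interfaces.append(current_if)
        elif in_zone and words[:2] == ["add", "interface"] and len(words) > 2:
            zoned.add(words[2].lower())
    # Membership of the main interface does not cover its sub-interfaces.
    return [name for name in l3_interfaces if name.lower() not in zoned]

if __name__ == "__main__":
    for name in interfaces_missing_zone(SAMPLE_CONFIG):
        print(f"{name}: has an IP address but is not in any security zone")
```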