A customer's web server is unable to access, ping the server address did not passed.
We can use the packet tracing check the firewall transit failed reason, first config a ACL, defined the source and destination address that needed to trace, the scope is smaller is better. in this case we defined a destination address 126.96.36.199 .
<USG2200>disp acl 3300
15:04: 04 2012/12/13
Advanced ACL 3300, 1 rule, not binding with vpn-instance
Acl's step is 5
rule 5 permit ip destination 188.8.131.52 0 (47908 times matched)
Then in the user view, turns on the packet tracing debugging switch.
<USG2200>debug ip packet-t acl 3300
The information is as follows, it is may see that which connection text receives this text from, and saw was discarded because of any reason text.
*0.112840720 USG2200 DEBUG/7/Debug_trace:
Debug type: CPU debug trace.
45b5: 184.108.40.206: 43989--> 220.127.116.11: 2048,1, EthType:0x800, Len:84, MF:0, Offset:0.
packet passed valid check.
receive from G0/0/0 zone:trust VFW<public>
packet filter error, packet dropped.
In this example , because the package filtration reason discards the packet, because the package filtration of new issued is the policy form, when the filtration strategys are very many, it is difficult to investigates a concrete policys, use this method may the fast localization whether is the package of filtration problem.
There were many reasons that the service did not functioned, any network node's breakdown possibly will cause the service does not function, the investigation of only a node cannot find the root reasone, packet tracing would be able to exclude the failure node. The packet tracing may play important role in troubleshooting network problom.
Using packet tracing can inspect the packet drop reason in equipment, it is suggested to use when troubleshooting the transmitting failed breakdown.