No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Failure in Accessing the Server Due to Incorrect MAC Address Binding on the USG2200

Publication Date:  2019-07-18 Views:  1297 Downloads:  0

Issue Description

As shown in the preceding figure, the USG2200 connects to two Internet service provider (carrier) networks through two links. Intranet users can access the server with IP address 40.x.x.69 through carrier1. Intranet users can also access the network through carrier2, but fail to access the server with IP address 40.x.x.69.

Alarm Information


Handling Process

1. Check the inter-zone policy configuration for the two carrier networks on the USG2200. No filtering policy is configured for the 40.x.x.x network segment.
2. Check the route configuration on the USG2200. Two default routes exist, respectively destined for CARRIER1 and CARRIER2 interfaces. When either of the links goes Down, packets are forwarded through the other link. Therefore, the routes are correct.
ip route-static 39.x.x.49
ip route-static 41.x.x.65
3. Shut down the link between the USG2200 and CARRIER1, and tracert the route from the USG2200 to the server. The following figure shows the result. According to the tracert records, packets have reached CARRIER1. The route between CARRIER networks is reachable.

4. Based on steps 1 to 3, the public network is working properly. Check other configurations on the USG2200. The following incorrect configuration is found:
firewall mac-binding 41.x.x.69 0006-xxxx-fc97
IP address 41.x.x.69 is bound to a MAC address on the firewall (USG2200). The configuration is incorrect regardless of whether the MAC address is the next-hop MAC address of carrier1 or the server's MAC address. If the response packets are returned from the carrier2 interface, the source MAC address of the packets is the MAC address of the carrier2 interface. Once the IP address and MAC address is bound on the firewall, the source MAC address is different from the static MAC address bound to 41.x.x.69 on the firewall. Therefore, the firewall discards the packets.
5. Talk with the customer, and find that the MAC address binding is a configuration on the former network. However, the configuration is retained when the network structure is greatly changed. To rectify the fault, delete the MAC address binding configuration.

Root Cause

1. The inter-zone policy configuration is incorrect on the USG2200.
2. The routes between the USG2200 and the server are incorrectly configured.
3. The route between two carrier networks is incorrectly configured.
4. Other configurations on the USG2200 are incorrect.


1. On a network with dual egresses, pay attention to the MAC address binding configuration on intranet devices.
2. When the network is changed, check whether configurations also need to be changed, and delete unnecessary configurations.