




Two USG6600 can't ping each other caused by some default configuration case

Publication Date:  2014-07-30  |   Views:  392  |   Downloads:  0  |   Author:  w00490185  |   Document ID:  EKB1000047536


Issue Description

The customer connected two USG6600 firewalls directly to each other, but they could never ping each other.

Alarm Information


Handling Process

The customer sent us the firewall configuration. On checking it, I found that the interface in use had been added to a zone and that the default security policy action was permit, as follows:

firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/9

default action permit

I then checked the physical interface and the cable; both were confirmed to be normal.

Finally, I checked some of the default settings of the new USG6600 firewall and found that on the current USG6600 version the service-manage function is enabled by default, while at the same time all protocols are denied by default, except on the management interface GigabitEthernet0/0/0.

So on this USG6600 version you need to either permit the protocol you want to use or disable the service-manage function under the interface, as follows:

interface GigabitEthernet1/0/9
description To_USG6650_02_XG1/0/9
ip address 
undo service-manage enable

interface GigabitEthernet1/0/9
description To_USG6650_02_XG1/0/9
ip address 
service-manage ping permit

After changing the configuration as above, the firewalls can ping each other.
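The interface-level check described above can be automated before a deployment. The following script is an added example, not part of this article or of any Huawei tool: it parses a constructed USG6600-style configuration and applies the defaults the article describes (service-manage enabled, every protocol denied, GigabitEthernet0/0/0 exempt) to report which interfaces will silently drop ping.

```python
# Constructed sample USG6600 running config (not taken from the article).
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
#
interface GigabitEthernet1/0/9
 description To_USG6650_02_XG1/0/9
 ip address 198.51.100.1 255.255.255.252
#
interface GigabitEthernet1/0/10
 ip address 198.51.100.5 255.255.255.252
 undo service-manage enable
#
interface GigabitEthernet1/0/11
 ip address 198.51.100.9 255.255.255.252
 service-manage ping permit
#
"""

# The article names GigabitEthernet0/0/0 as the one interface exempt from deny-all.
MGMT_INTERFACE = "GigabitEthernet0/0/0"


def parse_interfaces(config):
    """Map each interface name to the stripped config lines under it."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif line.startswith("#"):
            current = None  # '#' closes the interface view in VRP configs
        elif current is not None and line.strip():
            ifaces[current].append(line.strip())
    return ifaces


def ping_allowed(name, lines):
    """USG6600 default: service-manage on and all protocols denied, so ping
    works only if service-manage is disabled or ping is explicitly permitted."""
    if name == MGMT_INTERFACE or "undo service-manage enable" in lines:
        return True
    return "service-manage ping permit" in lines


def audit(config):
    """Return the interfaces that will silently drop ping under the defaults."""
    return [name for name, lines in parse_interfaces(config).items()
            if not ping_allowed(name, lines)]
```

Running `audit(SAMPLE_CONFIG)` flags only GigabitEthernet1/0/9, which is exactly the interface the customer had added to the zone without touching service-manage.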

Root Cause

Based on the problem description given by the customer, the possible reasons are:
(1) The basic firewall configuration is incomplete (for example, the interface was not added to a zone).
(2) The security policy denies the packets.
(3) There is a physical problem with the interface or the cable.


On the USG6600 firewall, the default state of the service-manage function differs from that of older firewalls (such as the USG5500 and USG2200). On the new USG6600 this function is enabled by default, and at the same time all protocols are denied except on the management interface GigabitEthernet0/0/0. On the older firewalls this function is disabled by default.

So pay attention to the differing service-manage defaults when moving between firewall models.