After a USG2220 replaces a Juniper device at a site, the services that intranet servers publish to the Internet through NAT Server become unreachable.
Device model: USG2220
firewall packet-filter default permit interzone local trust direction inbound
firewall packet-filter default permit interzone local trust direction outbound
firewall packet-filter default permit interzone local untrust direction outbound
firewall packet-filter default permit interzone local untrust direction inbound
firewall packet-filter default permit interzone trust untrust direction outbound
firewall packet-filter default permit interzone trust untrust direction inbound
nat server 0 global 118.140.X.A inside 192.168.30.20
nat server 1 global 118.140.X.B inside 192.168.30.22
interface GigabitEthernet5/0/0
 alias TO intenet
 ip address 118.140.X.C 255.255.255.240
The NAT Server global addresses 118.140.X.A and 118.140.X.B and the address of GE5/0/0 (118.140.X.C/28) are on the same network segment.
Internet users can access 118.140.X.C but cannot access 118.140.X.A/B.
The intranet server at 192.168.30.20/22 cannot access the Internet.
Step 1 Check the session table.
Ping 118.140.X.A from a PC on the Internet and run the display firewall session table destination global 118.140.X.A command. No session is generated.
Ping 118.140.X.C (the address of the interface facing the Internet) from the same PC and run the display firewall session table destination global 118.140.X.C command. A session entry is generated and the traffic is allowed.
If no session is generated, one of two conditions holds:
1. A firewall access control policy blocks the traffic.
2. The firewall never receives the traffic.
Step 2 Check the access control policies on the firewall. No specific policy is configured, and the default interzone policy permits traffic in both directions between the Trust and Untrust zones (see the configuration above). The first condition is ruled out.
Step 3 Check whether the firewall receives the access data.
The analysis is as follows:
1. Before it was replaced by the USG2220, the Juniper device worked properly, so the route to the 118.140.X.C/28 segment is already reachable from the Internet. A missing route is not the cause.
2. 118.140.X.C, the address of the USG2220's Internet-facing interface, is reachable, and it can itself be used as a NAT Server global address. The link and the upstream routing therefore work for at least one address in the segment.
3. Initiate a connection from the intranet server at 192.168.30.20 or 192.168.30.22 to the Internet. A session entry is generated on the firewall, but it records only outgoing packets: the peer ISP device never sends anything back. Because the nat server mapping also translates the servers' outbound traffic, those packets leave with source address 118.140.X.A or 118.140.X.B, so the replies must be delivered to exactly the addresses that are unreachable from the Internet.
Based on this analysis, it is suspected that the peer ISP device has not learned ARP entries (MAC addresses) for the NAT Server public addresses configured on the USG2220, so it cannot forward any frame towards them.
Step 4 Enable ARP debugging on the USG2220 to view information about sent and received ARP packets.
*0.4106031130 TaiYang-FW ARP/7/arp_rcv:Receive an ARP Packet, operation : 1, sender_eth_addr : ac9c-e4cc-aee7, sender_ip_addr : 0.0.0.0, target_eth_addr : 0000-0000-0000, target_ip_addr : 118.140.X.A
*0.4106031380 TaiYang-FW ETH/7/eth_error:-ARP Request- Board:0,IF:GigabitEthernet5/0/0,dstIP:118.140.X.A,srcMAC:ac9c-e4cc-aee7,dstMAC:0000-0000-0000 ##arp drop packet,because:source ip is not valid ip address!
The ARP request from the peer ISP device (sender MAC ac9c-e4cc-aee7) carries a sender IP address of 0.0.0.0, the form of an ARP probe rather than a normal request. The USG2220 treats such a packet as invalid and discards it without replying. The peer device therefore never learns the MAC address for 118.140.X.A (and likewise 118.140.X.B), cannot build Ethernet frames for those addresses, and so cannot deliver either Internet users' requests or the replies to the intranet servers' outbound traffic.
The peer ISP device cannot be reconfigured, so the problem must be solved on the USG2220. Instead of relying on answering the peer's requests, which it will continue to drop, the USG2220 is configured to announce its addresses itself by sending gratuitous ARP packets, so the peer learns the MAC address for each NAT Server address and for the interface address directly.
Configure the WAN interface GE5/0/0 on the USG2220:
interface GigabitEthernet5/0/0
 nat arp-gratuitous send //Send gratuitous ARP packets for the NAT-related public addresses (here 118.140.X.A and 118.140.X.B).
 gratuitous-arp send enable //Send gratuitous ARP packets for the interface's own IP address (118.140.X.C).
After the change, repeat Step 1: ping 118.140.X.A from a PC on the Internet and confirm with display firewall session table destination global 118.140.X.A that a session is created and that it shows traffic in both directions. Access from the intranet servers to the Internet should recover at the same time, since it depends on the same ARP entries on the peer.
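The following is an ARP-level model of the fault and of why gratuitous ARP fixes it. It is added here as an illustration and is not part of the original case or of Huawei's software. It builds the ISP device's request exactly as the debug output shows it (sender IP 0.0.0.0, target the first NAT Server address), applies a drop rule matching the "source ip is not valid ip address" message, and then feeds gratuitous ARP frames for the NAT Server and interface addresses into a minimal model of the peer's ARP table, showing that the entries appear without the USG ever answering the probe. The TEST-NET-3 addresses (203.0.113.16/28 standing in for 118.140.X.C/28), the USG MAC address and the NeighbourCache class are constructed for the example; the ISP MAC is the one printed in the debug output.

```python
from __future__ import annotations
import ipaddress
import struct

# Added example (not Huawei code): an ARP-level model of the USG2220 case.
ETH_P_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, dst_mac: str = BROADCAST_MAC) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (IPv4 over Ethernet, 42 bytes)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, oper
    arp += mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame: bytes) -> dict[str, object]:
    """Decode the fields the USG debug line prints: operation, sender/target MAC and IP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an IPv4 ARP frame")
    return {
        "operation": struct.unpack("!H", frame[20:22])[0],
        "sender_eth_addr": mac_str(frame[22:28]),
        "sender_ip_addr": str(ipaddress.IPv4Address(frame[28:32])),
        "target_eth_addr": mac_str(frame[32:38]),
        "target_ip_addr": str(ipaddress.IPv4Address(frame[38:42])),
    }


def usg_arp_check(frame: bytes) -> tuple[bool, str]:
    """Model of the check seen in the debug output: a request whose sender IP is 0.0.0.0
    is treated as invalid and dropped, so the probed address is never answered."""
    a = parse_arp(frame)
    if a["sender_ip_addr"] == "0.0.0.0":
        return False, "arp drop packet,because:source ip is not valid ip address!"
    return True, "accepted"


class NeighbourCache:
    """Minimal model (constructed) of the ISP router's ARP table on the shared /28."""

    def __init__(self, local_net: str) -> None:
        self.net = ipaddress.IPv4Network(local_net, strict=False)
        self.table: dict[str, str] = {}

    def learn(self, frame: bytes) -> None:
        a = parse_arp(frame)
        ip = a["sender_ip_addr"]
        # Learn only on-segment, non-zero sender addresses; a gratuitous ARP qualifies.
        if ip != "0.0.0.0" and ipaddress.IPv4Address(ip) in self.net:
            self.table[ip] = a["sender_eth_addr"]

    def resolve(self, ip: str) -> str | None:
        return self.table.get(ip)


def gratuitous_arp(own_mac: str, ip: str) -> bytes:
    """Gratuitous ARP request: sender IP == target IP == the address being announced."""
    return build_arp(ARP_REQUEST, own_mac, ip, ZERO_MAC, ip)


# Constructed addresses: TEST-NET-3 stands in for 118.140.X.C/28 (.17 = GE5/0/0,
# .18/.19 = the two NAT Server global addresses). The USG MAC is made up.
WAN_NET = "203.0.113.16/28"
GE5_IP = "203.0.113.17"
NAT_GLOBAL = ["203.0.113.18", "203.0.113.19"]
ISP_MAC = "ac:9c:e4:cc:ae:e7"   # sender MAC shown in the debug output
USG_MAC = "00:e0:fc:00:00:01"   # constructed


def run_scenario() -> dict[str, object]:
    peer = NeighbourCache(WAN_NET)
    # 1. The ISP device resolves a NAT Server address with sender IP 0.0.0.0 ...
    probe = build_arp(ARP_REQUEST, ISP_MAC, "0.0.0.0", ZERO_MAC, NAT_GLOBAL[0])
    accepted, reason = usg_arp_check(probe)
    # ... the USG drops it and never replies, so the peer has no entry (the fault).
    before_fix = peer.resolve(NAT_GLOBAL[0])
    # 2. With gratuitous ARP enabled, the USG announces the NAT Server addresses and
    #    its own interface address; the peer learns them without any reply to its probe.
    for ip in NAT_GLOBAL + [GE5_IP]:
        peer.learn(gratuitous_arp(USG_MAC, ip))
    return {"probe_accepted": accepted, "drop_reason": reason,
            "before_fix": before_fix, "after_fix": peer.resolve(NAT_GLOBAL[0]),
            "peer_table": dict(peer.table)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model deliberately keeps the USG's drop rule in place: the fix does not make the firewall answer probes with a 0.0.0.0 sender, it sidesteps them by announcing the addresses, which is why both `send` commands are needed (one for the NAT Server addresses, one for the interface address).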