
The QQ Blacklist and Whitelist Function of the ASG Does Not Take Effect

Publication Date: 2019-01-22    Views: 77    Downloads: 0
Issue Description

Networking: Intranet --- ASG --- Internet

Version: ASG2100 V100R001C10SPC100

Fault description: A QQ whitelist is configured. QQ number 5874xxxx is not in the whitelist, but it can still log in successfully.

Handling Process

1. Check the QQ configuration on the live-network device. No problem is found.

2. When the problem occurs, other QQ numbers that are not in the whitelist can also log in, so the problem is not specific to one account. It is suspected that the QQ signature does not meet the requirement.

3. Analyze the packets captured on the live network and replay them in the lab. The replayed packets are correctly identified and blocked, so the problem is not caused by an incorrect QQ signature.


[ASG2800]display user-manage online-user verbose qq-login
17:17:47 2014/03/12
Current Total Number: 1
--------------------------------------------------------------------------------
IP Address: 100.100.100.2            VPN Instance: Public
Login Time: 2014-03-12 17:17:29      Online Time: 00:00:18
State: Actived                       TTL: 00:30:00        Left Time: 00:29:42
Authentication Mode: None (Temporary user)
<--packets: 3 bytes: 253   -->packets: 4 bytes: 321    //Subsequent packets are blocked.
QQ-login Info:
Index:1 QQ:58748645 RcvMsg:0 SndMsg:0
User Name: 100.100.100.2             Superior Department: root
Group Name:
--------------------------------------------------------------------------------


4. Analyze the configuration on the live network. The destination IP address of the captured packets appears in the device configuration file: it is one of the addresses resolved from a global excluded address that is configured as a domain name.


rule 26
 destination 120.196.211.227 0
 destination 120.196.212.74 0
 destination 120.196.212.86 0
 destination 120.196.212.87 0    //This address is resolved from the domain name tcpconn4.tencent.com.
 destination 120.196.212.94 0
 description qq/1/dns
 domain tcpconn4.tencent.com


5. The cause is now clear. The packets match the global excluded address, so the device forwards them directly without applying user or Internet access policies to them. When the global excluded address is configured as a domain name, every IP address that the domain name resolves to is added to the excluded range. If the public IP address used for QQ login happens to fall within that range, the ASG forwards the login packets directly.


----End

Root Cause

The packets match the global excluded address, so the device forwards them directly without applying user or Internet access policies to them. When the global excluded address is configured as a domain name, every IP address that the domain name resolves to is added to the excluded range. If the public IP address used for QQ login happens to fall within that range, the ASG forwards the login packets directly.

Solution

Change the global excluded address setting so that the public IP address used for QQ login is outside the excluded address range.

Suggestions

1. The problem itself is simple, but a global excluded address is seldom configured as a domain name on the ASG, and the IP addresses resolved from the domain name are not shown on the web UI. You need to view and analyze them in the configuration file instead.

2. When the global excluded address is configured as a domain name, the device first resolves all IP addresses corresponding to the domain name and saves them. If packets that should be blocked by the device are permitted instead, check this configuration.
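The check described in suggestions 1 and 2 (and carried out by hand in step 4 above) can be scripted. The following is an added example written for this article, not a tool shipped with the ASG: it parses the excluded-address rules out of a saved configuration file, converts each "destination address wildcard" line into a network, and reports which rule, if any, a destination address seen in a capture matched, together with the domain name that produced it. The configuration text and the captured destinations are constructed from the snippet in this case (rule 27 is an extra, constructed rule with a wildcard range), and the interpretation of the wildcard mask (a bare 0 meaning an exact host, 0.0.255.255 meaning a /16) is an assumption about the configuration syntax.

```python
import ipaddress
import re

# Constructed sample of an ASG configuration file, modelled on the excluded-address
# rule quoted in this case. Rule 27 is an extra, constructed rule with a wildcard
# mask so that the matcher is exercised on a range as well as on single hosts.
SAMPLE_CONFIG = """\
rule 26
 destination 120.196.211.227 0
 destination 120.196.212.74 0
 destination 120.196.212.86 0
 destination 120.196.212.87 0
 destination 120.196.212.94 0
 description qq/1/dns
 domain tcpconn4.tencent.com
rule 27
 destination 10.1.0.0 0.0.255.255
 description intranet-bypass
"""

# Constructed destination addresses, standing in for the destinations seen in a
# packet capture taken on the intranet side of the ASG.
CAPTURED_DESTINATIONS = ["120.196.212.87", "203.0.113.10", "10.1.37.9"]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'address wildcard' into an IPv4Network.

    Assumption about the configuration syntax: the wildcard mask has 0 bits where
    the address must match and 1 bits that are don't-care, and a bare '0' is
    shorthand for 0.0.0.0 (an exact host). Only contiguous wildcards are accepted.
    """
    wc = int(wildcard) if wildcard.isdigit() else int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()
    if wc != (1 << (32 - prefix)) - 1:
        raise ValueError(f"non-contiguous wildcard mask {wildcard!r} is not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_excluded_rules(config_text: str) -> dict:
    """Collect 'rule N' blocks into {N: {'networks': [...], 'domain': ..., 'description': ...}}."""
    rules = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"^rule\s+(\d+)$", line):
            current = {"networks": [], "domain": None, "description": None}
            rules[int(m.group(1))] = current
        elif current is None:
            continue  # text before the first rule block is ignored
        elif m := re.match(r"^destination\s+(\S+)\s+(\S+)$", line):
            current["networks"].append(wildcard_to_network(m.group(1), m.group(2)))
        elif m := re.match(r"^domain\s+(\S+)$", line):
            current["domain"] = m.group(1)
        elif m := re.match(r"^description\s+(.+)$", line):
            current["description"] = m.group(1)
    return rules


def find_matching_rules(rules: dict, dest_ip: str) -> list:
    """Return the ids of every excluded-address rule whose destinations cover dest_ip."""
    ip = ipaddress.ip_address(dest_ip)
    return [rid for rid, rule in rules.items() if any(ip in net for net in rule["networks"])]


def explain(rules: dict, dest_ip: str) -> str:
    """One-line verdict: does traffic to dest_ip bypass policy, and through which rule?"""
    hits = find_matching_rules(rules, dest_ip)
    if not hits:
        return f"{dest_ip}: no excluded-address match, user and Internet access policies apply"
    parts = []
    for rid in hits:
        rule = rules[rid]
        origin = f"resolved from domain {rule['domain']}" if rule["domain"] else "static address"
        parts.append(f"rule {rid} ({rule['description'] or 'no description'}; {origin})")
    return f"{dest_ip}: forwarded directly, bypassing policy, via " + ", ".join(parts)


def audit_destinations(rules: dict, dest_ips) -> dict:
    """Map each captured destination that hits an excluded rule to the matching rule ids."""
    result = {}
    for dest in dest_ips:
        hits = find_matching_rules(rules, dest)
        if hits:
            result[dest] = hits
    return result


if __name__ == "__main__":
    parsed = parse_excluded_rules(SAMPLE_CONFIG)
    for dest in CAPTURED_DESTINATIONS:
        print(explain(parsed, dest))
```

Running the script against a real configuration export and the destination addresses from a capture gives, for every login server address, the rule that caused the bypass and the domain name behind it, which is exactly the information the web UI does not show. A destination that matches no rule is reported as still subject to user and Internet access policies, so a whitelist that fails for such an address has a different cause.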
