An ME60 Web Pre-Authentication User Fails to Ping a DNS Server

Publication Date: 2019-03-27

Issue Description

The service type is Web+NAT. Users in the pre-authentication domain can go online normally but cannot ping a gateway.

Handling Process

Possible causes are as follows:

1. The configuration is incorrect.

2. The network is abnormal.

3. Other problems occur.

Implementation:

1. Check that the configurations of the NAT instance and traffic policy are correct.

nat instance SWUST-NAT id 12
vpn-nat enable
port-range 4096
service-instance-group SWUST-NAT
nat address-group SWUST-01 group-id 1
   section 0 175.155.58.0 mask 24
   section 1 175.155.59.0 mask 24
nat outbound 2004 address-group SWUST-01
nat alg all
nat filter mode full-cone
nat log session enable syslog


domain test
  authentication-scheme default0
  accounting-scheme default0
  ip-pool swust-04
  vpn-instance SWUST
  user-group swust-portal bind nat instance SWUST-NAT
  idle-cut 30 0
  web-server 66.183.0.2
  web-server url http://66.183.0.2:8088
  web-server url-parameter
  web-server redirect-key user-ip-address wlanuserip


traffic policy global
share-mode
statistics enable
classifier swust-portal-white behavior swust-nat   //ACL 8002 and a whitelist are configured, allowing DNS addresses to pass. The corresponding action is NAT.
classifier swust-portal-redirect behavior redirect
classifier swust-portal-deny behavior deny


acl number 8002
description SWUST-PORTAL-WHITE
rule 5 permit ip source user-group swust-portal destination ip-address 119.6.6.6 0
rule 10 permit ip source user-group swust-portal destination ip-address 123.125.99.0 0.0.0.255
rule 15 permit ip source user-group swust-portal destination ip-address 113.207.48.203 0
rule 20 permit ip source user-group swust-portal destination ip-address 221.10.255.230 0
traffic behavior swust-nat
nat bind instance SWUST-NAT

2. Switch the user service to another board for a test. The service works normally there, so a network fault is ruled out.

3. Check the board type. The faulty board is an LPUA, while the board that works properly is an LPUN. Confirmation with R&D engineers shows that the LPUA processes packets differently from other boards. After an ME60 interface board receives a private-network user packet, it first looks up a route based on the VPN ID and the destination IP address and only then matches the packet against the ACL. At that point the private source address has not yet been translated to a public address by NAT and the VPN ID is not 0, so the VPN routing table holds no route to the public-network DNS server and the packet is discarded.

Configure a static blackhole route for the DNS server address in the VPN instance. The route lookup on the interface board then succeeds, user packets are distributed to the NAT board, and the ping goes through. The authentication page is displayed after the corresponding website address is entered.

ip route-static vpn-instance SWUST 119.6.6.6 32 NULL 0
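As an added consistency check (not part of the original article), the following Python script parses a configuration excerpt modelled on the one above and lists every destination permitted by the pre-authentication whitelist ACL that has no covering NULL0 route in the VPN instance, then prints the route commands that would close each gap. The CONFIG excerpt and the regular expressions are assumptions based on the command syntax shown on this page, not output captured from a device.

```python
import ipaddress
import re

# Constructed excerpt in the style of the article's configuration (assumed
# format; the single NULL0 route is the one the article adds for 119.6.6.6).
CONFIG = """\
acl number 8002
 rule 5 permit ip source user-group swust-portal destination ip-address 119.6.6.6 0
 rule 10 permit ip source user-group swust-portal destination ip-address 123.125.99.0 0.0.0.255
 rule 15 permit ip source user-group swust-portal destination ip-address 113.207.48.203 0
 rule 20 permit ip source user-group swust-portal destination ip-address 221.10.255.230 0
ip route-static vpn-instance SWUST 119.6.6.6 32 NULL 0
"""

RULE_RE = re.compile(r"rule \d+ permit ip .*?destination ip-address (\S+) (\S+)")
ROUTE_RE = re.compile(r"ip route-static vpn-instance (\S+) (\S+) (\d+) NULL 0")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an ACL 'address wildcard' pair into a prefix ('0' means one host)."""
    bits = int(wildcard) if "." not in wildcard else int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # wildcard must be a contiguous run of low-order 1 bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)


def whitelisted_destinations(config: str) -> list:
    """Destinations the pre-authentication whitelist ACL permits."""
    return [wildcard_to_network(a, w) for a, w in RULE_RE.findall(config)]


def blackhole_routes(config: str, vpn: str) -> list:
    """NULL0 static routes configured in the given VPN instance."""
    return [ipaddress.IPv4Network(f"{a}/{m}") for v, a, m in ROUTE_RE.findall(config) if v == vpn]


def missing_blackhole_routes(config: str, vpn: str) -> list:
    """Whitelisted destinations with no covering NULL0 route in the VPN instance.

    On an LPUA these are the destinations whose packets are dropped before
    they can reach the NAT board, as the article describes.
    """
    routes = blackhole_routes(config, vpn)
    return [str(d) for d in whitelisted_destinations(config)
            if not any(d.subnet_of(r) for r in routes)]


def suggested_routes(config: str, vpn: str) -> list:
    """Route commands, in the page's syntax, that would close each gap."""
    nets = [ipaddress.IPv4Network(n) for n in missing_blackhole_routes(config, vpn)]
    return [f"ip route-static vpn-instance {vpn} {n.network_address} {n.prefixlen} NULL 0"
            for n in nets]


if __name__ == "__main__":
    for cmd in suggested_routes(CONFIG, "SWUST"):
        print(cmd)
```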

Root Cause

The LPUA processes packets differently from other boards. After an ME60 interface board receives a private-network user packet, it first looks up a route based on the VPN ID and the destination IP address and only then matches the packet against the ACL. At that point the private source address has not yet been translated to a public address by NAT and the VPN ID is not 0, so the VPN routing table holds no route to the public-network DNS server and the packet is discarded.

Solution

Configure a static blackhole route for the DNS server address in the VPN instance so that user packets are distributed to the NAT board and the DNS server can be pinged.