Symptom: An NE40E implements unidirectional TCP access.
Version information: V600R008
TCP access is allowed from R1 to R2 but is rejected from R2 to R1.
The address segment of R1 is X.X.X.X/24.
The address segment of R2 is Y.Y.Y.Y/24.
Configuration of the NE40E:
rule 10 permit tcp source Y.Y.Y.Y 0.0.0.255 destination X.X.X.X 0.0.0.255 tcp-flag established // Apply the ACL inbound on the NE40E interface connected to R2 so that TCP reply packets from R2 are allowed through.
rule 20 deny tcp source Y.Y.Y.Y 0.0.0.255 destination X.X.X.X 0.0.0.255 // Deny all other TCP traffic from R2 to R1, including new connection attempts.
In the first TCP packet (the SYN) sent by R1, the ACK bit is 0. The second packet, the reply from R2 to R1, carries ACK=1 and therefore matches rule 10, which permits it. The packets that R1 then sends to R2 also carry ACK=1, and from that point on every TCP packet exchanged between R1 and R2 has ACK=1, so the connection initiated by R1 is not affected. A connection attempt initiated by R2 begins with a SYN whose ACK bit is 0; it does not match rule 10, so it falls through to the subsequent rule, rule 20, and is rejected.
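The following is an added model of the behaviour described above, not configuration or code from the original case: it evaluates the two ACL rules, applied inbound on the R2-facing interface, against a handshake initiated by R1 and against a SYN initiated by R2. The addresses are constructed placeholders (192.0.2.0/24 stands in for X.X.X.X/24, 198.51.100.0/24 for Y.Y.Y.Y/24).

```python
# Added example (not from the original case): first-match ACL evaluation with
# "tcp-flag established", modelling rules 10 and 20 on the NE40E's R2-facing interface.
import ipaddress
from dataclasses import dataclass

R1_NET = ipaddress.ip_network("192.0.2.0/24")      # constructed stand-in for X.X.X.X/24
R2_NET = ipaddress.ip_network("198.51.100.0/24")   # constructed stand-in for Y.Y.Y.Y/24


@dataclass
class Pkt:
    src: str
    dst: str
    syn: bool = False
    ack: bool = False
    rst: bool = False


def established(p: Pkt) -> bool:
    # "tcp-flag established" matches packets with the ACK or RST bit set,
    # i.e. everything except the initial SYN of a new connection.
    return p.ack or p.rst


# (rule id, action, source network, destination network, flag predicate)
RULES = [
    (10, "permit", R2_NET, R1_NET, established),
    (20, "deny", R2_NET, R1_NET, lambda p: True),
]


def evaluate(p: Pkt) -> tuple:
    """First matching rule wins. Returns (rule_id, action); None means no rule matched."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    for rid, action, s_net, d_net, flag in RULES:
        if src in s_net and dst in d_net and flag(p):
            return rid, action
    return None, "permit"   # assumption: unmatched traffic is permitted by default


def simulate(flow) -> list:
    """Apply the ACL only to packets arriving from R2; the R1-facing interface has no ACL."""
    return [evaluate(p)[1] if ipaddress.ip_address(p.src) in R2_NET else "permit" for p in flow]


# Constructed traffic: a three-way handshake started by R1, then a SYN started by R2.
R1_INITIATED = [
    Pkt("192.0.2.10", "198.51.100.20", syn=True),            # R1 SYN (ACK=0), not filtered
    Pkt("198.51.100.20", "192.0.2.10", syn=True, ack=True),  # R2 SYN-ACK, matches rule 10
    Pkt("192.0.2.10", "198.51.100.20", ack=True),            # R1 ACK
    Pkt("198.51.100.20", "192.0.2.10", ack=True),            # R2 data, matches rule 10
]
R2_INITIATED = [Pkt("198.51.100.20", "192.0.2.10", syn=True)]  # R2 SYN (ACK=0), rule 20 denies
```

Running `simulate` on the two flows shows every packet of the R1-initiated connection permitted, while the R2-initiated SYN is denied by rule 20.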