NE5000E: V200R003C02B609+SPH012; NE40E: V300R003C02B697
Network topology and description:
See the attachment.
Fault symptoms:
Some users served by the NE40Es successfully accessed some websites but failed to open application links on the websites. Packets from the websites were directed to the third-party egress.
Possible causes of the fault are as follows:
1. The third-party egress was problematic.
2. The firewalls were problematic.
3. Routes were incorrectly configured on the NE5000Es.
To address the issue, Huawei performed the following operations and observed the following information:
1. Checked whether both public and private network users served by NE40E-1 had the same problem.
Only private network users encountered the problem.
2. Checked whether both public and private network users served by NE40E-2 had the same problem.
Neither public nor private network users encountered the problem. Therefore, third-party firewall-2 and the third-party egress did not have an error.
3. Checked whether third-party firewall-1 was problematic.
A user successfully opened the application links. Therefore, third-party firewall-1 was normal.
4. Checked return routes available for the NAT network segment (an address pool was configured on third-party firewall-1) on NE5000E-2.
There were three next-hops: the route between NE5000E-1 and NE5000E-2, the route to NE40E-1, and the route to NE40E-2. The multiple next-hops resulted from OSPF-iterated IBGP routes.
When the next-hop was NE5000E-1, private network users could open the application links. When the next-hop was NE40E-1 or NE40E-2, the default route was used, because OSPF did not advertise routes in the NAT address pool. As a result, packets were sent back to NE5000E-2 and a loop formed.
5. Checked cost values of all OSPF routes on the entire network.
The sum of the cost (4) of the route between NE5000E-2 and NE40E-2 and the cost (6) of the route between NE40E-2 and NE5000E-1 is equal to 10. The cost of the route between NE5000E-2 and NE5000E-1 is also 10.
1. Plan appropriate costs for IGP routes.
2. If static routes are configured for load sharing, import the static routes to OSPF when advertising NAT addresses.
3. By default, a BGP speaker sets the next-hop to its own IP address when advertising routes to its EBGP peers. However, when advertising routes to its IBGP peers, it does not change the next-hop.
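The equal-cost condition from step 5 and the loop from step 4, as an added Python sketch (not part of the original case and not Huawei tooling). It models only the three links whose costs the case states; the forwarding model in `trace` and the adjusted cost of 7 are assumptions chosen for illustration.

```python
import heapq

# Costs stated in step 5. NE40E-1 is left out: its link costs are not given.
LINKS = {
    ("NE5000E-2", "NE40E-2"): 4,
    ("NE40E-2", "NE5000E-1"): 6,
    ("NE5000E-2", "NE5000E-1"): 10,
}

def ecmp_first_hops(links, src, dst):
    """Return (cost, first hops) over all equal-cost shortest paths src -> dst."""
    adj = {}
    for (a, b), c in links.items():
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    best = {src: (0, set())}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > best[u][0]:
            continue  # stale queue entry
        for v, c in adj[u]:
            nd = d + c
            hops = {v} if u == src else best[u][1]
            if v not in best or nd < best[v][0]:
                best[v] = (nd, set(hops))
                heapq.heappush(heap, (nd, v))
            elif nd == best[v][0]:
                best[v][1].update(hops)  # equal cost: keep both first hops
    return best[dst]

def trace(first_hop, src="NE5000E-2", egress="NE5000E-1"):
    """Follow one flow for the NAT pool. Assumed model: only `egress` has a
    route for the pool; any other router uses a default route back to `src`."""
    path, node = [src], first_hop
    while node not in path:
        path.append(node)
        if node == egress:
            return path, "delivered"
        node = src  # no OSPF route for the NAT pool, so the default route is used
    return path + [node], "loop"

if __name__ == "__main__":
    cost, hops = ecmp_first_hops(LINKS, "NE5000E-2", "NE5000E-1")
    for hop in sorted(hops):
        print(cost, hop, *trace(hop))
    tuned = {**LINKS, ("NE40E-2", "NE5000E-1"): 7}  # constructed cost, suggestion 1
    print(ecmp_first_hops(tuned, "NE5000E-2", "NE5000E-1"))
```

With the stated costs both first hops tie at 10, and the flow hashed onto NE40E-2 loops; once the costs no longer tie, only the direct path remains.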