No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>


To have a better experience, please upgrade your IE browser.


After NAT Outbound is Enabled on the USG5300, UT And Cattle Field King Games Cannot be Accessed

Publication Date:  2012-07-17 Views:  308 Downloads:  0
Issue Description
1.        Networking
2.        Description
Firewalls are between two routers. The firewalls use independent network segment, and do not implement dual-system hot backup. Packets from intranet go from router 2 through firewall 1 or firewall 2 to the public network egress.
The two firewalls have different NAT address pools. Firewalls perform NAT on service packets and then send the packets to the public network.
3.        Symptom:
After a player logs in to the UT, the room is opened very slowly or the player is kicked out.
After a player logs in to the Battle Field King game, the same occurs.
Alarm Information
Handling Process
1.      Because the firewalls are deployed between two routers and the firewalls are configured with different NAT address pools. It is firstly suspected that the problem is caused by inconsistent inbound path and outbound path. Perform a debugging test. No inconsistency between the inbound path and the outbound path is detected. Then it is suspected that the extranet proactively initiates a session. However, captured packets indicate that this occurs no matter the network is normal or abnormal. So, this cause is ruled out.
2.      Simulate the onsite environment in the lab. Log in to the UT game for multiple times. Some login attempts fail, but then succeed after waiting a while. When NAT is not configured or nat server is configured, login attempts also fail sometimes. Capture packets at the intranet and extranet network interfaces. The result indicates that the firewalls do not discard packets. Compare the result with the packet capturing result when nat server is configured on the firewalls, nothing is found.
3.      When NAT outbound is configured on the firewalls, log in to the Battle Field King game for multiple times with the North China CNC server selected. Each login attempt succeeds. Log in to the game for multiple times with the East China server of China Telecom. Almost all attempts fail. This indicates that the fault is relevant to the selected server. Capture and analyze packets. The specific cause is still not found. When nat server or no pat is configured on firewalls, the fault is rectified.
This indicates that UT and Battle Field King programs may verify the source port of packets. When the source port is not the expected value, the previous fault occurs.  
Root Cause
This fault is relevant to the implementation principle of the two games. The firewalls translate the source port of packets going out from the intranet. Probably, the game server verifies the source port of packets. Because the source port has been translated, the game runs abnormally. If the application on the live network changes to nat server or not pat, that is, the firewalls do not translate the source port. Then the games run normally.
When you encounter such a application-related fault, it is difficult to locate the cause. The number of captured packets is large, making the analysis difficult. You are advised to use the ruling out method. For example, change the configuration. In this case, you can find that the fault does not originate from the firewall by disabling NAT or changing the NAT configuration to no pat or nat server.