1. The 100 Mbit/s O/E converter is of poor quality. A 100 Mbit/s O/E converter may cause the preceding phenomenon if it is connected to a GE interface. In this case, however, the phenomenon persists after a switch is deployed between the converter and the firewall. Moreover, while the firewall is disconnected from the network, the next-hop public IP address can still be pinged successfully from the public IP address of the switch. Therefore, the phenomenon is not caused by poor quality of the 100 Mbit/s O/E converter.
2. According to the onsite check, the network connection resumes immediately after the ARP entries are cleared. Therefore, the phenomenon is related to ARP. According to the analysis of captured packets, the first ARP request packets sent by the public network gateway are addressed to the correct broadcast address, and the USG5300 responds to these packets. The gateway then sends unicast ARP request packets, and the USG5300 does not respond. The USG5300 does not respond to the unicast ARP packets because it treats them as attack packets. 10 minutes later, the network connection breaks because the USG5300 ARP entries have aged. When the gateway sends broadcast ARP packets again, the network connection resumes.
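
The packet analysis in item 2 can be repeated on any capture with a short script. The following is an added example, not part of the original case: it parses raw Ethernet ARP frames and lists the requests that received no reply, marking each as broadcast or unicast. The MAC and IP addresses, the timestamps and the one-second reply window are constructed for illustration.

```python
import struct

BROADCAST = b"\xff" * 6

def parse_arp(frame):
    """Decode an Ethernet/IPv4 ARP frame; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"dst": frame[0:6], "op": op, "spa": frame[28:32], "tpa": frame[38:42]}

def unanswered_requests(capture, window=1.0):
    """capture: [(timestamp, frame)]. Return [(ts, kind, target_ip)] for ARP
    requests with no matching reply within `window` seconds (assumed value)."""
    arp = [(ts, p) for ts, p in ((ts, parse_arp(f)) for ts, f in capture) if p]
    missing = []
    for ts, req in arp:
        if req["op"] != 1:                      # 1 = request, 2 = reply
            continue
        answered = any(rep["op"] == 2 and rep["spa"] == req["tpa"]
                       and rep["tpa"] == req["spa"] and ts <= rts <= ts + window
                       for rts, rep in arp)
        if not answered:
            kind = "broadcast" if req["dst"] == BROADCAST else "unicast"
            missing.append((ts, kind, ".".join(map(str, req["tpa"]))))
    return missing

def build_arp(dst, src, op, spa, tha, tpa):
    """Build a 42-byte ARP frame (helper for the constructed sample only)."""
    header = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, op)
    return dst + src + header + src + spa + tha + tpa

# Constructed sample: gateway 192.0.2.1, firewall 192.0.2.2 (documentation range).
GW_MAC, FW_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
GW_IP, FW_IP = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
SAMPLE = [
    (0.000, build_arp(BROADCAST, GW_MAC, 1, GW_IP, b"\x00" * 6, FW_IP)),  # broadcast request
    (0.001, build_arp(GW_MAC, FW_MAC, 2, FW_IP, GW_MAC, GW_IP)),          # firewall reply
    (30.0, build_arp(FW_MAC, GW_MAC, 1, GW_IP, FW_MAC, FW_IP)),           # unicast request
    (31.0, build_arp(FW_MAC, GW_MAC, 1, GW_IP, FW_MAC, FW_IP)),           # unicast retry
]

if __name__ == "__main__":
    for ts, kind, ip in unanswered_requests(SAMPLE):
        print(f"{ts:>7.3f}s  {kind} ARP request for {ip} got no reply")
```

If only unicast requests appear in the output while broadcast requests are answered, the capture shows the same pattern as this case.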