[AF] New architecture: packet forwarding error when traffic traverses the device twice
Problem Description
AF is deployed in Layer 2 mode with two inbound and two outbound interfaces (two-in, two-out).
The local voice telephone gateway cannot dial the city/state telephone gateway.

Effective troubleshooting steps
- First clarify the data flow: the telephone voice gateway 218.193 needs to reach the city voice gateway 198.1. The path is: Phone → AF eth1 → AF eth2 → HW → switch 7506 vlan 4001 → switch 7506 address 182 → HW → AF eth4 → AF eth3 → switch 6608 → city/state voice gateway.
- On AF, eth1 and eth2 are configured as access ports in vlan 4001, and eth3 and eth4 in vlan 1. The interfaces are Layer 2, no IP address is configured on the vlan interfaces, and forwarding is pure Layer 2.
- Access still fails even with Layer 2 and Layer 3 direct pass-through enabled on AF.
- Comparing packet captures taken on the four AF interfaces, we found that the call goes to port 1720 of Lianshizhou. The SYN to port 1720 entered on eth1 and left on eth2, was forwarded by the gateway, entered AF again on eth4 and was sent out on eth2 instead of eth3, so the call failed.
- After configuring multiple traversal on eth4, the interface where the packet enters the second time, everything works normally.

Root cause
The packet passes through the device twice. On the second pass, connection tracking matches the session created by the first pass and forwards the packet out that session's interface. After multiple traversal is configured, the packet is forwarded normally without consulting connection tracking.
PS:
The differences between multiple traversal in the new architecture and Layer 2 direct pass-through are as follows:
Multiple traversal: when the packet reaches AF the second time, connection tracking is not checked; the packet is forwarded by a Layer 3 or Layer 2 FDB lookup instead.
Layer 2 direct pass-through enabled: connection tracking is still checked, but only key points such as NAT and the outbound interface are processed; other modules are ignored or skipped.
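As an added illustration (a constructed model, not Sangfor's code), the following Python simulates the two passes of the 1720 SYN described above: a session table that caches the egress port from the first pass, versus multiple-traversal behaviour that consults the VLAN FDB on the second pass. Port names, VLAN membership and the addresses are the ones from this case; the MAC labels and the TCP source port are assumptions.

```python
# Constructed model of the double-traversal forwarding fault (illustration only, not Sangfor code).
# Port-to-VLAN membership from the case: eth1/eth2 in VLAN 4001, eth3/eth4 in VLAN 1.
BRIDGE_OF = {"eth1": "vlan4001", "eth2": "vlan4001", "eth3": "vlan1", "eth4": "vlan1"}

# Assumed Layer 2 FDB: the port on which each (labelled) MAC was learned, per VLAN.
# "mac-182" stands for the 7506's routed interface 182, reachable from both VLANs.
FDB = {
    "vlan4001": {"mac-218.193": "eth1", "mac-182": "eth2"},
    "vlan1":    {"mac-182": "eth4", "mac-198.1": "eth3"},
}

def l2_lookup(in_if, dst_mac):
    """Bridge decision: egress port for dst_mac within the ingress port's VLAN."""
    return FDB[BRIDGE_OF[in_if]].get(dst_mac)  # None would mean flood (not modelled)

class AF:
    def __init__(self, multi_traversal):
        self.multi_traversal = multi_traversal
        self.conntrack = {}  # 5-tuple -> egress port cached from the first pass

    def forward(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], "tcp")
        cached = self.conntrack.get(key)
        if cached is not None and not self.multi_traversal:
            # Legacy path: the existing session decides the egress, ignoring that
            # the packet has now arrived on a port in a different VLAN.
            return cached
        out_if = l2_lookup(pkt["in_if"], pkt["dst_mac"])
        if cached is None:
            self.conntrack[key] = out_if  # first pass creates the session
        return out_if

def trace_call(multi_traversal):
    """Return (egress of pass 1, egress of pass 2) for the SYN to port 1720."""
    af = AF(multi_traversal)
    # Pass 1: SYN from the phone gateway, MAC-addressed to the 7506 (VLAN 4001 side).
    p1 = {"src": "218.193", "dst": "198.1", "sport": 40000, "dport": 1720,
          "in_if": "eth1", "dst_mac": "mac-182"}
    # Pass 2: same 5-tuple after the 7506 routed it, now carrying the city gateway's MAC.
    p2 = dict(p1, in_if="eth4", dst_mac="mac-198.1")
    return af.forward(p1), af.forward(p2)

if __name__ == "__main__":
    print("legacy:", trace_call(False))           # ('eth2', 'eth2') -> never reaches eth3
    print("multi-traversal:", trace_call(True))   # ('eth2', 'eth3')
```

The legacy run reproduces the capture in the troubleshooting steps: the second pass is sent back out eth2, while multiple traversal forwards it out eth3 as the FDB dictates.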
Solution
Configure multiple traversal for the second-pass traffic so that it is forwarded normally without checking connection tracking.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1980&isOpen=true