[IAG] After bridge-mode deployment, the intranet cannot reach the Internet: the routing configuration of the egress device is wrong
Problem Description
The customer's IAG bridge is deployed and placed between the egress device and the Core Switch. After access, the intranet cannot access the Internet.
Process
- Enabling direct pass-through on the IAG does not restore Internet access.
- The core switch can ping the egress firewall; an intranet computer can ping the IAG but cannot ping the firewall.
- With the intranet computer pinging the firewall, a packet capture shows the firewall's reply arriving on the IAG WAN port, but the IAG does not forward it out of the LAN port.
- The destination MAC of the firewall's reply packet is the MAC address of the IAG WAN port, so the next hop of the firewall's route to the intranet is the IAG bridge port address. Because the IAG is deployed as a transparent bridge and does not perform routing, it does not forward a frame addressed to its own port, and the intranet is unreachable.
Solution
Change the firewall's route to the intranet so that its next hop is the Core Switch, not the IAG bridge port address.
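The diagnosis and the fix above can be modelled in a few lines. The following Python is an added example, not part of the Sangfor case or the IAG product: it shows why a transparent bridge does not forward a frame whose destination MAC is its own port, and checks whether an egress firewall's next hop for the intranet resolves (via its ARP cache) to a bridge port rather than the core switch. All MAC and IP addresses, the `Frame` class, and the helper names are constructed sample values, not the customer's network.

```python
"""Constructed example: model a transparent bridge's forwarding decision and
check whether a firewall's intranet route points at the bridge instead of the
core switch. Addresses below are invented for illustration."""
from dataclasses import dataclass

# Assumed interface MACs (constructed, not from the case).
IAG_WAN_MAC = "00:11:22:aa:bb:01"   # IAG bridge WAN-side port
IAG_LAN_MAC = "00:11:22:aa:bb:02"   # IAG bridge LAN-side port
CORE_SW_MAC = "00:11:22:cc:dd:01"   # core switch uplink interface
BRIDGE_OWN_MACS = {IAG_WAN_MAC, IAG_LAN_MAC}


@dataclass(frozen=True)
class Frame:
    """Minimal Ethernet/IP header fields from a captured packet."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


def bridge_action(frame: Frame, own_macs: set) -> str:
    """Decide what a transparent bridge does with a frame.

    A bridge switches frames between its ports by destination MAC. A frame
    addressed to one of the bridge's own port MACs is delivered to the bridge
    itself; since the bridge does no L3 routing, it is not sent on to the LAN
    port. That is the symptom seen in the packet capture.
    """
    own = {m.lower() for m in own_macs}
    if frame.dst_mac.lower() in own:
        return "consumed-locally"
    return "forwarded"


def diagnose_firewall_route(next_hop_ip: str, arp_table: dict, own_macs: set) -> str:
    """Resolve the firewall's next hop through its ARP cache.

    If the next-hop IP maps to a bridge port MAC, the firewall's route to the
    intranet targets the bridge rather than the core switch, and replies will
    be addressed to the bridge port and dropped there.
    """
    mac = arp_table.get(next_hop_ip)
    if mac is None:
        return "unresolved"
    if mac.lower() in {m.lower() for m in own_macs}:
        return "next-hop-is-bridge"
    return "ok"


# Constructed firewall ARP cache: which MAC each candidate next hop resolves to.
ARP_TABLE = {
    "192.168.1.2": IAG_WAN_MAC,   # assumed IAG bridge port IP
    "192.168.1.3": CORE_SW_MAC,   # assumed core switch uplink IP
}


def check_intranet_route(next_hop_ip: str) -> str:
    """Check one candidate next hop for the firewall's intranet route."""
    return diagnose_firewall_route(next_hop_ip, ARP_TABLE, BRIDGE_OWN_MACS)


def main() -> None:
    # The firewall's reply as seen on the IAG WAN port: destination MAC is the
    # bridge's own WAN port, so the bridge keeps it instead of forwarding it.
    reply = Frame(src_mac="00:11:22:ff:ee:01", dst_mac=IAG_WAN_MAC,
                  src_ip="192.168.1.1", dst_ip="10.10.5.20")
    print("bridge action on firewall reply:", bridge_action(reply, BRIDGE_OWN_MACS))
    print("next hop 192.168.1.2 (IAG port):", check_intranet_route("192.168.1.2"))
    print("next hop 192.168.1.3 (core switch):", check_intranet_route("192.168.1.3"))


if __name__ == "__main__":
    main()
```

In practice the same check is done by comparing the destination MAC in the capture against the IAG's interface MACs and then inspecting the firewall's route and ARP entries; once the route's next hop is the core switch's address, the reply is addressed to the core switch's MAC and the bridge forwards it normally.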
Original Link
https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=7265&isOpen=true