
[IAG] Enabling direct pass does not take effect, and no direct pass log is generated

Problem Description

A customer's website is inaccessible. Direct pass was enabled for the test IP, but it did not take effect and there was no direct pass log.

Process

  1. First, direct pass was enabled for the test IP. The web page still could not be accessed, and there was no direct pass log.
  2. The denied page was opened, and it showed that the traffic matched an application under the Internet policy's application control. The user was looked up in online user management to check which policies were matched, and the corresponding denied applications were allowed. It was found that the web page could be accessed normally.
  3. Packets were captured on the LAN port, and the capture showed that the traffic to the web page did not pass through this IAG. This suggested that the customer might have another IAG and that the user's data flow did not pass through this device. The high availability settings in the network configuration were checked, and the customer was found to have another IAG configured in master-master mode with this one. After logging in to the console of the other IAG and enabling direct pass for the test IP, direct pass took effect and a direct pass log was generated.
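
The check in step 3, as an added example that is not part of the original case: a Python script that reads a classic pcap taken on an IAG's LAN port and lists the TCP/UDP flows involving the test IP, where an empty result means that user's traffic takes another path. The function names, the IP addresses (documentation ranges) and the sample captures are constructed for illustration.

```python
import socket
import struct

def build_pcap(flows):
    """Constructed sample: a classic pcap (Ethernet) with one TCP SYN per (src, dst, dport)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for src, dst, dport in flows:
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def flows_for_ip(pcap, test_ip):
    """Return the (src, dst, dport) TCP/UDP flows in the capture that involve test_ip."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic microsecond pcap file")
    seen, off = set(), 24                      # 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        l3 = 14
        if frame[12:14] == b"\x81\x00":        # skip one 802.1Q VLAN tag
            l3 = 18
        if len(frame) < l3 + 20 or frame[l3 - 2:l3] != b"\x08\x00":
            continue                           # not IPv4
        l4 = l3 + (frame[l3] & 0x0F) * 4       # IPv4 header length from IHL
        if frame[l3 + 9] not in (6, 17) or len(frame) < l4 + 4:
            continue                           # not TCP/UDP, or truncated
        src = socket.inet_ntoa(frame[l3 + 12:l3 + 16])
        dst = socket.inet_ntoa(frame[l3 + 16:l3 + 20])
        if test_ip in (src, dst):
            seen.add((src, dst, struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]))
    return seen

# Constructed captures: one per IAG of the master-master pair (not data from the case).
THIS_IAG = build_pcap([("192.0.2.20", "198.51.100.7", 443)])
PEER_IAG = build_pcap([("192.0.2.10", "198.51.100.7", 443)])
TEST_IP = "192.0.2.10"
print("this IAG:", flows_for_ip(THIS_IAG, TEST_IP) or "no traffic from test IP")
print("peer IAG:", flows_for_ip(PEER_IAG, TEST_IP))
```

Run it against a capture from each device: the IAG whose capture contains the test IP's flows is the one where direct pass has to be enabled.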

Root Cause

The IAGs are deployed in master-master mode, and the test computer's data flow to the web page goes through the other IAG.

Solution

Use different IAGs to control the data flow direction of different users.

Suggestions and Conclusion

By capturing packets and analyzing the direction of data flow, we can better help locate the cause of the problem.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=22&type=1&category_id=5963&isOpen=true