[AF] After an ACL permitting lan->wan is enabled, the intranet host still cannot access the Internet
Problem Description
Search keywords: intranet host cannot access the Internet, ACL, permit
Phenomenon
After an ACL permitting lan->wan traffic is enabled on the AF, the intranet host still cannot access the Internet (ping 114).
The Network topology is shown below

Effective troubleshooting steps
- Packet capture shows that the host's outbound traffic passes through the AF normally, but no return packet is received.
- After an ACL permitting wan->lan is enabled, or all ACLs are enabled, the intranet host can access the Internet normally. From this it can be inferred that the upstream device is Layer 3 capable and the problem does not lie at Layer 3.
- After enabling directional direct access, the intranet host still cannot access the Internet.
- After enabling global direct access, the intranet host can access the Internet normally, and the interception records show that a large amount of AD ping Critical switch traffic is being intercepted. It is speculated that the upstream device AD is configured with link detection, but the AF intercepts these link detection packets, causing the AD to consider the Critical switch down and therefore not forward the return packets. This is why no return packet is seen when capturing packets on the AF.
- After an ACL permits the AD ping Critical switch link detection traffic, the intranet host can access the Internet normally.
Root cause
Link detection runs between the AD and the Critical switch, but the AF does not allow it to pass. The AD therefore considers the Critical switch down and stops forwarding return packets to it.
Solution
Add an ACL on the AF that permits the link detection traffic from AD->Critical switch.
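To make the failure mode concrete, here is an added toy model of a zone-based, first-match ACL with a stateful session table; it is not Sangfor AF code, and all addresses, zone names and the probe protocol (ICMP) are constructed assumptions. It shows why a lan->wan permit alone lets the host's outbound session and its reply through, while the AD's unsolicited probe to the switch arrives wan->lan, matches no session and falls to the default deny until an explicit permit is added.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    src_zone: str
    dst_zone: str


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    proto: str  # "any" or a protocol name
    action: str  # "permit" or "deny"

    def matches(self, f: Flow) -> bool:
        return (self.src_zone == f.src_zone and self.dst_zone == f.dst_zone
                and ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and self.proto in ("any", f.proto))


def evaluate(rules, flow, sessions):
    """First-match ACL; replies to a permitted session bypass the ACL; default deny."""
    if (flow.dst, flow.src, flow.proto) in sessions:
        return "permit (session)"
    for r in rules:
        if r.matches(flow):
            if r.action == "permit":
                sessions.add((flow.src, flow.dst, flow.proto))
            return r.action
    return "deny (default)"


# Constructed flows: host behind the switch pings the Internet; AD (upstream of AF) probes the switch.
HOST_OUT = Flow("10.0.0.10", "114.114.114.114", "icmp", "lan", "wan")
HOST_REPLY = Flow("114.114.114.114", "10.0.0.10", "icmp", "wan", "lan")
AD_PROBE = Flow("192.168.1.2", "192.168.1.1", "icmp", "wan", "lan")

BEFORE = [Rule("lan", "wan", "10.0.0.0/24", "0.0.0.0/0", "any", "permit")]
# Fix from this case: explicitly permit the AD -> switch link detection traffic.
AFTER = [Rule("wan", "lan", "192.168.1.2/32", "192.168.1.1/32", "icmp", "permit")] + BEFORE


def run_scenario(rules):
    sessions = set()
    return {"host_out": evaluate(rules, HOST_OUT, sessions),
            "host_reply": evaluate(rules, HOST_REPLY, sessions),
            "ad_probe": evaluate(rules, AD_PROBE, sessions)}
```

In the model the host's own traffic is fine in both rule sets; only the AD probe changes from "deny (default)" to "permit" once the wan->lan rule is added, which is exactly the symptom and fix the case describes.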
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1835&isOpen=true