[AF] Application control policies do not take effect when traffic is GRE-encapsulated
Problem Description
The AF is deployed in virtual wire mode and bidirectional application control has been enabled, but the service is still inaccessible and the ping test fails. Everything works normally when direct access is enabled.

Effective troubleshooting steps
- Packet captures filtered on the server or client IP return no data, with or without the VLAN filter.
- The problem was finally confirmed by pinging with a distinctive packet length. The application control policy was not taking effect because the data was wrapped in a layer of GRE encapsulation.

Root cause
Application control does not take effect because the traffic is encapsulated in a GRE header.
Solution
Add the GRE protocol to the existing policy so that the traffic is allowed through.
Suggestions and Conclusion
Summary of the reasons why data packets cannot be captured:
- The data packet cannot be captured because of the VLAN tag. You need to capture with the VLAN tag in the filter; for example, tcpdump -i ethx vlan and host IP -nn
- SNAT exists in the environment, so packets cannot be captured by filtering on the source IP.
- The OSPF protocol exists in the environment. When direct connection is enabled, Layer 3 is reachable and the data flows normally. However, when the OSPF protocol is not enabled, Layer 3 routes cannot be learned, so no data can be captured and the traffic fails.
- Protocol encapsulation exists in the environment, such as GRE or QinQ, which prevents the data from being captured.
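
The VLAN/QinQ and GRE cases from the list above, as an added example that is not part of the original article: the Python code below walks a frame's headers to show where the client or server IP actually sits and which tcpdump filter would see the frame. The frame, addresses and function names are constructed for illustration; `ip proto 47` is the standard pcap filter expression for GRE.

```python
import socket
import struct
VLAN_TPIDS = {0x8100, 0x88A8}  # 802.1Q tag and 802.1ad (QinQ) outer tag
GRE = 47                       # IP protocol number of GRE

def ipv4(src, dst, proto, payload=b""):  # minimal IPv4 header, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse_ipv4(buf):  # -> (src, dst, protocol, payload)
    ihl = (buf[0] & 0x0F) * 4
    return socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[9], buf[ihl:]

def describe(frame):
    """Walk Ethernet -> VLAN tag(s) -> IPv4 -> GRE -> inner IPv4."""
    info = {"layers": ["eth"], "outer": None, "inner": None}
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    while etype in VLAN_TPIDS:  # each tag shifts the IP header by 4 bytes
        info["layers"].append("vlan")
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype != 0x0800:
        return info
    src, dst, proto, payload = parse_ipv4(frame[off + 2:])
    info["layers"].append("ipv4")
    info["outer"] = (src, dst)
    if proto == GRE and len(payload) >= 4:
        flags, inner_type = struct.unpack_from("!HH", payload)
        # optional checksum (C), key (K), sequence (S) fields: 4 bytes each
        gre_len = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        info["layers"].append("gre")
        if inner_type == 0x0800:
            info["layers"].append("ipv4")
            info["inner"] = parse_ipv4(payload[gre_len:])[:2]
    return info

def capture_filter(frame, ip):
    """tcpdump filter that matches this frame when hunting for traffic of `ip`."""
    info = describe(frame)
    prefix = "vlan and " * info["layers"].count("vlan")
    if info["inner"] and ip in info["inner"]:
        return prefix + "ip proto 47"  # `host` would test only the tunnel header
    return prefix + "host " + ip

# Constructed sample (made-up addresses): VLAN 100, GRE 10.0.0.1 -> 10.0.0.2 carrying ICMP
INNER = ipv4("192.168.1.10", "192.168.2.20", 1, bytes(8))
SAMPLE = (bytes(12) + struct.pack("!HHH", 0x8100, 100, 0x0800)
          + ipv4("10.0.0.1", "10.0.0.2", GRE, struct.pack("!HH", 0, 0x0800) + INNER))
```

For the sample frame, `capture_filter(SAMPLE, "192.168.1.10")` returns `vlan and ip proto 47`: the client address is only in the inner header, so a capture filtered on `host 192.168.1.10` stays empty.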
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=943&isOpen=true