
[AF] In a multi-exit environment, a policy route specifies that a certain network segment uses only a certain interface, but when that interface's line is unplugged, traffic switches to another exit.

Problem Description

The customer has a multi-exit (multiple WAN line) environment. Source-address policy routes are configured so that the 192.168.1.0/24 network segment goes out only through the eth3 interface, and the 192.168.3.0/24 network segment goes out only through the eth1 interface. However, after the eth3 line is unplugged, the 192.168.1.0/24 network segment switches to the eth1 port to access the Internet.

Process

  1. In [Network] – [Interfaces/Zones], check that the interfaces with the WAN attribute are all dial-up ports.
  2. In [Network] – [Layer 3], open All Routes and confirm that the dial-up port has generated a default route.
  3. Find the corresponding dial-up port in [Network] – [Interfaces/Zones] and uncheck the option to add a default route in the dial-up configuration.

Root cause

The exits are ADSL dial-up lines, and the option to add a default route is enabled on the dial-up ports. Even if a dial-up line is unplugged, which makes the corresponding policy route invalid, the intranet network segment can still match the default route of another dial-up port and access the Internet.

Solution

Find the corresponding dial-up port in [Network] – [Interfaces/Zones] and uncheck the option to add a default route in the dial-up configuration.
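
The fall-through described under Root cause, modelled as an added Python example (not the article's or Sangfor's code). It assumes policy routes are evaluated before default routes and that a route on a down interface is skipped; the function names `egress` and `failover_leaks` are hypothetical, and the second call assumes the option is unchecked on both dial-up ports.

```python
import ipaddress

def egress(src, policy_routes, default_routes, link_up):
    """Return the interface a packet from src leaves by, or None if dropped.

    Assumed lookup order: policy routes first; a route whose interface is
    down is invalid and skipped, then lookup falls through to default routes.
    """
    addr = ipaddress.ip_address(src)
    for net, iface in policy_routes:
        if addr in ipaddress.ip_network(net) and link_up.get(iface, False):
            return iface
    for iface in default_routes:
        if link_up.get(iface, False):
            return iface
    return None

def failover_leaks(policy_routes, default_routes, interfaces):
    """For each pinned segment, take its pinned interface down and report
    (segment, pinned_iface, actual_iface) if traffic still gets out."""
    leaks = []
    for net, pinned in policy_routes:
        link_up = {i: i != pinned for i in interfaces}
        host = str(next(ipaddress.ip_network(net).hosts()))
        actual = egress(host, policy_routes, default_routes, link_up)
        if actual is not None:
            leaks.append((net, pinned, actual))
    return leaks

# Segments and interfaces as given in the article.
POLICY = [("192.168.1.0/24", "eth3"), ("192.168.3.0/24", "eth1")]
IFACES = ["eth1", "eth3"]

if __name__ == "__main__":
    # "Add default route" checked on both dial-up ports (the reported state):
    # each pinned segment fails over to the other exit.
    print(failover_leaks(POLICY, ["eth1", "eth3"], IFACES))
    # Option unchecked: no default route to fall through to, so the pinned
    # segment loses Internet access instead of changing exits.
    print(failover_leaks(POLICY, [], IFACES))
```
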

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=705&isOpen=true