[AF] IPv6 reply packets do not match sessions – caused by advanced settings
Problem Description
On AF8045sp1, a virtual wire deployment uses IPv6 application control policies to achieve the control effect. After configuring a policy that allows all traffic from inside to outside, Internet access is still unavailable. Internet access works only after a policy that allows all traffic from outside to inside is also configured.

Effective troubleshooting steps
1. While pinging, capture packets to confirm that the data packets are forwarded normally and that the zones are not reversed:
With direct enabled, the ping packets are captured normally, and dual stack is enabled.


2. The direct display shows that the return packet is intercepted.

3. Close the direct packet capture and find that the reply packet is intercepted. 45sp1 has been merged into the IPv6 package:

4. Check the IPv6 sessions and find that no session is recorded:
cat /proc/net/nf_conntrack_v6

The session table is also not full:
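
The two checks in the last step (no session recorded, session table not full) can be scripted. This is an added example, not part of the original article or Sangfor tooling; it assumes the session file uses the standard Linux nf_conntrack text format and that no NAT rewrites the reply tuple, and the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample entries in the standard Linux nf_conntrack text format
# (assumed to match the appliance's /proc/net/nf_conntrack_v6 output).
SAMPLE_TABLE='ipv6     10 icmpv6   58 29 src=2001:db8:1::10 dst=2001:db8:2::20 type=128 code=0 id=4711 src=2001:db8:2::20 dst=2001:db8:1::10 type=129 code=0 id=4711 mark=0 use=2
ipv6     10 tcp      6 431999 ESTABLISHED src=2001:db8:1::11 dst=2001:db8:2::80 sport=51514 dport=443 src=2001:db8:2::80 dst=2001:db8:1::11 sport=443 dport=51514 [ASSURED] mark=0 use=2'

# has_session SRC DST (table on stdin): succeeds when an entry has the
# original tuple SRC->DST and the reply tuple DST->SRC. Without such an
# entry, the reply packet can only pass if a policy allows it explicitly.
has_session() {
    awk -v s="$1" -v d="$2" '
        {
            n = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
                if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
            }
            if (n >= 2 && src[1] == s && dst[1] == d &&
                src[2] == d && dst[2] == s) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# table_full COUNT MAX: succeeds when the session table has no free slots.
table_full() { [ "$1" -ge "$2" ]; }

# diagnose SRC DST COUNT MAX (table on stdin): prints one verdict.
diagnose() {
    if has_session "$1" "$2"; then
        echo session-present
    elif table_full "$3" "$4"; then
        echo table-full                   # new sessions cannot be created
    else
        echo no-session-table-not-full    # the situation described above
    fi
}

# Run against the constructed sample; prints "session-present".
printf '%s\n' "$SAMPLE_TABLE" | diagnose 2001:db8:1::10 2001:db8:2::20 120 65536

# Live use (paths other than nf_conntrack_v6 are standard Linux, assumed here):
#   diagnose SRC DST "$(cat /proc/sys/net/netfilter/nf_conntrack_count)" \
#       "$(cat /proc/sys/net/netfilter/nf_conntrack_max)" < /proc/net/nf_conntrack_v6
```

A verdict of no-session-table-not-full while the ping is running matches the state found in this case, where the missing session was not explained by table exhaustion.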

Root cause
The problem was finally traced to the advanced settings being turned on, which causes sessions to be mismatched:

Solution
[High-risk operation]
Turn off the advanced settings function. Turning off this function restarts the console and may cause fluctuations in packet forwarding, so it must be done outside business hours.
Suggestions and Conclusion
As of AF8045, it is not recommended to enable advanced configuration in [System] – [General Configuration] – [Network Parameters] in any NGAF scenario.

When troubleshooting low-probability problems in the future, check whether the advanced settings are turned on.
Original Link
https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1442&isOpen=true