
[AF] Network inaccessible due to incorrect next-hop configuration in policy routing

Problem Description

The customer added a public network line. After configuration, the network on this line was not accessible: traffic reached the firewall but was not forwarded.

Effective troubleshooting steps

  1. The fault was determined to be on the device, which runs AF8.0.75. The gift package was not fully installed, so it was installed first. The network did not recover, so this is not a known problem.

  2. Enabled direct/whitelist analysis. The network did not recover, so the traffic is not being intercepted by a policy.

  3. Based on the steps above, the problem is probably at Layer 3 (routing). A route matching test confirmed that the traffic matches the policy route just configured, the Test Policy Match check confirmed that the NAT policy is matched, and the public network port has learned the gateway MAC.

  4. At this point the device is confirmed to be dropping packets, but the simulation tools on the page cannot locate the problem. Use the packet-trace function to debug the data flow and determine the root cause (see "[AF] Introduction to the new architecture packet-trace command for message tracing"). The debugging output is as follows:

  5. The debugging results show that the MAC of the next hop was not learned, even though MAC learning on the public network port is normal. There is a pitfall here: the traffic is matched by policy routing, so the next hop configured in the policy route is the one used for forwarding. Checking the configuration showed that the customer had configured an incorrect next hop for the policy route, which made the policy route ineffective:

Root cause

When configuring the policy route, the customer set an incorrect next hop, so the policy route failed to take effect.

Solution

Correct the incorrectly configured next hop in the policy route.
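
The pitfall from step 5, as an added example (not part of the original article and not Sangfor code): a Python check that compares each policy route's next hop with the egress interface's subnet and learned MAC entries. The interface, ARP and route data are constructed samples, and the dictionary layout is an assumption, not an AF export format.

```python
import ipaddress

# Constructed sample data (assumed layout, not exported from a real device).
INTERFACES = {"eth3": {"ip": "203.0.113.10/29", "gateway": "203.0.113.9"}}
ARP_TABLE = {"eth3": {"203.0.113.9": "00:11:22:33:44:55"}}
POLICY_ROUTES = [
    {"name": "new-isp-line", "out_if": "eth3", "next_hop": "203.0.113.19"},
    {"name": "good-line", "out_if": "eth3", "next_hop": "203.0.113.9"},
]


def check_policy_route(route, interfaces, arp_table):
    """Return a list of findings for one policy route (empty list = OK)."""
    iface = interfaces.get(route["out_if"])
    if iface is None:
        return [f"egress interface {route['out_if']} does not exist"]

    findings = []
    net = ipaddress.ip_interface(iface["ip"]).network
    hop = ipaddress.ip_address(route["next_hop"])
    learned = arp_table.get(route["out_if"], {})

    # A next hop outside the connected subnet can never be resolved to a MAC.
    if hop not in net:
        findings.append(f"next hop {hop} is outside {net} on {route['out_if']}")
    # Forwarding needs the MAC of the policy route's next hop specifically.
    if str(hop) not in learned:
        findings.append(f"no MAC learned for next hop {hop}")
    # The misleading case: the port's gateway MAC is learned, so the port
    # looks healthy, but the policy route forwards to a different address.
    gw = iface["gateway"]
    if str(hop) != gw and gw in learned and str(hop) not in learned:
        findings.append(f"gateway {gw} MAC is learned, but route uses {hop}")
    return findings


def audit(routes, interfaces, arp_table):
    """Map each policy route name to its findings."""
    return {r["name"]: check_policy_route(r, interfaces, arp_table)
            for r in routes}


if __name__ == "__main__":
    for name, findings in audit(POLICY_ROUTES, INTERFACES, ARP_TABLE).items():
        print(name, "OK" if not findings else findings)
```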

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=2435&isOpen=true