AR 2200 the intranet users can’t connect to internet.

Created: Oct 18, 2018 17:03:51   Latest reply: Oct 31, 2018 09:25:19

Version AR2200 V200R006C10SPC300PWE

Issue Description: The intranet users can't connect to the Internet.

 

Problem Analysis:

1. Intranet terminals can ping the egress router AR2220 normally, but cannot ping the WAN-side gateway.

2. From the egress router AR2220 itself, pinging the WAN-side gateway is normal.

From this it can be inferred that the NAT table is being generated abnormally.

3. The router's NAT session table holds about 110,000 entries, and the memory display shows no memory left for establishing new NAT sessions.

4. Looking at the contents of the NAT session table, a large share of the entries are to port 445.

5. After the NAT session table is reset, the number of NAT session entries climbs rapidly again, and the port-445 entries take up most of the resources.

From this we conclude that either a user service genuinely uses port 445, or the user does not use the port at all and the port-445 traffic is being sent by terminals that are no longer under the user's control.

6. Configure a traffic policy on the egress router AR2220 to block port 445.

After communicating with the user, it was confirmed that port 445 is not used. Once the traffic policy blocking port 445 was applied on the router's intranet interface, the intranet terminals could access the Internet normally, and the NAT table returned to normal.
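The check in steps 3 to 5 is easier to repeat if the session table is summarised rather than read by eye. The following Python script is an added example, not part of the original post and not Huawei tooling: it parses a constructed, simplified session dump (protocol, inside address:port, destination address:port; the real output format of the router's NAT session display differs and the regular expression would have to be adjusted to it), reports what fraction of the table is destined to port 445, and lists the internal hosts that hold many port-445 sessions to many distinct destinations, which is the pattern of an SMB-scanning host rather than legitimate file sharing.

```python
"""Summarise a NAT session dump to spot a port-445 flood and its sources.

Added example, not part of the original post.  The line format parsed
here is a constructed, simplified one; a real router dump differs and
SESSION_RE must be adapted to it.
"""
import re
from collections import Counter

# Constructed line format: "<PROTO> <src>:<sport> -> <dst>:<dport>"
SESSION_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample dump: three ordinary flows plus two internal hosts
# (assumed addresses) probing tcp/445 on many different external hosts.
SAMPLE_DUMP = "\n".join(
    ["TCP 192.168.1.20:51234 -> 203.0.113.10:443",
     "UDP 192.168.1.21:50000 -> 203.0.113.53:53",
     "TCP 192.168.1.22:52000 -> 203.0.113.11:80"]
    + [f"TCP 192.168.1.77:{40000 + i} -> 198.51.100.{i % 254 + 1}:445"
       for i in range(120)]
    + [f"TCP 192.168.1.88:{41000 + i} -> 198.51.100.{i % 254 + 1}:445"
       for i in range(60)]
)


def parse_sessions(dump):
    """Return one dict per parseable line; unparseable lines are skipped."""
    sessions = []
    for line in dump.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(m.groupdict())
    return sessions


def port_share(sessions):
    """Fraction of the table consumed by each destination port."""
    total = len(sessions)
    counts = Counter(s["dport"] for s in sessions)
    return {p: n / total for p, n in counts.items()} if total else {}


def suspect_sources(sessions, dport="445", threshold=20):
    """Internal hosts holding more than `threshold` sessions to `dport`.

    For each host also count distinct destinations: many sessions to many
    different targets is scanning, not a file server being used.
    """
    by_src = {}
    for s in sessions:
        if s["dport"] != dport:
            continue
        entry = by_src.setdefault(s["src"], {"sessions": 0, "targets": set()})
        entry["sessions"] += 1
        entry["targets"].add(s["dst"])
    return {src: {"sessions": e["sessions"], "targets": len(e["targets"])}
            for src, e in by_src.items() if e["sessions"] > threshold}


def report(dump):
    """Table size, share of port-445 entries, and the hosts responsible."""
    sessions = parse_sessions(dump)
    return {
        "total": len(sessions),
        "share_445": port_share(sessions).get("445", 0.0),
        "suspects": suspect_sources(sessions),
    }


if __name__ == "__main__":
    r = report(SAMPLE_DUMP)
    print(f"{r['total']} sessions, {r['share_445']:.0%} of them to port 445")
    for host, info in sorted(r["suspects"].items(),
                             key=lambda kv: -kv[1]["sessions"]):
        print(f"  {host}: {info['sessions']} sessions to tcp/445 "
              f"across {info['targets']} distinct targets")
```

Run it against a saved dump; the hosts returned by suspect_sources are the ones to isolate and clean (measure 2 of the corrective action), which the traffic policy on the router alone does not do.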

 

Root Cause: The NAT session table is filled with port-445 sessions that consume most of the forwarding resources. As a result, no forwarding resources are left and new sessions cannot be NAT-translated.

 

Corrective Action: Not blocking port 445 carries the following risks:

1. Port 445 (SMB) is the port through which users access shared folders and shared printers on a local area network, but for exactly that reason it is also a favourite target for attackers.

2. A large number of packets to port 445 quickly consume a large number of entries in the router's resources; in severe cases the router becomes unusable.

To avoid the damage caused by port-445 packets, we suggest the following measures:

1. Configure a traffic policy on the router's intranet-facing interface that blocks port 445. Once the policy is applied to the interface, the device drops packets with destination port 445 before forwarding them, so no NAT entries are created for them.

The traffic policy configuration is below:

acl number 3333
 rule 5 permit tcp destination-port eq 445
 rule 10 permit udp destination-port eq 445
#
traffic classifier virus operator or
 if-match acl 3333
#
traffic behavior virus
 deny
#
traffic policy virus
 classifier virus behavior virus
#
interface GigabitEthernet0/0/0
 traffic-policy virus inbound
 traffic-policy virus outbound
#
interface GigabitEthernet0/0/1
 traffic-policy virus inbound
 traffic-policy virus outbound
#

The inbound policy on the intranet-facing interface is the one that stops NAT entries from being created; applying the same policy outbound, and on the WAN-facing interface as well, additionally drops any port-445 traffic arriving from the Internet, so no port-445 packet passes through the router in either direction.
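The chain ACL -> classifier -> behavior -> policy -> interface only takes effect if every link refers to something that is defined and the policy is actually bound to an interface. The Python script below is an added example, not part of the original post and not Huawei tooling: it parses a constructed configuration fragment (the chain above plus a deliberately dangling "traffic policy 3334" bound to a classifier and behavior that are never defined) with a minimal parser that understands only the commands used here, and reports every dangling reference, an ACL with no rules, a behavior that does not deny, and a policy that is not applied to any interface.

```python
"""Cross-check a VRP traffic-policy chain for dangling references.

Added example, not Huawei's tooling.  The parser only understands the
handful of commands used in the post's configuration (acl number,
traffic classifier/behavior/policy, interface, and their sub-commands).
"""

# Constructed fragment: the post's chain plus a dangling policy 3334.
CONFIG = """\
acl number 3333
 rule 5 permit tcp destination-port eq 445
 rule 10 permit udp destination-port eq 445
#
traffic classifier virus operator or
 if-match acl 3333
#
traffic behavior virus
 deny
#
traffic policy virus
 classifier virus behavior virus
traffic policy 3334
 classifier 3334 behavior 3334
#
interface GigabitEthernet0/0/0
 traffic-policy virus inbound
 traffic-policy virus outbound
#
interface GigabitEthernet0/0/1
 traffic-policy virus inbound
 traffic-policy virus outbound
#
"""

# The same fragment with the unfinished policy removed.
CLEAN_CONFIG = CONFIG.replace(
    "traffic policy 3334\n classifier 3334 behavior 3334\n", "")


def parse(config):
    """Collect ACLs, classifiers, behaviors, policies and interface bindings."""
    acls, classifiers, behaviors, policies, interfaces = {}, {}, {}, {}, {}
    current = None  # (kind, name) of the block being read
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "#":
            continue
        tok = line.split()
        if not line.startswith(" "):          # top-level block header
            if tok[:2] == ["acl", "number"]:
                current = ("acl", tok[2]); acls[tok[2]] = []
            elif tok[:2] == ["traffic", "classifier"]:
                current = ("classifier", tok[2]); classifiers[tok[2]] = []
            elif tok[:2] == ["traffic", "behavior"]:
                current = ("behavior", tok[2]); behaviors[tok[2]] = []
            elif tok[:2] == ["traffic", "policy"]:
                current = ("policy", tok[2]); policies[tok[2]] = []
            elif tok[0] == "interface":
                current = ("interface", tok[1]); interfaces[tok[1]] = []
            else:
                current = None
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "acl" and tok[0] == "rule":
            acls[name].append(" ".join(tok))
        elif kind == "classifier" and tok[:2] == ["if-match", "acl"]:
            classifiers[name].append(tok[2])
        elif kind == "behavior":
            behaviors[name].append(" ".join(tok))
        elif kind == "policy" and tok[0] == "classifier" and tok[2] == "behavior":
            policies[name].append((tok[1], tok[3]))
        elif kind == "interface" and tok[0] == "traffic-policy":
            interfaces[name].append((tok[1], tok[2]))
    return acls, classifiers, behaviors, policies, interfaces


def check(config):
    """Return a list of problems; an empty list means the chain is intact."""
    acls, classifiers, behaviors, policies, interfaces = parse(config)
    problems = []
    for c, refs in classifiers.items():
        for a in refs:
            if a not in acls:
                problems.append(f"classifier {c} references undefined acl {a}")
            elif not acls[a]:
                problems.append(f"acl {a} used by classifier {c} has no rules")
    for p, pairs in policies.items():
        if not pairs:
            problems.append(f"policy {p} has no classifier/behavior binding")
        for c, b in pairs:
            if c not in classifiers:
                problems.append(f"policy {p} references undefined classifier {c}")
            if b not in behaviors:
                problems.append(f"policy {p} references undefined behavior {b}")
            elif "deny" not in behaviors[b]:
                problems.append(f"behavior {b} in policy {p} does not deny")
    applied = {p for pairs in interfaces.values() for p, _ in pairs}
    for p in policies:
        if p not in applied:
            problems.append(f"policy {p} is not applied to any interface")
    for i, pairs in interfaces.items():
        for p, _ in pairs:
            if p not in policies:
                problems.append(f"interface {i} applies undefined policy {p}")
    return problems


if __name__ == "__main__":
    for problem in check(CONFIG) or ["no problems found"]:
        print(problem)
```

Paste the relevant part of the running configuration into CONFIG to re-check a device; a non-empty result from check means the port-445 block is not actually in force on every interface it is meant to protect.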

 

2. Troubleshoot terminal infections

Although the traffic policy on the router works around the problem, such packets still consume intranet bandwidth and may cause other unpredictable problems. It is recommended to run anti-virus on the network terminals and to disable port 445 on them.

3. Upgrade the AR version

The running version is V200R006 with no patch installed, so install the patch or upgrade to V200R007C00SPCb00.

 


Torrent   Created Oct 18, 2018 17:05:01   Helpful(1)

"The NAT session table has many port 445 sessions that consume most of the forwarding resources; as a result the forwarding resources are not enough and new sessions cannot be NAT-translated."

This is very important in our daily work; it helps me a lot.

I am very interested in this post, which is very helpful for our daily troubleshooting. I often have similar problems in my daily work but did not know how to deal with them. Now I have a clear idea. Thank you very much for sharing. I hope you keep updating like this. This post was last edited by Torrent at 2018-10-22 13:52.

Finn92  Visitor   Created Oct 18, 2018 17:09:49   Helpful(0)

In this post I not only learned about configuring NAT, but also learned about the risk of port 445. Very helpful.

Not blocking port 445 may bring the following risks:

1. Port 445 is a mixed port with which users can easily access various shared folders or shared printers on a local area network, but it is precisely because of this that hackers have an advantage.

2. A large number of packets to port 445 will quickly occupy a large number of entries in the router's resources; in serious cases the router can't be used.

This post was last edited by Finn92 at 2018-10-31 16:33.

SupperRobin   Created Oct 18, 2018 17:16:05   Helpful(0)

Generally, users within a VPN can only communicate with other users in the same VPN. They cannot communicate with users on the Internet or connect to the Internet. However, VPN sites may need to access the Internet. To implement interconnection between a VPN and the Internet, the following conditions must be met:
    The devices in the VPN that need to access the Internet have reachable routes to the Internet.
    Routes are available from the Internet to the devices in the VPN.
    Similar to interconnection between non-VPN users and the Internet, security mechanisms such as firewalls must be used.

This post was last edited by SupperRobin at 2018-10-31 15:02.

littlestone   Created Oct 18, 2018 18:58:12   Helpful(0)

It's so great.
This post is novel in concept, with unique ingenuity, clear passages, different plots, ups and downs, distinct lines, and fascinating literary skill. Every word can be described as a classic sentence; it is a model that my generation should learn from.
I was already disappointed with this community. I felt that this community had no future, and my heart was full of sorrow. But after reading this post, I have hope for the community again. It is you who rekindled the fire of hope in my heart. It is you who revived my heart. You saved my cold heart!
Originally, I had decided not to reply to any posts in the community, but after reading your post, I told myself that this post must be replied to! This is a rare post, rare for a hundred years! Heaven has eyes, letting me see such a wonderful post this year.

faysalji  Visitor   Created Oct 18, 2018 19:18:07   Helpful(0)

Good Case, thanks

If you think my post/reply is useful, please click the Helpful button and flag my post as a BEST ANSWER. Thanks
No.9527  Visitor   Created Oct 19, 2018 11:29:19   Helpful(0)

The default value of the CollectorMaxDelay field in LACPDUs sent by devices of different versions to a connected non-Huawei device differs, which may cause high CPU usage. You can run the lacp collector delay command to set the value of the CollectorMaxDelay field in LACPDUs. This post was last edited by No.9527 at 2018-10-31 14:58.

lizhi94   Created Oct 19, 2018 17:28:51   Helpful(0)

I have acquired a lot of knowledge, which encourages me to go ahead towards an excellent level.
The post is also useful and practical to me, and brings knowledge of network technology to us.
At the same time, this post offers a nice reference for "AR 2200 the intranet users can't connect to internet". This is a rare post, rare for a hundred years! Heaven has eyes, letting me see such a wonderful post this year.
Thank you very much for sharing. I hope you keep updating like this.

yangyong  Visitor   Created Oct 19, 2018 17:37:45   Helpful(0)

From your case I learned an easy way to fix the same issue I have. Thank you so much! But I still have some questions about your sharing. Can you explain in more detail "The NAT session table has many port 445 sessions that cost the most of forwarding resources, it lead to the forwarding resource is not enough and the new session do not be NAT transited."? This post was last edited by yangyong at 2018-10-30 21:15.

johncarter2679   Created Oct 23, 2018 18:13:11   Helpful(0)

If your router is not working and you are not able to connect to the Internet, follow Dlink Support for help. It also provides solutions for the following errors and problems with routers, such as low bandwidth, unable to connect to the device, slow connection, set-up / configuration issues, firmware attack, forgotten password, unable to find the right device IP, DNS setting problem. This post was last edited by johncarter2679 at 2018-10-23 18:18.