Got it
Huawei Enterprise Support Community
Community Forums Routing & Switching
AR 2200 the intranet user...

AR 2200 the intranet users can’t connect to internet.

Latest reply: Oct 31, 2018 01:25:19 1276 13 9 0 0
View the author 1#


Version AR2200 V200R006C10SPC300PWE

Issue Description The intranet users can’t connect to internet.

 

Problem Analysis :

1. The intranet terminal ping router AR2220 is normal, intranet terminal ping WAN gateway is not normal.

2. On the egress router AR2220 ping the WAN-side gateway is normal.

As a result, it may be speculated that the NAT table may be generated abnormally.

3. Check out the router's NAT session entry to 110,000, while viewing the memory, there is no memory available for establishing a NAT session.

4. View the contents of the NAT session, there are many port entries for the 445.

5. After the NAT session entry is reset, the number of NAT session entries rapidly increases. The entry with 445 port takes up a lot of resources.

From this we can conclude that the user's service does use port 445 or that the user does not use the port and that the port with the port 445 is sent by the uncontrollable terminal.

6. Configure the traffic policy on the egress router AR2220 to disable port 445

After communicating with the user, it is learned that the user does not use port 445. After the port policy is disabled on port 445 in the router's intranet port. Intranet terminal can be normal Internet access. Check the NAT entry is normal.

 

Root Cause: The NAT session table has many port 445 sessions that cost the most of forwarding resources, it lead to the forwarding resource is not enough and the new session do not be NAT transited.

 

Corrective Action : No prohibit port 445 may bring the following risks:

1.Port 445 is a mixed port with which users can easily access various shared folders or shared printers on a local area network, but it is precisely because of this that hackers have an advantage.

2. A large number of packets for the 445 port will quickly occupy a large number of items on the router resources, the router can’t be used in serious cases.

In order to avoid the harm caused by the packet whose port is 445, we suggest the following measures:

1. In the router's internal network port configuration flow policy prohibit the use of 445 ports. After the traffic policy is configured on the router device interface, the device no longer processes packets with destination port 445 and no NAT entries are generated.

The traffic policy configuration is below:

acl number 3333 

 rule 5 permit tcp destination-port eq 445

 rule 10 permit udp destination-port eq 445

#

traffic classifier virus operator or

if-match acl 3333

#

traffic behavior virus

deny

#

traffic policy virus

classifier virus behavior virus

traffic policy 3334

classifier 3334 behavior 3334

#

interface GigabitEthernet0/0/0

traffic-policy virus inbound

traffic-policy virus outbound

#

interface GigabitEthernet0/0/1

traffic-policy virus inbound

traffic-policy virus outbound

#

 

2. Troubleshooting network terminal poisoning

Although you can use the traffic policy on the router to circumvent this policy, such packets still occupy the intranet bandwidth, which may cause other unpredictable problems. It is recommended that the network terminal anti-virus and turn off port 445.

3. Upgrade the version of AR

The version of AR is V200R006 and no patch, so suggest update the patch or upgrade the version to V200R007C00SPCb00.

 If you have any problems, please post them in our Community. We are happy to solve them for you!

Like (9) Dislike (0) Favorite(0) Share Report
Previous: AR device IPsec Tunnel cannot up normally
Next: UN RECOGNIZED COMMAND
(1) (0)
2#
Torrent
Created Oct 18, 2018 09:05:01

The NAT session table has many port 445 sessions that cost the most of forwarding resources, it lead to the forwarding resource is not enough and the new session do not be NAT transited.

this is very important in our daily work, it help me a lot.

 I am very interested for this post, which is very helpful to our daily troubleshooting. I always have similar problems in my daily work, but I do not know how to deal with them. Now I have a clear idea. Thank you very much for your sharing. Hope you can update continue like this This post was last edited by Torrent at 2018-10-22 05:52.
View more
  • x
  • convention:
(0) (0)
3#
Finn92
Created Oct 18, 2018 09:09:49

in this post , not only learned  configuring  NAT , and learned 445 risk . very helpful. 

No prohibit port 445 may bring the following risks:

1.Port 445 is a mixed port with which users can easily access various shared folders or shared printers on a local area network, but it is precisely because of this that hackers have an advantage.

2. A large number of packets for the 445 port will quickly occupy a large number of items on the router resources, the router can’t be used in serious cases.

This post was last edited by Finn92 at 2018-10-31 08:33.
View more
  • x
  • convention:
(0) (0)
4#
SupperRobin
Created Oct 18, 2018 09:16:05

Generally, users within a VPN can only communicate with other users in the same VPN. They cannot communicate with users on the Internet or connect to the Internet. However, VPN sites may need to access the Internet. To implement interconnection between a VPN and the Internet, the following conditions must be met:
    The devices in the VPN that need to access the Internet have reachable routes to the Internet.
    Routes are available from the Internet to the devices in the VPN.
    Similar to interconnection between non-VPN users and the Internet, security mechanisms such as firewalls must be used.

This post was last edited by SupperRobin at 2018-10-31 07:02.
View more
  • x
  • convention:
(0) (0)
5#
littlestone
Created Oct 18, 2018 10:58:12

its so great
This post is novel in concept, with unique ingenuity, clear passages, different plots, ups and downs, distinct lines, fascinating and fascinating literary skills. It can be described as a word and a classic sentence, which is a model that my generation should learn.
I was already disappointed with this community. I feel that this community has no future, and my heart is full of sorrow. But after reading this post, I made hope for the community. It is you who let my heart rekindle the fire of hope. It is you who have revived my heart. You saved me a cool and cool heart!
Originally, I decided not to return any posts in the community, but after reading your post, I told myself that this post must be returned! This is a rare sticker that has been rare for a hundred years! Heaven has eyes, let me see such a wonderful post in the eugenic year.
View more
  • x
  • convention:
(0) (0)
6#
faysalji
Author Created Oct 18, 2018 11:18:07

Good Case, thanks
View more
  • x
  • convention:
(0) (0)
7#
No.9527
Created Oct 19, 2018 03:29:19

The default value of the CollectorMaxDelay field in LACPDUs sent by the device of different versions to the connected non-Huawei device is different. This may cause high CPU usage. You can run the lacp collector delay command to set the value of the CollectorMaxDelay field in LACPDUs. This post was last edited by No.9527 at 2018-10-31 06:58.
View more
  • x
  • convention:
(0) (0)
8#
lizhi94
Created Oct 19, 2018 09:28:51

I have required a lot of knowledge,which encourages me to gohead for excellent level .
The post also is useful and practical to me and then take the knowledge of Network technology to us .
AT same time,this post offers a nice reference of the AR 2200 the intranet users can’t connect to internet. This is a rare sticker that has been rare for a hundred years! Heaven has eyes, let me see such a wonderful post in the eugenic year.
Thank you very much for your sharing. Hope you can update continue like this
View more
  • x
  • convention:
(0) (0)
9#
yangyong
Created Oct 19, 2018 09:37:45

From your case I learn a easy way to fix my same issue. Thank you so much! But I still have some question about your sharing. Can you explain more detail about "The NAT session table has many port 445 sessions that cost the most of forwarding resources, it lead to the forwarding resource is not enough and the new session do not be NAT transited."?  This post was last edited by yangyong at 2018-10-30 13:15.
View more
  • x
  • convention:
(0) (0)
10#
johncarter2679
Created Oct 23, 2018 10:13:11

If your router is not working and you are not able to connect to the internet connection follow Dlink Support for help. It also provides the solution about the following errors and the problem with Router such as Low bandwidth, Unable to connect to the device, Slow connection, Set up / configuration issues, Firmware attack, Forget the password, Unable to find the right device IP, DNS setting problem. This post was last edited by johncarter2679 at 2018-10-23 10:18.
View more
  • x
  • convention:
12
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.