AR2200: the intranet users can't connect to the internet.

Latest reply: Oct 31, 2018 01:25:19

Version: AR2200 V200R006C10SPC300PWE

Issue Description: The intranet users cannot connect to the internet.


Problem Analysis:

1. From an intranet terminal, pinging the router AR2220 succeeds, but pinging the WAN gateway fails.

2. From the egress router AR2220, pinging the WAN-side gateway succeeds.

From this it can be inferred that the NAT table is being generated abnormally.

3. Checking the router's NAT session table shows that the number of entries has reached 110,000, and checking the memory shows that there is no memory left for establishing new NAT sessions.

4. Viewing the contents of the NAT session table shows a large number of entries for port 445.

5. After the NAT session table is reset, the number of NAT session entries rises again rapidly, and the entries for port 445 take up most of the resources.

From this we can conclude that either the user's services genuinely use port 445, or the user does not use port 445 and the port 445 traffic is being sent by terminals that are not under control.

6. Configure a traffic policy on the egress router AR2220 to block port 445.

After communicating with the user, it was confirmed that the user does not use port 445. After the traffic policy blocking port 445 was applied on the router's intranet-facing interface, the intranet terminals could access the internet normally, and the NAT table was checked and found to be normal.
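The analysis in steps 3 to 5 amounts to grouping the NAT session table by destination port and finding the port that dominates it, then finding which internal hosts generate those sessions. The following Python script is an added example that is not part of the original post: it parses a few constructed session lines (the "proto inside -> translated -> destination" column layout is an assumption made for this example and is not the AR router's real display format, so adapt LINE_RE to the actual output of the session display command), reports the busiest destination ports, flags a port that holds more than a configurable share of all sessions, and ranks the internal hosts talking to that port so they can be checked for infection.

```python
import re
from collections import Counter

# Constructed sample NAT session lines (not real router output; the column
# layout "proto inside -> translated -> destination" is an assumption made
# for this example, so adjust LINE_RE to match your device's actual display).
SAMPLE_SESSIONS = """\
tcp 192.168.1.10:51234 -> 203.0.113.5:10001 -> 198.51.100.7:445
tcp 192.168.1.10:51235 -> 203.0.113.5:10002 -> 198.51.100.8:445
tcp 192.168.1.10:51236 -> 203.0.113.5:10003 -> 198.51.100.9:445
tcp 192.168.1.11:51237 -> 203.0.113.5:10004 -> 198.51.100.10:445
tcp 192.168.1.12:51238 -> 203.0.113.5:10005 -> 198.51.100.11:445
udp 192.168.1.12:51239 -> 203.0.113.5:10006 -> 198.51.100.12:445
tcp 192.168.1.20:40001 -> 203.0.113.5:10007 -> 93.184.216.34:443
tcp 192.168.1.21:40002 -> 203.0.113.5:10008 -> 93.184.216.34:80
udp 192.168.1.22:40003 -> 203.0.113.5:10009 -> 192.0.2.53:53
tcp 192.168.1.10:51240 -> 203.0.113.5:10010 -> 198.51.100.13:445
"""

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<xlate>[\d.]+):(?P<xport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_sessions(text):
    """Return a list of (proto, src_ip, dst_port) for each well-formed line.

    Lines that do not match (headers, blank lines, truncated output) are
    skipped rather than raising, so the tool tolerates pasted CLI output.
    """
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sessions.append((m["proto"], m["src"], int(m["dport"])))
    return sessions


def port_summary(text, top_n=3):
    """Return (total_sessions, [(dst_port, count), ...]), most common first."""
    counts = Counter(dport for _, _, dport in parse_sessions(text))
    return sum(counts.values()), counts.most_common(top_n)


def dominant_port(text, share_threshold=0.5):
    """Return (dst_port, share) if one destination port holds more than
    share_threshold of all sessions, else None. In the case described on
    the page that port was 445."""
    total, top = port_summary(text, top_n=1)
    if not top:
        return None
    dport, count = top[0]
    share = count / total
    return (dport, share) if share > share_threshold else None


def top_talkers(text, dport):
    """Internal hosts ranked by number of sessions to dport: the hosts to
    inspect for infection once the dominant port has been identified."""
    counts = Counter(src for _, src, d in parse_sessions(text) if d == dport)
    return counts.most_common()


if __name__ == "__main__":
    total, top = port_summary(SAMPLE_SESSIONS)
    print(f"{total} sessions; busiest destination ports: {top}")
    hit = dominant_port(SAMPLE_SESSIONS)
    if hit:
        port, share = hit
        print(f"port {port} holds {share:.0%} of sessions; top internal hosts:")
        for host, n in top_talkers(SAMPLE_SESSIONS, port):
            print(f"  {host}: {n}")
```

Running the script on the sample prints that port 445 holds 70% of the sessions and that 192.168.1.10 is the heaviest source; on real output the same ranking tells you which terminals to clean first, and the share threshold keeps a busy but legitimate port (such as 443) from being flagged.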


Root Cause: The NAT session table contained a large number of port 445 sessions that consumed most of the forwarding resources, so the forwarding resources ran out and new sessions could not be NAT-translated.


Corrective Action: Not blocking port 445 may bring the following risks:

1. Port 445 is a widely used port through which users can easily access shared folders and shared printers on a local area network, but for exactly that reason it is also a convenient entry point for attackers.

2. A large number of packets to port 445 quickly consume a large number of router resources (such as NAT session entries); in serious cases the router becomes unusable.

To avoid the harm caused by packets to port 445, we suggest the following measures:

1. Configure a traffic policy on the router's intranet-facing interface that blocks port 445. Once the traffic policy is applied to the device interface, the device no longer processes packets with destination port 445 and no NAT entries are generated for them.

The traffic policy configuration is as follows:

acl number 3333
 rule 5 permit tcp destination-port eq 445
 rule 10 permit udp destination-port eq 445
#
traffic classifier virus operator or
 if-match acl 3333
#
traffic behavior virus
 deny
#
traffic policy virus
 classifier virus behavior virus
#
interface GigabitEthernet0/0/0
 traffic-policy virus inbound
 traffic-policy virus outbound
#
interface GigabitEthernet0/0/1
 traffic-policy virus inbound
 traffic-policy virus outbound
#


2. Troubleshoot infected network terminals

Although the traffic policy on the router can work around the problem, such packets still consume intranet bandwidth and may cause other unpredictable problems. It is recommended to run anti-virus on the network terminals and to disable port 445 on them.

3. Upgrade the AR version

The AR is running V200R006 without any patch, so we suggest installing the patch or upgrading to V200R007C00SPCb00.


littlestone
Created Oct 24, 2018 01:02:45

This is a great article; I am interested in it, and it is very helpful for our daily troubleshooting. I always have similar problems in my daily work, but I didn't know how to deal with them. Now I have a definite idea. Thank you very much for sharing. Hopefully you can keep updating like this.

w1
Created Oct 28, 2018 14:53:05

Good case, but how many NAT sessions does the AR device support?

limgsc
Created Oct 30, 2018 11:08:18

Your document works for me; I got the point and fixed my issue with your doc, thank you very much.
Also I hope you publish more docs of this level.
Would you please also mention where the technical details come from, so I can find them in the original documentation?
From the original documentation I can find more correct parameters.