Why is service (such as voice) interrupted after being configured with NAT or firewall?


The aging time of the session table is shorter than the aging time of the service, so the session table entry ages out while the service is still running. Service packets sent after the session entry has aged out are discarded, and the service is interrupted. Run the firewall-nat session aging-time command to increase the TCP/UDP timeout interval.

Other related questions:
The voice VLAN is configured in auto mode. Why are voice services interrupted after the timer expires?
From V100R005 to V200R002, when the voice VLAN on the switch interface is configured to work in auto mode and the aging time is reached, voice flows are sent to the switch itself. Then the switch delivers entries about packet priority change. As a result, packets sent to the switch are not forwarded, and packet loss occurs. When this occurs, change the auto mode to manual mode and add the interface to the voice VLAN.

Why are services interrupted after the original active firewall preempts?
Services are normal after the active/standby switchover, but services are interrupted after the active firewall preempts. The possible cause is that the network has not converged or sessions are not completely backed up. Besides, if a switch fails, its interfaces may go up and down repeatedly when the switch restarts. If the firewall preempts during the process, services may be interrupted. In this case, adjust the preemption delay of the original active firewall.

Why does service interruption occur on some applications after the NAT or firewall function is configured on an AR router?
The default timeout duration of the session table may be shorter than the timeout duration of the corresponding application (for example, voice service). As a result, the session table entry times out and is aged before the application times out, and application packets transmitted after the session entry has timed out are discarded. Run the firewall-nat session aging-time command to prolong the TCP/UDP timeout duration.
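
The session-table aging described in the main answer and in the AR router answer above can be reproduced with a small model. This Python sketch is an added example, not Huawei code: the aging values (120 s, 600 s), the addresses and the packet trace are constructed, and the model assumes that only inbound packets without a session entry are dropped.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    t: int           # seconds since start of the constructed trace
    flow: tuple      # (proto, inside host, inside port, outside host, outside port)
    outbound: bool   # True = inside -> outside

class SessionTable:
    """Idle-timeout session table: an entry ages out when no packet refreshes it."""
    def __init__(self, aging_time):
        self.aging_time = aging_time
        self.last_seen = {}            # flow -> time of last forwarded packet

    def handle(self, pkt):
        last = self.last_seen.get(pkt.flow)
        if last is not None and pkt.t - last > self.aging_time:
            del self.last_seen[pkt.flow]   # entry aged out while the flow was idle
            last = None
        if last is None and not pkt.outbound:
            return "drop"                  # inbound packet with no session entry
        self.last_seen[pkt.flow] = pkt.t   # create or refresh the entry
        return "forward"

def replay(packets, aging_time):
    """Run a trace through a fresh table and return the verdict per packet."""
    table = SessionTable(aging_time)
    return [table.handle(p) for p in sorted(packets, key=lambda p: p.t)]

def max_idle_gap(packets):
    """Longest silence inside any flow; the aging time must be at least this."""
    last, gap = {}, 0
    for p in sorted(packets, key=lambda p: p.t):
        if p.flow in last:
            gap = max(gap, p.t - last[p.flow])
        last[p.flow] = p.t
    return gap

# Constructed trace: a phone registers, then an incoming call arrives 199 s later.
SIP = ("udp", "192.0.2.10", 5060, "198.51.100.5", 5060)
TRACE = [
    Packet(0, SIP, True),      # registration from the phone
    Packet(1, SIP, False),     # reply from the server
    Packet(200, SIP, False),   # incoming call signalling after an idle period
]

if __name__ == "__main__":
    print("aging 120 s:", replay(TRACE, 120))   # last packet is dropped
    print("aging 600 s:", replay(TRACE, 600))   # all packets forwarded
    print("longest idle gap:", max_idle_gap(TRACE), "s")
```

Running `max_idle_gap` over a real capture of the affected service gives a lower bound for the value to configure as the aging time.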

Some services are interrupted after IPSG is configured on an S series switch. Why?
If some services are interrupted after IPSG is configured on an S series switch (except the S1700), possible causes include the following:
1. DHCP snooping is not enabled on a DHCP terminal or the DHCP terminal does not obtain an IP address again after DHCP snooping is enabled. As a result, the dynamic binding table does not contain correct information about the terminal. IP packets sent by the terminal are discarded, and the terminal cannot communicate with the network. Solution: Enable DHCP snooping on the terminal and make the terminal obtain an IP address again to generate a dynamic binding entry in the binding table.
2. No static binding entry corresponding to a static user is generated. As a result, the user cannot go online. Solution: Create a static binding entry for each authorized user connected to the switch.
Note: After the ip source check user-bind enable command is configured on an interface or in a VLAN, the interface or VLAN matches all received IP packets against the binding table and discards those that do not match it.

Cause for the interruption of the USG5000 after the NAT is configured
Check whether the interzone policy is enabled on the firewall.
