Problem and solution when the heartbeat interfaces of the firewalls fail to be directly connected


Troubleshoot as follows:
1. Check whether the cable is properly connected.
2. Check whether the interface has been added to the security zone.
3. Check whether service-manage ping permit is configured under the interface.

Other related questions:
Whether the heartbeat interfaces of the firewall must be directly connected
It depends. The heartbeat interfaces can be directly connected or connected through an intermediate device, such as a switch or router. Direct connection is recommended. When the heartbeat interfaces are connected through an intermediate device, you need to configure the remote parameter to specify the IP address of the peer heartbeat interface, for the following reasons:
If you do not configure the remote parameter, the heartbeat packets sent from the NGFW are encapsulated with VRRP. VRRP packets are multicast packets, and certain switches and routers send packets of this type to themselves for processing, which occupies their CPU resources. Heartbeat packets on the NGFW increase as services increase, overloading the switch and router CPUs and affecting their processing of other multicast packets (such as OSPF packets). The restrictions that switches and routers place on VRRP packets also cause NGFW heartbeat packets to be discarded, which makes the NGFW status unstable.
After you configure the remote parameter, the NGFW encapsulates heartbeat packets into UDP packets. The switch and router do not send UDP packets to themselves for processing. Therefore, the switch and router performance and network services are not affected.

Must the heartbeat interfaces be directly connected
No. The heartbeat interfaces can be connected either directly or through intermediate devices, such as switches or routers. Direct connection between the heartbeat interfaces is recommended.
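The zone and service-manage checks from the troubleshooting steps, together with the remote-parameter requirement, can be run against a saved configuration. The following Python audit is an added example, not Huawei's code; the sample configuration is constructed, and it assumes the saved-configuration form in which interface names carry no space (GigabitEthernet1/0/7) and sections are separated by # lines.

```python
import re

# Constructed sample of a saved configuration (not taken from the page).
# The heartbeat interface has no zone, no ping permit and no remote parameter.
SAMPLE_CONFIG = """\
#
 hrp enable
 hrp interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/7
 ip address 10.10.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 ip address 192.0.2.1 255.255.255.0
 service-manage ping permit
#
firewall zone trust
 add interface GigabitEthernet1/0/1
#
"""

def audit_heartbeat(config, via_intermediate_device=False):
    """Return (interface, finding) pairs for each interface named by 'hrp interface'."""
    zoned, ping_ok, heartbeats = set(), set(), {}
    section = None  # interface whose configuration section is being read
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "#":
            section = None
        elif m := re.fullmatch(r"interface (\S+)", line):
            section = m.group(1)
        elif m := re.fullmatch(r"add interface (\S+)", line):
            zoned.add(m.group(1))
        elif m := re.fullmatch(r"hrp interface (\S+)(?: remote (\S+))?", line):
            heartbeats[m.group(1)] = m.group(2)  # None when remote is absent
        elif line == "service-manage ping permit" and section:
            ping_ok.add(section)
    findings = []
    for ifname, remote in heartbeats.items():
        if ifname not in zoned:
            findings.append((ifname, "not added to a security zone"))
        if ifname not in ping_ok:
            findings.append((ifname, "service-manage ping permit missing"))
        if via_intermediate_device and remote is None:
            findings.append((ifname, "no remote parameter: heartbeat stays VRRP multicast"))
    return findings

if __name__ == "__main__":
    for ifname, finding in audit_heartbeat(SAMPLE_CONFIG, via_intermediate_device=True):
        print(f"{ifname}: {finding}")
```

Pass via_intermediate_device=True only when a switch or router sits between the two heartbeat interfaces; with a direct cable the missing remote parameter is not reported.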

Problem and solution when a KVM fails
Possible cause: The problem occurs when the power supply is unstable and has transient breaks after the reconstruction of the UPS.
Solution:
1. Reinsert the USB cable.
2. If the problem persists, restart the KVM.
3. Replace the faulty keyboard and mouse or the KVM.
4. If the problem persists, restart the SVP.

Problem and solution when the URL category query server fails to be connected
To locate and rectify the fault that the URL category query server fails to be connected, perform the following steps:
1. Check whether there is a URL remote query license. Check whether the URL remote query license is enabled and valid on the CLI or web UI.
2. Check whether the networking and the configuration are correct.
   a. Run the display url-filter global-configuration command to check whether the server state is Connected. If the state is another value, the server is not connected.
   b. Check whether the DNS server is correctly configured and test the connectivity between the device and the website sec.huawei.com. This website is the Huawei security upgrade and authentication center. To connect to a URL remote query server, the device must pass authentication on this website. If the device cannot access the website, it cannot connect to the URL remote query server.
   c. Check the URL filtering profile. Run the display url-filter global-configuration command to check whether a country name is configured. If no country name is configured for the firewall, it cannot connect to the URL remote query server.
   d. Check related configurations on the device. View IPsec and tunnel configurations and check whether connection request packets enter IPsec tunnels. If so, analyze the networking and configuration and ensure that the packets can be correctly sent to the authentication center, scheduling server, and query server.
   e. View security policies and check whether security policies have blocked connection request packets. Several special IP addresses and port numbers are involved in URL server connections. Ensure that the packets sent to the URL servers can pass the check of security policies.
   f. Check whether the update host source command is configured. This command affects the source address used to connect to the URL remote query server. If this command is configured, the specified interface address serves as the source address of query packets sent to the URL remote query server. In this case, ensure that the responses to the packets sent from the specified address to the URL server can be properly forwarded to the device.

Problem and solution when a firewall cannot be added to the NMS
To solve the problem that a firewall cannot be added to the NMS (NMS workstation), perform the following steps:
1. Check whether the SNMP settings on the firewall are correct. For example, check whether the SNMP version matches the NMS.
2. Check whether the NMS is reachable to the firewall.
3. Check whether access management in SNMP mode is enabled on the interface connecting the firewall to the NMS. That is, you need to run the service-manage snmp enable command on the interface to allow the peer device to access the firewall in SNMP mode. By default, the SNMP permission of the interface is disabled. In this case, even if the security policy for the interzone between the zone where the interface resides and the Local zone is enabled, you cannot access the device through the interface. This is because the service-manage function has a higher priority than the security policy.
For details, see USG6350 can't add to the NMS server.
