Got it
Huawei Enterprise Support Community
Community Forums Security
Due to the TSM Policy-bas...

Due to the TSM Policy-based Routing, the Slave Firewall Cannot be Pinged Through

Latest reply: Apr 5, 2016 22:54:35 1328 1 0 0 0
View the author 1#
The following network diagram shows a standard TSM dual system off-line deployment. The symptom described as follows is discovered during a simulation test.
All traffic is directed to the master firewall FW1 based on policy-based routing on the switch SW1. If the core switch SW1 is down, switch SW2 takes over the work of SW1. Because both firewalls have ports in the down state, the master/slave firewall switchover is not performed. A PC at the access layer sends ping packets to communicate with the slave firewall. In this case, tracert packets are through, but only the first one or two ping packets are through. Every time the session table on the firewall is reset, ping packets are through for a while, but becomes not through soon.
Alarm Information
None.

Like (0) Dislike (0) Favorite(0) Share Report
Previous: PBX license cannot be activated on AR1200VW
Next: Analysis about agent reports contravention data after some site stopped illegal
(0) (0)
2#
jack_6
Created Apr 5, 2016 22:54:35

Handling Process
You do not need to ping the slave firewall. The master and slave firewalls communicate with the server if policy-based routing does not direct server traffic. Root Cause
Packets are discarded after they go through both firewalls that implement dual-system hot backup. This occurs at the management address of the TSM dual-system off-line deployment, interrupting the communication between the slave firewall and the server.
Cause: After SW1 is down, ping packets reach SW2 first, and then go to FW1 due to policy-based routing. Then they go back to SW2, and finally go to FW2. That is, one packet goes through both the master and slave firewalls. Because the two firewalls perform session table synchronization, this packet will be discard. Every time the session table is cleared, the ping packets are through for a while. After the two firewalls performs session table synchronization, ping packets are discarded again. Solution
Suggestions
When you encounter the problem that traffic goes through both the master and slave firewalls, check the traffic import configuration.
If you fail to directly log in to the slave firewall, log in to the slave firewall from the master firewall. (The slave firewall can definitely be logged in after a master/slave switchover.)
View more
  • x
  • convention:
Back to list

Comment

Advanced
B Color Image Link Quote Code Smilies
You need to log in to comment to the post Login | Register
Comment

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits

Login
Huawei Website Support About Huawei Privacy User Agreement Terms of Use Cookies Cookie Settings
Huawei Enterprise Huawei Carrier Forum Training & Certification

Contact Us: e_online@huawei.com Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

APP

Block
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Reminder
Please bind your phone number to obtain invitation bonus.