
NAT switches unsuccessfully when dialer interface is down in multi-exit networkin

Latest reply: Apr 1, 2016 01:00:08
The USG2000 configuration has three dialer interfaces to the public network. When the first interface, Dialer2, goes down, the internal network cannot access the public network. The configuration is as follows:
#
interface Vlanif2
pppoe-client dial-bundle-number 2     
#
interface Vlanif3
pppoe-client dial-bundle-number 3
#
interface Vlanif4
pppoe-client dial-bundle-number 4
#
interface Cellular5/0/0
link-protocol ppp
#
interface Ethernet0/0/0
pppoe-client dial-bundle-number 1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
ip route-static 0.0.0.0 0.0.0.0 Dialer4
ip route-static 0.0.0.0 0.0.0.0 Dialer2
ip route-static 0.0.0.0 0.0.0.0 Dialer3
#
policy-based-route 2 permit node 1
  if-match acl 2000
  apply output-interface Dialer2
policy-based-route 2 permit node 2
  if-match acl 2000
  apply output-interface Dialer3
policy-based-route 2 permit node 3
  if-match acl 2000
  apply output-interface Dialer4
#
nat-policy interzone trust untrust outbound
policy 0
  action source-nat
  policy source 192.168.1.0 mask 255.255.255.0
  easy-ip Dialer1
#
nat-policy interzone trust untrust1 outbound
policy 0
  action source-nat
  policy source 192.168.1.0 mask 255.255.255.0
  easy-ip Dialer2
#
nat-policy interzone trust untrust2 outbound
policy 0
  action source-nat
  policy source 192.168.1.0 mask 255.255.255.0
  easy-ip Dialer3
#
nat-policy interzone trust untrust3 outbound
policy 0
  action source-nat
  policy source 192.168.1.0 mask 255.255.255.0
  easy-ip Dialer4
Alarm Information
none

Handling Process
1. Use an internal PC to access the public network and check the session table:
tcp  VPN:public --> public  Zone: trust--> untrust1  TTL: 00:00:05  Left: 00:00:00
  Interface: Dialer2  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:1 bytes:48
  192.168.1.248:53469[0.0.0.0:2143]-->112.95.240.11:443
http  VPN:public --> public
  Zone: trust--> untrust1  TTL: 00:00:05  Left: 00:00:00
  Interface: Dialer2  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:1 bytes:48
  192.168.1.248:53470[0.0.0.0:2174]-->112.95.240.11:80
Packets still go out through the dialer interface and policy-based routing still takes effect, but the interface is down, so the translated address is 0.0.0.0 and the switchover fails.
2. In a multi-exit setup, the dialer interface stays up even though the physical interface is down, so policy-based routing keeps working. Configure ip-link check to make sure the interface switchover succeeds, or change the policy-based routing:
policy-based-route 2 permit node 1
  if-match acl 2000
  apply output-interface Dialer2
Root Cause
1. Configuration problem
2. Product characteristic
3. other
Solution
Suggestions
none
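
The session check in step 1 of the handling process can be run over a saved session dump. This is an added example, not part of the original post: it parses entries in the layout quoted above and counts, per egress interface, the sessions that were source-NATed to 0.0.0.0 and received no reply packets. The third sample entry and all function names are constructed for illustration.

```python
import re
from collections import Counter
# First two entries are the session output quoted in the post; the third
# (Dialer3, translated to 198.51.100.7) is constructed here for contrast.
SAMPLE = """\
tcp  VPN:public --> public  Zone: trust--> untrust1  TTL: 00:00:05  Left: 00:00:00
  Interface: Dialer2  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:1 bytes:48
  192.168.1.248:53469[0.0.0.0:2143]-->112.95.240.11:443
http  VPN:public --> public
  Zone: trust--> untrust1  TTL: 00:00:05  Left: 00:00:00
  Interface: Dialer2  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:0 bytes:0   -->packets:1 bytes:48
  192.168.1.248:53470[0.0.0.0:2174]-->112.95.240.11:80
http  VPN:public --> public
  Zone: trust--> untrust2  TTL: 00:00:10  Left: 00:00:08
  Interface: Dialer3  NextHop: 0.0.0.0  MAC: 00-00-00-00-00-00
  <--packets:5 bytes:2100   -->packets:6 bytes:640
  192.168.1.248:53471[198.51.100.7:2180]-->112.95.240.11:80
"""

ENTRY_START = re.compile(r"^\S+\s+VPN:", re.M)   # unindented protocol line
ZONE = re.compile(r"Zone:\s*\S+?\s*-->\s*(\S+)")
IFACE = re.compile(r"Interface:\s*(\S+)")
REPLY = re.compile(r"<--packets:(\d+)")
FLOW = re.compile(r"([\d.]+:\d+)(?:\[([\d.]+):\d+\])?-->([\d.]+:\d+)")

def parse_sessions(text):
    """Return one dict per session entry in the dump."""
    starts = [m.start() for m in ENTRY_START.finditer(text)] + [len(text)]
    sessions = []
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]
        flow = FLOW.search(block)
        if not flow:
            continue                      # incomplete entry, skip it
        sessions.append({
            "zone": ZONE.search(block).group(1),
            "iface": IFACE.search(block).group(1),
            "replies": int(REPLY.search(block).group(1)),
            "nat_src": flow.group(2),     # None when no translation is shown
            "dst": flow.group(3),
        })
    return sessions

def suspect_interfaces(sessions):
    """Count sessions per interface that were NATed to 0.0.0.0 with no replies."""
    return Counter(s["iface"] for s in sessions
                   if s["nat_src"] == "0.0.0.0" and s["replies"] == 0)
```

A non-empty result for an interface that still appears in the policy-based route is the symptom from step 1: traffic is being steered to an exit that has no address to translate to.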
