目的ping端口
ping端口 时间:2021-05-01 阅读:()
知莘启跃2016-06-12发表PingV7防火墙本地大包不通,小包正常解决办法Ping防火墙本地大包不通,小包正常.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
轻云互联,香港云服务器折后22元/月 美国云服务器 1核 512M内存 15M带宽 折后19.36元/月
轻云互联成立于2018年的国人商家,广州轻云互联网络科技有限公司旗下品牌,主要从事VPS、虚拟主机等云计算产品业务,适合建站、新手上车的值得选择,香港三网直连(电信CN2GIA联通移动CN2直连);美国圣何塞(回程三网CN2GIA)线路,所有产品均采用KVM虚拟技术架构,高效售后保障,稳定多年,高性能可用,网络优质,为您的业务保驾护航。官方网站:点击进入广州轻云网络科技有限公司活动规则:1.用户购...
Hostodo(年付12美元),美西斯波坎机房Linux VPS主机66折
Hostodo 商家是比较小众的国外VPS主机商,这不看到商家有推送促销优惠在美国西岸的斯波坎机房还有少部分库存准备通过低价格促销,年付低至12美元Linux VPS主机,且如果是1GB内存方案的可以享受六六折优惠,均是采用KVM架构,且可以支付宝付款。第一、商家优惠码优惠码:spokanessd 1GB+内存方案才可以用到优惠码,其他都是固定的优惠低至年12美元。第二、商家促销这里,我们可以看到...
RackNerd:特价美国服务器促销,高配低价,美国多机房可选择,双E526**+AMD3700+NVMe
racknerd怎么样?racknerd今天发布了几款美国特价独立服务器的促销,本次商家主推高配置的服务器,各个配置给的都比较高,有Intel和AMD两种,硬盘也有NVMe和SSD等多咱组合可以选择,机房目前有夏洛特、洛杉矶、犹他州可以选择,性价比很高,有需要独服的朋友可以看看。点击进入:racknerd官方网站RackNerd暑假独服促销:CPU:双E5-2680v3 (24核心,48线程)内存...
ping端口为你推荐
-
phpwindphpwind怎么用?免费么?请详细说明phpwindPHPWind 都有什么功能phpadmin下载求张艺兴《莲》mp3下载centos6.5centos 6.5 无法启动了,不知道是哪里的问题。360邮箱lin.long.an@360.com是什么邮箱瑞东集团道恩集团的集团简介三五互联股票三五互联是什么股票3g手机有哪些电信3g手机有哪些?如何发帖子怎么发帖子啊?什么是seo学习SEO的好处是什么?