目的ping端口
ping端口 时间:2021-05-01 阅读:()
知莘启跃2016-06-12发表PingV7防火墙本地大包不通,小包正常解决办法Ping防火墙本地大包不通,小包正常.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
#推荐# cmivps:全场7折,香港不限流量VPS,支持Windows系统
cmivps香港VPS带来了3个新消息:(1)双向流量改为单向流量,相当于流量间接扩大一倍;(2)Hong Kong 2T、Hong Kong 3T、Hong Kong 无限流量,这三款VPS开始支持Windows系统,如果需要中文版Windows系统请下单付款完成之后发ticket要求官方更改即可;(3)全场7折年付、8折月付优惠,优惠码有效期一个月!官方网站:https://www.cmivp...
萤光云(20元/月),香港CN2国庆特惠
可以看到这次国庆萤光云搞了一个不错的折扣,香港CN2产品6.5折促销,还送50的国庆红包。萤光云是2002年创立的商家,本次国庆活动主推的是香港CN2优化的机器,其另外还有国内BGP和高防服务器。本次活动力度较大,CN2优化套餐低至20/月(需买三个月,用上折扣+代金券组合),有需求的可以看看。官方网站:https://www.lightnode.cn/地区CPU内存SSDIP带宽/流量价格备注购...
Megalayer(月599元)限时8月香港和美国大带宽服务器
第一、香港服务器机房这里我们可以看到有提供四个大带宽方案,是全向带宽和国际带宽,前者适合除了中国大陆地区的全网地区用户可以用,后者国际带宽适合欧美地区业务。如果我们是需要大陆地区速度CN2优化的,那就需要选择常规的优化带宽方案,参考这里。CPU内存硬盘带宽流量价格选择E3-12308GB240GB SSD50M全向带宽不限999元/月方案选择E3-12308GB240GB SSD100M国际带宽不...
ping端口为你推荐
-
internalservererrorinternal server errorlinux防火墙设置怎么更改linux的防火墙设置?conn.aspconn.asp 在哪打开?应该怎样打开?瑞东集团海澜集团有限公司怎么样?帝国cms教程如何使用帝国CMS模板无忧团购网团购导航网、团购网站大全哪个好?团购拉手,高朋。糯米。美团好吗如何显示隐藏文件怎么把隐藏的文件显示出来网站漏洞修复知道网站的SQL漏洞,怎样修补?浙江电信谁知道浙江电信的DNS是多少?礼品服务“增值服务”到底是什么意思?