目的ping端口
ping端口 时间:2021-05-01 阅读:()
知莘启跃2016-06-12发表PingV7防火墙本地大包不通,小包正常解决办法Ping防火墙本地大包不通,小包正常.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
ParkinHost:俄罗斯离岸主机,抗投诉VPS,200Mbps带宽/莫斯科CN2线路/不限流量/无视DMCA/55折促销26.4欧元 /年起
外贸主机哪家好?抗投诉VPS哪家好?无视DMCA。ParkinHost今年还没有搞过促销,这次parkinhost俄罗斯机房上新服务器,母机采用2个E5-2680v3处理器、128G内存、RAID10硬盘、2Gbps上行线路。具体到VPS全部200Mbps带宽,除了最便宜的套餐限制流量之外,其他的全部是无限流量VPS。ParkinHost,成立于 2013 年,印度主机商,隶属于 DiggDigi...
OneTechCloud(31元),美国CN2 GIA高防VPS月
OneTechCloud发布了本月促销信息,全场VPS主机月付9折,季付8折,优惠后香港VPS月付25.2元起,美国CN2 GIA线路高防VPS月付31.5元起。这是一家2019年成立的国人主机商,提供VPS主机和独立服务器租用,产品数据中心包括美国洛杉矶和中国香港,Cera的机器,VPS基于KVM架构,采用SSD硬盘,其中美国洛杉矶回程CN2 GIA,可选高防。下面列出部分套餐配置信息。美国CN...
提速啦:美国多IP站群云服务器 8核8G 10M带宽 7IP 88元/月
提速啦(www.tisula.com)是赣州王成璟网络科技有限公司旗下云服务器品牌,目前拥有在籍员工40人左右,社保在籍员工30人+,是正规的国内拥有IDC ICP ISP CDN 云牌照资质商家,2018-2021年连续4年获得CTG机房顶级金牌代理商荣誉 2021年赣州市于都县创业大赛三等奖,2020年于都电子商务示范企业,2021年于都县电子商务融合推广大使。资源优势介绍:Ceranetwo...
ping端口为你推荐
-
操作http支付宝调整还款日蚂蚁借呗还款日能改吗重庆400年老树穿楼生长重庆的树为什么都长胡须?申请支付宝账户我要申请支付宝账户曲目ios文档下载请问手机版wps如何把云文档下载到手机上的本地文档?银花珠树晓来看谜语白色花无人栽一夜北风遍地开。旡根无叶又无枝不知是谁送花来。谜底是什么厦门三五互联科技股份有限公司厦门三五互联科技股份有限公司怎么样?qq头像上传失败QQ头像上传失败是怎么回事zencart模板zen cart套用模板后,外观控制显示红色打不开,为什么?