目的ping端口
ping端口 时间:2021-05-01 阅读:()
知莘启跃2016-06-12发表PingV7防火墙本地大包不通,小包正常解决办法Ping防火墙本地大包不通,小包正常.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
TTcloud:日本独立服务器促销活动,价格$70/月起,季付送10Mbps带宽
ttcloud怎么样?ttcloud是一家海外服务器厂商,运营服务器已经有10年时间,公司注册地址在香港地区,业务范围包括服务器托管,机柜托管,独立服务器等在内的多种服务。我们后台工单支持英文和中文服务。TTcloud最近推出了新上架的日本独立服务器促销活动,价格 $70/月起,季付送10Mbps带宽。也可以跟进客户的需求进行各种DIY定制。点击进入:ttcloud官方网站地址TTcloud拥有自...
RAKsmart美国洛杉矶独立服务器 E3-1230 16GB内存 限时促销月$76
RAKsmart 商家我们应该较多的熟悉的,主营独立服务器和站群服务器业务。从去年开始有陆续的新增多个机房,包含韩国、日本、中国香港等。虽然他们家也有VPS主机,但是好像不是特别的重视,价格上特价的时候也是比较便宜的1.99美元月付(年中活动有促销)。不过他们的重点还是独立服务器,毕竟在这个产业中利润率较大。正如上面的Megalayer商家的美国服务器活动,这个同学有需要独立服务器,这里我一并整理...
香港 1核 1G 5M 22元/月 美国 1核 512M 15M 19.36元/月 轻云互联
轻云互联成立于2018年的国人商家,广州轻云互联网络科技有限公司旗下品牌,主要从事VPS、虚拟主机等云计算产品业务,适合建站、新手上车的值得选择,香港三网直连(电信CN2GIA联通移动CN2直连);美国圣何塞(回程三网CN2GIA)线路,所有产品均采用KVM虚拟技术架构,高效售后保障,稳定多年,高性能可用,网络优质,为您的业务保驾护航。官方网站:点击进入广州轻云网络科技有限公司活动规则:用户购买任...
ping端口为你推荐
-
searchaspphpweb破解wifi破解黑科技开启javascript怎么在浏览器中启用JavaScript?conn.aspconn.asp 在哪打开?应该怎样打开?outlookexpress家里电脑老是弹出“outlook express”这个东西,怎么除去啊?asp.net网页制作如何用ASP.NET做网站?filezilla_server如何用FileZilla Server新增FTP帐号结点cuteftp课程cuteftp开放平台众安开放平台是干什么的?上面的众推广是什么?