Case study: SSL VPN service failure caused by FW traffic matching an Outbound LLB policy

2023-12-27 20:07:12 Published

Network Topology

The FW serves both as the Internet egress and as the SSL VPN gateway.

Equipment model: F1000-AI-25

Software version: Release 8860P27


Networking: PC----Internet------FW--------Intranet server

Problem Description

After the PC connects over SSL VPN, it cannot ping the intranet server, although the FW itself can ping the server from its intranet interface.

Process Analysis

1.      Check the session table on the FW for sessions whose source address is the PC address. A session already exists, so the PC's packet did reach the FW. However, in the responder direction the source address has been translated (10.10.10.10 became 17.17.17.17), and the ICMP request was sent out of another interface connected to the Internet rather than towards the intranet. Checking the routing table shows that the route for this destination actually points to the intranet interface, so something other than routing is steering the packet.

[fw]display session table ipv4 source-ip 10.10.10.10 verbose
Slot 1:
Initiator:
  Source      IP/port: 10.10.10.10/1
  Destination IP/port: 192.168.1.1/2048
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: SSLVPN-AC1
  Source security zone: test
Responder:
  Source      IP/port: 192.168.1.1/24786
  Destination IP/port: 17.17.17.17/0
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: ICMP(1)
  Inbound interface: GigabitEthernet1/2/3
  Source security zone:  test1
State: ICMP_REQUEST
Application: ICMP
Rule ID: -/-/-
Rule name:
Start time: 2023-09-07 22:58:54  TTL: 57s
Initiator->Responder:            3 packets        180 bytes
Responder->Initiator:            0 packets          0 bytes

2.      Checking the on-site configuration shows that Outbound LLB (link load balancing) is configured. Running loadbalance schedule-test for this flow confirms that the packet matches the LLB policy: the SSL VPN traffic arriving from the Internet is scheduled out of a different Internet interface, where it also matches the nat outbound rule configured on that outbound interface. This is why the source is translated and the request never reaches the intranet.
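A way to check for this symptom across all VPN sessions at once, as an added example that is not part of the original case: the script parses the display session table ipv4 ... verbose output shown above and flags sessions that entered on an SSLVPN-AC interface but were source-translated or whose return path is not the intranet port. The intranet interface name GigabitEthernet1/0/2 is an assumption (the case does not name it); the SAMPLE text is an abbreviated copy of the session from the case.

```python
# Added example (not from the original case): detect SSL VPN sessions that
# were NATed out an Internet link instead of being routed to the intranet.
SAMPLE = """\
Initiator:
  Source      IP/port: 10.10.10.10/1
  Destination IP/port: 192.168.1.1/2048
  Inbound interface: SSLVPN-AC1
Responder:
  Source      IP/port: 192.168.1.1/24786
  Destination IP/port: 17.17.17.17/0
  Inbound interface: GigabitEthernet1/2/3
State: ICMP_REQUEST
"""  # abbreviated copy of the session shown in the case

def parse_sessions(text):
    """One dict per session, keyed e.g. 'responder inbound interface'."""
    sessions, cur, side = [], None, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        key = " ".join(key.split()).lower()  # collapse column padding
        if key in ("initiator", "responder") and not value.strip():
            if key == "initiator":          # a new session starts here
                cur = {}
                sessions.append(cur)
            side = key
        elif cur is not None and sep and key in (
                "source ip/port", "destination ip/port", "inbound interface"):
            cur[f"{side} {key}"] = value.strip()
    return sessions

def ip_of(ip_port):
    return ip_port.rsplit("/", 1)[0]

def misrouted_vpn_sessions(sessions, vpn_prefix="SSLVPN-AC",
                           intranet_ifs=("GigabitEthernet1/0/2",)):
    """Flag VPN sessions that were NATed or whose return path is not the
    intranet port; intranet_ifs is an assumed name, not from the case."""
    findings = []
    for s in sessions:
        if not s.get("initiator inbound interface", "").startswith(vpn_prefix):
            continue
        src = ip_of(s["initiator source ip/port"])
        nat_src = ip_of(s["responder destination ip/port"])
        ret_if = s.get("responder inbound interface", "")
        reasons = []
        if nat_src != src:  # nat outbound on an Internet interface hit the flow
            reasons.append(f"source translated {src}->{nat_src}")
        if ret_if not in intranet_ifs:  # reply expected from the intranet port
            reasons.append(f"return path via {ret_if}")
        if reasons:
            findings.append((src, ip_of(s["initiator destination ip/port"]),
                             "; ".join(reasons)))
    return findings
```

Feed it the full output of display session table ipv4 verbose (any number of sessions) and an empty result after the fix below confirms that SSL VPN flows are no longer being load balanced.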
Solution

Because SSL VPN traffic on site also matches the Outbound LLB policy first, the load balancing policy must be adjusted so that SSL VPN traffic from the PC to the intranet server is excluded from load balancing and is simply forwarded according to the routing table.

#
loadbalance action sslvpn type link-generic
 forward all    (forwarded directly according to the routing table)
#

Note: ip last-hop hold must be enabled on the interface where the ICMP traffic enters (the Internet interface), so that return packets are sent back out the interface they arrived on and do not also require a forward all action.

<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ip last-hop hold
