目的ping端口
ping端口 时间:2021-05-01 阅读:()
知莘启跃2016-06-12发表PingV7防火墙本地大包不通,小包正常解决办法Ping防火墙本地大包不通,小包正常.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
流统确认防火墙已接收到报文,但并未回应.
1.
检查域间策略配置#security-zonenameUntrustimportinterfaceGigabitEthernet1/0/0#zone-pairsecuritysourceAnydestinationAnyobject-policyapplyiptest#object-policyiptestrule1passservicepingrule2passservicetelnet#2.
域间策略及会话建立相关debug首先定义一个acl,acl匹配的为ping测试的源、目的IP(本次测试源IP为172.
31.
0.
14,目的IP为防火墙接口IP172.
31.
0.
24)#acladvanced3010rule0permiticmpsource172.
31.
0.
140destination172.
31.
0.
240rule5permiticmpsource172.
31.
0.
240destination172.
31.
0.
140#debugobject-policypacketipacl3010ThiscommandisCPUintensiveandmightaffectongoingservices.
Areyousureyouwanttocontinue[Y/N]:ydebugsessionsession-tableallacl3010tmThecurrentterminalisenabledtodisplaylogs.
tdThecurrentterminalisenabledtodisplaydebugginglogs.
从172.
31.
0.
14这台设备ping大包(以2000Bytes为例):*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(FSM):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))FSM:NONE-->ICMP_REQUEST,dir:ORIGIN,PacketType:REQUEST(8)*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasbackuped.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
*Jun1210:59:53:9172016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
*Jun1210:59:53:9502016H3CSESSION/7/TABLE:-COntext=1-Slot=2;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywasdeleted.
从debug信息可以看出,有一些被域间策略deny的信息:*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
其中,源端口号是9,目的端口号是2048(0x0800)再回过头来看之前配置的域间策略:object-policyiptestrule1passserviceping放通了ping这个预定义服务,接下来看一下这个ping服务定义的具体内容,指定了icmp的type/code作为源/目的端口[H3C]probe[H3C-probe]displaysysteminternalobject-groupservicedefaultnamepingslot1Serviceobjectgroupping:1object(inuse)0serviceicmp80Ping大包时,分片首包过来,aspf使用type/code作为源/目的端口去匹配对象策略,通过.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketispermitted.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=8,Dst-Port=0,Protocol=ICMP(1),Application=other(1),ObjectPolicy=test,Rule-ID=1.
建立会话,这里使用icmpid(11)作为会话源端口,0x0800(2048)作为目的端口*Jun1210:59:53:9162016H3CSESSION/7/TABLE:-COntext=1;Tuple5(EVENT):172.
31.
0.
14/11-->172.
31.
0.
24/2048(ICMP(1))Sessionentrywascreated.
后续非首分片过来,不携带icmp头,命中了首包建立的会话,使用会话里携带的源/目的端口去匹配对象策略,没有命中,被丢弃.
*Jun1210:59:53:9162016H3CFILTER/7/PACKET:-COntext=1;Thepacketisdenied.
Src-ZOne=Untrust(matched=Any),Dst-ZOne=Local(matched=Any);If-In=GigabitEthernet1/0/0(1),If-Out=InLoopBack0(132);PacketInfo:Src-IP=172.
31.
0.
14,Dst-IP=172.
31.
0.
24,VPN-Instance=,Src-Port=11,Dst-Port=2048,Protocol=ICMP(1),Application=other(1),ACL=none,Rule-ID=none.
规避方法:定义一个icmp服务,然后在策略中调用#object-groupserviceicmp0serviceicmp#object-policyiptestrule1passservicepingrule3passserviceicmp#解决方法:升级软件版本,不同设备的软件版本号见软件版本说明书中解决问题列表.
Dynadot多种后缀优惠域名优惠码 ,.COM域名注册$6.99
Dynadot 是一家非常靠谱的域名注册商家,老唐也从来不会掩饰对其的喜爱,目前我个人大部分域名都在 Dynadot,还有一小部分在 NameCheap 和腾讯云。本文分享一下 Dynadot 最新域名优惠码,包括 .COM,.NET 等主流后缀的优惠码,以及一些新顶级后缀的优惠。对于域名优惠,NameCheap 的新后缀促销比较多,而 Dynadot 则是对于主流后缀的促销比较多,所以可以各取所...
云雀云(larkyun)低至368元/月,广州移动1Gbps带宽VDS(带100G防御),常州联通1Gbps带宽VDS
云雀云(larkyun)当前主要运作国内线路的机器,最大提供1Gbps服务器,有云服务器(VDS)、也有独立服务器,对接国内、国外的效果都是相当靠谱的。此外,还有台湾hinet线路的动态云服务器和静态云服务器。当前,larkyun对广州移动二期正在搞优惠促销!官方网站:https://larkyun.top付款方式:支付宝、微信、USDT广移二期开售8折折扣码:56NZVE0YZN (试用于常州联...
特网云-新上线香港五区补货资源充足限时抢 虚拟主机6折,低至38元!
官方网站:点击访问特网云官网活动方案:===========================香港云限时购==============================支持Linux和Windows操作系统,配置都是可以自选的,非常的灵活,宽带充足新老客户活动期间新购活动款产品都可以享受续费折扣(只限在活动期间购买活动款产品才可享受续费折扣 优惠码:AADE01),购买折扣与续费折扣不叠加,都是在原价...
ping端口为你推荐
-
采用360facilitarphp亿元支付宝phpwindPHPWIND和DISCUZ有什么区别碧海银沙网怎样在碧海银沙网里发布图片?三五互联股票三五互联是干什么的?工具条手机的工具栏怎么在任务栏里?怎么把工具栏调到手机下面?kingcmsKingCMS 开始该则呢么设置呢?zencart模板zencart里那些目录分别对应MVC设计模式的模型 视图 和控制器呢?403forbidden403forbidden怎么解决