Environment: hosts 10.243.178.141 and 10.243.178.133 are in the same VLAN. Four hosts of a perimeter system, 10.243.183.33 through 10.243.183.36, need to reach host 10.243.178.141.
The following access policy was added on the firewall 10.243.180.17:
netscreen-5400-II(M)-> get policy id 338
name:"none" (id 338), zone Untrust -> Trust,action Permit, status "enabled"
4 sources: "10.243.183.33/32", "10.243.183.34/32", "10.243.183.35/32", "10.243.183.36/32"
2 destinations: "10.243.178.133/32", "10.243.178.141/32"
3 services: "50141", "PING", "TRACEROUTE"
Policies on this vpn tunnel: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00000800, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log no, log count 82, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 189344, counter(session/packet/octet) 0/0/0
No Authentication
No User, User Group or Group expression set
Testing at this point gave the following result: from host 10.243.183.33, 10.243.178.133 could be pinged, but 10.243.178.141 could not. So I ran traceroute to get more information; the traceroute output is below:
10.243.183.33#traceroute 10.243.178.133
trying to get source for 10.243.178.133
source should be 10.243.183.33
traceroute to 10.243.178.133 (10.243.178.133) from 10.243.183.33 (10.243.183.33), 30 hops max
outgoing MTU = 1500
 1  10.243.183.62 (10.243.183.62)  1 ms  0 ms  0 ms
 2  10.243.183.18 (10.243.183.18)  10 ms  10 ms  10 ms
 3  10.244.132.249 (10.244.132.249)  1 ms  1 ms  1 ms
 4  * * *
 5  10.244.132.49 (10.244.132.49)  2 ms  2 ms  2 ms
 6  10.244.132.50 (10.244.132.50)  2 ms  2 ms  2 ms
 7  10.243.180.46 (10.243.180.46)  2 ms  2 ms  2 ms   -------> cisco 3550
 8  10.243.180.17 (10.243.180.17)  2 ms  2 ms  2 ms   -------> ns-5400-II
 9  10.243.180.11 (10.243.180.11)  3 ms  3 ms  3 ms   -------> cisco 6509
10  10.243.178.133 (10.243.178.133)  3 ms  2 ms  3 ms

10.243.183.33#traceroute 10.243.178.141
trying to get source for 10.243.178.141
source should be 10.243.183.33
traceroute to 10.243.178.141 (10.243.178.141) from 10.243.183.33 (10.243.183.33), 30 hops max
outgoing MTU = 1500
 1  10.243.183.62 (10.243.183.62)  1 ms  2 ms  4 ms
 2  10.243.183.18 (10.243.183.18)  18 ms  19 ms  20 ms
 3  10.244.132.249 (10.244.132.249)  1 ms  1 ms  1 ms
 4  * * *
 5  10.244.132.49 (10.244.132.49)  3 ms  3 ms  2 ms
 6  10.244.132.50 (10.244.132.50)  2 ms  2 ms  2 ms
 7  10.243.180.46 (10.243.180.46)  3 ms  2 ms  2 ms
 8  * * *
 9  * * *
 10 * * *
 ......
From the output above, the traceroute to 10.243.178.141 stops at hop 8, shown as "*". I was baffled: both destinations are in the same policy, so the traceroute results should have been the same. After searching back and forth for more than an hour, I finally found the cause, which turned out to be:
netscreen-5400-II(M)-> get address trust name 10.243.178.141/32
Name                 Address/Prefix-length           Flag  Comments
10.243.178.141/32    10.243.178.149/32             0200
I was floored, speechless! I have no idea who defined it, but what carelessness!!!
My personal takeaway for troubleshooting: solid fundamentals + a clear head + confidence = efficiency.
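The root cause is that the address object named "10.243.178.141/32" actually resolves to 10.243.178.149/32, so the policy never matched traffic to .141 and the NetScreen (hop 8 in the first trace) dropped it. To catch this class of mistake before it costs an hour, here is an added Python example (not from the original post, and not a Juniper/ScreenOS tool) that parses `get address` output, flags address objects whose name looks like an IP/prefix but resolves to a different prefix, and checks whether a policy's destination objects really cover a given host. The sample output is constructed to mirror the entry on this page; the column layout is an assumption based on the output shown, and the function names are mine.

```python
"""Audit ScreenOS address-book objects whose name does not match their
real prefix, then resolve a policy's destinations before trusting it."""
import ipaddress
import re

# Constructed sample of `get address trust` output (mirrors the entry on
# the page; the other rows are made up for illustration).
ADDRESS_BOOK_OUTPUT = """\
Name                 Address/Prefix-length           Flag  Comments
10.243.178.133/32    10.243.178.133/32             0200
10.243.178.141/32    10.243.178.149/32             0200
10.243.183.33/32     10.243.183.33/32              0200
"""

# Assumed row layout: <name> <ipv4/prefix> <hex flag> [comments]
LINE_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+([0-9a-fA-F]+)(?:\s+(.*))?$"
)


def parse_address_book(text):
    """Return {object name: ipaddress.IPv4Network}; non-matching lines
    (the header, blank lines) are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, prefix, _flag, _comment = m.groups()
        # strict=False tolerates names like 10.0.0.5/24 with host bits set
        entries[name] = ipaddress.ip_network(prefix, strict=False)
    return entries


def _as_network(name):
    """Parse an object name as an IP prefix, or return None."""
    try:
        return ipaddress.ip_network(name, strict=False)
    except ValueError:
        return None


def find_mismatches(entries):
    """Objects whose name reads as a prefix but resolves elsewhere.
    Returns a list of (name, actual_prefix) tuples."""
    mismatches = []
    for name, net in entries.items():
        named = _as_network(name)
        if named is not None and named != net:
            mismatches.append((name, str(net)))
    return mismatches


def policy_covers(entries, dest_names, host):
    """True if host falls inside the *resolved* prefix of any destination
    object listed in the policy, ignoring what the object names claim."""
    addr = ipaddress.ip_address(host)
    return any(addr in entries[n] for n in dest_names if n in entries)


if __name__ == "__main__":
    book = parse_address_book(ADDRESS_BOOK_OUTPUT)
    for name, actual in find_mismatches(book):
        print(f"MISMATCH: object {name!r} resolves to {actual}")
    dests = ["10.243.178.133/32", "10.243.178.141/32"]  # policy 338
    for host in ("10.243.178.133", "10.243.178.141"):
        print(host, "covered" if policy_covers(book, dests, host) else "NOT covered")
```

Run it against a saved copy of `get address <zone>` (or paste the output into ADDRESS_BOOK_OUTPUT) and feed it the destination list from `get policy id`; a host reported as "NOT covered" despite an object bearing its name is exactly the situation on this page.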