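Fault Description
The customer uses a USG2110-F to connect to a private network and the Internet. Custom-developed remote control software used on the customer's private network does not work, but it works normally when the device is replaced with a router of another brand.
Fault Analysis
None
Handling Process
1. The symptom points to the software version or the configuration of the USG2110-F. The device version was checked and confirmed to be the latest. A close look at the configuration file showed that DPI was configured and was filtering P2P. With DPI disabled as a test, the remote control software worked normally, which confirmed that DPI was the cause.
2. Modify the ACL that the DPI rules reference: permit private network data and apply DPI filtering only to packets destined for the Internet.
The configuration is as follows: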
acl number 3000
 rule 5 permit ip source 10.10.0.0 0.0.255.255
 rule 10 permit ip destination 10.10.0.0 0.0.255.255
 rule 15 deny ip
#
#
dpi
 whole-packet-search enable application gnutella
 whole-packet-search enable application msn_audio
 whole-packet-search enable application msn_im
 whole-packet-search enable application http
 whole-packet-search enable application https
 whole-packet-search enable application mms_stream_signal
 whole-packet-search enable application rtsp
 whole-packet-search enable application pop3_ssl
 whole-packet-search enable application wap_connless
 whole-packet-search enable application wap_conn
 whole-packet-search enable application ssl
 whole-packet-search enable application quicktime_streaming
 whole-packet-search enable application cotp_data
 whole-packet-search enable application stun
 whole-packet-search enable application icy
 whole-packet-search enable application tcp_other
 relation-detection enable
 update rule-base server domain sec.huawei.com
 rule 1 if-match category p2p packet-filter acl-number 3000
 rule 2 if-match category peer_casting packet-filter acl-number 3000
#
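The first-match logic of ACL 3000 above, as an added example that is not part of the original case or the vendor's code: it parses the three rules and evaluates a flow against their wildcard masks. It assumes rules are checked in ascending rule-ID order and that, as step 2 describes, a permit result exempts the flow from the DPI P2P filter; the function names are hypothetical.

```python
import ipaddress
import re

# ACL 3000 exactly as shown in the configuration above.
ACL_3000 = """\
rule 5 permit ip source 10.10.0.0 0.0.255.255
rule 10 permit ip destination 10.10.0.0 0.0.255.255
rule 15 deny ip
"""

# Supported form: rule N permit|deny ip [source A W] [destination A W]
RULE_RE = re.compile(
    r"rule (\d+) (permit|deny) ip"
    r"(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$"
)

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rule_id, action, s_addr, s_wild, d_addr, d_wild = m.groups()
        src = (_to_int(s_addr), _to_int(s_wild)) if s_addr else None
        dst = (_to_int(d_addr), _to_int(d_wild)) if d_addr else None
        rules.append((int(rule_id), action, src, dst))
    return sorted(rules)  # assumption: evaluated in ascending rule-ID order

def _matches(addr, spec):
    # Wildcard mask: a 0 bit must match, a 1 bit is ignored. None means "any".
    if spec is None:
        return True
    base, wild = spec
    return ((_to_int(addr) ^ base) & ~wild & 0xFFFFFFFF) == 0

def evaluate(rules, src_ip, dst_ip):
    """Return (rule_id, action) of the first rule matching the flow."""
    for rule_id, action, src, dst in rules:
        if _matches(src_ip, src) and _matches(dst_ip, dst):
            return rule_id, action
    return None, "deny"  # assumption: an unmatched flow is treated as deny

RULES = parse_acl(ACL_3000)
if __name__ == "__main__":
    # Constructed sample flows (src, dst); not taken from the original case.
    for flow in [("10.10.1.5", "10.10.200.9"), ("192.168.1.20", "203.0.113.7")]:
        print(flow, evaluate(RULES, *flow))
```

Rule 5 matches on source address alone, so a flow from 10.10.0.0/16 to an Internet address also returns permit; confirm that this is the intended scope of the exemption.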
Suggestions/Summary
None