防火牆RBM+靜態路由雙主，同一個NAT下，內網部分服務器訪問同一台外網服務器業務不通。

 防火牆1

nat address-group 179 name for_byzoro1 address 134.84.76.179 134.84.76.179 #

 nat remote-backup port-alloc primary#

 object-group ip address 179 1 network range 172.18.5.3 172.18.5.6 #

 interface Route-Aggregation1 ip address 192.168.101.2 255.255.255.252 nat outbound 2179 address-group 179 nat server global 134.84.76.176 inside 172.18.5.2 reversible rule ServerRule_1 #

 acl basic 2179 rule 1 permit source object-group 179 #

防火牆2

nat address-group 179 name for_byzoro1 address 134.84.76.179 134.84.76.179 #

 nat remote-backup port-alloc secondary#

 object-group ip address 179 1 network range 172.18.5.3 172.18.5.6 #

 interface Route-Aggregation1 ip address 192.168.101.2 255.255.255.252 nat outbound 2179 address-group 179 nat server global 134.84.76.176 inside 172.18.5.2 reversible rule ServerRule_1 #

 acl basic 2179 rule 1 permit source object-group 179 #

故障現象：172.18.5.6 訪問134.64.49.80的業務不通，但可以ping通；172.18.5.3 、172.18.5.4訪問134.64.49.80正常

dis session table ipv4 source-ip 172.18.5.6 destination-ip 134.64.49.80 verbose Slot 1: Initiator: Source IP/port: 172.18.5.6/60212 Destination IP/port: 134.64.49.80/8088 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: Route-Aggregation2 Source security zone: Trust Responder: Source IP/port: 134.64.49.80/8088 Destination IP/port: 134.84.76.179/44816 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: Route-Aggregation1 Source security zone: Untrust State: TCP_SYN_SENT Application: GENERAL_TCP Rule ID: 1 Rule name: trust-untrust Start time: 2023-03-09 11:20:09 TTL: 28s Initiator->Responder: 3 packets 180 bytes Responder->Initiator: 0 packets 0 bytes Total sessions found: 1

dis session table ipv4 source-ip 172.18.5.3 destination-ip 134.64.49.80 verbose Slot 1: Initiator: Source IP/port: 172.18.5.3/50472 Destination IP/port: 134.64.49.80/8088 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: Route-Aggregation2 Source security zone: Trust Responder: Source IP/port: 134.64.49.80/8088 Destination IP/port: 134.84.76.179/44792 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: Route-Aggregation1 Source security zone: Untrust State: TCP_ESTABLISHED Application: GENERAL_TCP Rule ID: 1 Rule name: trust-untrust Start time: 2023-03-09 11:16:35 TTL: 3594s Initiator->Responder: 2 packets 112 bytes Responder->Initiator: 1 packets 60 bytes

RBM_P<F5000-1>dis session table ipv4 source-ip 172.18.5.4 destination-ip 134.64.49.80 verbose Slot 1: Initiator: Source IP/port: 172.18.5.4/39708 Destination IP/port: 134.64.49.80/8088 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: Route-Aggregation2 Source security zone: Trust Responder: Source IP/port: 134.64.49.80/8088 Destination IP/port: 134.84.76.179/44831 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: Route-Aggregation1 Source security zone: Untrust State: TCP_ESTABLISHED Application: GENERAL_TCP Rule ID: 1 Rule name: trust-untrust Start time: 2023-03-09 11:21:41 TTL: 3597s Initiator->Responder: 0 packets 0 bytes Responder->Initiator: 1 packets 60 bytes RBM_S<F5000-2>dis session table ipv4 source-ip 172.18.5.4 destination-ip 134.64.49.80 verbose Slot 1: Initiator: Source IP/port: 172.18.5.4/39708 Destination IP/port: 134.64.49.80/8088 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: Route-Aggregation2 Source security zone: Trust Responder: Source IP/port: 134.64.49.80/8088 Destination IP/port: 134.84.76.179/44831 DS-Lite tunnel peer: - VPN instance/VLAN ID/Inline ID: -/-/- Protocol: TCP(6) Inbound interface: Route-Aggregation1 Source security zone: Untrust State: TCP_ESTABLISHED Application: GENERAL_TCP Rule ID: 1 Rule name: trust-untrust Start time: 2023-03-09 11:24:40 TTL: 3598s Initiator->Responder: 2 packets 112 bytes Responder->Initiator: 0 packets 0 bytes