ARP Problem on the ISP Gateway Device Causes Netscreen MIP Mapping to Fail

 


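If the public IP address used for the MIP mapping was recently in use on another device, the following may occur:
1. A MIP address that is the same as the Untrust interface IP maps successfully, while every MIP that differs from the Untrust interface IP cannot be reached from outside; from the internal network all of them can be reached.
Solutions:
1. Ask the ISP to reboot the gateway device or clear its ARP table.
2. Swap the Untrust interface address with each unreachable MIP address; once access to the external network works, swap them back.
3. ping 192.168.11.2 from mip 10.1.1.3
   (192.168.11.2: the ISP gateway address or another external IP; 10.1.1.3: the MIP address that cannot be reached)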
 

Solution ID: nskb698

MIP not working

If the IP address used for the MIP was previously configured on another network device connected to the Internet router, there may be problems with the new MIP address.

1. Clear the arp cache by rebooting the router that is on the untrusted side of the Netscreen
2. If you cannot clear the arp cache or reboot the router:
   1. Swap the IP address on the Untrust interface for the MIP address
   2. Ping the router on the untrust side to force the arp cache on the router to be updated with the MIP address with the MAC address of the untrust interface
   3. Revert the IP configuration back to the original IP addresses

ping example:
ping 10.100.2.11 count 4 from ethernet1
ping 192.168.11.2 from mip 10.1.1.3
ping 10.100.2.11 count 4 size 1000 time-out 3
ping 10.100.2.171 count 3

Run the workaround quickly with a VBS script:
NS.vbs

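' Types the workaround into the console window that has focus.
' FIREWALL_IP, user and pwd are placeholders: replace them before running.
Set sh = WScript.CreateObject("WScript.Shell")
WScript.Sleep 1000
sh.SendKeys "telnet FIREWALL_IP"
sh.SendKeys "{ENTER}"
WScript.Sleep 1000
sh.SendKeys "user{ENTER}"
WScript.Sleep 1000
sh.SendKeys "pwd{ENTER}"
WScript.Sleep 800
' Ping Baidu's IP from the Untrust port
sh.SendKeys "ping 220.181.6.6 from e3{ENTER}"
WScript.Sleep 500
' Set the Untrust interface address to the MIP address that fails to map
sh.SendKeys "set interface e3 ip 219.141.15.21/24{ENTER}"
WScript.Sleep 500
sh.SendKeys "save{ENTER}"
WScript.Sleep 500
' Ping again so the upstream router sees the MIP address with this interface's MAC
sh.SendKeys "ping 220.181.6.6 from e3{ENTER}"
WScript.Sleep 500
' Restore the Untrust interface address to its original value
sh.SendKeys "set interface e3 ip 219.141.15.20/24{ENTER}"
WScript.Sleep 500
sh.SendKeys "save{ENTER}"
WScript.Sleep 500
' Leave the firewall session, then the console
sh.SendKeys "Exit{ENTER}"
WScript.Sleep 500
sh.SendKeys "Exit{ENTER}"
WScript.Sleep 500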

NS.bat

@echo off
%comspec% /k cscript //Nologo NS.vbs
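
An added example, not part of the original post or the quoted KB article: the swap-and-ping workaround generalised to several failing MIPs. It emits only the command forms used in NS.vbs, rejects any MIP outside the Untrust subnet, and saves once after the original address is restored; the function name and the address 219.141.15.22 are assumptions made for illustration.

```python
import ipaddress


def mip_arp_refresh_commands(iface, untrust_cidr, ping_target, mips):
    """Build the ScreenOS CLI lines that re-announce each MIP to the upstream router.

    Hypothetical helper: it only assembles text from the command forms that
    appear in NS.vbs (set interface ... ip, ping ... from, save).
    """
    untrust = ipaddress.ip_interface(untrust_cidr)
    net = untrust.network
    target = ipaddress.ip_address(ping_target)
    seen, cmds = set(), []
    for raw in mips:
        mip = ipaddress.ip_address(raw)
        if mip == untrust.ip or mip in seen:
            continue  # the interface's own address already resolves; skip repeats
        if mip not in net or mip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{mip} is not a usable host address in {net}")
        seen.add(mip)
        # Temporarily own the MIP address, then send traffic through the gateway
        # so its ARP entry for that address is rewritten with this interface's MAC.
        cmds.append(f"set interface {iface} ip {mip}/{net.prefixlen}")
        cmds.append(f"ping {target} from {iface}")
    if cmds:
        # Assumption of this example: restore first, save once afterwards, so the
        # saved configuration never contains a temporary address.
        cmds.append(f"set interface {iface} ip {untrust.with_prefixlen}")
        cmds.append("save")
    return cmds


if __name__ == "__main__":
    # Addresses from NS.vbs, plus 219.141.15.22 constructed as a second failing MIP.
    for line in mip_arp_refresh_commands(
        "e3", "219.141.15.20/24", "220.181.6.6",
        ["219.141.15.21", "219.141.15.22"],
    ):
        print(line)
```

Run the generated lines from a console or management session that does not depend on the Untrust address, since that address changes while the sequence runs.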