客戶使用USG2110-F連接專網和Internet。客戶專網使用定制開發的遠程控制軟件無法使用。但換其它品牌路由器可以正常使用。
無
1、從故障現像來看可以確定為USG2110-F設備軟件版本或配置問題,查看設備版本,確認已經是最新版本。仔細查看配置文件發現配置有DPI,對P2P進行了過濾,試著關閉DPI后測試遠程控制軟件,可以正常使用。確定問題為DPI導致。
2、修改DPI對應的ACL配置文件。允許專網數據,僅對去往Internet報文進行DPI過濾即可。
配置如下:
acl number 3000
rule 5 permit ip source 10.10.0.0 0.0.255.255
rule 10 permit ip destination 10.10.0.0 0.0.255.255
rule 15 deny ip
#
#
dpi
whole-packet-search enable application gnutella
whole-packet-search enable application msn_audio
whole-packet-search enable application msn_im
whole-packet-search enable application http
whole-packet-search enable application https
whole-packet-search enable application mms_stream_signal
whole-packet-search enable application rtsp
whole-packet-search enable application pop3_ssl
whole-packet-search enable application wap_connless
whole-packet-search enable application wap_conn
whole-packet-search enable application ssl
whole-packet-search enable application quicktime_streaming
whole-packet-search enable application cotp_data
whole-packet-search enable application stun
whole-packet-search enable application icy
whole-packet-search enable application tcp_other
relation-detection enable
update rule-base server domain sec.huawei.com
rule 1 if-match category p2p packet-filter acl-number 3000
rule 2 if-match category peer_casting packet-filter acl-number 3000
#
無