Comware

Hello,

we have some strange routing-problems with our 5412zl (Firmware-Version 12.10):

the switch (ip 172.21.3.8) is the default gateway for all clients in the default-vlan is routing all the traffic between the vlans without any problems.

We defined a static route on the switch (0.0.0.0/0 172.21.3.9) to our firewall where all the internet- and some vpn-traffic would be routet externally. All this is working well except some URLS are not working as they should.

If you try to open for exaple the url "https://mall.automation.siemens.com" on any client you sometimes get the page and sometimes you don´t (and when you get the page you could only follow links for 30 to 60 seconds till the page isn´t working any more)

If you configure a client to use the firewall as default gateway this url´s work perfectly.

I´ve got the running-config attached and appreciate any suggestions.

Thanks

Dirk

Problem:
switch VLAN interface and firewall interface are in the same subnet: 172.21.3.0/24 (I suppose)

Solution:
-create new switch VLAN interface, assign 10.1.1.1/24 to it, assign 10.1.1.2/24 to the firewall interface
-untagg the firewall port in this VLAN, -issue: ip route 0.0.0.0 0.0.0.0 10.1.1.2 in the switch
-don't change the default gateway of the clients (leave it to 172.21.3.8)

Should work.

Thank You for your Reply.

Could you please tell me, why it is a Problem that the Client-Default-gateway and the Firewall are in the same subnet ?

basically the routing is working well.

Thank You

Dirk

Hello Dan,

i have just attached a simplified scheme of our network - maybe you could have a look on it (The HP 5412 and the 2650 are in different buildings in Town, connectet with Gigabit-Fibre).

Please note that problems occur on the clients from the 172.21.x.x and from the 192.168.105.x Subnet.

Does your answer mean i should create additional Vlans between 5412 and 2650 and between 2650 and "Firewall Company B" ?

Thanks

Dirk

Hi Dirk


Can you attach the configuration of the 5400 after removing any private info for the company.

One more thing,
If the clients gateway was the firewall, and your are saying everything is working fine, then did you enable routing on the firewall in this case for other Vlans ?

Also, did you add another default route on both sides as a backup pointing to other side ?

Good Luck !!!

Hello Mohieddin,

i have attached the running-config of the 5412.

When we give a client the Firewall as gateway it was for testing only - so no routing to other vlans was made. We have no backup-routes defined on both devices.

I just found out today, that when the 5412 got nothing to to (since nearly nobody is working) everything is working fine.

Thank You

Dirk

Hi

I've seen the configuration and it look fine.

But i have one doubt to share with you.

I've faced problem before with HTTPs with one of my clients and after invistigating i noticed that the HTTPs session timed out before any reply.

So it was a timing issue, and i noticed that my client configured a Local DNS server that was 5 to 6 HOPs away from the LAN, and when i changed to alternative DNS which was 1 HOP, things startd to work fine.

Also, you can;t imagine that some HTTPs sites like the HOTMAIL, YAHOO MAIL login pages were perfect but not the GMAIL.

I suggest you see where the packet is being delayed and timed out.

Good Luck !!!