grinnZli
Occasional Advisor

HPE MSR3012

Hello!

I have trouble with Google services with my router.

security-zone name Local
#
security-zone name Trust
import interface GigabitEthernet0/2
import interface GigabitEthernet0/2.18
#
security-zone name DMZ
import interface GigabitEthernet0/0
#
security-zone name Untrust
import interface GigabitEthernet0/1
#
security-zone name Management
#
zone-pair security source Local destination Trust
packet-filter name InterLan
#
zone-pair security source Local destination Untrust
packet-filter name Local-Untrast
#
zone-pair security source Trust destination Local
packet-filter name InterLan
#
zone-pair security source Trust destination Untrust
packet-filter name GL_NAT
#
zone-pair security source Untrust destination Local
packet-filter name Untrast-Local
#
zone-pair security source Untrust destination Trust
packet-filter name Un-Trust

acl advanced name GL_NAT
rule 1 permit tcp established
rule 5 permit ip source object-group 9-Floor time-range work
rule 7 permit ip source object-group 0dmins
rule 10 permit ip source object-group Market time-range work
rule 15 permit ip source object-group UKS time-range work
rule 25 permit ip source object-group Servers
rule 30 permit ip source object-group ILO-ESXI
rule 50 permit ip source object-group Wi-Fi time-range work-wifi
rule 55 permit ip source object-group VPN-OCS time-range work-vpn
rule 60 permit ip source object-group IP-TEL

acl advanced name InterLan
rule 5 permit ip
#
acl advanced name Local-Untrast
description Link_Router-Internet
rule 0 permit icmp
rule 5 permit tcp established
rule 10 permit udp destination-port eq dns
rule 20 permit udp destination-port eq ntp
rule 25 permit udp destination-port eq 443
rule 55 permit udp source-port eq bootpc
rule 60 permit tcp destination-port eq www
rule 65 permit tcp destination-port eq 8080
rule 70 permit tcp destination-port eq 443
#
acl advanced name Un-Trust
rule 0 permit tcp destination XXXX destination-port eq 443
rule 5 permit udp destination XXXX destination-port eq 443
#
acl advanced name Untrast-Local
description Link_InterNet-Router
rule 0 permit icmp
rule 2 permit udp destination-port eq bootpc
rule 5 permit tcp established

Google services don't work, QUIC protocol. Help me please (better in Russian, of course).
Ivan_B
HPE Pro

Re: HPE MSR3012

Hi @grinnZli !

You didn't mention hosts in which security-zone have issues with QUIC protocol, but I assume they are located in 'Local'.

I am not an expert in QUIC protocol, but since it uses UDP I think you need to perform following modifications:

acl advanced name Untrast-Local
 rule 10 permit udp source-port eq 443

The thing is that, unlike TCP sessions, whose state the router can track with the 'established' keyword (it checks the Acknowledgment (ACK) or Reset (RST) bit), the UDP header carries no session information: every UDP packet is independent of the others, and if an application needs to track sessions, that tracking must be implemented at Layer 7. Therefore you need to explicitly allow return traffic from servers that use QUIC; otherwise your ACL will just drop it.


I am an HPE employee
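To illustrate the point above, here is an added Python model of first-match ACL evaluation (example code written for this thread, not from the original post or from HPE): it parses the posted 'Untrast-Local' ACL and shows that a UDP/443 QUIC reply falls through to the implicit deny until a matching UDP rule exists, while a TCP reply is caught by 'established'. The parser and the simplified matching semantics (no addresses, object-groups or time-ranges) are assumptions, not the router's actual matching engine.

```python
import re

# Constructed sample: the 'Untrast-Local' ACL from the original post (return
# traffic from the Internet into the router) before and after adding the
# rule Ivan_B proposed for QUIC (UDP source port 443) replies.
ACL_BEFORE = """\
acl advanced name Untrast-Local
 rule 0 permit icmp
 rule 2 permit udp destination-port eq bootpc
 rule 5 permit tcp established
"""
ACL_AFTER = ACL_BEFORE + " rule 10 permit udp source-port eq 443\n"

PORTS = {"bootpc": 68, "bootps": 67, "dns": 53, "ntp": 123, "www": 80}
RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\w+)(.*)")


def parse_acl(text):
    """Parse 'rule N permit|deny <proto> [options]' lines, sorted by rule number."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # 'acl advanced name ...' header and anything unrecognised
        num, action, proto, rest = m.groups()
        rule = {"num": int(num), "action": action, "proto": proto,
                "established": "established" in rest}
        for key in ("source-port", "destination-port"):
            pm = re.search(rf"{key} eq (\S+)", rest)
            if pm:
                rule[key] = int(PORTS.get(pm.group(1), pm.group(1)))
        rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])


def evaluate(rules, proto, sport, dport, ack_or_rst=False):
    """First-match evaluation of one packet with an implicit deny at the end.
    Assumption: 'established' matches only TCP segments with ACK or RST set."""
    for r in rules:
        if r["proto"] not in (proto, "ip"):
            continue
        if r["established"] and not (proto == "tcp" and ack_or_rst):
            continue
        if "source-port" in r and r["source-port"] != sport:
            continue
        if "destination-port" in r and r["destination-port"] != dport:
            continue
        return r["action"], r["num"]
    return "deny", None
```

A QUIC reply (UDP, source port 443, ephemeral destination port) returns ('deny', None) against ACL_BEFORE and ('permit', 10) against ACL_AFTER, whereas a TCP reply with ACK set matches rule 5 in both.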

grinnZli
Occasional Advisor

Re: HPE MSR3012

Did not help! Waiting for a response from your internet provider.

Ivan_B
HPE Pro

Re: HPE MSR3012

Hi @grinnZli !

I advise you to try a permissive ACL "acl advanced name Untrast-Local" - just put "permit ip" on the top and check if QUIC will start working. If it will, then check QUIC documentation (if any exists) what traffic should be allowed on a firewall or router in order to bypass this protocol inside your network. However, if even with permissive ACL the QUIC won't work, then the issue is definitely outside your router.


I am an HPE employee

grinnZli
Occasional Advisor

Re: HPE MSR3012

Doesn't work!

Ivan_B
HPE Pro

Re: HPE MSR3012

QUIC doesn't work with a permissive ACL?


I am an HPE employee

grinnZli
Occasional Advisor

Re: HPE MSR3012

Yes! QUIC doesn't work with a permissive ACL.

Ivan_B
HPE Pro

Re: HPE MSR3012

I see. So it is either your ISP or maybe another ACL that we overlooked. You need to check the return traffic flow from Google to your hosts: which interfaces it traverses and which ACLs it may hit before reaching your internal PCs.


I am an HPE employee