Network Topology and Description
The V7 firewall is the Internet egress device; intranet users must pass local portal authentication before they can access the public network.
Alarm Information
The portal authentication page pops up normally, but after the username and password are entered the page reports the error "System busy, please try again later".
Problem Description
The V7 firewall is the Internet egress device, and intranet users must pass local portal authentication before they can access the public network. The browser portal authentication page pops up normally, but after the username and password are entered the page reports the error "System busy, please try again later".
Analysis
The site was deployed following the typical configuration guide "V7 Firewall Local Portal Typical Configuration Case" (https://zhiliao.h3c.com/Theme/details/77243). Inspection of the CLI configuration showed nothing abnormal: the interfaces had been added to security zones and a permit-all security policy was present.
The main configuration is as follows:
#
interface Vlan-interface200
 ip address 172.16.200.253 255.255.255.0
 portal enable method direct
 portal domain portal
 portal apply web-server portal
#
domain portal
 authentication portal local
 authorization portal local
 accounting portal none
#
security-zone name Trust
 import interface Vlan-interface200
 import interface GigabitEthernet1/0/25 vlan 1 to 4094
#
portal web-server portal
 url http://172.16.200.253/portal
#
portal local-web-server http default-logon-page 15723486157012.zip
 user-password modify enable
#
security-policy ip
 rule 0 name any-any
  action pass
  logging enable
#
local-user test class network
 password cipher $c$3$pdql1JFjx+1RI0Jzruv3EjWxvHeTWtUxSA==
 service-type portal
 authorization-attribute user-role network-operator
#
Running debugging portal all to trace the portal packet exchange showed that, after the device sent the redirect, it did receive the HTTP packet from the client, but it could not obtain the client's MAC address. If the client were in the same subnet as int-vlan200, the device would certainly learn the client MAC. Checking showed the client UserIP=172.16.0.2 while the int-vlan200 address is 172.16.200.253/24; the two are in different subnets, so the portal enable method direct configuration under int-vlan200 is the problem.
*Aug2 11:57:07:715 2023 WWFW PORTAL/7/EVENT: -COntext=1; Accept a new user request connection
*Aug2 11:57:07:715 2023 WWFW PORTAL/7/EVENT: -COntext=1; Receive HTTP GET method packet.
*Aug2 11:57:07:715 2023 WWFW PORTAL/7/EVENT: -COntext=1; Request for /portal/common.css.
*Aug2 11:57:07:716 2023 WWFW PORTAL/7/EVENT: -COntext=1; Can't find MAC address.
*Aug2 11:57:07:716 2023 WWFW PORTAL/7/ERROR: -COntext=1; Failed to get SSID when get matchpkg.UserIP=172.16.0.2,MAC=0000-0000-0000
*Aug2 11:57:07:716 2023 WWFW PORTAL/7/EVENT: -COntext=1; Failed to get dhcp option55 due to failure to get user physical info, user IP=172.16.0.2.
*Aug2 11:57:07:716 2023 WWFW PORTAL/7/EVENT: -COntext=1; Failed to get dhcp option55 due to failure to get user physical info, user IP=172.16.0.2.
*Aug2 11:57:07:716 2023 WWFW PORTAL/7/EVENT: -COntext=1; Connection has been destroyed,UserIP=172.16.0.2
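The subnet check performed by hand above can be automated. The following script is an added example (not from the H3C guide or the device): it parses the interface configuration and the debugging portal all output, and flags any portal enable method direct interface whose MAC-less users are outside that interface's subnet. The configuration and log lines are constructed samples modelled on this case.

```python
import ipaddress
import re

# Constructed sample input modelled on the case above (not captured from a real device).
CONFIG = """\
interface Vlan-interface200
 ip address 172.16.200.253 255.255.255.0
 portal enable method direct
 portal domain portal
"""
DEBUG = """\
*Aug2 11:57:07:716 2023 WWFW PORTAL/7/EVENT: -COntext=1; Can't find MAC address.
*Aug2 11:57:07:716 2023 WWFW PORTAL/7/ERROR: -COntext=1; Failed to get SSID when get matchpkg.UserIP=172.16.0.2,MAC=0000-0000-0000
"""

def parse_portal_interfaces(config):
    """Map interface name -> (subnet, portal method) for portal-enabled interfaces."""
    result, name, net, method = {}, None, None, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            if name and method:
                result[name] = (net, method)
            name, net, method = m.group(1), None, None
        elif m := re.match(r"\s*ip address (\S+) (\S+)", line):
            # ip_network accepts a dotted-decimal mask; strict=False tolerates host bits
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"\s*portal enable method (\S+)", line):
            method = m.group(1)
    if name and method:
        result[name] = (net, method)
    return result

def unresolved_users(debug):
    """UserIPs for which the portal module logged an all-zero MAC address."""
    ips = re.findall(r"UserIP=(\d+(?:\.\d+){3}),MAC=0000-0000-0000", debug)
    return sorted({ipaddress.ip_address(ip) for ip in ips})

def diagnose(config, debug):
    """Flag direct-mode interfaces whose MAC-less users are not on the interface subnet.
    Each finding carries the command that resolves it."""
    findings = []
    for name, (net, method) in parse_portal_interfaces(config).items():
        for ip in unresolved_users(debug):
            if method == "direct" and net is not None and ip not in net:
                findings.append((name, str(ip), "portal enable method layer3"))
    return findings

if __name__ == "__main__":
    for name, ip, fix in diagnose(CONFIG, DEBUG):
        print(f"{name}: user {ip} is off-subnet but method is direct -> use '{fix}'")
```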
Solution
The problem was resolved after the portal authentication method was changed to one that supports authentication across Layer 3.
#
interface Vlan-interface200
 portal enable method layer3