Troubleshooting Ideas for an IPSec VPN Fault

Publication Date: 2012-09-11
Issue Description
When a USG2110 and a USG3000 set up a point-to-point VPN, the tunnel negotiation does not come up.
Alarm Information
Handling Process
1 Check the ACLs with display acl all. All the ACLs have hits; the ACL hit count on the headquarters end does not grow, but the branch end has been hit.
2 Check with dis ike sa. The IKE negotiation has been completed.
3 Check the configuration of the IKE peer. The parameters are all correct. The IKE peer at headquarters references the encrypted data flow; this is the cause of the problem.
4 On the headquarters end, the system automatically mirrors the encrypted data flow based on the branch ACL.
Root Cause
Tunnel negotiation generally fails for one of the following reasons:
1 Tunnel negotiation is not triggered. Generally, negotiation is not triggered because the traffic did not hit the ACL.
2 A problem with the IKE proposal.
3 The parameters of the IKE peers are not consistent.
4 With the name authentication method, negotiation can only be initiated by the branch office.
When troubleshooting an IPSec VPN, pay attention to how the interesting traffic (the data flow to be encrypted) is defined on the headquarters devices.
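
Where the interesting-traffic ACL is written by hand on both ends, one offline check is that the headquarters rules are the exact mirror of the branch rules. The script below is an added example, not part of the original case; the VRP-style rule format it parses, the ACL numbers and the addresses are constructed assumptions.

```python
import ipaddress
import re

# VRP-style advanced ACL rule with explicit address/wildcard pairs (assumed format).
RULE_RE = re.compile(r"rule(?:\s+\d+)?\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)"
                     r"\s+destination\s+(\S+)\s+(\S+)")

def to_network(addr, wildcard):
    """Turn address + wildcard mask (e.g. 0.0.0.255) into an IPv4Network."""
    # Invert the wildcard explicitly so 0.0.0.0 means a single host, not "any".
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_flows(acl_text):
    """Return the set of (source, destination) networks permitted by the ACL."""
    flows = set()
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if m:
            src, src_wc, dst, dst_wc = m.groups()
            flows.add((to_network(src, src_wc), to_network(dst, dst_wc)))
    return flows

def _as_text(flows):
    """Sorted (source, destination) pairs in CIDR text form."""
    return sorted((str(s), str(d)) for s, d in flows)

def mirror_report(branch_acl, hq_acl):
    """Compare the headquarters flows with the mirror image of the branch flows."""
    expected = {(dst, src) for src, dst in parse_flows(branch_acl)}
    actual = parse_flows(hq_acl)
    return {"missing_at_hq": _as_text(expected - actual),
            "unexpected_at_hq": _as_text(actual - expected)}

# Constructed sample configurations (RFC 1918 addresses, not from the case).
BRANCH_ACL = """acl number 3000
 rule 5 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.0.0 0.0.255.255
"""
HQ_ACL = """acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.1.0 0.0.0.255
"""

if __name__ == "__main__":
    for kind, flows in mirror_report(BRANCH_ACL, HQ_ACL).items():
        for src, dst in flows:
            print(f"{kind}: {src} -> {dst}")
```

In the sample, the headquarters rule covers only 10.2.1.0/24 of the branch range, so the script reports one missing and one unexpected flow.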