IPsec service unavailable because fast forwarding was not disabled on the internal network interface

Publication Date: 2012-11-28
Issue Description
PC1 ---- USG2130 ------- SRG20-20 ----- PC2

1. The USG2130 can ping PC2, and the USG2130 can also ping PC2 when it uses PC1's gateway address as the source address, but PC1 cannot ping PC2.

2. The display ipsec sa and display ike sa commands show that the tunnel is established normally.
Alarm Information
NULL
Handling Process
1. Checked the IPsec configuration on the devices carefully; no problem was found.

2. Confirmed that PC1's gateway really is on the USG2130 internal network.

3. Using the debug ipsec all command, found that PC1's packets were not being encrypted in the normal way but were forwarded directly.

Turning off the fast-forward function on the internal network interface with the undo ip fast-forwarding qff command solved the problem.
Root Cause
1. IPsec VPN configuration problems on the USG2130 and the SRG.

2. PC1 did not have a gateway configured, or PC1's gateway was not on the USG2130.

3. Fast forwarding was not disabled on the USG2130 internal network interface.
Suggestions
On low-end devices, turn off the fast-forward function on interfaces used for IPsec VPN wherever possible:

undo ip fast-forwarding qff
