Security ACL is not hit after the USG L2TP over IPsec VPN is established successfully

Publication Date:  2013-12-24 Views:  561 Downloads:  0
Issue Description
USG V300R001

After the VPN client connects successfully, the Security ACL shows no hits at all:
<LNS> display acl 3000
Rule 5 permit udp source-port eq 1701   (0 times matched)

topology:
Alarm Information
None
Handling Process
1、 Check the IPsec and L2TP VPN status:
<LNS> display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress    Port   Sessions RemoteName
1        1         20.1.1.10        65480   1      


<LNS> display l2tp session
Total session = 1
LocalSID  RemoteSID  LocalTID
1         1          1

<LNS> display ike sa
current ike sa number: 2                                                      
  ----------------------------------------------------------------------------- 
  conn-id    peer                    flag          phase vpn                    
  ----------------------------------------------------------------------------- 
  2          20.1.1.10:2048          RD            v1:2  public                 
  1          20.1.1.10:2048          RD            v1:1  public           

  flag meaning
  RD--READY    ST--STAYALIVE  RL--REPLACED      FD--FADING
  TO--TIMEOUT  TD--DELETING   NEG--NEGOTIATING  D--DPD

<LNS> display ipsec sa brief

current ipsec sa number: 2
current ipsec tunnel number: 1
--------------------------------------------------------------
Src Address     Dst Address     SPI         Protocol  Algorithm
-------------------------------------------------------------------
20.1.1.10       10.2.1.3        142427840   ESP       E:DES;A:HMAC-MD5-96;
10.2.1.3        20.1.1.10       52885424    ESP       E:DES;A:HMAC-MD5-96;

2、 Check whether the VPN client connection succeeded:
C:\Documents and Settings\Administrator> ipconfig
Windows IP Configuration
Ethernet adapter {1D873B6A-BAC3-4A99-A567-9F809EA3CE69}:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.3.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.3.1.1

3、 So the IPsec and L2TP VPN are working fine.

4、 After confirming with R&D: the Security ACL is hit only when traffic triggers IPsec to establish the tunnel.
Once the IPsec tunnel is established, all traffic passes through the tunnel and does not hit the Security ACL again. This is how the LNS works.
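The check in steps 1 to 4 as an added triage helper (not part of the original case): it parses the command outputs shown above, constructed here from the case's captures, and reports whether a zero Security ACL hit counter is the expected LNS behaviour or needs further investigation.

```python
import re

# Constructed sample output, modelled on the case's CLI captures above.
ACL_OUTPUT = "Rule 5 permit udp source-port eq 1701   (0 times matched)\n"
IKE_OUTPUT = """current ike sa number: 2
  conn-id    peer                    flag          phase vpn
  2          20.1.1.10:2048          RD            v1:2  public
  1          20.1.1.10:2048          RD            v1:1  public
"""
IPSEC_OUTPUT = "current ipsec sa number: 2\ncurrent ipsec tunnel number: 1\n"
L2TP_OUTPUT = "Total tunnel = 1\n"


def acl_hits(text):
    """Sum the '(N times matched)' counters of every rule in 'display acl'."""
    return sum(int(n) for n in re.findall(r"\((\d+) times matched\)", text))


def ready_phase2_sas(text):
    """Count 'display ike sa' entries in READY (RD) state whose phase is x:2."""
    count = 0
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "RD" and f[3].endswith(":2"):
            count += 1
    return count


def counter(text, label):
    """Read a 'label: N' or 'label = N' counter from a display command."""
    m = re.search(re.escape(label) + r"\s*[:=]\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def triage(acl, ike, ipsec, l2tp):
    """Decide whether zero Security ACL hits are the normal LNS behaviour."""
    tunnel_up = (ready_phase2_sas(ike) > 0
                 and counter(ipsec, "current ipsec tunnel number") > 0
                 and counter(l2tp, "Total tunnel") > 0)
    hits = acl_hits(acl)
    if tunnel_up:
        # Step 4: once the tunnel is up, traffic bypasses the ACL, so 0 hits is normal.
        return "normal"
    if hits == 0:
        return "investigate: no tunnel and no ACL hits, check IPsec/L2TP and client config"
    return "investigate: ACL hit but tunnel not established, check IPsec/L2TP negotiation"


if __name__ == "__main__":
    print(triage(ACL_OUTPUT, IKE_OUTPUT, IPSEC_OUTPUT, L2TP_OUTPUT))
```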

Root Cause
1、 IPsec or L2TP has a problem.
2、 The VPN client configuration has a problem.
3、 Other problems.
Suggestions
In the L2TP over IPsec scenario, it is normal for the Security ACL not to be hit.

END