Services Along an IPSec Tunnel Are Interrupted

Publication Date: 2013-12-31
Issue Description
After an IPSec tunnel is established between a USG2100 (branch) and a USG5100 (headquarters), traffic between the private networks behind the two devices is interrupted.
11.101.2.1/24 -- USG2100 -- 2.2.2.2/24 ------ 1.1.1.1/24 -- USG5100 -- 11.1.1.1/24
Private address            Public address      Public address           Private address

Alarm Information
None
Handling Process
1. On the USG2100 side, ping 11.1.1.1 (headquarters private network) from 11.101.2.1. The ping fails.
2. Check whether the traffic is NAT-translated and whether it reaches headquarters. Display the session table on the USG5100 in the headquarters:
<USG5100> display firewall session table verbose destination inside 11.101.2.1
   Current Total Sessions : 1
  icmp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:00:20  Left: 00:00:19
  Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:3 bytes:252   -->packets:3 bytes:252
  11.101.2.1:43986-->11.1.1.1:2048
The session carries packets in both directions (3 request packets in, 3 reply packets out): the USG5100 receives the requests and sends responses, so the fault is on the return path towards the USG2100.
3. Check the ESP session on the USG2100 for packets arriving from the headquarters public address 1.1.1.1:
[USG2100] display firewall session table verbose source global 1.1.1.1
Current Total Sessions : 1
  esp  VPN:public --> public
  Zone: dx--> trust  TTL: 00:10:00  Left: 00:09:59
  Interface: Vlanif1  NextHop: 11.101.2.200  MAC: 6c-ae-8b-63-95-9a
  <--packets:0 bytes:0   -->packets:272 bytes:29368
  1.1.1.1:0-->2.2.2.2:0[11.101.2.200:0]
The bracketed address shows that the ESP session is NAT-translated: ESP packets from 1.1.1.1 addressed to the USG2100's own public address 2.2.2.2 are being forwarded to the private host 11.101.2.200. 272 packets have arrived and none have gone back, because the ESP packets never terminate on the USG2100 itself.
4. Collect information from the customer. The public address 2.2.2.2 of the USG2100 is statically mapped (NAT server) to a server on the private network, which is the 11.101.2.200 seen in the session above. The mapping captures the tunnel's ESP packets.
5. Delete the stale ESP session. After that, services are normal.
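As an added example, not part of the original case, the following Python script parses the display firewall session table verbose output shown in steps 2 and 3 and flags the two symptoms the procedure relies on: an ESP session whose destination carries a NAT translation (the bracketed address after the flow) and a session with forward packets but no return packets. The sample dumps embedded below are constructed from the outputs above; the regular expressions, field names and the diagnose helper are this example's own, not a Huawei tool.

```python
"""Parse Huawei USG 'display firewall session table verbose' output and flag
an ESP session that is being NAT-translated, and one-way sessions.

Added example: the session dumps below are constructed from the case text.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One session starts with a line such as "  esp  VPN:public --> public".
SESSION_RE = re.compile(r"^\s*(?P<proto>[a-z]+)\s+VPN:\s*(?P<vpn_in>\S+)\s*-->\s*(?P<vpn_out>\S+)\s*$")
# "  Zone: dx--> trust  TTL: 00:10:00  Left: 00:09:59"
ZONE_RE = re.compile(r"^\s*Zone:\s*(?P<zone_in>\S+?)\s*-->\s*(?P<zone_out>\S+)\s+TTL:")
# "  <--packets:0 bytes:0   -->packets:272 bytes:29368"  (--> is the src->dst direction)
PKT_RE = re.compile(r"<--packets:(?P<rev_pkts>\d+)\s+bytes:\d+\s+-->packets:(?P<fwd_pkts>\d+)\s+bytes:\d+")
# "  1.1.1.1:0-->2.2.2.2:0[11.101.2.200:0]"  (bracket = translated destination)
FLOW_RE = re.compile(
    r"^\s*(?P<src>[\d.]+):(?P<sport>\d+)-->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\[(?P<nat_dst>[\d.]+):(?P<nat_dport>\d+)\])?\s*$"
)


@dataclass
class Session:
    proto: str
    zone_in: str = ""
    zone_out: str = ""
    src: str = ""
    dst: str = ""
    nat_dst: Optional[str] = None  # set when the firewall rewrote the destination
    fwd_pkts: int = 0              # packets seen from src towards dst
    rev_pkts: int = 0              # packets seen back from dst towards src


def parse_sessions(text: str) -> List[Session]:
    """Turn the CLI dump into Session records (header lines are skipped)."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(proto=m["proto"]))
            continue
        if not sessions:
            continue  # e.g. "Current Total Sessions : 1"
        cur = sessions[-1]
        m = ZONE_RE.match(line)
        if m:
            cur.zone_in, cur.zone_out = m["zone_in"], m["zone_out"]
            continue
        m = PKT_RE.search(line)
        if m:
            cur.fwd_pkts, cur.rev_pkts = int(m["fwd_pkts"]), int(m["rev_pkts"])
            continue
        m = FLOW_RE.match(line)
        if m:
            cur.src, cur.dst, cur.nat_dst = m["src"], m["dst"], m["nat_dst"]
    return sessions


def diagnose(s: Session) -> List[str]:
    """Return human-readable findings for one session (empty list = looks healthy)."""
    findings: List[str] = []
    if s.proto == "esp" and s.nat_dst:
        findings.append(
            f"ESP {s.src}->{s.dst} is translated to {s.nat_dst}: a NAT mapping on "
            f"{s.dst} forwards tunnel packets to a private host instead of terminating them locally"
        )
    if s.fwd_pkts > 0 and s.rev_pkts == 0:
        findings.append(f"{s.proto} {s.src}->{s.dst}: {s.fwd_pkts} packets in, 0 back (one-way traffic)")
    return findings


def audit(text: str) -> List[str]:
    """Parse a dump and collect all findings."""
    return [f for s in parse_sessions(text) for f in diagnose(s)]


# Constructed from the headquarters (USG5100) output in step 2.
USG5100_OUTPUT = """\
 Current Total Sessions : 1
  icmp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:00:20  Left: 00:00:19
  Interface: InLoopBack0  NextHop: 127.0.0.1  MAC: 00-00-00-00-00-00
  <--packets:3 bytes:252   -->packets:3 bytes:252
  11.101.2.1:43986-->11.1.1.1:2048
"""

# Constructed from the branch (USG2100) output in step 3.
USG2100_OUTPUT = """\
Current Total Sessions : 1
  esp  VPN:public --> public
  Zone: dx--> trust  TTL: 00:10:00  Left: 00:09:59
  Interface: Vlanif1  NextHop: 11.101.2.200  MAC: 6c-ae-8b-63-95-9a
  <--packets:0 bytes:0   -->packets:272 bytes:29368
  1.1.1.1:0-->2.2.2.2:0[11.101.2.200:0]
"""

if __name__ == "__main__":
    for name, dump in (("USG5100", USG5100_OUTPUT), ("USG2100", USG2100_OUTPUT)):
        print(name, audit(dump) or ["no findings"])
```

Run against the headquarters dump the script reports nothing (ICMP in both directions), and against the branch dump it reports both the NAT-translated ESP session and the missing return traffic, which is exactly the pair of observations that pointed to the mapping of 2.2.2.2 in step 4.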
Root Cause
Possible causes checked, in order:
1. NAT on data traffic is faulty.
2. Data traffic returned from the headquarters is abnormal.
3. Transmission of Encapsulating Security Payload (ESP) packets is faulty.
In this case the cause was item 3: because the USG2100's public address 2.2.2.2 is statically mapped to a private server, ESP packets from headquarters were forwarded to that server (11.101.2.200) instead of being decrypted on the USG2100, so nothing was returned to headquarters.
Suggestions
When troubleshooting IPSec faults, follow the procedure in order: confirm the failure with a ping across the tunnel, check the session table at each end for packet counts in both directions, then inspect the ESP session on the receiving device for a NAT translation (a bracketed address after the destination) and a zero return packet count. When a firewall's own public address is also mapped to an internal server, restrict the mapping to the protocols and ports that server needs so that ESP (and IKE on UDP 500/4500) still terminates on the firewall; otherwise the tunnel traffic is forwarded to the server and the fault recurs.
