SVN2230 L2TP over IPSec access succeeds but cannot reach interior servers (case)

Publication Date:  2014-03-31 Views:  403 Downloads:  1
Issue Description
The customer uses an SVN2230 as the network gateway, and staff on business trips use L2TP over IPSec to access the company network. They can reach the SVN2230 successfully but cannot reach the interior servers.
Alarm Information
None
Handling Process
The users can access the SVN2230 with L2TP over IPSec, which shows that the network path from the VPN clients to the SVN2230 is normal. The issue should therefore be in the network from the SVN2230 to the interior servers, or in some incorrect point of the SVN2230 configuration.

(1) Firstly, let's check the configuration of the SVN2230. I find that the L2TP IP address pool and the interface are within the same network. With this configuration, interior devices will drop the reply packets because they cannot find ARP entries for the VPN client addresses. The configuration is as follows:

domain default
domain vg_oa.dom
  authentication-scheme  vg_oa.scm
  authorization-scheme vg_oa.scm
  radius-server vg_oa.tpl
  ldap-server vg_oa.tpl
  user-priority 255
  ip pool 1 172.31.5.130  172.31.5.230
interface GigabitEthernet0/0/0.3
vlan-type dot1q 3000
ip address 172.31.5.2 255.255.255.0
ipsec policy 1 auto-neg

(2) After changing the IP address pool to 172.31.6.0/24, I test access to the interior servers again, but they still cannot be reached. Checking the sessions on the SVN2230 shows packets in only one direction: the interior servers do not reply to the requests. As follows:

[CIKVDIVPN001] display firewall session table verbose destination global 172.31.8.62
16:08:17  2014/03/16
Current Total Sessions : 1
  tcp  VPN:public --> public
  Zone: lan--> lan  TTL: 00:00:05  Left: 00:00:02
  Interface: GigabitEthernet0/0/0.3  NextHop: 172.31.5.1  MAC: xx-xx-xx-91-7f-ba
  <--packets:0 bytes:0   -->packets:2 bytes:128
172.31.6.135:50591-->172.31.8.62:80   

(3) Next, I check the configuration of the interior firewall USG2200 and find that the route for 172.31.0.0/16 uses the interior network gateway as its next hop, as follows:

ip route-static 172.31.0.0 255.255.0.0 10.161.10.66

With this configuration, the reply packets that the interior servers send to the 172.31.6.0/24 network will not be forwarded to the SVN2230; furthermore, the server service will be abnormal. So the following route needs to be added:

ip route-static 172.31.6.0 255.255.255.0 172.31.5.2 //172.31.5.2 is the interface IP of SVN2230

After adding the above route, VPN users can reach the interior servers normally, and the issue is resolved.
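The two checks from the handling process, as an added example (not from the original case or from Huawei): a pool-versus-interface overlap test for step (1) and a longest-prefix route lookup that reproduces the wrong next hop of step (3). The 172.31.6.1 to 172.31.6.254 pool range is an assumption standing in for the 172.31.6.0/24 pool.

```python
import ipaddress

# Values taken from the case (addresses constructed for the new pool range).
IFACE_NET = ipaddress.ip_network("172.31.5.0/24")      # GigabitEthernet0/0/0.3
OLD_POOL = ("172.31.5.130", "172.31.5.230")            # original L2TP pool
NEW_POOL = ("172.31.6.1", "172.31.6.254")              # assumed range in 172.31.6.0/24
OLD_ROUTES = [("172.31.0.0/16", "10.161.10.66")]       # USG2200 before the fix
FIXED_ROUTES = OLD_ROUTES + [("172.31.6.0/24", "172.31.5.2")]


def pool_overlaps_interface(pool_start, pool_end, iface_net=IFACE_NET):
    """True if any address of the L2TP pool lies inside the gateway's own
    interface subnet.  Interior hosts then treat VPN clients as on-link,
    ARP for them, get no answer and drop the reply packets."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    return not (end < iface_net[0] or start > iface_net[-1])


def lookup_next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) static routes, which is
    how the USG2200 picks the next hop for a server's reply packet."""
    best_net, best_nh = None, None
    dst = ipaddress.ip_address(dst)
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return best_nh


if __name__ == "__main__":
    print("old pool overlaps interface:", pool_overlaps_interface(*OLD_POOL))
    print("new pool overlaps interface:", pool_overlaps_interface(*NEW_POOL))
    # Reply from a server to VPN client 172.31.6.135 (from the session table).
    print("next hop before fix:", lookup_next_hop(OLD_ROUTES, "172.31.6.135"))
    print("next hop after fix: ", lookup_next_hop(FIXED_ROUTES, "172.31.6.135"))
```

Before the fix the reply to 172.31.6.135 is sent to the interior gateway 10.161.10.66 instead of the SVN2230; the added /24 wins the longest-prefix match and steers it to 172.31.5.2.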
Root Cause
According to the issue information, the possible reasons are as follows:
(1) The network from the SVN2230 to the interior servers has some problem;
(2) The SVN2230 drops the packets.
Suggestions
The VPN users could not reach the interior servers because of the incorrect IP address pool configuration and a missing route on the USG2200 firewall.

Suggestion:
For issues of this type, the probable cause is usually the interior routing; please pay close attention to it.

END