
Service Interruption Occurs Due to the Packet Redirection Function of the USG2200

Publication Date: 2012-07-24 | Views: 3 | Downloads: 0
Issue Description
The SRG20-20 in the provincial center has a fixed public IP address.
Each SRG20-10 connects to the Internet through ADSL on interface Ethernet0/0/0.
Vlan 10 and Vlan 20 can only access the provincial intranet. Vlan 30 reaches the Internet through the IPSec VPN to the SRG20-20 in the provincial center, where the traffic is NATed.
Symptom 1:
   A multi-to-one IPSec VPN is established between more than 400 gas stations and the provincial center. The IPSec VPN tunnels keep disconnecting.
Alarm Information

None.

Handling Process
To disable the ICMP error reply function described under Root Cause, run the following command on the SRG20-20:
   undo firewall permit send icmp-errorreply
Root Cause

According to the network design, traffic from the gas-station Vlan 30 reaches the SRG20-20 through the IPSec VPN and is forwarded to the Internet after NAT on the SRG20-20.
As a result, these packets both enter and leave the SRG20-20 through the same extranet interface facing the Internet.
The SRG20-20 checks the ingress and egress interfaces of every packet it receives. If they are the same, the SRG20-20 assumes the packet has taken a redundant route and sends an icmp-errorreply message to the source host, instructing it to correct its routing entry.
This function is enabled by default and does not appear in the configuration.
This behavior therefore conflicts with the network design and requirements: the SRG20-20 continually sends icmp-errorreply packets to the source hosts, exhausting device resources. As the icmp-errorreply packets accumulate, the device no longer has the resources to maintain the IPSec VPN tunnels, and a large number of VPNs disconnect.
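The following is an added illustration of the forwarding check described above, written for this page and not Huawei or SRG20-20 code. The interface names, route table, destination labels and per-station traffic are constructed assumptions that mirror the topology on the page: tunnelled Vlan 30 traffic is received on the extranet interface and, after NAT, leaves through that same interface, so every Internet-bound packet triggers an error reply while intranet-bound packets do not. It also shows the per-source count an operator could use to spot the storm, since the device raises no alarm.

```python
"""Toy model of the ingress-equals-egress check in the Root Cause section.

Added example, not Huawei or SRG20-20 code. Interface names, the route table
and the packet list are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EXTRANET = "GigabitEthernet0/0/1"   # assumed name of the Internet-facing interface
INTRANET = "GigabitEthernet0/0/0"   # assumed name of the provincial-intranet interface


@dataclass(frozen=True)
class Packet:
    src: str        # original source host (gas-station Vlan 30 host)
    dst: str        # "intranet" or "internet" (constructed destination labels)
    ingress: str    # interface the packet was received on after IPSec decryption


@dataclass
class Router:
    # destination label -> egress interface; "default" covers the Internet
    routes: Dict[str, str]
    # the page's hidden default: the check is on unless explicitly disabled
    permit_send_icmp_errorreply: bool = True
    errors_sent: Counter = field(default_factory=Counter)

    def egress_for(self, dst: str) -> str:
        return self.routes.get(dst, self.routes["default"])

    def forward(self, pkt: Packet) -> Optional[str]:
        """Forward one packet. Returns the host an ICMP error reply is sent to,
        or None when the packet is simply forwarded."""
        egress = self.egress_for(pkt.dst)
        if self.permit_send_icmp_errorreply and egress == pkt.ingress:
            # same ingress and egress: the device assumes a redundant route
            # and tells the source host to correct its routing entry
            self.errors_sent[pkt.src] += 1
            return pkt.src
        return None


def build_router(errorreply_enabled: bool) -> Router:
    routes = {"intranet": INTRANET, "default": EXTRANET}
    return Router(routes=routes, permit_send_icmp_errorreply=errorreply_enabled)


def station_traffic(stations: int, internet_packets_per_station: int) -> List[Packet]:
    """Constructed traffic: each station sends one intranet-bound packet plus
    the given number of Internet-bound packets. Both kinds arrive through the
    tunnel, which terminates on the extranet interface."""
    pkts: List[Packet] = []
    for i in range(stations):
        src = f"10.30.{i // 250}.{i % 250 + 1}"   # constructed Vlan 30 addresses
        pkts.append(Packet(src, "intranet", EXTRANET))
        pkts.extend(Packet(src, "internet", EXTRANET)
                    for _ in range(internet_packets_per_station))
    return pkts


def run(stations: int, internet_packets_per_station: int,
        errorreply_enabled: bool) -> int:
    """Total ICMP error replies the router emits for the constructed traffic."""
    router = build_router(errorreply_enabled)
    for pkt in station_traffic(stations, internet_packets_per_station):
        router.forward(pkt)
    return sum(router.errors_sent.values())


def noisy_sources(router: Router, threshold: int) -> List[str]:
    """Hosts that received more than `threshold` error replies: the signal to
    look for when device resources drain without any alarm being raised."""
    return sorted(s for s, n in router.errors_sent.items() if n > threshold)


if __name__ == "__main__":
    print("error replies with the check enabled :", run(400, 10, True))
    print("error replies with the check disabled:", run(400, 10, False))
```

With the check enabled, 400 stations each sending 10 Internet-bound packets produce 4000 error replies, one per forwarded packet, which is the accumulation the page describes; disabling the check brings the count to zero while intranet-bound packets are unaffected either way.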

Suggestions
Many functions are enabled by default yet hidden from the configuration. It is recommended that functions enabled by default be shown in the configuration, and that only functions disabled by default be omitted from it.

END