Due to P2P Traffic Control, the TOPSEC VPN Client Dial-up is Automatically Disconnected after a Few Minutes

Publication Date: 2012-07-24
Issue Description
The customer's network is VPN client - USG2200 - Internet - TOPSEC firewall. The VPN client's traffic is NATed on the USG2200 to establish the IPSec VPN with the TOPSEC firewall. The service is interrupted two minutes after the connection is established.
Alarm Information
None.
Handling Process
1. Check the session entries on the firewall. No reply packet is found. Collect packet loss statistics on the USG2200:
[USG2210-hidecmd]dis firewall debug_statistic
 Current Show sessions count: 1
 Protocol(UDP) SourceIp(200.200.200.5) DestinationIp(221.214.111.82)  
 SourcePort(2011) DestinationPort(2012) VpnIndex(public)  
           Receive           Forward           Discard  
 Obverse : 88         pkt(s) 22         pkt(s) 198        pkt(s)  
 Reverse : 21         pkt(s) 21         pkt(s) 126        pkt(s)
  
 Discard detail information:
  DP_FW_Rcv                     :exit 10:     66
  DP_GMAC_SEND_ENQUEUE          :exit 1:     43
  DP_GMAC_SEND_ENQUEUE          :exit 3:     43
  DP_GMAC_SEND_ENQUEUE          :exit 4:     43
  DP_GMAC_SEND_ENQUEUE          :exit 8:     43
  DP_GMAC_SEND_ENQUEUE          :exit 15:     43
  DP_GMAC_SEND_CALLED           :exit 6:     43
Packets sent by the VPN client with UDP port 2011 are discarded by the USG2200, so the TOPSEC firewall does not receive the reply packet.
2. Query sessions of the USG2200:
[USG2210]display firewall session table destination-port 2012
Current total sessions: 1
  udp [PPFILM]: VPN: public -> public
  200.200.200.5:2011[60.213.185.98:56532]-->221.214.111.82:2012
Discarded packets are identified as PPFILM packets.
3. It is likely that P2P identification mistakes the dial-up interactive packets for PPFILM packets and applies traffic control to them directly. Because the CIR value is 0, these packets are discarded and the VPN service is interrupted.
4. Disable P2P traffic control, or increase the CIR value of the P2P class. The service returns to normal.
Root Cause
P2P classes configured by the customer are as follows:
P2P-class 0
Cir default 0
P2P-class 1
Cir default 0
The bandwidth of the classes is 0. The dial-up interactive packets of the TOPSEC VPN client are identified as PPFILM and subjected to P2P traffic control. Because the P2P bandwidth is 0, all identified packets are discarded, and the VPN service is automatically disconnected.
Suggestions
The R&D personnel have modified the P2P pattern file. Dial-up interactive packets sent by the TOPSEC VPN client are no longer identified as PPFILM packets.
For problems of this kind, locate the fault by collecting packet loss statistics on the firewall.
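The check performed in steps 1 to 3 can be scripted. The following is an added example, not part of the original case or of any Huawei tool: it parses the two CLI outputs shown above and reports a flow to a known service port that carries a P2P label and has discarded packets. The function names, the expected_ports parameter and the P2P_LABELS set are assumptions made for illustration, and the regular expressions assume the output layout shown in this case.

```python
import re

# CLI output copied from the case above (USG2200).
STATS = """\
 Protocol(UDP) SourceIp(200.200.200.5) DestinationIp(221.214.111.82)
 SourcePort(2011) DestinationPort(2012) VpnIndex(public)
           Receive           Forward           Discard
 Obverse : 88         pkt(s) 22         pkt(s) 198        pkt(s)
 Reverse : 21         pkt(s) 21         pkt(s) 126        pkt(s)
"""
SESSIONS = """\
Current total sessions: 1
  udp [PPFILM]: VPN: public -> public
  200.200.200.5:2011[60.213.185.98:56532]-->221.214.111.82:2012
"""
P2P_LABELS = {"PPFILM"}  # assumption: only the label seen in this case

FIELD = re.compile(r"(Protocol|SourceIp|DestinationIp|SourcePort|DestinationPort)\(([^)]*)\)")
ROW = re.compile(r"(Obverse|Reverse)\s*:" + r"\s*(\d+)\s+pkt\(s\)" * 3)
SESSION = re.compile(
    r"(\w+)\s*(?:\[(\w+)\])?:\s*VPN:[^\n]*\n\s*"
    r"([\d.]+):(\d+)(?:\[[\d.]+:\d+\])?-->([\d.]+):(\d+)")

def parse_stats(text):
    """Return (flow 5-tuple, {direction: discarded packets})."""
    f = dict(FIELD.findall(text))
    flow = (f["Protocol"].lower(), f["SourceIp"], int(f["SourcePort"]),
            f["DestinationIp"], int(f["DestinationPort"]))
    discards = {d: int(dis) for d, _rcv, _fwd, dis in ROW.findall(text)}
    return flow, discards

def parse_sessions(text):
    """Yield (flow 5-tuple, application label or None) per session entry."""
    for proto, app, sip, sport, dip, dport in SESSION.findall(text):
        yield (proto.lower(), sip, int(sport), dip, int(dport)), app or None

def misclassified_flows(stats_text, session_text, expected_ports):
    """Flows to an expected (non-P2P) port that carry a P2P label and show discards."""
    flow, discards = parse_stats(stats_text)
    hits = []
    for sflow, app in parse_sessions(session_text):
        if app in P2P_LABELS and sflow[4] in expected_ports and sflow == flow:
            if sum(discards.values()) > 0:
                hits.append({"flow": sflow, "label": app, "discards": discards})
    return hits

if __name__ == "__main__":
    for hit in misclassified_flows(STATS, SESSIONS, expected_ports={2012}):
        print(hit)
```

Pass in expected_ports the destination ports of services that must not be subject to P2P traffic control; in this case that is the VPN dial-up port 2012.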