When the Express Forwarding of the Intranet Interface is Disabled, IPSec Services are Unavailable

Publication Date: 2012-07-27
Issue Description
PC1----USG2130-------SRG20-20-----PC2
1. The USG2130 can ping PC2, whether or not a source IP address (the PC1 gateway) is specified. However, PC1 cannot ping PC2.
2. The display ipsec sa and display ike sa commands show that the tunnels are established normally.
Alarm Information
None.
Handling Process
1. Check the IPSec configuration of the device. The configuration is correct.
2. Check whether the PC1 gateway is on the intranet of the USG2130.
3. Run the debug ipsec all command. The output shows that the packets sent by PC1 are forwarded directly without being encrypted.
4. Run the undo ip fast-forwarding qff command to disable the EF function on the intranet interface.
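An independent way to confirm the symptom from step 3, as an added example that is not part of the original case: a Python check over raw IPv4 packets captured on the USG2130's outbound side that flags traffic between the protected subnets leaving without ESP or AH. The subnets, gateway addresses and sample packets are constructed assumptions, and tunnel mode is assumed.

```python
import ipaddress
import struct

# Assumed protected subnets (constructed): the flows the IPSec policy should match.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # PC1 side, behind the USG2130
REMOTE_NET = ipaddress.ip_network("192.168.2.0/24")  # PC2 side, behind the SRG20-20
ESP, AH = 50, 51                                     # IP protocol numbers

def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto) from a raw IPv4 packet, or None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), pkt[9]

def is_cleartext_leak(pkt: bytes) -> bool:
    """True if inner addresses are visible on the WAN side without ESP/AH."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return False
    src, dst, proto = parsed
    if proto in (ESP, AH):
        return False
    # In tunnel mode the outer header carries gateway addresses, so seeing
    # both protected subnets in the header means the packet bypassed IPSec.
    return ((src in LOCAL_NET and dst in REMOTE_NET) or
            (src in REMOTE_NET and dst in LOCAL_NET))

def find_leaks(packets):
    """Return the indexes of packets that left unencrypted."""
    return [i for i, p in enumerate(packets) if is_cleartext_leak(p)]

def build_ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (checksum left at 0) for the samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload

# Constructed WAN-side capture; gateway addresses are documentation ranges.
SAMPLE_WAN_CAPTURE = [
    build_ipv4("203.0.113.1", "203.0.113.2", ESP, b"\x00" * 16),   # tunnelled
    build_ipv4("192.168.1.10", "192.168.2.10", 1, b"\x08\x00"),    # PC1 ping, leaked
    build_ipv4("203.0.113.1", "198.51.100.7", 6),                  # unrelated traffic
    b"\x45\x00",                                                   # truncated packet
]

if __name__ == "__main__":
    print("cleartext leaks at indexes:", find_leaks(SAMPLE_WAN_CAPTURE))
```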
Root Cause
1. The IPSec VPN is not correctly configured on the USG2130 and SRG.
2. PC1 is not configured with a gateway, or the gateway of PC1 is not on the USG2130.
3. The Express Forwarding (EF) function is not disabled on the USG2130.
Suggestions
For the IPSec VPN on low-end devices, you are advised to disable the EF function.
 undo ip fast-forwarding qff