No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Service interruption caused by Message redirection on USG2200

Publication Date:  2012-09-20 Views:  56 Downloads:  0
Issue Description

The area center SRG20-20 as the fixed public network IP.
SRG20-10 is access to internet via ADSL.ADSL modem connect to ethernet0/0/0 interface.
VLAN10,VLAN20 are only access to provincial intranet ,VLAN30 first get to the area center’s SRG20-20 through IPsec VPN,then access by NAT address transforming.
The symptom
More than 400 gas stations build several-to-one IPsec VPN with the area center.It often happens that most of the IPsec VPN  drop calls ,it’s very precarious.
Alarm Information
none
Handling Process
Turn off the feature. The command is as follows:
undo firewall permit send icmp-errorreply
Root Cause
Analysing based on the networking,we can find that the office data of the gas station in VLAN30 should first get to the SRG20-20 of area center via IPSEC VPN,then accessing the net work can become effective by the nat addresss transforming of SRG20-20.
But in this way,packet will get in through the external net work interface of the SRG20-20,and get out through the same one.
SRG20-20 will check the incoming interface and the outgoing interface of packets,if they were found being same,it’s going to be considered  that the routing redundancy exites for this packet.Then a ICMP-errorreply information will be sent to the source host to warn the mistake exists in the routing table.claiming the host for a optimization.
This function is enabled by default.it’s not displayed in the configuration.
So,this function conflicts with the special networkin and demand of this program,SRG20-20 continue creating the icmp-errorrply message to the source host,wasting the resouce of equipments,when it reaches a centain number, because of the limit of resource,we don’t have enough resource to keep the IPsec VPN tunnels.A lot of VPN drop calls,the instability happens.
Suggestions
There are a lot of features enabled by default,and not displayed in the configuration. It is recommended that the functions enabled by default, to be dislayed in the configuration, and the function turned off by default,needn’t to be displayed in the configuration.

END