The headquarters USG5150BSR establishes IPSec tunnels with two USG2130 branches, but VPN access between the sites fails

Publication Date: 2012-09-24
Issue Description
1.1. Topology

1.2. Synopsis
As shown in the figure, two USG2130W devices at the branch offices establish IPSec VPN tunnels with the headquarters USG5150BSR, so that the branch PCs 192.168.0.2/24 and 192.168.3.2/24 can access the headquarters internal network server 192.168.2.2/24.
1.3. Fault phenomena description
(1) After the relevant devices were configured, the IPSec VPN tunnels were established successfully, but branch 1 and the headquarters private network could not access each other, and branch 2 and the headquarters private network could not access each other.
(2) After the configuration of the relevant devices was adjusted and tested, branch 1 could access the headquarters private network, but branch 2 and the headquarters private network still could not access each other, even though branch 1 and branch 2 have mirrored configurations.
Alarm Information
None.
Handling Process
We logged in to the three devices remotely and checked the relevant configuration. We found some configuration mistakes; they are shown in the attachment, with deletions marked in red and additions marked in green. After the adjustment, branch 1 and the headquarters private network could access each other, but branch 2 and the headquarters private network could not, even though branch 1 and branch 2 have mirrored configurations. We then ran the command display ip routing-table 192.168.3.0 on the USG5150BSR and found the problem in the entry marked in red, as follows:
14:40:28  2012/06/07
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask    Proto    Pre  Cost     Flags   NextHop         Interface
192.168.3.0/24     Static    60   0        RD   10.10.11.2   GigabitEthernet0/0/2
This entry shows that the headquarters USG5150BSR sends return packets for 192.168.3.0/24 to the internal Layer 3 switch. On carefully inspecting the route settings of the headquarters USG5150BSR, we found that the customer had configured a return route pointing to the Layer 3 switch: ip route-static 192.168.0.0 255.255.0.0 10.10.11.2. Return packets destined for 192.168.3.0/24 matched this static route and were forwarded into the internal network, so branch 2 and the headquarters private network could not access each other.
Root Cause
1) The configuration of the relevant devices was wrong or incomplete.
2) The range of the return route configured by the customer was too large: return packets destined for 192.168.3.0/24 matched the static route ip route-static 192.168.0.0 255.255.0.0 10.10.11.2 and were forwarded into the internal network, so branch 2 and the headquarters private network could not access each other.
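The check behind root cause 2, as an added example (not part of the original case and not vendor code): it parses ip route-static lines, applies longest-prefix match, and reports IPSec remote subnets whose return traffic is handed to an internal next hop. Only the 192.168.0.0/16 route and the branch 2 subnet come from the case; the default route, the 203.0.113.1 WAN-side next hop and the more specific route in AFTER are assumptions made for illustration.

```python
import ipaddress

def parse_static_routes(config_text):
    """Parse 'ip route-static <dest> <mask> <next-hop>' lines into (network, next_hop)."""
    routes = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[:2] != ["ip", "route-static"]:
            continue
        try:
            network = ipaddress.ip_network(f"{fields[2]}/{fields[3]}", strict=False)
            routes.append((network, str(ipaddress.ip_address(fields[4]))))
        except ValueError:
            continue  # other forms (e.g. outbound interface instead of next hop) are skipped
    return routes

def best_route(routes, subnet):
    """Longest-prefix match among routes that cover the whole subnet."""
    covering = [r for r in routes if subnet.subnet_of(r[0])]
    return max(covering, key=lambda r: r[0].prefixlen, default=None)

def misrouted_subnets(routes, remote_subnets, internal_next_hops):
    """List remote subnets whose return traffic is handed to an internal next hop."""
    findings = []
    for subnet in map(ipaddress.ip_network, remote_subnets):
        route = best_route(routes, subnet)
        if route and route[1] in internal_next_hops:
            findings.append((str(subnet), str(route[0]), route[1]))
    return findings

# Constructed sample: only the 192.168.0.0/16 line is from the case; the default
# route and the 203.0.113.1 WAN-side next hop are assumptions for illustration.
BEFORE = """
ip route-static 0.0.0.0 0.0.0.0 203.0.113.1
ip route-static 192.168.0.0 255.255.0.0 10.10.11.2
"""
# Assumed correction: a more specific route keeps branch 2 traffic off the switch.
AFTER = BEFORE + "ip route-static 192.168.3.0 255.255.255.0 203.0.113.1\n"

if __name__ == "__main__":
    for label, config in (("before", BEFORE), ("after", AFTER)):
        print(label, misrouted_subnets(parse_static_routes(config),
                                       ["192.168.3.0/24"], {"10.10.11.2"}))
```

Running the same check against every subnet protected by an IPSec policy before deployment shows whether a broad internal static route will capture return traffic for a remote site.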
Suggestions
When handling this kind of fault, we must understand the customer's actual requirements, actual business applications and network topology in detail. Make sure there are no problems in the configuration of the relevant devices, and find the cause of the fault by using conditions to narrow it down or by searching for it.
