
User services fail because the security protection ACLs at the two ends of an IPsec tunnel are not mirror images of each other

Publication Date: 2012-10-15
Issue Description
1. The peer end's IPsec VPN service address cannot be pinged from one end of the tunnel.
[LingCheng_Eudeom200]ping -a 10.25.126.129 10.25.50.1                          
  PING 10.25.50.1: 56  data bytes, press CTRL+C to break                       
    Request time out                                                           
    Request time out                                                           
    Request time out                                                           
                                                                               
  --- 10.25.50.1 ping statistics ---                                           
    4 packet(s) transmitted                                                    
    0 packet(s) received                                                       
    100.00% packet loss      
2. No IPsec security packets are exchanged between the devices: every counter in the security packet statistics is zero.
[LingCheng_Eudeom200]disp ipsec statistics
  the security packet statistics:                                              
    input security packets: 0                                                  
    output security packets: 0                                                 
    decryped input bytes: 0                                                    
    encrypted output bytes: 0                                                  
    input/output dropped security packets: 0/0                                 
    dropped security packet detail:                                            
      no enough memory: 0                                                      
      can't find SA: 0                                                         
      queue is full: 0                                                         
      authentication is failed: 0                                              
      wrong length: 0                                                          
      replay packet: 0                                                         
      too long packet: 0                                                       
      wrong SA: 0
Alarm Information
none
Handling Process
1. Log in to E200 and check the IPsec security packet statistics:

[LingCheng_Eudeom200]disp ipsec statistics
  the security packet statistics:                                              
    input security packets: 0                                                  
    output security packets: 0                                                 
    decryped input bytes: 0                                                    
    encrypted output bytes: 0                                                  
    input/output dropped security packets: 0/0                                 
    dropped security packet detail:                                            
      no enough memory: 0                                                      
      can't find SA: 0                                                         
      queue is full: 0                                                         
      authentication is failed: 0                                              
      wrong length: 0                                                          
      replay packet: 0                                                         
      too long packet: 0                                                       
      wrong SA: 0  
2. Check the E1000 configuration (IPsec and ACL). IPsec is configured correctly, but comparing the ACL configurations of E200 and E1000 shows that the ACLs used for security protection do not correspond to each other (that is, they are not mirror images). Specifically:
1) E200 access control list used for security protection:

acl number 3010 match-order auto                                               
rule 5 permit ip source 10.25.126.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
2) E1000 access control list used for security protection:
acl number 3010 match-order auto                                               
rule 5 permit ip source 10.0.0.0 0.0.255.255  destination 10.25.126.0 0.0.0.255
3. The service recovered after the E1000 ACL was modified as follows (the source wildcard now covers 10.0.0.0/8, matching the destination defined on E200):
acl number 3010 match-order auto                                               
rule 5 permit ip source 10.0.0.0 0.255.255.255  destination 10.25.126.0 0.0.0.255
4. If the ACL range on the initiating (active) side is narrower than the ACL range on the responding (passive) side, the negotiation can also succeed.
Root Cause
1. The client PC's IP address, gateway and configuration were checked and found to be correct; the PC can also reach the public network.
2. The E200 configuration was checked; IPsec and ACL are correct.
3. The E1000 configuration (IPsec and ACL) was checked. IPsec is correct, but comparing the ACL configurations of E1000 and E200 shows that the ACLs used for security protection do not correspond to each other (that is, they are not mirror images).
Suggestions
The security protection access control lists defined on the local and remote routers must correspond to each other (that is, they must be mirror images), so that data authenticated/encrypted at one end can be authenticated/decrypted at the peer end. If the local router receives a flow that the mirror definition of its ACL says should have been protected, but the flow arrives unencrypted, the router regards the packets as attack packets and discards them. A "mirrored" ACL flow is the flow defined by the peer end's ACL with source and destination exchanged; the two ends are normally configured in this mirror relationship to each other.
In addition, if the ACL range on the initiating (active) side is narrower than the ACL range on the responding (passive) side, the negotiation can also succeed.
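The mirror check described in the handling process and in the suggestion above, as an added example (not part of the original case and not Huawei code): the script parses "rule N permit ip source A WA destination B WB" lines, converts the address/wildcard pairs to networks, and reports whether two ACLs mirror each other, whether the initiator's flow merely lies inside the responder's mirrored flow (the relaxed case that still negotiates), or whether they mismatch as in this case. It assumes contiguous wildcards, which is all the case uses.

```python
import ipaddress
import re

# Constructed sample rules copied from the case: E200, the original E1000 ACL and the fixed one.
E200_ACL = "rule 5 permit ip source 10.25.126.0 0.0.0.255 destination 10.0.0.0 0.255.255.255"
E1000_ACL_BAD = "rule 5 permit ip source 10.0.0.0 0.0.255.255 destination 10.25.126.0 0.0.0.255"
E1000_ACL_FIXED = "rule 5 permit ip source 10.0.0.0 0.255.255.255 destination 10.25.126.0 0.0.0.255"

RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def wildcard_to_network(addr, wildcard):
    """Turn an address/wildcard pair (0 bits = must match) into an IPv4Network.
    Only contiguous wildcards such as 0.0.0.255 or 0.255.255.255 are accepted."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:          # e.g. 0.0.255.0 is not a CIDR block
        raise ValueError("non-contiguous wildcard: " + wildcard)
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)

def parse_rule(rule):
    """Return (source_network, destination_network) for one permit-ip rule."""
    m = RULE_RE.search(rule)
    if not m:
        raise ValueError("unsupported rule: " + rule)
    src, src_wc, dst, dst_wc = m.groups()
    return wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc)

def is_mirror(local_rule, peer_rule):
    """True when the peer rule equals the local rule with source and destination swapped."""
    l_src, l_dst = parse_rule(local_rule)
    p_src, p_dst = parse_rule(peer_rule)
    return l_src == p_dst and l_dst == p_src

def initiator_within_responder(initiator_rule, responder_rule):
    """True when the initiator's flow lies inside the responder's mirrored flow."""
    i_src, i_dst = parse_rule(initiator_rule)
    r_src, r_dst = parse_rule(responder_rule)
    return i_src.subnet_of(r_dst) and i_dst.subnet_of(r_src)

def check_pair(initiator_rule, responder_rule):
    """Classify the pair as 'mirror', 'subset' (initiator narrower) or 'mismatch'."""
    if is_mirror(initiator_rule, responder_rule):
        return "mirror"
    if initiator_within_responder(initiator_rule, responder_rule):
        return "subset"
    return "mismatch"

if __name__ == "__main__":
    for name, peer in (("E1000 original", E1000_ACL_BAD), ("E1000 fixed", E1000_ACL_FIXED)):
        print(f"E200 -> {name}: {check_pair(E200_ACL, peer)}")
```

With E200 initiating, the original E1000 ACL is a mismatch (10.0.0.0/8 is not inside 10.0.0.0/16); with the roles reversed, the narrower E1000 flow is a subset of E200's, which is the relaxed case the suggestion mentions.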
