
C company VPN device configuration error causes some IPs to be unreachable when the Eudemon firewall establishes IPSec

Publication Date:  2012-11-08 Views:  37 Downloads:  0
Issue Description
Eudemon200 version: V200R001C01B05g.
Networking: PC1--L2Switch-E200---Internet---C company VPN device---Intranet---PC2
                                       |
      PC3--HQ VPN device---Internet----------
PC1's network segment is 10.196.226.0/28 and PC3's network segment is 172.18.31.48/28.
Fault symptom: after the IPSec VPN is set up, PC1 can ping only individual IPs in the customer intranet and cannot ping the other IPs it needs to reach; assume here that PC2 cannot be pinged. IKE Phase 1 is established successfully, but IKE Phase 2 (the PC1 - PC2 IPSec SA) fails to be set up.
Alarm Information
*0.1808675483 SAUDIPAK_TAC IKE/8/DEBUG:message parse payloads: payload HASH
*0.1808675566 SAUDIPAK_TAC IKE/8/DEBUG:message parse payloads: payload DELETE, len 24
*0.1808675666 SAUDIPAK_TAC IKE/8/DEBUG:message parse payloads: payload DELETE
*0.1808675750 SAUDIPAK_TAC IKE/8/DEBUG:message parse payloads: payload NONE, len 28
Handling Process
After the C company VPN device removed the 10.196.226.0/28 segment from Security ACL2 and negotiation was initiated again, PC1 could ping PC2 normally, and the existing access from the HQ's PC3 to PC2 through the HQ VPN device was not affected.
Root Cause
1. Analysis of the debug IKE output shows that the Phase 1 negotiation succeeded; after the E200 initiated the Phase 2 negotiation, the Cisco VPN device replied with a DELETE message, which the packet capture on the E200 egress interface also confirmed.
2. Since Phase 2 did not succeed, the preliminary analysis was that the configuration on the two ends did not match; because the Phase 2 negotiation is triggered by the Security ACL, the Security ACL configuration was the first suspect.
3. After obtaining Security ACL1 (the VPN session with the E200) from the C company VPN device, no configuration error was found in it.
4. It was then found that the HQ VPN device already had an IPSec VPN set up with the Cisco VPN device and, like us, needs to reach PC2.
5. After obtaining Security ACL2 (the VPN session from the C company VPN device to the HQ VPN device), the conflicting configuration was found: 10.196.226.0/28 (the PC1 segment) had also been added to Security ACL2.
6. When the E200 initiated the Phase 2 negotiation, the C company VPN device matched the proposal against Security ACL2 first rather than Security ACL1, so the Phase 2 negotiation failed.
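The first-match behaviour in step 6 can be checked mechanically before a peer is added. The following is an added example, not code from this case or from any vendor: it models the C company device's two VPN sessions as ordered entries with their Security ACLs and flags any ACL line whose own peer's Phase 2 proposal would be caught by an earlier entry that belongs to a different peer. The intranet prefix 192.0.2.0/24 and the sequence numbers 10 and 20 are constructed assumptions; the PC1 and PC3 segments are the ones given in the case.

```python
import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network

@dataclass
class Selector:
    """One permit line of a Security ACL: local source network -> remote destination network."""
    src: Net
    dst: Net
    def overlaps(self, other: "Selector") -> bool:
        return self.src.overlaps(other.src) and self.dst.overlaps(other.dst)

@dataclass
class VpnSession:
    """One crypto map entry on the responder: sequence number, remote peer, its Security ACL."""
    seq: int
    peer: str
    acl: list

def first_match(sessions, proposal: Selector):
    """Return the lowest-sequence session whose ACL overlaps the proposal, as a first-match responder does."""
    for session in sorted(sessions, key=lambda s: s.seq):
        if any(line.overlaps(proposal) for line in session.acl):
            return session
    return None

def shadowed_selectors(sessions):
    """List ACL lines whose own peer's Phase 2 proposal would land on an earlier session for another peer."""
    conflicts = []
    for session in sessions:
        for line in session.acl:
            hit = first_match(sessions, line)
            if hit is not None and hit.peer != session.peer:
                conflicts.append((session.seq, session.peer, str(line.src), str(line.dst), hit.seq, hit.peer))
    return conflicts
# Constructed sample: the case does not give the C company intranet prefix, so 192.0.2.0/24 stands in for it.
INTRANET = Net("192.0.2.0/24")
PC1_SEGMENT = Net("10.196.226.0/28")   # behind the E200
PC3_SEGMENT = Net("172.18.31.48/28")   # behind the HQ VPN device
def c_device_before_fix():
    # Security ACL2 (HQ session) wrongly also permits the PC1 segment and shadows Security ACL1 (E200 session).
    return [VpnSession(10, "HQ VPN device", [Selector(INTRANET, PC3_SEGMENT), Selector(INTRANET, PC1_SEGMENT)]),
            VpnSession(20, "E200", [Selector(INTRANET, PC1_SEGMENT)])]

def c_device_after_fix():
    # With the PC1 segment removed from Security ACL2, each peer's proposal lands on its own session.
    return [VpnSession(10, "HQ VPN device", [Selector(INTRANET, PC3_SEGMENT)]),
            VpnSession(20, "E200", [Selector(INTRANET, PC1_SEGMENT)])]
```

Running `shadowed_selectors` over the pre-fix configuration reports the E200 line as shadowed by session 10, and an empty list after the fix.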
Suggestions
When locating a problem, it is sometimes necessary to consider the network as a whole rather than only the two ends of the failing session.