After an IPSec Tunnel Is Established Between a USG2200 and a USG5160, a Network Segment Behind the USG5160 Cannot Be Reached

Publication Date:  2014-01-06
Issue Description
A USG2200 at a branch establishes an IPSec tunnel with a USG5160 at headquarters. From the USG2200, the 192.168.101.0/24 segment behind the USG5160 cannot be pinged, although the IKE and IPSec SAs are up. The analysis therefore concentrates on the response packets sent back by the USG5160.
The SA status on the USG2200 is as follows:
<NH_USG2200>  display ike sa
21:12:23  2012/12/10
current ike sa number: 3
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40062      183.63.88.242           RD|ST         v1:2  public
40061      183.63.88.242           RD|ST         v1:1  public
40060      183.63.88.242           RD|ST         v1:2  public

<NH_USG2200> display ipsec sa
21:12:38  2012/12/10
===============================
Interface: Dialer0
    path MTU: 1492
===============================

IPsec policy name: "nh"
  sequence number: 10
  mode: isakmp
  vpn: public
  -----------------------------
    connection id: 40060
    rule number: 20
    encapsulation mode: tunnel
    holding time: 0d 0h 45m 12s
    tunnel local : 14.215.54.95    tunnel remote: 183.63.88.242
    flow      source: 192.168.1.0/255.255.255.0 0/0
    flow destination: 192.168.101.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 2842066142 (0xa9667cde)
      vpn: public  said: 96  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887433608/888
      max received sequence-number: 38
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 1885594521 (0x7063e399)
      vpn: public  said: 97  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887432768/888
      max sent sequence-number: 49
      udp encapsulation used for nat traversal: N

Configurations on the USG5160 are as follows:
ipsec policy-template map_temp 1
security acl 3200
ike-peer dongtai                     
proposal 1
#
ipsec policy map1 10 isakmp
security acl 3100
ike-peer dg
proposal 1
#
ipsec policy map1 20 isakmp
security acl 3101
ike-peer gz
proposal 1
#
ipsec policy map1 30 isakmp
security acl 3102
ike-peer zjxc
proposal 1
#
ipsec policy map1 100 isakmp template map_temp

acl number 3100
……
……
#                                   
acl number 3101
……
……
#
acl number 3102
description ZhuJiangXinCheng-VPN
rule 1 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.88.0 0.0.0.255
rule 2 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.88.0 0.0.0.255
rule 3 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.88.0 0.0.0.255
rule 5 permit ip source 192.168.101.0 0.0.0.255 description 192.168.88.0 0.0.0.255
#
acl number 3200
……
……
Alarm Information
None
Handling Process
Check that the USG5160 holds IKE SAs with the USG2200 (public address 14.215.54.95):
[USG5160]  display ike sa
21:14:15  2012/12/10
current ike sa number: 24
-----------------------------------------------------------------------------
conn-id    peer                    flag          phase vpn
-----------------------------------------------------------------------------
40263      14.215.54.95            RD            v1:2  public
40261      14.215.54.95            RD            v1:1  public
40266      113.105.134.250         RD|ST         v1:2  public
40260      113.105.134.250         RD|ST         v1:2  public
40258      113.105.134.250         RD|ST         v1:2  public
40251      14.215.54.95            RD            v1:2  public

Run ping -a 192.168.1.254 192.168.101.254 on the USG2200 (-a sets the source address, so the echo requests fall inside the 192.168.1.0/24 to 192.168.101.0/24 flow of the SA). While the ping runs, run display ipsec sa remote 14.215.54.95 on the USG5160 twice, about a minute apart. First reading:
IPsec policy name: "map1"
  sequence number: 100
  mode: template
  vpn: public
  -----------------------------
    connection id: 40593
    rule number: 4294967295
    encapsulation mode: tunnel
    holding time: 0d 11h 53m 37s
    tunnel local : 183.63.88.242    tunnel remote: 14.215.54.95
    flow      source: 192.168.101.0/255.255.255.0 0/0
    flow destination: 192.168.1.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 2682147349 (0x9fde5215)      
      vpn: public  said: 824  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887435120/2864
      max received sequence-number: 20
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3189386226 (0xbe1a2bf2)
      vpn: public  said: 825  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436380/2864
      max sent sequence-number: 6
      udp encapsulation used for nat traversal: N

Second reading, about a minute later:

IPsec policy name: "map1"
  sequence number: 100
  mode: template
  vpn: public
  -----------------------------
    connection id: 40593
    rule number: 4294967295
    encapsulation mode: tunnel
    holding time: 0d 11h 54m 30s
    tunnel local : 183.63.88.242    tunnel remote: 14.215.54.95
    flow      source: 192.168.101.0/255.255.255.0 0/0
    flow destination: 192.168.1.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 2682147349 (0x9fde5215)      
      vpn: public  said: 824  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434700/2811
      max received sequence-number: 25
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 3189386226 (0xbe1a2bf2)
      vpn: public  said: 825  cpuid: 0x0000
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436380/2811
      max sent sequence-number: 6
      udp encapsulation used for nat traversal: N

Between the two readings the inbound counter (max received sequence-number) rises from 20 to 25, so the echo requests from the USG2200 arrive and are decrypted, but the outbound counter (max sent sequence-number) stays at 6: the replies are not being sent through this SA. At the same time the match counter of rule 5 in ACL 3102 keeps increasing.
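The comparison above is done by eye on the page; the following added example (not code from the page or from Huawei) automates it. It parses two readings of display ipsec sa text and flags every SA whose inbound ESP counter advanced while the outbound counter stayed flat, which is the signature of replies leaving by another path. The two snapshots are constructed here, trimmed to the fields the parser needs, with the counter values taken from the page (20 to 25 received, 6 to 6 sent); the function names are the example's own.

```python
"""Diff two readings of Huawei 'display ipsec sa' output and flag one-way
SAs: inbound ESP sequence number grows, outbound does not."""
import re
from dataclasses import dataclass


@dataclass
class SaCounters:
    policy: str
    seq: int
    remote: str
    in_spi: int
    received: int   # max received sequence-number (inbound ESP SA)
    sent: int       # max sent sequence-number (outbound ESP SA)


def parse_ipsec_sa(text: str) -> dict:
    """Return {(policy, seq, remote, inbound spi): SaCounters} for each SA block."""
    sas = {}
    # every SA block begins with 'IPsec policy name:'; drop the preamble before the first one
    for blk in re.split(r'(?m)^\s*IPsec policy name:', text)[1:]:
        policy = re.match(r'\s*"([^"]+)"', blk).group(1)
        seq = int(re.search(r'sequence number:\s*(\d+)', blk).group(1))
        remote = re.search(r'tunnel remote:\s*([\d.]+)', blk).group(1)
        in_spi = int(re.search(r'\[inbound ESP SAs\]\s*spi:\s*(\d+)', blk).group(1))
        recv = re.search(r'max received sequence-number:\s*(\d+)', blk)
        sent = re.search(r'max sent sequence-number:\s*(\d+)', blk)
        key = (policy, seq, remote, in_spi)
        sas[key] = SaCounters(policy, seq, remote, in_spi,
                              int(recv.group(1)) if recv else 0,
                              int(sent.group(1)) if sent else 0)
    return sas


def find_one_way_tunnels(before: str, after: str) -> list:
    """Return [(key, delta_received, delta_sent)] for SAs that receive but never send."""
    old, new = parse_ipsec_sa(before), parse_ipsec_sa(after)
    findings = []
    for key, sa in new.items():
        prev = old.get(key)
        if prev is None:
            continue  # new or rekeyed SA (SPI changed): no baseline to compare against
        d_in, d_out = sa.received - prev.received, sa.sent - prev.sent
        if d_in > 0 and d_out == 0:
            findings.append((key, d_in, d_out))
    return findings


# Constructed snapshots, trimmed to the fields used above; counter values follow the page.
SNAPSHOT_1 = """\
IPsec policy name: "map1"
  sequence number: 100
  mode: template
    connection id: 40593
    tunnel local : 183.63.88.242    tunnel remote: 14.215.54.95
    flow      source: 192.168.101.0/255.255.255.0 0/0
    flow destination: 192.168.1.0/255.255.255.0 0/0

    [inbound ESP SAs]
      spi: 2682147349 (0x9fde5215)
      max received sequence-number: 20

    [outbound ESP SAs]
      spi: 3189386226 (0xbe1a2bf2)
      max sent sequence-number: 6
"""

SNAPSHOT_2 = SNAPSHOT_1.replace("max received sequence-number: 20",
                                "max received sequence-number: 25")

if __name__ == "__main__":
    for key, d_in, d_out in find_one_way_tunnels(SNAPSHOT_1, SNAPSHOT_2):
        print(f"one-way SA {key}: +{d_in} received, +{d_out} sent")
```

The SPI is part of the key so that a rekeyed SA, whose counters restart at zero, is not mistaken for a stalled one.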
Looking at the configuration, rule 5 of ACL 3102 was entered with the keyword description where destination was intended, so the rule has no destination clause and permits all traffic sourced from 192.168.101.0/24, whatever its destination. Policies in the group map1 are evaluated in ascending sequence number, and policy map1 30 (ACL 3102, peer zjxc) comes before the template policy map1 100 that the USG2200 negotiated. The replies to 192.168.1.0/24 therefore match rule 5 first and are steered toward the zjxc tunnel instead of the SA with the USG2200.
To rectify the fault, correct rule 5 of ACL 3102 so that it carries the destination clause that the other rules have: rule 5 permit ip source 192.168.101.0 0.0.0.255 destination 192.168.88.0 0.0.0.255.
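The following added example (not code from the page or from Huawei) models the policy selection just described so the effect of the typo can be checked offline: policies of a group are tried in ascending sequence number and the first whose security ACL permits the flow wins, with Huawei wildcard masks and a missing source or destination clause meaning any. It also lints an ACL for permit rules that lost one of their clauses. Assumptions: ACLs 3100 and 3101 are elided on the page, so policies map1 10 and 20 are left out; the contents of ACL 3200 are elided too, so the template policy map1 100 is modelled with a single rule matching the flow the USG2200 negotiated (192.168.101.0/24 to 192.168.1.0/24), which is a simplification of how a template policy really matches; the parser expects source before destination; all function and constant names are the example's own.

```python
"""Model IPSec policy selection on a Huawei USG: lowest sequence number whose
security ACL permits the flow wins.  Shows why rule 5 of ACL 3102, entered with
'description' instead of 'destination', hijacks replies to 192.168.1.0/24."""
import re
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # Huawei wildcard meaning 'any address'

# rule <id> permit ip [source <net> <wildcard>] [destination <net> <wildcard>]
# Anything after these clauses (e.g. a 'description ...' text) is ignored,
# which is exactly what turns the mistyped rule 5 into a match-any-destination rule.
RULE_RE = re.compile(
    r'rule (?P<id>\d+) permit ip'
    r'(?: source (?P<snet>\S+) (?P<swild>\S+))?'
    r'(?: destination (?P<dnet>\S+) (?P<dwild>\S+))?')


def _wild_match(ip: str, net: str, wildcard: str) -> bool:
    """Wildcard mask semantics: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(ip)) & care) == (int(IPv4Address(net)) & care)


def parse_acl(text: str) -> list:
    """Return [(rule_id, (src_net, src_wild), (dst_net, dst_wild))]; absent clause = ANY."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        src = (m['snet'], m['swild']) if m['snet'] else ANY
        dst = (m['dnet'], m['dwild']) if m['dnet'] else ANY
        rules.append((int(m['id']), src, dst))
    return rules


def acl_permits(rules: list, src_ip: str, dst_ip: str):
    """Return the id of the first permitting rule, or None."""
    for rid, (snet, swild), (dnet, dwild) in rules:
        if _wild_match(src_ip, snet, swild) and _wild_match(dst_ip, dnet, dwild):
            return rid
    return None


def select_policy(policies: list, src_ip: str, dst_ip: str):
    """policies: [(seq, peer, rules)] as in 'ipsec policy map1 <seq> isakmp'."""
    for seq, peer, rules in sorted(policies, key=lambda p: p[0]):
        rid = acl_permits(rules, src_ip, dst_ip)
        if rid is not None:
            return seq, peer, rid
    return None


def lint_acl(rules: list) -> list:
    """Ids of permit rules whose source or destination clause is missing (matches any)."""
    return [rid for rid, src, dst in rules if src == ANY or dst == ANY]


# ACL 3102 as configured on the page (rule 5 carries 'description', not 'destination').
ACL_3102_AS_CONFIGURED = """
rule 1 permit ip source 192.168.0.0 0.0.0.255 destination 192.168.88.0 0.0.0.255
rule 2 permit ip source 192.168.30.0 0.0.0.255 destination 192.168.88.0 0.0.0.255
rule 3 permit ip source 192.168.100.0 0.0.0.255 destination 192.168.88.0 0.0.0.255
rule 5 permit ip source 192.168.101.0 0.0.0.255 description 192.168.88.0 0.0.0.255
"""
ACL_3102_FIXED = ACL_3102_AS_CONFIGURED.replace("description", "destination")

# ACL 3200 is elided on the page; assumed here to hold the flow the USG2200
# negotiated through the template policy (simplified model of template matching).
ACL_3200_ASSUMED = "rule 1 permit ip source 192.168.101.0 0.0.0.255 destination 192.168.1.0 0.0.0.255"


def build_policies(acl_3102_text: str) -> list:
    # map1 10 (ACL 3100) and map1 20 (ACL 3101) are elided on the page and omitted.
    return [
        (30, "zjxc", parse_acl(acl_3102_text)),          # ipsec policy map1 30 isakmp
        (100, "dongtai", parse_acl(ACL_3200_ASSUMED)),   # ipsec policy map1 100 isakmp template map_temp
    ]


def where_do_replies_go(acl_3102_text: str, src="192.168.101.254", dst="192.168.1.254"):
    """Which policy (seq, peer, rule) the USG5160 would pick for a reply from src to dst."""
    return select_policy(build_policies(acl_3102_text), src, dst)


if __name__ == "__main__":
    print("as configured:", where_do_replies_go(ACL_3102_AS_CONFIGURED))
    print("after fix:    ", where_do_replies_go(ACL_3102_FIXED))
    print("open rules in ACL 3102:", lint_acl(parse_acl(ACL_3102_AS_CONFIGURED)))
```

With the ACL as configured the reply is claimed by policy 30 (peer zjxc) through rule 5; once rule 5 regains its destination clause it no longer matches 192.168.1.254 and the reply falls through to policy 100, the SA with the USG2200. The lint is the check worth running on every ACL bound to a policy with a lower sequence number than the one that is failing.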

Root Cause
Response packets from 192.168.101.0/24 to 192.168.1.0/24 are not sent through the IPSec tunnel to the USG2200. Rule 5 of ACL 3102 was entered with description instead of destination, so it has no destination clause and permits any traffic sourced from 192.168.101.0/24; because policy map1 30, which references ACL 3102, is evaluated before the template policy map1 100, the replies are matched to the zjxc tunnel instead of the SA negotiated with the USG2200.
Suggestions
When a segment behind a gateway that carries several IPSec policies becomes unreachable although the IKE and IPSec SAs are up, take two readings of display ipsec sa: an inbound sequence number that grows while the outbound one stays flat means the peer's packets arrive but the replies leave by another path. Then check every ACL bound to a policy with a lower sequence number for rules whose source or destination clause is missing or too broad; a typo such as description in place of destination is accepted by the device and silently turns the rule into a match-any-destination rule.

END