Failed to establish IPSec tunnels using the USG 6660

Publication Date: 2015-09-12
Issue Description

Network overview: The network consists of one central site, where the USG6660, the NMS, the Access Controller and other devices reside, providing services to all 6000 remote sites.

The central-site USG connects the Management Network of the central site, and two Monitoring Networks, to the remote sites through IPSec VPN tunnels:
To Remote Sites
1. Source: Management Network of Central Site (NMS); destination: Management Network of USG6310
2. Source: Management Network of Central Site (Access Controller); destination: Management Network of APs
3. Source: Monitoring Network 1; destination: Management Network of USG6310
4. Source: Monitoring Network 2; destination: Management Network of USG6310
To Monitoring Networks
1. Source: Management Network of USG6310; destination: Monitoring Network 1
2. Source: Management Network of USG6310; destination: Monitoring Network 2

At each remote site there are two APs providing access to wireless users and one USG6310 that establishes 4 traffic-flow IPsec tunnels with the central site:
1. Source: Management Network of USG6310; destination: Management Network of Central Site (NMS)
2. Source: Management Network of APs; destination: Management Network of Central Site (Access Controller)
3. Source: Management Network of USG6310; destination: Monitoring Network 1
4. Source: Management Network of USG6310; destination: Monitoring Network 2


Fault symptom: After almost 4000 remote sites had been installed, no more tunnels could be established, and the tunnels that were already established became unstable.

Solution

Because the IPSec tunnel capacity of the USG6660 is 15000, the solution was to reduce the number of tunnels per site from 4 to 2, decreasing the total from the 24000 tunnels needed to 12000. This required a configuration change to keep connectivity between the Monitoring Networks and the remote sites.

At the central site, NAT server rules were implemented so that the Monitoring Network segments are reached through addresses in the Management Network segment of the central site. The remote sites then address the monitoring hosts inside the segment already covered by the management tunnel, so the two monitoring flows no longer need tunnels of their own.

Central site VPN IPSec tunnels:
To Monitoring Networks
1. Source: Management Network of USG6310; destination: Monitoring Network 1
2. Source: Management Network of USG6310; destination: Monitoring Network 2
To Remote Sites
1. Source: Management Network of Central Site (NMS); destination: Management Network of USG6310
2. Source: Management Network of Central Site (Access Controller); destination: Management Network of APs
NAT server rule example (addresses are placeholders; each rule needs its own name and its own global address):
nat server 1 global <IP in Management Network of Central Site> inside <IP in Monitoring Network 1>
nat server 2 global <another IP in Management Network of Central Site> inside <IP in Monitoring Network 2>

Remote sites to Central Site:
1. Source Management Network of USG6310, destination Management Network of Central Site (NMS)
2. Source Management Network of APs, destination Management Network of Central Site (Access Controller)
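The capacity reasoning above, worked through as an added example (not part of the original case, and not Huawei code): it models each traffic flow as a (source, destination) selector pair, applies the NAT server publication of the monitoring hosts into the central management segment, and counts the distinct tunnels per site before and after, then checks the totals against the 15000 limit. All addresses are constructed sample values; the page counts one tunnel per traffic flow, and so does this model.

```python
import ipaddress

# Constructed sample addressing for the topology described above (not from the page).
CENTRAL_MGMT = ipaddress.ip_network("10.0.0.0/24")   # NMS and Access Controller segment
MONITOR_1 = ipaddress.ip_network("10.10.1.0/24")
MONITOR_2 = ipaddress.ip_network("10.10.2.0/24")
USG6660_TUNNEL_LIMIT = 15000                         # capacity stated on the page

# NAT server publication: monitoring hosts are reachable on global addresses that
# belong to CENTRAL_MGMT, so the remote side addresses them inside that segment.
NAT_SERVER = {MONITOR_1: CENTRAL_MGMT, MONITOR_2: CENTRAL_MGMT}


def remote_site_flows(site_mgmt_cidr, ap_mgmt_cidr):
    """The four traffic flows one remote site needs, as (source, destination) pairs."""
    site_mgmt = ipaddress.ip_network(site_mgmt_cidr)
    ap_mgmt = ipaddress.ip_network(ap_mgmt_cidr)
    return [
        (site_mgmt, CENTRAL_MGMT),  # USG6310 management -> NMS
        (ap_mgmt, CENTRAL_MGMT),    # AP management -> Access Controller
        (site_mgmt, MONITOR_1),     # USG6310 management -> Monitoring Network 1
        (site_mgmt, MONITOR_2),     # USG6310 management -> Monitoring Network 2
    ]


def apply_nat(flows, nat=NAT_SERVER):
    """Rewrite destinations published through NAT server to the segment they are published in."""
    return [(src, nat.get(dst, dst)) for src, dst in flows]


def count_tunnels(flows):
    """One tunnel per distinct selector pair; identical pairs share a tunnel."""
    return len(set(flows))


def tunnels_needed(site_count, per_site):
    return site_count * per_site


def fits(site_count, per_site, limit=USG6660_TUNNEL_LIMIT):
    return tunnels_needed(site_count, per_site) <= limit


def max_sites(per_site, limit=USG6660_TUNNEL_LIMIT):
    """Largest number of sites the head-end can serve at the given tunnels per site."""
    return limit // per_site


if __name__ == "__main__":
    flows = remote_site_flows("192.168.1.0/24", "192.168.2.0/24")
    print("tunnels per site before NAT:", count_tunnels(flows))
    print("tunnels per site after NAT:", count_tunnels(apply_nat(flows)))
    print("6000 sites x 4 fits:", fits(6000, 4), "| x 2 fits:", fits(6000, 2))
```

With 4 tunnels per site the head-end saturates at 3750 sites, which matches the symptom appearing at almost 4000 sites; with 2 per site it serves up to 7500.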

END