
IPSec session has been established but service is abnormal

Publication Date:  2017-11-29 Views:  402 Downloads:  0
Issue Description

The customer has two USG6310 firewalls and wants to configure a site-to-site IPSec tunnel so that the branch can communicate with the HQ.

The topology is as shown below:

They used the default IPSec parameters and could see that the session had been established between the two firewalls.

Then they used PC1 to ping the server, and the ping showed "request timed out".

Handling Process

First we checked the IPSec SA and the IKE SA; on the branch firewall they showed as below:

From the IPSec SA we can see that the branch data has been encrypted and sent out, but no data is coming back.

We used PC1 to ping the server; on the branch firewall we can see both the ESP session and the ICMP session.

Then we checked the session table on the HQ firewall and found that there is no ICMP session and the ESP session is abnormal.

The ESP session shows that the destination IP has been translated to an internal server IP.

After the customer deleted the NAT-Server configuration, the IPSec service worked normally.

Root Cause

The customer used the interface IP that establishes the IPSec session as the global address of the NAT-Server. When the IPSec data arrives from the peer device, it matches the NAT-Server rule and is forwarded to the internal server.

Solution

When you configure IPSec, do not use the interface IP that terminates the tunnel as the NAT-Server global address; doing so prevents the IPSec service from working.
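The root cause and the solution above can be illustrated with a small model of the HQ firewall's inbound packet path. This is an added example written for this article, not USG code or the customer's configuration: it assumes that the NAT-Server (destination NAT) lookup runs before IPSec decapsulation, uses constructed documentation addresses (203.0.113.1 for the HQ interface, 198.51.100.1 for the branch, 10.1.1.10 for the internal server), and includes a configuration check that flags a NAT-Server rule whose global address is the tunnel interface IP.

```python
"""Simplified model of the packet path described in this case (constructed
example, not Huawei USG code). A NAT-Server rule on the tunnel interface IP
rewrites incoming ESP packets to the internal server before the IPSec
module can decrypt them, so no ICMP reply is ever produced."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ESP = 50   # IP protocol number for ESP

# Constructed addresses (RFC 5737 / RFC 1918 ranges), not from the article.
HQ_PUBLIC = "203.0.113.1"      # HQ interface IP that terminates the tunnel
BRANCH_PUBLIC = "198.51.100.1" # branch firewall public IP
SERVER = "10.1.1.10"           # internal server published by NAT-Server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    payload: str = ""


@dataclass
class NatServerRule:
    """Static destination NAT: traffic to global_ip is sent to inside_ip.
    proto=None models a rule that matches every protocol, including ESP."""
    global_ip: str
    inside_ip: str
    proto: Optional[int] = None


@dataclass
class Firewall:
    interface_ip: str
    nat_servers: List[NatServerRule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def destination_nat(self, pkt: Packet) -> Packet:
        """NAT-Server lookup: rewrite the destination if a rule matches."""
        for rule in self.nat_servers:
            if pkt.dst == rule.global_ip and rule.proto in (None, pkt.proto):
                self.log.append(f"nat-server: {pkt.dst} -> {rule.inside_ip}")
                return Packet(pkt.src, rule.inside_ip, pkt.proto, pkt.payload)
        return pkt

    def receive(self, pkt: Packet) -> Tuple[str, Packet]:
        """Assumed order: destination NAT first, then IPSec decapsulation
        for ESP packets still addressed to the local interface."""
        pkt = self.destination_nat(pkt)
        if pkt.dst == self.interface_ip and pkt.proto == ESP:
            self.log.append("ipsec: decapsulated ESP from peer")
            return ("decapsulate", pkt)
        self.log.append(f"forward: proto {pkt.proto} to {pkt.dst}")
        return ("forward", pkt)


def check_nat_server_conflict(fw: Firewall) -> List[NatServerRule]:
    """Config check matching the article's solution: report every
    NAT-Server rule whose global address is the IPSec interface IP."""
    return [r for r in fw.nat_servers if r.global_ip == fw.interface_ip]


def build_hq(nat_global_ip: str) -> Firewall:
    """HQ firewall with one NAT-Server rule publishing the internal server."""
    fw = Firewall(interface_ip=HQ_PUBLIC)
    fw.nat_servers.append(NatServerRule(global_ip=nat_global_ip, inside_ip=SERVER))
    return fw


def run_case(nat_global_ip: str) -> Tuple[str, List[str], List[NatServerRule]]:
    """Deliver one ESP packet from the branch to the HQ firewall and return
    (action taken, processing log, conflicting NAT-Server rules)."""
    fw = build_hq(nat_global_ip)
    esp = Packet(src=BRANCH_PUBLIC, dst=HQ_PUBLIC, proto=ESP, payload="encrypted icmp echo")
    action, _ = fw.receive(esp)
    return action, fw.log, check_nat_server_conflict(fw)


if __name__ == "__main__":
    # Customer's configuration: NAT-Server on the tunnel interface IP.
    action, log, conflicts = run_case(HQ_PUBLIC)
    print("NAT-Server on interface IP:", action, log, f"{len(conflicts)} conflict(s)")
    # Corrected configuration: NAT-Server on a separate public address.
    action, log, conflicts = run_case("203.0.113.2")
    print("NAT-Server on separate IP:", action, log, f"{len(conflicts)} conflict(s)")
```

With the NAT-Server global address equal to the interface IP, the ESP packet is rewritten to 10.1.1.10 and forwarded as ordinary traffic, which matches the abnormal ESP session seen on the HQ firewall; with the rule moved to a separate address the same packet reaches the IPSec module and is decapsulated. The check function is the kind of pre-change review that would have caught this before the tunnel was brought up.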

END