Two Nodes Connected by the IPSec Tunnel cannot Communicate with Each Other Due to the Policy-based Route

Publication Date: 2012-07-18
Issue Description
The customer's live network topology is as follows. Each county and district establishes a secure VPN tunnel to the headquarters USG5120 BSR through IPSec. The counties are required to communicate with each other, but inter-county communication fails during implementation.
Alarm Information
None
Handling Process
Modify the ACL referenced by the policy-based route on the external network interface of the USG5120 BSR so that each rule also specifies the destination IP address, restricted to the network segment of the headquarters.
After the modification, the counties communicate with each other normally. The problem is solved.
Root Cause
Check the IPSec configuration. The IPSec configuration is normal: each county establishes its IPSec tunnel to the headquarters successfully, and communication between each county and the headquarters is proper.
Check the route configuration. In each county, the default route points to the public network gateway. There is no problem.
Finally, it is found that policy-based routing is applied on the external network interface G0/0/0 of the USG5120 BSR at headquarters. The customer requires that traffic from the counties to the headquarters pass through the USG5120 BSR link, so the policy-based route is applied. However, the ACL referenced by the policy-based route is not specified precisely: it matches only the source IP addresses of each county and does not specify a destination IP address. Inter-county traffic also originates from a county source address, so it is matched and redirected by the policy-based route as well instead of being routed on to the destination county. That is why inter-county communication fails.
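To make the root cause concrete, here is an added Python model of the two ACLs (it is not configuration from the case, which shows none). The address ranges, the sample flows and the rule syntax `rule N permit ip source A W [destination A W]` with contiguous inverse-mask wildcards are assumptions made for the illustration.

```python
import ipaddress

def _wild(addr, wildcard):
    """Turn an 'address wildcard' pair (inverse mask) into an ip_network.
    Assumes a contiguous wildcard such as 0.0.0.255."""
    ones = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}", strict=False)

def parse_rule(rule):
    """Parse 'rule N permit ip source A W [destination A W]' into (src_net, dst_net).
    A rule without a destination clause matches any destination."""
    tok = rule.split()
    i = tok.index("source")
    src = _wild(tok[i + 1], tok[i + 2])
    dst = ipaddress.ip_network("0.0.0.0/0")
    if "destination" in tok:
        j = tok.index("destination")
        dst = _wild(tok[j + 1], tok[j + 2])
    return src, dst

def pbr_matches(acl_rules, src_ip, dst_ip):
    """True when a flow hits any permit rule, i.e. the policy-based route redirects it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in map(parse_rule, acl_rules))

# Assumed addressing: headquarters 10.0.0.0/24, county A 10.1.1.0/24, county B 10.1.2.0/24.
# Original ACL as described in the case: source addresses only.
ACL_SOURCE_ONLY = [
    "rule 5 permit ip source 10.1.1.0 0.0.0.255",
    "rule 10 permit ip source 10.1.2.0 0.0.0.255",
]
# Corrected ACL: destination restricted to the headquarters segment.
ACL_FIXED = [
    "rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.0.0.0 0.0.0.255",
    "rule 10 permit ip source 10.1.2.0 0.0.0.255 destination 10.0.0.0 0.0.0.255",
]

def redirected_flows(acl_rules):
    """Names of the constructed sample flows that the policy-based route would redirect."""
    flows = {
        "A->HQ": ("10.1.1.10", "10.0.0.10"),  # county to headquarters: should be redirected
        "A->B": ("10.1.1.10", "10.1.2.10"),   # inter-county: must NOT be redirected
        "B->A": ("10.1.2.10", "10.1.1.10"),
    }
    return sorted(n for n, (s, d) in flows.items() if pbr_matches(acl_rules, s, d))

if __name__ == "__main__":
    print("source-only ACL redirects:", redirected_flows(ACL_SOURCE_ONLY))
    print("corrected ACL redirects:  ", redirected_flows(ACL_FIXED))
```

With the source-only ACL every county flow, including county-to-county, is pulled onto the headquarters link; with the destination clause only county-to-headquarters traffic is.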
Suggestions
On a large-scale network, an ACL is often referenced in several places. Configure each ACL precisely, specifying both source and destination where the policy depends on them, to prevent conflicts between applications and unnecessary trouble.