Since the Intranet Subinterface of the USG2110 is not Configured with Labels, the IPSec VPN Communication Fails

Publication Date:  2012-07-23 Views:  242 Downloads:  0
Issue Description
Network: USG2110---Internet---USG2210
When the IPSec VPN is configured on the USG2110 and USG2210, the tunnel can be established normally. During the test, run the ping -a command with the source address of the intranet interface to test the communication. The IP address of the intranet interface of the USG2210 can be pinged through from the intranet interface of the USG2110, and vice versa.
 
Alarm Information
None
Handling Process
1. Make sure that the interzone packet filtering is correctly configured.
2. Make sure that the security ACL of the IPSec is correctly configured.
3. Ping the intranet interface of the USG2210 from the intranet interface of the USG2110. Capture packets on the USG2110 and USG2210 at the same time. The error information "IP packet is dropped for the visit interface is down!" is displayed. Check the configurations of the USG2110. The intranet adopts the subinterface, which is not tagged as VLAN. The physical and protocol status of the subinterface is Up and Down respectively. Instruct the user to add a VLAN label on the subinterface. Then the problem is solved.
Attached: packet capture configuration
USG2110:
acl number 3999
 rule 5 permit ip source 10.0.21.1 0 destination 192.168.3.55 0
 rule 10 permit ip source 192.168.3.55 0 destination 10.0.21.1 0
debug ip packet acl 3999
The error information is as follows:
*0.1137506316 Secoway IP/8/debug_case:
Discarding, interface = Ethernet0/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 56391, offset = 0, ttl = 255, protocol = 1,
checksum = 64640, s = 192.168.3.55, d = 10.0.21.1
prompt: IP packet is dropped for the visit interface is down!
The configuration of the USG2210 is the same as that of the USG2110.
 
Root Cause
1. The configuration in the interzone is incorrect.
2. The security acl configuration of the IPSec VPN is incorrect.
 
Suggestions
When the IPSec VPN can be established but the intranet communication fails, it is recommended that you analyze the problem through debugging packet capture.

END