After establishing an IPsec tunnel, the connection is unstable and intermittent

Publication Date:  2012-11-07
Issue Description
Two USG devices set up an IPsec VPN between them, but the tunnel can sometimes be established and sometimes cannot.
Networking as shown in the figure:
A :USG2160 (211.161.103.10) - - - - - - Internet - - - - - - - (58.210.140.210)
B :USG2130
Alarm Information
none
Handling Process
1, When the tunnel cannot be established, capture packets at both ends at the same time. Both ends send out IPsec (IKE) negotiation messages, but neither end receives the negotiation messages from the peer:
Packet capture at A:

Packet capture at B:

So the preliminary judgement is that the link between the two ends may have a problem.
2, When establishment is not successful:
Occasionally the following tunnel is found at B:
dis ike sa
08:57:00 2012/05/24
current ike sa number: 1
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0xdda 222.73.189.2 0 RD|ST v2:1 IPSEC
And B always has the following session:
display firewall session table v source inside 222.73.189.2
10:35:31 2012/05/25
Current Total Sessions : 1
udp VPN:public --> public
Zone: untrust--> local TTL: 00:02:00 Left: 00:01:25
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:196 bytes:58016
222.73.189.2:65181-->58.210.140.210:500
222.73.189.2:65181-->58.210.140.210:500 means that the traffic from 222.73.189.2 to 58.210.140.210 goes to UDP port 500, namely the IKE port used for IPsec negotiation, but B only establishes IPsec with A and has no contact with this address at all.
3, Modify the configuration so that neither end has data flow triggering the tunnel, and make sure the session ages out. If B initiates access first, the tunnel can be set up; if A initiates access first, the tunnel may or may not be established. The information after the tunnel is established successfully is as follows:
dis ike sa
10:46:06 2012/05/25
current ike sa number: 2
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0x15c9 211.161.103.10 0 RD v2:2 IPSEC
0x15c8 211.161.103.10 0 RD v2:1 IPSEC
display firewall session table v source inside 222.73.189.2
10:50:46 2012/05/25
Current Total Sessions : 2
esp VPN:public --> public
Zone: untrust--> local TTL: 00:10:00 Left: 00:10:00
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:8470 bytes:9864064
222.73.189.2:0-->58.210.140.210:0
udp VPN:public --> public
Zone: untrust--> local TTL: 00:02:00 Left: 00:00:44
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:14 bytes:1232 -->packets:14 bytes:1232
222.73.189.2:48534-->58.210.140.210:500

The peer address of the established IPsec tunnel is A's address, 211.161.103.10, but the session shows the address 222.73.189.2, which means the source address of messages from A may be rewritten to 222.73.189.2 in transit.
4, Verify the above analysis:
B pings A, and the session at A is checked; it is normal:
dis firewall session table source global 58.210.140.210
03:17:44 2012/05/25
Current Total Sessions : 1
icmp VPN:public --> public 58.210.140.210:44072-->211.161.103.10:2048
A pings B, and the session at B is checked; the ICMP session from A is not found:
display firewall session table v source global 211.161.103.10
11:00:15 2012/05/25
Current Total Sessions : 1
esp VPN:public --> public
Zone: untrust--> local TTL: 00:10:00 Left: 00:09:59
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:3269 bytes:934928
211.161.103.10:0-->58.210.140.210:0

But ICMP message information from 222.73.189.2 is found at B, which means the source address is replaced somewhere between A and B:
display firewall session table v source inside 222.73.189.2
11:01:35 2012/05/25
Current Total Sessions : 8
esp VPN:public --> public
Zone: untrust--> local TTL: 00:10:00 Left: 00:01:07
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:32559 bytes:40045352
222.73.189.2:0-->58.210.140.210:0
icmp VPN:public --> public
Zone: untrust--> local TTL: 00:00:20 Left: 00:00:00
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:1 bytes:84 -->packets:1 bytes:84
222.73.189.2:35917-->58.210.140.210:2048
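Steps 2 to 4 above come down to one check: compare the peer address in the IKE SA table and the source address of IKE/ESP sessions against the one peer B is configured to talk to, and treat anything else as evidence that the address is rewritten on the path. The following script automates that check over the two CLI outputs quoted in this case. It is an added example, not Huawei's code or a USG feature; it assumes the output layout is exactly the one shown here (other releases may print different columns), and the sample outputs, the local address 58.210.140.210 and the expected peer 211.161.103.10 are taken from the case text.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumption: the CLI layout below is the one quoted in this case; other USG
# releases may print different columns, so the regexes would need adjusting.
IKE_SA_LINE = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\S+\s+v\d:\d\s+\S+$"
)
# "esp VPN:public --> public", optionally followed by the 5-tuple on the same line
SESSION_HDR = re.compile(r"^(?P<proto>[a-z]+)\s+VPN:\S+\s+-->\s+\S+(?:\s+(?P<flow>\S+))?$")
FLOW_LINE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)-->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)
IKE_PORTS = {500, 4500}  # IKE, and IKE/ESP over NAT-T


@dataclass(frozen=True)
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def is_tunnel_traffic(self) -> bool:
        """ESP, or UDP to the IKE ports: the only traffic B expects from its IPsec peer."""
        return self.proto == "esp" or (self.proto == "udp" and self.dport in IKE_PORTS)


def parse_ike_peers(text: str) -> Set[str]:
    """Peer addresses from 'dis ike sa' output."""
    peers: Set[str] = set()
    for line in text.splitlines():
        m = IKE_SA_LINE.match(line.strip())
        if m:
            peers.add(m.group("peer"))
    return peers


def parse_sessions(text: str) -> List[Session]:
    """Sessions from 'display firewall session table verbose' output."""
    sessions: List[Session] = []
    proto = None
    for raw in text.splitlines():
        line = raw.strip()
        hdr = SESSION_HDR.match(line)
        if hdr:
            proto = hdr.group("proto")
            flow = hdr.group("flow")          # one-line form: tuple follows the header
        else:
            flow = line if proto else None    # verbose form: tuple on its own line
        m = FLOW_LINE.match(flow) if flow else None
        if m:
            sessions.append(Session(proto, m.group("src"), int(m.group("sport")),
                                    m.group("dst"), int(m.group("dport"))))
    return sessions


def audit(ike_text: str, session_text: str, local_addr: str, expected_peer: str) -> Dict[str, list]:
    """Flag IKE SAs and tunnel sessions whose far end is not the configured peer.

    B is configured to peer only with A, so IKE or ESP reaching local_addr from
    any other source means A's source address was rewritten on the path."""
    ike_peers = parse_ike_peers(ike_text)
    sessions = parse_sessions(session_text)
    return {
        "ike_peers": sorted(p for p in ike_peers if p != expected_peer),
        "sessions": [s for s in sessions
                     if s.dst == local_addr and s.is_tunnel_traffic() and s.src != expected_peer],
    }


# Constructed sample, transcribed from the outputs quoted in this case.
SAMPLE_IKE_SA = """\
dis ike sa
08:57:00 2012/05/24
current ike sa number: 1
---------------------------------------------------------------------
connection-id peer vpn flag phase doi
--------------------------------------------------------------------
0xdda 222.73.189.2 0 RD|ST v2:1 IPSEC
"""

SAMPLE_SESSION_TABLE = """\
display firewall session table v source inside 222.73.189.2
10:50:46 2012/05/25
Current Total Sessions : 3
esp VPN:public --> public
Zone: untrust--> local TTL: 00:10:00 Left: 00:10:00
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:0 bytes:0 -->packets:8470 bytes:9864064
222.73.189.2:0-->58.210.140.210:0
udp VPN:public --> public
Zone: untrust--> local TTL: 00:02:00 Left: 00:00:44
Interface: InLoopBack0 NextHop: 127.0.0.1 MAC: 00-00-00-00-00-00
<--packets:14 bytes:1232 -->packets:14 bytes:1232
222.73.189.2:48534-->58.210.140.210:500
icmp VPN:public --> public 222.73.189.2:35917-->58.210.140.210:2048
"""

if __name__ == "__main__":
    report = audit(SAMPLE_IKE_SA, SAMPLE_SESSION_TABLE,
                   local_addr="58.210.140.210", expected_peer="211.161.103.10")
    for peer in report["ike_peers"]:
        print(f"IKE SA with unexpected peer {peer}")
    for s in report["sessions"]:
        print(f"{s.proto} from unexpected source {s.src}:{s.sport} -> {s.dst}:{s.dport}")
```

On the sample, the IKE SA with peer 222.73.189.2 and the ESP and UDP/500 sessions from that address are reported, while the ICMP session is ignored because it is not tunnel traffic. Only ESP and UDP 500/4500 are compared against the configured peer; a hit means the address seen on the wire is not the one the tunnel was configured for, which is exactly the condition that blocks negotiation in this case.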
Root Cause
1, Device configuration is not consistent.
2, DPD is configured at both ends.
3, The intermediate link has a problem.
Suggestions
When A and B exchange messages, the intermediate carrier link rewrites the source address, which affects IPsec negotiation and tunnel establishment and makes the connection over the intermediate link unstable and intermittent.

END