IPsec VPN tunnel is established, but one end cannot ping the other

Publication Date:  2012-09-17 Views:  267 Downloads:  0
Issue Description
An IPsec VPN is established between a USG5100 at headquarters and a USG2110 at a branch. The branch can ping headquarters successfully, but once the tunnel is up, headquarters cannot ping the branch. The USG version is V100R005SPC300.
Alarm Information
none
Handling Process
1. There is no interface switch problem on the USG5100, we had not configured NAT on the device ourselves, and the rest of the configuration shows no problem.
2. While a headquarters internal host pings a branch internal host, check the session table on the USG device, as follows:
[USG5100]disp firewall session table
09:46:20 2011/09/10
Current Total Sessions : 9
esp VPN:public --> public 123.233.206.111:0-->124.133.249.10:0
tcp VPN:public --> public 192.168.10.33:1058-->192.168.1.112:3389
icmp VPN:public --> public 192.168.1.112:1024[124.133.244.10:1024]-->192.168.10.1:2048
netbios-data VPN:public --> public 192.168.1.112:138[124.133.244.10:138]-->192.168.1.255:138
The ICMP session shows that the source address has been translated by NAT (the address in square brackets), yet the USG5100 configuration contains no outbound NAT, and this address cannot access the external network.
3. Checking the configuration again, we find a mapping that some user had added:
nat server 0 protocol tcp global 124.133.244.10 3389 inside 192.168.1.112 3389
After adding no-reverse to this entry and pinging the internal address again, the ping succeeds. The cause is that the IPsec data flow matched the reverse direction of the nat server mapping, so the headquarters source address was translated before the traffic entered the tunnel.
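The session table is the evidence that gives this case away: interesting traffic between the two LANs should never carry a translated source. The following is an added example, not part of the Huawei case or the USG software, that parses output in the format shown above and flags sessions where a source in one protected subnet was translated on its way to a different protected subnet. The sample table is constructed from the lines in this case, and the /24 prefix lengths for the headquarters and branch LANs are assumptions (the case names hosts in both ranges but no masks).

```python
import ipaddress
import re

# Constructed sample modelled on the `display firewall session table`
# output in this case; it is not a live capture.
SAMPLE_SESSION_TABLE = """\
09:46:20 2011/09/10
Current Total Sessions : 9
esp VPN:public --> public 123.233.206.111:0-->124.133.249.10:0
tcp VPN:public --> public 192.168.10.33:1058-->192.168.1.112:3389
icmp VPN:public --> public 192.168.1.112:1024[124.133.244.10:1024]-->192.168.10.1:2048
netbios-data VPN:public --> public 192.168.1.112:138[124.133.244.10:138]-->192.168.1.255:138
"""

# Subnets carried inside the IPsec tunnel. Assumed prefix lengths: the case
# shows hosts in 192.168.1.x (headquarters) and 192.168.10.x (branch) only.
PROTECTED_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),   # headquarters LAN (assumed /24)
    ipaddress.ip_network("192.168.10.0/24"),  # branch LAN (assumed /24)
]

# One session line: protocol, VPN-instance pair, source ip:port with an
# optional [nat_ip:nat_port] translation, then destination ip:port.
SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"-->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)


def parse_sessions(table_text):
    """Return one dict per session line; header and summary lines are skipped."""
    sessions = []
    for line in table_text.splitlines():
        match = SESSION_RE.match(line.strip())
        if match:
            sessions.append(match.groupdict())
    return sessions


def _protected_net(ip_text):
    """Return the protected subnet containing ip_text, or None."""
    addr = ipaddress.ip_address(ip_text)
    for net in PROTECTED_SUBNETS:
        if addr in net:
            return net
    return None


def find_nat_leaks(sessions):
    """Return sessions whose source was translated although both ends sit in
    protected subnets on different sides of the tunnel. Such a session means a
    NAT rule (in this case the reverse direction of a nat server entry) was
    applied to IPsec interesting traffic, so the peer never sees the real
    source and the reply cannot come back through the tunnel."""
    leaks = []
    for session in sessions:
        if session["nat_ip"] is None:
            continue  # untranslated, as tunnel traffic should be
        src_net = _protected_net(session["src_ip"])
        dst_net = _protected_net(session["dst_ip"])
        # Same-subnet traffic (e.g. a local broadcast) is not tunnel traffic.
        if src_net is not None and dst_net is not None and src_net != dst_net:
            leaks.append(session)
    return leaks


def describe(session):
    """Human-readable one-liner for a flagged session."""
    return ("{proto} {src_ip}:{src_port} translated to {nat_ip}:{nat_port} "
            "towards {dst_ip}:{dst_port}").format(**session)


if __name__ == "__main__":
    for leak in find_nat_leaks(parse_sessions(SAMPLE_SESSION_TABLE)):
        print("NAT applied to tunnel traffic:", describe(leak))
```

Run against the constructed table, the checker flags only the ICMP session from 192.168.1.112 to 192.168.10.1, the same session that pointed to the nat server mapping in this case; the NetBIOS broadcast to 192.168.1.255 stays within one LAN and is ignored. Once `no-reverse` has been added to the nat server entry as described above, the same check over a fresh session table should return nothing.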
Root Cause
1. Interface switch problem.
2. Outbound NAT matches the IPsec interesting traffic.
3. Other.
Suggestions
none
