Services Along an IPSec Tunnel Are Interrupted

Publication Date: 2013-12-31
Issue Description
After an IPSec tunnel is established between a USG2100 and a USG5100 (headquarters), services are interrupted between the two devices.
Topology: private address - USG2100 public address ------ USG5100 public address - private address

Alarm Information
Handling Process
1. On the USG2100, ping from The ping fails.
2. Check whether NAT is performed on the sessions. Display the session table on the USG5100 at the headquarters.
<USG5100>display  firewall  session table  verbose  destination inside
   Current Total Sessions : 1
  icmp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:00:20  Left: 00:00:19
  Interface: InLoopBack0  NextHop:  MAC: 00-00-00-00-00-00
  <--packets:3 bytes:252   -->packets:3 bytes:252>
The USG5100 receives the request packets and sends response packets (3 packets in each direction), so the headquarters side is replying.
3. Check ESP packets on the USG2100.
[USG2100]display firewall session table verbose source global
Current Total Sessions : 1
  esp  VPN:public --> public
  Zone: dx--> trust  TTL: 00:10:00  Left: 00:09:59
  Interface: Vlanif1  NextHop:  MAC: 6c-ae-8b-63-95-9a
  <--packets:0 bytes:0   -->packets:272 bytes:29368>
The ESP session exists, but the counters are one-directional: the USG2100 has sent 272 ESP packets and received none back.
4. Collect information from the customer. It is found that the public network address of the USG2100 is mapped to a server on the private network, so returned ESP packets are not handled by the USG2100 itself.
5. Delete the ESP session.
Services return to normal.
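As an added illustration, not Huawei code and not part of this case, the script below parses the output of display firewall session table verbose as quoted in steps 2 and 3 and flags sessions whose packet counters run in one direction only, which is the pattern the esp session above shows. The sample output is constructed from the records quoted in the case (the source quotes no addresses), and the regular expressions assume the field layout shown there; run it offline on output copied from the CLI.

```python
"""Flag one-directional sessions in Huawei USG 'display firewall session table
verbose' output. Added example, not Huawei's code; the regexes assume the
field layout quoted in the case above."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the icmp and esp records quoted in the case, concatenated.
SAMPLE_OUTPUT = """\
 Current Total Sessions : 2
  icmp  VPN:public --> public
  Zone: untrust--> local  TTL: 00:00:20  Left: 00:00:19
  Interface: InLoopBack0  NextHop:  MAC: 00-00-00-00-00-00
  <--packets:3 bytes:252   -->packets:3 bytes:252>
  esp  VPN:public --> public
  Zone: dx--> trust  TTL: 00:10:00  Left: 00:09:59
  Interface: Vlanif1  NextHop:  MAC: 6c-ae-8b-63-95-9a
  <--packets:0 bytes:0   -->packets:272 bytes:29368>
"""


@dataclass
class Session:
    protocol: str
    src_zone: Optional[str]
    dst_zone: Optional[str]
    interface: Optional[str]
    rx_packets: int  # '<--' counter: packets returned to the initiator
    tx_packets: int  # '-->' counter: packets sent by the initiator

    def is_one_way(self) -> bool:
        """True when exactly one direction of the session has carried packets."""
        return (self.rx_packets == 0) != (self.tx_packets == 0)


# One record is four lines: protocol/VPN, zones, interface, counters.
PROTO_RE = re.compile(r"^\s*(\w+)\s+VPN:(\S+)\s*-->\s*(\S+)")
ZONE_RE = re.compile(r"^\s*Zone:\s*(\S+?)\s*-->\s*(\S+)\s+TTL:")
IFACE_RE = re.compile(r"^\s*Interface:\s*(\S+)")
COUNTER_RE = re.compile(
    r"<--packets:(\d+)\s+bytes:(\d+)\s+-->packets:(\d+)\s+bytes:(\d+)>"
)


def parse_sessions(text: str) -> List[Session]:
    """Walk the output line by line; a counters line closes the current record."""
    sessions: List[Session] = []
    proto = src = dst = iface = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = ZONE_RE.match(line)
        if m:
            src, dst = m.group(1), m.group(2)
            continue
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = COUNTER_RE.search(line)
        if m and proto:
            sessions.append(
                Session(proto, src, dst, iface, int(m.group(1)), int(m.group(3)))
            )
            proto = src = dst = iface = None
    return sessions


def one_way_sessions(text: str, protocol: Optional[str] = None) -> List[Session]:
    """Sessions with traffic in only one direction, optionally filtered by protocol."""
    return [
        s
        for s in parse_sessions(text)
        if s.is_one_way() and (protocol is None or s.protocol == protocol)
    ]


if __name__ == "__main__":
    for s in one_way_sessions(SAMPLE_OUTPUT):
        print(
            f"{s.protocol} {s.src_zone}->{s.dst_zone} on {s.interface}: "
            f"sent {s.tx_packets}, received {s.rx_packets}"
        )
```

In the case above the icmp session on the USG5100 is balanced (3/3), while the esp session on the USG2100 shows 272 sent and 0 received; the check isolates that second pattern so the NAT configuration on the device holding the one-way session can be examined, as step 4 does.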
Root Cause
1. NAT on data traffic is faulty.
2. Data traffic returned from the headquarters is abnormal.
3. Transmission of Encapsulating Security Payload (ESP) packets is faulty.
Follow the procedure for troubleshooting IPSec-related faults step by step: confirm that the peer replies, then check the ESP session counters on the local device, and then check NAT configuration (including NAT server mappings) on the device whose session is one-directional.