Configuring a security acl in the policy-template on an SVN3000 causes the IPsec service to fail

Publication Date: 2012-10-17
Issue Description
An SVN3000 (headquarters) establishes IPsec VPN tunnels with multiple USG2100 devices (branches); all branch devices obtain network access through PPPoE dial-up. After the configuration was completed, the SVN showed that all tunnels were established normally, but only one tunnel carried intranet traffic with the customer's network; the remaining branches could not communicate.
Alarm Information
None
Handling Process
1. Checked the ACL configuration; the interesting-traffic (interested flow) configuration was correct.
2. Fast-forwarding on the interface had also been disabled (on USG2100 V1R5 the interface has no port fast-forwarding).
3. Checked the session table from the SVN to each branch in turn and found that the SVN sent the packets of every VPN back to one and the same branch, so the other VPNs were unreachable.
4. Deleted the security acl from the ipsec policy-template on the SVN; the problem was solved.
Root Cause
1. The user's ACL configuration was not correct; that is, the interesting-traffic (interested flow) configuration had a problem.
2. The user did not disable port fast-forwarding on the intranet interface.
Suggestions
When USG devices such as the USG3000 and the SVN3000 use a policy-template to establish IPsec, a security acl must not be configured in the policy-template on any of them.
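The setting the article describes, shown as a constructed configuration fragment (added here, not taken from the original article or the customer's device): the headquarters policy-template with the security acl that broke the other branches, beside the corrected template without it. The names temp1, map1, branch and prop1, the ACL number 3000 and the addresses are assumptions chosen for illustration.

```text
# Before (constructed example): a security acl inside the policy-template.
# The article found that with this setting the SVN sent the packets of every
# VPN to a single branch, so only one branch could reach the intranet.
acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 10.2.0.0 0.0.255.255
ipsec policy-template temp1 10
 ike-peer branch
 proposal prop1
 security acl 3000
ipsec policy map1 10 isakmp template temp1

# After: the same template with the security acl removed, as in step 4 of the
# handling process. The other template settings stay as they were.
ipsec policy-template temp1 10
 undo security acl
ipsec policy map1 10 isakmp template temp1
```

After the change, verify per branch as the article did: confirm each tunnel is established and that the session table shows each branch's traffic returning to its own tunnel rather than all of it to one branch.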
