IPsec service traffic fails because the sub-interface does not encapsulate a VLAN

Publication Date: 2012-12-04
Issue Description
Network: USG2110 ------- Internet ------- USG2130
The USG2110 is the branch and the USG2130 is the headquarters. IPsec is configured on both ends, IKE phase 1 and phase 2 of the tunnel both negotiate normally, and the IPsec SA is created successfully. The user reports that the internal network gateway address of the USG2110 cannot ping the internal network gateway address of the USG2130. The IPsec SA has been established, but service traffic does not pass.
Alarm Information
Handling Process
1. Checked the ACL: the ACL configuration has no problem, and port fast forwarding is also disabled.
2. Finally, ran a debug test on the USG2110. The debug output shows that the traffic on the USG2110 did not carry VLAN tags and was then discarded.
Solution: after VLAN encapsulation was configured on the sub-interface that holds the IP address, the firewalls on both sides of the tunnel have the internal network address, and the addresses can be pinged successfully.
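One way to check a saved firewall configuration for the fault found in this case, as an added example (not part of the original case or the vendor's tooling): it flags sub-interfaces that hold an IP address but have no VLAN encapsulation line. The sample configuration is constructed, and the check assumes the encapsulation appears as `vlan-type dot1q <id>` under the sub-interface.

```python
import re

# Constructed sample configuration; names, VLAN ID and addresses are placeholders.
SAMPLE_CONFIG = """\
interface Ethernet0/0/0
 ip address 198.51.100.2 255.255.255.252
#
interface Ethernet0/0/1.1
 ip address 192.168.10.1 255.255.255.0
#
interface Ethernet0/0/1.2
 vlan-type dot1q 20
 ip address 192.168.20.1 255.255.255.0
#
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)\s*$")
# Assumption: VLAN encapsulation shows up as "vlan-type dot1q <id>".
ENCAP_RE = re.compile(r"^vlan-type\s+dot1q\b")
IP_RE = re.compile(r"^ip\s+address\s+\S+")


def parse_interfaces(config_text):
    """Return {interface name: [stripped config lines under it]}."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = IFACE_RE.match(line)
        if match:
            current = sections.setdefault(match.group(1), [])
        elif line in ("#", "return") or (line and not raw[0].isspace()):
            current = None  # an unindented line or "#" ends the interface section
        elif current is not None and line:
            current.append(line)
    return sections


def untagged_subinterfaces(config_text):
    """Sub-interfaces (name contains '.') with an IP address but no VLAN encapsulation."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        has_ip = any(IP_RE.match(ln) for ln in lines)
        has_encap = any(ENCAP_RE.match(ln) for ln in lines)
        if "." in name and has_ip and not has_encap:
            findings.append(name)
    return findings

if __name__ == "__main__":
    print(untagged_subinterfaces(SAMPLE_CONFIG))
```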
Root Cause
1. ACL configuration
2. Port fast forwarding has not been disabled