The USG5120 BSR is deployed at headquarters, and the USG2130 BSR at a branch. IPSec is configured between them, but the IPSec tunnel fails to be established. Run display ike sa to check the SA negotiation. The first phase of negotiation is Up. The second phase is not established yet.
Modify the ACL applied through IPSec of the USG5120 BSR and USG2130 BSR to keep the source IP address and destination IP address symmetric. After the modification, the tunnel is set up successfully and the communication becomes normal.
Generally, the fault that IKE SA established the first phase instead of the second phase is caused by the ACL. In the test, the traffic is triggered to set up the IPSec tunnel. However, the traffic matches the ACL.
Later, it is found that the ACLs applied to the IPSec of the USG5120 BSR and USG2130 BSR specifies the destination IP address only
On large-scale networks, if multiple branches set up the IPSec tunnel with the headquarters, pay attention to ensure the symmetric ACL referenced through IPSec.