Failed to Set up the IPSec Tunnel Due to Asymmetric ACL Configuration

Publication Date:  2012-07-18 Views:  456 Downloads:  0

Issue Description

The USG5120 BSR is deployed at the headquarters and the USG2130 BSR at a branch. IPSec is configured between them, but the IPSec tunnel fails to be established. Running display ike sa to check the SA negotiation shows that the first phase of negotiation is Up, but the second phase is not established.

Alarm Information


Handling Process

Modify the ACLs referenced by IPSec on the USG5120 BSR and the USG2130 BSR so that the source and destination IP addresses are symmetric between the two devices. After the modification, the tunnel is set up successfully and communication returns to normal.

Root Cause

Generally, when the IKE SA completes the first phase of negotiation but not the second, the fault is caused by the ACL. In the test, traffic is triggered to set up the IPSec tunnel. However, the traffic matches the ACL.
Later, it is found that the ACLs applied to IPSec on the USG5120 BSR and the USG2130 BSR specify the destination IP address only.


On large-scale networks where multiple branches set up IPSec tunnels with the headquarters, make sure that the ACLs referenced by IPSec on both ends are symmetric.
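The symmetry requirement can be checked offline before a change is applied. The following is an added example, not part of the original case: it parses advanced ACL permit rules in the `rule ... permit ip source <addr> <wildcard> destination <addr> <wildcard>` form and reports flows on one device that have no mirrored rule on the peer. The addresses and all function names are constructed for illustration, and only IPv4 address/wildcard pairs are handled.

```python
import ipaddress
import re

ANY = ipaddress.ip_network("0.0.0.0/0")
RULE = re.compile(r"rule(?:\s+\d+)?\s+permit\s+ip\b(?P<rest>.*)", re.I)

# Constructed sample rules (addresses are placeholders, not from the case).
HQ_BROKEN = "rule 5 permit ip destination 192.168.2.0 0.0.0.255"
BRANCH_BROKEN = "rule 5 permit ip destination 192.168.1.0 0.0.0.255"
HQ_FIXED = ("rule 5 permit ip source 192.168.1.0 0.0.0.255 "
            "destination 192.168.2.0 0.0.0.255")
BRANCH_FIXED = ("rule 5 permit ip source 192.168.2.0 0.0.0.255 "
                "destination 192.168.1.0 0.0.0.255")


def _net(rest, keyword):
    """Network following 'source' or 'destination'; ANY when the keyword is absent."""
    m = re.search(keyword + r"\s+(\S+)\s+(\S+)", rest)
    if not m:
        return ANY
    addr, wild = (int(ipaddress.IPv4Address(x)) for x in m.groups())
    if wild & (wild + 1):  # wildcard must be contiguous low-order ones
        raise ValueError("non-contiguous wildcard: " + rest.strip())
    return ipaddress.ip_network((addr & ~wild, 32 - wild.bit_length()))


def parse_acl(text):
    """Return the set of (source, destination) networks from permit rules."""
    flows = set()
    for line in text.splitlines():
        m = RULE.search(line)
        if m:
            rest = m.group("rest")
            flows.add((_net(rest, "source"), _net(rest, "destination")))
    return flows


def asymmetric_flows(local_acl, peer_acl):
    """Local flows that have no mirrored (destination, source) rule on the peer."""
    peer = parse_acl(peer_acl)
    return sorted(f for f in parse_acl(local_acl) if (f[1], f[0]) not in peer)


if __name__ == "__main__":
    print("broken:", asymmetric_flows(HQ_BROKEN, BRANCH_BROKEN))
    print("fixed: ", asymmetric_flows(HQ_FIXED, BRANCH_FIXED))
```

Run the check in both directions (headquarters against branch, then branch against headquarters); an empty result both ways means the two ACLs mirror each other.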