IPSec VPN Communication Fails Because the Intranet Subinterface of the USG2110 Is Not Configured with a VLAN Tag

Publication Date: 2019-07-03

Issue Description

Network: USG2110---Internet---USG2210
When the IPSec VPN is configured on the USG2110 and USG2210, the tunnel is established normally. To test the communication, run the ping -a command with the IP address of the intranet interface as the source address. The IP address of the intranet interface of the USG2210 can be pinged from the intranet interface of the USG2110, and vice versa.

Alarm Information


Handling Process

1. Make sure that the interzone packet filtering is correctly configured.
2. Make sure that the security ACL of the IPSec is correctly configured.
3. Ping the intranet interface of the USG2210 from the intranet interface of the USG2110, and capture packets on the USG2110 and USG2210 at the same time. The error information "IP packet is dropped for the visit interface is down!" is displayed. Check the configuration of the USG2110: the intranet uses a subinterface that has no VLAN tag configured, so the physical status of the subinterface is Up but its protocol status is Down. Instruct the user to configure a VLAN tag on the subinterface. The problem is then solved.
Attached: packet capture configuration
acl number 3999
 rule 5 permit ip source 0 destination 0
 rule 10 permit ip source 0 destination 0
debug ip packet acl 3999
The error information is as follows:
*0.1137506316 Secoway IP/8/debug_case:
Discarding, interface = Ethernet0/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 56391, offset = 0, ttl = 255, protocol = 1,
checksum = 64640, s =, d =
prompt: IP packet is dropped for the visit interface is down!
The configuration of the USG2210 is the same as that of the USG2110.

Root Cause

1. The configuration in the interzone is incorrect.
2. The security ACL configuration of the IPSec VPN is incorrect.


When the IPSec VPN tunnel can be established but the intranet communication fails, it is recommended that you analyze the problem by capturing packets with debugging, as shown above.
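When a capture like the one above contains many records, a short script can summarize which interface is discarding packets and why. The following is an added example, not part of the original case or of any Huawei tool: it parses debug output in the format quoted above, and the sample log, its addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the debug output quoted above; the addresses
# are documentation-range placeholders, not values from the original case.
SAMPLE = """\
*0.1137506316 Secoway IP/8/debug_case:
Discarding, interface = Ethernet0/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 56391, offset = 0, ttl = 255, protocol = 1,
checksum = 64640, s = 192.0.2.1, d = 198.51.100.1
prompt: IP packet is dropped for the visit interface is down!
*0.1137507320 Secoway IP/8/debug_case:
Discarding, interface = Ethernet0/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 56392, offset = 0, ttl = 255, protocol = 1,
checksum = 64639, s =, d =
prompt: IP packet is dropped for the visit interface is down!
"""

HEADER = re.compile(r"^\*(?P<ts>[\d.]+) \S+ IP/\d+/debug_case:")
FIELD = re.compile(r"(\w+) =[ \t]*([^,\s]*)")  # tolerates empty values ("s =,")


def parse_records(text):
    """Split debug output into one dict per packet record."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            cur = {"ts": m.group("ts"), "action": None, "prompt": None}
            records.append(cur)
        elif cur is None or not line:
            continue  # ignore anything before the first record header
        elif line.startswith("prompt:"):
            cur["prompt"] = line[len("prompt:"):].strip()
        else:
            if cur["action"] is None and "," in line:
                head = line.split(",", 1)[0]
                if "=" not in head:  # leading word such as "Discarding"
                    cur["action"] = head
            cur.update(FIELD.findall(line))
    return records


def drops_by_interface(records):
    """Count discarded packets per (interface, prompt reason)."""
    return Counter((r.get("interface"), r["prompt"])
                   for r in records if r["action"] == "Discarding")
```

A high count for one interface with the reason "IP packet is dropped for the visit interface is down!" points to the interface state on that device, as in this case, not to the interzone policy or the IPSec security ACL.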