When the IPSec VPN is configured on the USG2110 and USG2210, the tunnel can be established normally. During the test, run the ping -a command with the source address of the intranet interface to test the communication. The IP address of the intranet interface of the USG2210 can be pinged through from the intranet interface of the USG2110, and vice versa.
1. Make sure that the interzone packet filtering is correctly configured.
2. Make sure that the security ACL of the IPSec is correctly configured.
3. Ping the intranet interface of the USG2210 from the intranet interface of the USG2110. Obtain packets on the USG2110 and USG2210 at the same time. The error information "IP packet is dropped for the visit interface is down!" is displayed. Check the configurations of the USG2110. The intranet adopts the subinterface, which is not tagged as VLAN. The physical and protocol status of the subinterface is Up and Down respectively. Instruct the user to add a VLAN label on the subinterface. Then the problem is solved.
Attached: packet obtain configuration
acl number 3999
rule 5 permit ip source 10.0.21.1 0 destination 192.168.3.55 0
rule 10 permit ip source 192.168.3.55 0 destination 10.0.21.1 0
debug ip packet acl 3999
The error information is as follows:
*0.1137506316 Secoway IP/8/debug_case:
Discarding, interface = Ethernet0/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 56391, offset = 0, ttl = 255, protocol = 1,
checksum = 64640, s = 192.168.3.55, d = 10.0.21.1
prompt: IP packet is dropped for the visit interface is down!
The configuration of the USG2210 is the same as that of the USG2110.
1. The configuration in the interzone is incorrect.
2. The security acl configuration of the IPSec VPN is incorrect.
|When the IPSec VPN can be established but the intranet communication fails, it is recommended that you analyze the problem through debugging packet obtain.|