The customer's network is VPN client—USG2200—Internet—TOPSEC firewall. The VPN client is NATed by the USG2200 and establishes an IPSec VPN with the TOPSEC firewall through that NAT. The service is interrupted two minutes after the connection is established.
1. Check the session entries on the firewall. No reply packet is found. Collect packet loss statistics on the USG2200:
[USG2210-hidecmd]dis firewall debug_statistic
Current Show sessions count: 1
Protocol(UDP) SourceIp(22.214.171.124) DestinationIp(126.96.36.199)
SourcePort(2011) DestinationPort(2012) VpnIndex(public)
          Receive    Forward    Discard
Obverse : 88 pkt(s)  22 pkt(s)  198 pkt(s)
Reverse : 21 pkt(s)  21 pkt(s)  126 pkt(s)
Discard detail information:
DP_FW_Rcv :exit 10: 66
DP_GMAC_SEND_ENQUEUE :exit 1: 43
DP_GMAC_SEND_ENQUEUE :exit 3: 43
DP_GMAC_SEND_ENQUEUE :exit 4: 43
DP_GMAC_SEND_ENQUEUE :exit 8: 43
DP_GMAC_SEND_ENQUEUE :exit 15: 43
DP_GMAC_SEND_CALLED :exit 6: 43
Packets sent by the VPN client with UDP port 2011 are discarded by the USG2200, so the TOPSEC firewall never receives the reply packet.
2. Query the session table on the USG2200:
[USG2210]display firewall session table destination-port 2012
Current total sessions: 1
udp [PPFILM]: VPN: public -> public
The discarded packets are identified as PPFILM packets.
3. The likely cause is that P2P identification misclassifies the dial-up interactive packets as PPFILM packets and applies P2P traffic control to them directly. Because the CIR value is 0, these packets are discarded and the VPN service is interrupted.
4. Disable P2P traffic control, or increase the bandwidth (CIR) value of the class. The service then returns to normal.
P2P classes configured by the customer are as follows:
Cir default 0
Cir default 0
The bandwidth of the class is 0. The dial-up interactive packets of the TOPSEC VPN client are identified as PPFILM and subjected to P2P traffic control. Because the P2P bandwidth is 0, every packet so identified is discarded, and the VPN service is disconnected automatically.
R&D has modified the P2P pattern file so that dial-up interactive packets sent by the TOPSEC VPN client are no longer identified as PPFILM packets.
Problems of this kind can be located by collecting packet loss statistics on the firewall.
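As an added example (not part of the original case and not Huawei code), the following Python script parses the debug_statistic output quoted in step 1, flags every direction in which discards exceed forwards, and totals discards per drop point, which is the check that pointed at the P2P traffic control here. The sample text is a constructed copy of the output above without the CLI prompt; the field and regex names are this example's own.

```python
import re

# Constructed sample: the debug_statistic output quoted in this case, minus the CLI prompt.
SAMPLE = """\
Current Show sessions count: 1
Protocol(UDP) SourceIp(22.214.171.124) DestinationIp(126.96.36.199)
SourcePort(2011) DestinationPort(2012) VpnIndex(public)
Receive Forward Discard
Obverse : 88 pkt(s) 22 pkt(s) 198 pkt(s)
Reverse : 21 pkt(s) 21 pkt(s) 126 pkt(s)
Discard detail information:
DP_FW_Rcv :exit 10: 66
DP_GMAC_SEND_ENQUEUE :exit 1: 43
DP_GMAC_SEND_ENQUEUE :exit 3: 43
DP_GMAC_SEND_ENQUEUE :exit 4: 43
DP_GMAC_SEND_ENQUEUE :exit 8: 43
DP_GMAC_SEND_ENQUEUE :exit 15: 43
DP_GMAC_SEND_CALLED :exit 6: 43
"""
COUNTER_RE = re.compile(r"^(Obverse|Reverse)\s*:\s*(\d+) pkt\(s\)\s+(\d+) pkt\(s\)\s+(\d+) pkt\(s\)")
DETAIL_RE = re.compile(r"^(\S+)\s*:exit (\d+):\s*(\d+)")  # drop point, exit code, count
FIELD_RE = re.compile(r"(\w+)\(([^)]*)\)")  # e.g. SourcePort(2011)

def parse_debug_statistic(text):
    """Parse debug_statistic output into session fields, direction counters and discard details."""
    stats = {"fields": {}, "counters": {}, "discards": []}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            stats["counters"][m.group(1)] = {"receive": int(m.group(2)), "forward": int(m.group(3)), "discard": int(m.group(4))}
            continue
        m = DETAIL_RE.match(line)
        if m:
            stats["discards"].append((m.group(1), int(m.group(2)), int(m.group(3))))
            continue
        for key, value in FIELD_RE.findall(line):  # session identity line(s)
            stats["fields"][key] = value
    return stats

def suspicious_directions(stats):
    """Directions in which more packets were discarded than forwarded (here both, so no reply ever leaves)."""
    return [d for d, c in stats["counters"].items() if c["discard"] > c["forward"]]

def discards_by_point(stats):
    """Total discards per drop point, summed over exit codes, to narrow down where to look next."""
    totals = {}
    for point, _exit, count in stats["discards"]:
        totals[point] = totals.get(point, 0) + count
    return totals
```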