An IPSec VPN is set up between a USG2110 and a USG2210, and the tunnel is established normally. When communication is tested by pinging with the internal network interface address as the source, the internal network interface of the USG2110 cannot ping the USG2210, and the internal network interface of the USG2210 cannot ping the USG2110 either.
1. Check the inter-domain packet filtering configuration. This is excluded as the cause.
2. Check the security ACL configuration in the IPSec VPN. This is excluded as the cause.
3. Capture packets on the USG2110 and the USG2210 while the internal network interface of the USG2110 pings the USG2210. The USG2210 reports “IP packet is dropped for the visit interface is down!”. Checking the configuration of the USG2210 shows that the internal network uses a sub-interface, but no VLAN tag encapsulation is configured on it. The physical state of the sub-interface was UP, but its protocol state was DOWN. The user was guided to configure the VLAN tag on the sub-interface, which solved the problem.
Attachment: packet capture configuration
acl number 3999
rule 5 permit ip source 10.0.21.1 0 destination 192.168.3.55 0
rule 10 permit ip source 192.168.3.55 0 destination 10.0.21.1 0
debug ip packet acl 3999
The error information is:
*0.1137506316 Secoway IP/8/debug_case:
Discarding, interface = Ethernet0/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 56391, offset = 0, ttl = 255, protocol = 1,
checksum = 64640, s = 192.168.3.55, d = 10.0.21.1
prompt: IP packet is droped for the visit interface is down!
The configuration of the USG2210 is the same as that of the USG2110.
1. An incorrect inter-domain configuration prevents ping.
2. An incorrect security ACL configuration in the IPSec VPN prevents ping.
When an IPSec VPN can be established but the internal networks cannot communicate, analyze the situation by capturing packets with debugging.
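As an added example (not part of the original case and not Huawei tooling), the following Python script parses debug ip packet output in the format shown above and counts discarded packets per interface and drop reason, which makes an "interface is down" drop stand out in a long capture. The second record in the sample is constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import Counter

# First record: copied from the case above. Second record: constructed
# for illustration (a packet that was not discarded).
SAMPLE = """\
*0.1137506316 Secoway IP/8/debug_case:
Discarding, interface = Ethernet0/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 56391, offset = 0, ttl = 255, protocol = 1,
checksum = 64640, s = 192.168.3.55, d = 10.0.21.1
prompt: IP packet is droped for the visit interface is down!
*0.1137506420 Secoway IP/8/debug_case:
Receiving, interface = Ethernet0/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 56392, offset = 0, ttl = 255, protocol = 1,
checksum = 64639, s = 10.0.21.1, d = 192.168.3.55
"""

HEADER = re.compile(r"^\*(\S+) (\S+) IP/8/debug_case:[ \t]*$", re.M)
FIELD = re.compile(r"(\w+) = ([^,\s]+)")
PROMPT = re.compile(r"^prompt:\s*(.+)$", re.M)


def parse_records(text):
    """Split debug output into records and return one dict per packet."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end].strip()
        rec = dict(FIELD.findall(body))          # "key = value" pairs
        rec["time"], rec["host"] = head.group(1), head.group(2)
        rec["action"] = body.split(",", 1)[0].strip()  # e.g. "Discarding"
        prompt = PROMPT.search(body)
        rec["reason"] = prompt.group(1).strip() if prompt else None
        records.append(rec)
    return records


def discard_summary(records):
    """Count discarded packets per (interface, reason)."""
    return Counter((r.get("interface"), r["reason"])
                   for r in records if r["action"] == "Discarding")


if __name__ == "__main__":
    for (iface, reason), n in discard_summary(parse_records(SAMPLE)).items():
        print(f"{n} discarded on {iface}: {reason}")
```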