
Troubleshooting ideas for an IPsec VPN fault

Publication Date: 2012-09-11

Issue Description

When a USG2110 and a USG3000 set up a point-to-point VPN, the tunnel negotiation does not come up.

Alarm Information


Handling Process

1 Check the ACLs with display acl all. All the ACLs have hits; the ACL hit count at the headquarters end does not grow, but the branch end has hits.
2 Viewing with dis ike sa shows that the IKE negotiation has been completed.
3 Check the configuration of the IKE peer; the parameters are all correct. The IKE peer at the headquarters references the encrypted data flow, and this is the cause of the problem.
4 On the headquarters end of the configuration, the system automatically mirrors the encrypted data flow based on the branch ACL.

Root Cause

When tunnel negotiation is unsuccessful, the possible causes are generally the following:
1 Tunnel negotiation is not triggered, generally because the ACL was not hit.
2 A problem with the IKE proposal.
3 Whether the parameters of the IKE peers are consistent.
4 With the name authentication method, negotiation can only be initiated by the branch office.


When troubleshooting an IPsec VPN, pay attention to the definition of the interesting traffic on the headquarters device.
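
The check on the headquarters interesting traffic can be done offline by comparing it with the mirror of the branch ACL. The following is an added example, not part of the original case: the ACL text, rule numbers and addresses are constructed, and the rule syntax is assumed to be the Huawei-style advanced ACL form.

```python
import re

# Assumed Huawei-style advanced ACL rule; masks are wildcard masks.
RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(permit|deny)\s+(\S+)"
    r"\s+source\s+(any|\S+\s+\S+)\s+destination\s+(any|\S+\s+\S+)"
)

def parse_acl(text):
    """Return the set of (action, protocol, source, destination) flows in an ACL."""
    flows = set()
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            action, proto, src, dst = m.groups()
            # Normalise whitespace so "addr  wildcard" compares equal
            flows.add((action, proto, " ".join(src.split()), " ".join(dst.split())))
    return flows

def mirror(flows):
    """Swap source and destination of every flow."""
    return {(a, p, dst, src) for a, p, src, dst in flows}

def compare_interesting_traffic(branch_acl, hq_acl):
    """Return (missing_at_hq, extra_at_hq) relative to the mirror of the branch ACL."""
    expected = mirror(parse_acl(branch_acl))
    actual = parse_acl(hq_acl)
    return sorted(expected - actual), sorted(actual - expected)

# Constructed sample configurations
BRANCH_ACL = """
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 10.1.0.0 0.0.255.255
"""
HQ_ACL_BAD = """
acl number 3000
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""
HQ_ACL_GOOD = """
acl number 3000
 rule 5 permit ip source 10.1.0.0 0.0.255.255 destination 192.168.10.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, hq in (("bad", HQ_ACL_BAD), ("good", HQ_ACL_GOOD)):
        missing, extra = compare_interesting_traffic(BRANCH_ACL, hq)
        print(name, "missing at HQ:", missing, "extra at HQ:", extra)
```

Any entry in either returned list means the headquarters definition is not the exact mirror of the branch definition.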