
Solution for IPsec phase 2 negotiation failure when interconnecting a USG2130 with a yishang ES800

Publication Date: 2012-09-21

Issue Description


The user's network is as shown in the figure. The fault symptom is that the USG2130 cannot interconnect with the ES800 in either main mode or aggressive mode: the second phase of negotiation does not complete.

dis ike sa                                                            
    connection-id  peer            flag        phase   doi                    
       31                 NONE          2     IPSEC                   
       30         RD|ST         1     IPSEC      

Alarm Information


Handling Process

First, compare the IPsec proposals on the two ends. They are identical, so the proposal is not the problem.
Second, run display acl to check whether the ACL is matched. The ACL is not matched.
Check the debug information:
*0.89881316 USG2130BSR IKE/8/DEBUG:Get IPsec policy: get IPsec policy failed     
*0.89881400 USG2130BSR IKE/8/DEBUG:validate_prop: no IPsec policy found          
*0.89881483 USG2130BSR IKE/8/DEBUG:dropped message from due to notification

Then confirm that the ACL on the local end is correct.
The ACL configuration on the peer end turns out to have N ACL policies, so it cannot match ours. After the peer ACL is modified to be the same as ours, the problem is solved.

Root Cause

The SA is established in the first phase, but in the second phase the peer of the SA is unnamed, so the IPsec SA fails to negotiate. The IPsec-related configuration needs to be inspected, such as the IPsec proposal and the ACL configuration.


When interconnecting with another company's devices, check not only the IKE and IPsec configuration but also whether the ACL is matched. If more evidence is needed, inspect the debug information.
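The ACL comparison recommended above can be done offline before opening a debug session. The following is an added example, not part of the original case: it parses permit rules from both ends and reports protected flows that only one side defines, treating the peer's rules as matching when they are the local rules with source and destination swapped. It assumes both ACLs are written in Huawei-style rule syntax with wildcard masks (the page does not show the ES800's format), and all addresses and rule numbers are constructed.

```python
import ipaddress
import re

# Huawei-style advanced ACL permit rule with wildcard masks (assumed syntax for both ends).
RULE_RE = re.compile(
    r"rule\s+\d+\s+permit\s+ip\s+source\s+(\S+)\s+(\S+)\s+destination\s+(\S+)\s+(\S+)"
)

def wildcard_net(addr, wildcard):
    """Turn 'address wildcard-mask' into an IPv4Network, rejecting non-contiguous masks."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.IPv4Network((addr, prefix), strict=False)

def selectors(acl_text):
    """Set of (source, destination) networks taken from the permit rules."""
    return {
        (wildcard_net(s, sw), wildcard_net(d, dw))
        for s, sw, d, dw in RULE_RE.findall(acl_text)
    }

def mirror_mismatches(local_acl, peer_acl):
    """Flows (from the local point of view) that only one end defines."""
    local = selectors(local_acl)
    peer = {(dst, src) for src, dst in selectors(peer_acl)}  # swap to local view
    fmt = lambda flows: sorted(f"{s} -> {d}" for s, d in flows)
    return {"local_only": fmt(local - peer), "peer_only": fmt(peer - local)}

# Constructed sample configurations; addresses and rule numbers are invented.
LOCAL_ACL = """
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""
PEER_ACL_BEFORE = """
 rule 5 permit ip source 10.1.1.0 0.0.0.127 destination 192.168.1.0 0.0.0.255
 rule 10 permit ip source 10.1.1.128 0.0.0.127 destination 192.168.1.0 0.0.0.255
"""
PEER_ACL_AFTER = """
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
"""

if __name__ == "__main__":
    print("before:", mirror_mismatches(LOCAL_ACL, PEER_ACL_BEFORE))
    print("after: ", mirror_mismatches(LOCAL_ACL, PEER_ACL_AFTER))
```

Any entry in either list is a flow for which the two ends will not agree on what to protect, which is the condition behind the "no IPsec policy found" debug line in this case.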