A mobile computer connected through L2TP cannot ping the intranet server

Publication Date: 2012-09-22

Issue Description

After the L2TP client PC connected, it could not ping the intranet WEB server, is address segment for client
Topology is like this

Alarm Information


Handling Process

We changed the ACL applied in policy-based routing so that traffic matching the deny rules can reach the target network segment. The changed ACL configuration is as follows:
acl number 3000
 rule 1 deny ip destination
 rule 2 deny ip destination 0
 rule 3 deny ip destination
 rule 5 permit ip source address-set celveluyou

Root Cause

The mobile computer can connect through L2TP, which means the L2TP configuration on the USG 2100 has no problems. Checking the L2TP tunnel information shows that this PC is already present in the tunnel list:
[USG2100]dis l2tp tunnel
11:58:53 2012/05/24
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
1 1 1701 1 client1

From the L2TP client PC we cannot ping the WEB server. Conversely, when we run a ping test and check the session information on the firewall, we find that the firewall translates the traffic to a public network address, as shown here:
[USG2100]dis firewall session table source inside protocol icmp
11:55:06 2012/05/24
Current Total Sessions : 1
icmp VPN:public --> public[]-->

Checking the configuration shows that the firewall has policy-based routing configured, which sends traffic from most of the source addresses in the address set celveluyou out through Dialer1, including the WEB server. All of this traffic is translated to a public address, so the ping fails. The configuration is as follows:
ip address-set celveluyou type object
 address 0 range
 address 1 range
 address 2 range
acl number 3000
 rule 1 deny ip destination
 rule 2 deny ip destination 0
 rule 5 permit ip source address-set celveluyou
interface Vlanif1
 mtu 1400
 ip address
 ip policy-based-route abc
 dhcp select interface
 dhcp server dns-list
policy-based-route abc permit node 30
 if-match acl 3000
 apply output-interface Dialer1
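
The effect of the ACL change can be checked with a small model of the policy-based-route match. This is an added example, not part of the original case: the page's addresses are not shown, so every address below is a constructed placeholder, and it assumes first-match ACL evaluation where only a permit match is sent out Dialer1 and deny or no match is routed normally, as the Handling Process describes.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str                      # "permit" or "deny"
    src: Optional[list] = None       # list of source networks, None = any
    dst: Optional[str] = None        # destination network, None = any

# All addresses are constructed placeholders, not values from the case.
ADDRESS_SET = ["192.168.1.0/24"]     # stands in for address-set celveluyou
WEB_SERVER = "192.168.1.10"          # intranet WEB server, inside the set
L2TP_CLIENT = "10.10.10.2"           # address assigned to the L2TP client
INTERNAL_NETS = ["192.168.1.0/24", "172.16.0.0/12", "10.10.10.0/24"]

ACL_BEFORE = [
    Rule("deny", dst="192.168.0.0/16"),      # rule 1
    Rule("deny", dst="172.16.0.0/12"),       # rule 2
    Rule("permit", src=ADDRESS_SET),         # rule 5
]
# The fix: one more deny (rule 3) covering the L2TP client segment.
ACL_AFTER = ACL_BEFORE[:2] + [Rule("deny", dst="10.10.10.0/24")] + ACL_BEFORE[2:]

def acl_action(acl, src, dst):
    """Return the action of the first matching rule, or None if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if r.src and not any(s in ipaddress.ip_network(n) for n in r.src):
            continue
        if r.dst and d not in ipaddress.ip_network(r.dst):
            continue
        return r.action
    return None

def egress(acl, src, dst):
    """Only a permit match is policy-routed; deny or no match is routed normally."""
    return "Dialer1" if acl_action(acl, src, dst) == "permit" else "normal routing"

def diverted_segments(acl, src, internal_nets):
    """Internal segments whose traffic from src would leave via Dialer1.
    Probes the first host address of each segment."""
    return [n for n in internal_nets
            if egress(acl, src, str(ipaddress.ip_network(n)[1])) == "Dialer1"]

if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, egress(acl, WEB_SERVER, L2TP_CLIENT),
              diverted_segments(acl, WEB_SERVER, INTERNAL_NETS))
```

Running `diverted_segments` against a list of every internal and VPN pool segment before enabling a policy-based route shows which return paths would be pulled out of the tunnel and translated.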