

Troubleshooting case: ACL mismatch causes the IPsec SA setup to fail

Publication Date: 2012-09-25

Issue Description

An office site runs an IPsec VPN between two USG2160 firewalls. One end has a fixed public IP address; the other end dials up over 3G. When the IPsec connection is triggered from the dial-up end, the phase 2 tunnel (the IPsec SA) is not established and the peer flag shows "unnamed". The network topology is as follows: usg2160----internet---usg2160

Alarm Information


Handling Process

1. Check the IPsec configuration parameters on both devices; they are the same.
2. Check the ACLs that define the data flow to be protected by IPsec; here the mistake is found.
The ACL on one device is:
acl number 3001
rule 5 permit ip source destination
The ACL on the other device is:
acl number 3000
rule 5 permit ip source destination
Change the ACL on the first device to: rule 5 permit ip source destination (with the source and destination addresses swapped relative to the peer). After this change the tunnel is established.

Root Cause

The two ACLs do not mirror each other.


If phase 2 of IPsec does not establish, either the ACLs on the two ends are not mirror images of each other (the source of one rule must be the destination of the peer's rule, and vice versa) or some IPsec parameters do not match (pay particular attention to this when interconnecting with another vendor's products). In this case the wrong IP address had been written into the ACL, which was found only after careful inspection.
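The mirror requirement above can be checked offline before a peer is even reachable. The following script is an added example and is not code from the original case or from the USG2160 itself: it parses Huawei-style `rule N permit ip source A.B.C.D WILDCARD destination A.B.C.D WILDCARD` lines from both ends and reports any rule that has no mirrored counterpart on the peer. The ACL numbers follow the case; the addresses in the sample ACLs are constructed for illustration, and the one-octet typo in the dial-up side's destination reproduces the kind of mistake the case describes. Assumptions: a wildcard of 0.0.0.255 means /24, a missing wildcard means a single host, and `any` means 0.0.0.0/0.

```python
"""Check whether the IPsec interesting-traffic ACLs on two peers mirror each other.

Added example, not code from the original case or from the USG2160.
Assumed rule syntax (Huawei style):
    rule N permit ip source A.B.C.D WILDCARD destination A.B.C.D WILDCARD
where wildcard 0.0.0.255 = /24, a missing wildcard = single host, `any` = 0.0.0.0/0.
All addresses in the sample ACLs below are constructed for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
KEYWORDS = {"source", "destination", "any"}  # tokens that may follow an address


class Rule(NamedTuple):
    num: int
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'A.B.C.D WILDCARD' into a network; wildcard bits are the host bits."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # host bits must be contiguous low-order bits
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefixlen = 32 - wc.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse the address following 'source'/'destination', starting at tokens[i]."""
    if tokens[i].lower() == "any":
        return ANY, i + 1
    addr = tokens[i]
    if i + 1 < len(tokens) and tokens[i + 1].lower() not in KEYWORDS:
        return _wildcard_to_network(addr, tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{addr}/32"), i + 1  # no wildcard: single host


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one 'rule N permit ip ...' line; other lines (acl header, deny) give None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0].lower() != "rule" or tokens[2].lower() != "permit":
        return None
    src, dst = ANY, ANY
    i = 4  # skip: rule N permit ip
    while i < len(tokens):
        key = tokens[i].lower()
        if key in ("source", "destination"):
            net, i = _parse_endpoint(tokens, i + 1)
            if key == "source":
                src = net
            else:
                dst = net
        else:
            i += 1
    return Rule(int(tokens[1]), src, dst)


def parse_acl(text: str) -> List[Rule]:
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r is not None]


def is_mirror(local: Rule, peer: Rule) -> bool:
    """A peer rule mirrors a local one when its source and destination are swapped."""
    return local.src == peer.dst and local.dst == peer.src


def find_unmirrored(local_acl: str, peer_acl: str) -> Tuple[List[Rule], List[Rule]]:
    """Return the local rules with no mirror on the peer, and the peer rules with none locally."""
    local, peer = parse_acl(local_acl), parse_acl(peer_acl)
    bad_local = [r for r in local if not any(is_mirror(r, p) for p in peer)]
    bad_peer = [p for p in peer if not any(is_mirror(r, p) for r in local)]
    return bad_local, bad_peer


# Constructed sample: fixed-public-IP office side.
OFFICE_ACL = """\
acl number 3000
 rule 5 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
"""
# Constructed sample: 3G dial-up side with one octet mistyped (.21 instead of .10).
DIALUP_ACL_WRONG = """\
acl number 3001
 rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.21.0 0.0.0.255
"""
# Constructed sample: the corrected dial-up side, an exact mirror of OFFICE_ACL.
DIALUP_ACL_FIXED = """\
acl number 3001
 rule 5 permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
"""

if __name__ == "__main__":
    for label, peer in (("wrong", DIALUP_ACL_WRONG), ("fixed", DIALUP_ACL_FIXED)):
        bad_local, bad_peer = find_unmirrored(OFFICE_ACL, peer)
        print(f"{label}: office rules without mirror {[r.num for r in bad_local]}, "
              f"dial-up rules without mirror {[r.num for r in bad_peer]}")
```

Run with the two ACL texts pasted from `display acl` output on each device; any rule number listed as unmirrored is a candidate for the phase 2 failure described above. Note that a rule whose counterpart is merely broader or narrower (a /24 against a single host) is also reported, since the two selectors would still not agree during IPsec negotiation.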