No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


A site’s USG3000 L2TP dial-up users video impassability

Publication Date:  2012-10-15 Views:  198 Downloads:  0

Issue Description

A. Network structure:
Video terminal - - - - - - Internet - - - - - - - Router - USG3000 - - - - - - - Server
B. The business description:
1. Video terminal through the Internet L2TP dial to USG3000, then upload the video data to the video server.
2. Mobile client dials through L2TP, the visit is normal at the beginning, after a period of time it appears the access server can only view and can't upload;
3. Video terminal through the L2TP VPN dials, sometimes can view one or two terminal’s video data, sometimes can’t view video data.

Alarm Information


Handling Process

1, At the beginning suspect whether the video data uses multi channel protocol, view from the firewall session table it is 6800 port, not multi channel protocol.
2, since not involves multi channel protocol, doubt whether it is related with state detection. Closed the detection, the problem is still.
3, using “debug IP packet” debug, check ACL matching number, did not find the firewall has lost package.
<USG3000>dis acl 3997
Advanced ACL  3997, 4 rules
Acl's step is 5
rule 5 permit tcp source 0 destination-port eq 6800 (3003 times matched)
rule 10 permit tcp source-port eq 6800 destination (3262 times matched)
rule 15 permit tcp source destination-port eq 6800 (3003 times matched)
rule 20 permit tcp source-port eq 6800 destination 0 (1631 times matched)
Do mirror capture on the firewall, analyzes both ends’ packages, found outside port has fragment message, and have a random sequence, the inside port hasn’t the corresponding message after the decapsulation, and have the “TCP Previous segment lost” phenomenon. Capture packages in outside network interface, found there is fragment message, Capture packages in inside interface, found there is no fragment message. According to this can judgment that it is caused by the fragment message be discarded by firewall.

Root Cause

Due to the video data exists fragment message, and part of the fragment data be received by USG300 random sequence. USG3000 default received subsequent fragment will be discarded if there is no fragment hashtable, need to open fragment transparent or fragment cache. 


When some business is abnormal, especially involving L2TP/IPSec/Gre tunnel encapsulation, need to make sure whether the business is possible to fragment, and the process the firewall do to the fragment.