ACL mismatch prevents intranet users from triggering the IPSec connection

Publication Date: 2012-10-17

Issue Description

Two USG50 devices (A at headquarters, B at the branch) are to establish an IPSec VPN, with A using the policy template method. The IPSec tunnel can be triggered from B itself, but a PC connected to B cannot trigger it.

Alarm Information


Handling Process

1. Check the client PC's IP address, gateway and so on: the configuration has no problem, and the PC can also reach the public network.
2. Check the configuration of B (USG50): IPSec and ACL both have no problem.
3. Check the configuration of A (USG50): the IPSec configuration has no problem, but the ACL configured by the customer does. In the ACL for Trust (intranet) -> Untrust (extranet), the customer denies packets from intranet to intranet. As a result, packets from the PC can reach A, but A does not respond to the PC's packets, so the IPSec connection cannot be established. The problem was then solved.
As for why B (USG50) can establish the connection with A (USG50) directly: B's packets travel Local -> Untrust -> Untrust -> Local and match no ACL, so the IPSec connection is established successfully.
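
The behaviour found in step 3, as an added example (not configuration or code from the original case): a first-match evaluation of an ACL bound to A's Trust -> Untrust direction. All addresses, the rule order and the "fixed" rule set are constructed assumptions; the case does not state which change was applied.

```python
import ipaddress

net = ipaddress.ip_network

# Constructed addressing (assumption, not taken from the case)
HQ_LAN = net("10.1.0.0/16")      # intranet behind A
BRANCH_LAN = net("10.2.0.0/16")  # intranet behind B
INTRANET = net("10.0.0.0/8")     # what the customer's rule treats as "intranet"

# The ACL applies only to this zone pair on A.
ACL_ZONE_PAIR = ("trust", "untrust")

# Rules are checked top to bottom; the first match decides.
BROKEN_ACL = [
    ("deny", INTRANET, INTRANET),          # customer's intranet-to-intranet deny
    ("permit", HQ_LAN, net("0.0.0.0/0")),  # general outbound access
]

# One possible correction (assumption): exempt the VPN subnets before the deny.
FIXED_ACL = [("permit", HQ_LAN, BRANCH_LAN)] + BROKEN_ACL


def evaluate(acl, src_zone, dst_zone, src_ip, dst_ip):
    """Return 'permit' or 'deny', or 'not-evaluated' for another zone pair."""
    if (src_zone, dst_zone) != ACL_ZONE_PAIR:
        return "not-evaluated"  # e.g. Local <-> Untrust traffic of the gateway
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # assumed implicit deny when nothing matches


if __name__ == "__main__":
    # Reply from a host behind A to the PC behind B: Trust -> Untrust on A.
    print("reply to PC, broken ACL:",
          evaluate(BROKEN_ACL, "trust", "untrust", "10.1.0.10", "10.2.0.20"))
    print("reply to PC, fixed ACL: ",
          evaluate(FIXED_ACL, "trust", "untrust", "10.1.0.10", "10.2.0.20"))
    # Gateway-to-gateway negotiation seen on A: Untrust -> Local, other zone pair.
    print("B to A gateway traffic: ",
          evaluate(BROKEN_ACL, "untrust", "local", "203.0.113.2", "198.51.100.1"))
```

Running the same check against the real rule list before a change window shows whether the protected subnets hit a deny ahead of any permit.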

Root Cause

1. Customer PC setting problem
2. USG50 ACL configuration problem
3. USG50 version problem