

Resolving an internal network connectivity failure between an IPsec-peered branch and headquarters

Publication Date:  2012-10-18 Views:  170 Downloads:  0

Issue Description

A customer uses a USG2110-F as the IPsec client peering with a USG3030 at headquarters. The VPN is built point-to-multipoint using IPsec sub-policies; all branches have fixed IP addresses, and every branch-to-headquarters IPsec link communicates normally.
The internal networks of the branches and headquarters can also reach each other, with one exception: PCs on the internal network behind one USG2110-F node cannot communicate with headquarters.

Alarm Information


Handling Process

First, clear the branch tunnel and ping the USG2110-F's internal network from headquarters: the configured ACL 3019 was never matched,
and "display ike sa" returned nothing, so no tunnel was established.
Testing from another branch USG2110-F to the headquarters USG3000 showed that the tunnel could be set up and the ping succeeded whether initiated from headquarters or from the branch.
Attention therefore turned to the ACL configuration. The headquarters configuration is as follows:
ipsec policy 2 23 isakmp                // Normal branch
 security acl 3018
 ike-peer beijing
 proposal 1
ipsec policy 2 24 isakmp                // Abnormal branch
 security acl 3019
 ike-peer hefei
 proposal 1
acl number 3018                         // Normal branch interested-flow ACL
 rule 10 permit ip source destination
 rule 20 permit ip source destination
 rule 100 deny ip

acl number 3019                         // Abnormal branch interested-flow ACL
 rule 1 permit ip source destination
 rule 10 permit ip source destination
 rule 20 permit ip source destination
 rule 100 deny ip

The ACL referenced by the normal branch's sub-policy also covers the abnormal branch's ACL entries (in effect, the address range headquarters configured in ACL 3018 is too broad and contains the other branch's networks). Because IPsec policies are evaluated in sequence order, traffic for the abnormal branch matches policy 23 / ACL 3018 first and is never tested against ACL 3019; this is the ACL entry conflict.
Advising the customer to write the ACL entries as specific, narrowly scoped network segments resolved the problem.

Root Cause

First determine whether the ACL is hit, that is, whether the traffic matches the ACL's network segments. If the ping fails, suspect interference from other ACL settings. Since the IPsec tunnels for the other branches were built successfully, the IPsec configuration itself should not be the problem.
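The following Python script is an added illustration of the diagnosis above (both the Handling Process and the Root Cause), not code from the original article or from Huawei. It models two things a USG-style device does when deciding which IPsec policy a packet belongs to: first-match evaluation of each policy's interested-flow ACL, and evaluation of the policies in ascending sequence-number order. The subnets (10.1.0.0/24 for headquarters, 10.2.0.0/16 and 10.2.5.0/24 for the branches) are constructed placeholders, since the real addresses are elided from the article. The script shows the overly broad ACL 3018 capturing the hefei branch's traffic under policy 23, and the same flow landing on policy 24 / ACL 3019 once ACL 3018 is narrowed to its own segment. It also includes a small checker that reports permit rules of a later policy that are completely covered by a permit rule of an earlier one, which is the condition to look for when "display ike sa" is empty for one branch while the others work.

```python
import ipaddress

# Constructed example (not the customer's real addresses). Each ACL is an ordered
# list of (action, source, destination) rules evaluated first-match, mirroring
# "rule N permit ip source ... destination ..." followed by "rule 100 deny ip".
ANY = "0.0.0.0/0"

BROKEN_ACLS = {
    3018: [("permit", "10.1.0.0/24", "10.2.0.0/16"),   # normal branch: too broad, swallows 10.2.5.0/24
           ("deny", ANY, ANY)],
    3019: [("permit", "10.1.0.0/24", "10.2.5.0/24"),   # abnormal branch (hefei)
           ("deny", ANY, ANY)],
}

FIXED_ACLS = {
    3018: [("permit", "10.1.0.0/24", "10.2.1.0/24"),   # narrowed to the normal branch's own segment
           ("deny", ANY, ANY)],
    3019: BROKEN_ACLS[3019],
}

# IPsec policies in evaluation order (sequence number ascending): (seq, acl, ike-peer)
POLICIES = [(23, 3018, "beijing"), (24, 3019, "hefei")]


def acl_permits(rules, src, dst):
    """First-match evaluation; True if the first matching rule is a permit."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_net, d_net in rules:
        if src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net):
            return action == "permit"
    return False


def select_policy(src, dst, acls, policies=POLICIES):
    """Return (seq, acl, peer) of the first policy whose interested-flow ACL permits the flow."""
    for seq, acl_id, peer in policies:
        if acl_permits(acls[acl_id], src, dst):
            return seq, acl_id, peer
    return None


def shadowed_rules(acls, policies=POLICIES):
    """List permit rules of a later policy fully covered by a permit rule of an earlier policy.

    Each entry is (later_seq, later_acl, src_net, dst_net, earlier_seq, earlier_acl).
    """
    found = []
    for i, (seq_a, acl_a, _) in enumerate(policies):
        for seq_b, acl_b, _ in policies[i + 1:]:
            for act_a, sa, da in acls[acl_a]:
                if act_a != "permit":
                    continue
                for act_b, sb, db in acls[acl_b]:
                    if act_b != "permit":
                        continue
                    if (ipaddress.ip_network(sb).subnet_of(ipaddress.ip_network(sa))
                            and ipaddress.ip_network(db).subnet_of(ipaddress.ip_network(da))):
                        found.append((seq_b, acl_b, sb, db, seq_a, acl_a))
    return found


if __name__ == "__main__":
    # Constructed flow: a headquarters host pinging a PC behind the hefei USG2110-F.
    flow = ("10.1.0.10", "10.2.5.20")
    print("broken:", select_policy(*flow, BROKEN_ACLS), shadowed_rules(BROKEN_ACLS))
    print("fixed: ", select_policy(*flow, FIXED_ACLS), shadowed_rules(FIXED_ACLS))
```

With the broken ACLs, the flow to 10.2.5.20 is claimed by policy 23 (peer beijing), so no IKE negotiation with hefei is ever triggered, which matches the empty "display ike sa" on that branch. After narrowing ACL 3018, the same flow selects policy 24 (peer hefei) and the shadow check returns nothing.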