A PC behind a USG2110 reaches the LNS through NAT to establish an L2TP VPN. The tunnel can never be established; when the USG2110 is bypassed, the PC can dial up and access the network normally.
1. Inspection of the firewall configuration showed that all inter-domain rules were open, so a configuration problem was ruled out.
2. L2TP is a single-channel protocol, so there is no traversal (ALG) problem.
3. Analysis of the L2TP protocol shows that, under normal circumstances, both the source port and the destination port of L2TP packets are UDP port 1701. Checking the firewall's session table showed that the PC's source port had been translated to a different port, so we suspected that the translation of the source port was causing the problem.
4. To verify this, the "no-pat" parameter was added when configuring NAT in the inter-domain policy. This parameter disables port multiplexing, so the source port is not changed. After the configuration was completed, the PC could establish the L2TP VPN normally.
5. Users are advised to change the settings of the peer LNS so that it accepts dial-in from ports other than 1701, or to use the USG2110 as the LAC, or to add public IP addresses and access the Internet in "no-pat" mode.
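The failure mode in steps 3 and 4, and the reason step 5 couples "no-pat" with adding public IP addresses, can be reproduced with a small model of the NAT and a strict LNS. This is an added example, not code from the original case or from the USG2110: the addresses, ports, the 10000+ PAT port range, the `Nat` class and the LNS rule that only answers control messages arriving from UDP source port 1701 are all constructed assumptions.

```python
"""
Added example (not from the original case): a model of why source-port PAT
breaks an L2TP tunnel when the peer LNS only accepts control messages whose
UDP source port is 1701, why address-only ("no-pat") NAT fixes it, and why
no-pat then needs one public IP per L2TP client. Everything here is constructed.
"""
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Set, Tuple

L2TP_PORT = 1701


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class Nat:
    """Minimal outbound NAT for one public address.
    pat=True  : rewrite the source port (port multiplexing, the usual default).
    pat=False : keep the source port and rewrite only the address, like the
                no-pat parameter described in step 4 (assumed semantics)."""

    def __init__(self, public_ip: str, pat: bool):
        self.public_ip = public_ip
        self.pat = pat
        self._next_port = count(10000)               # constructed PAT port range
        self.session_table: Dict[Tuple[str, int], int] = {}  # (private ip, port) -> public port
        self._in_use: Set[int] = set()               # public ports already bound

    def translate(self, pkt: UdpPacket) -> UdpPacket:
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.session_table:
            port = next(self._next_port) if self.pat else pkt.src_port
            if port in self._in_use:
                # Two private hosts both insisting on 1701 cannot share one public IP
                # without port translation: this is why step 5 pairs no-pat with
                # adding public IP addresses.
                raise RuntimeError(f"public port {port} already bound on {self.public_ip}")
            self._in_use.add(port)
            self.session_table[key] = port
        return replace(pkt, src_ip=self.public_ip, src_port=self.session_table[key])


def lns_accepts(pkt: UdpPacket) -> bool:
    """Strict LNS as described in the case (assumed behaviour): it only answers
    an L2TP SCCRQ that arrives on UDP 1701 *from* UDP source port 1701."""
    return (pkt.dst_port == L2TP_PORT
            and pkt.src_port == L2TP_PORT
            and pkt.payload == "SCCRQ")


def try_tunnel(nat: Nat, pc_ip: str = "192.168.1.10") -> Tuple[bool, int]:
    """Send the PC's first L2TP control message (SCCRQ) through the NAT and
    report (LNS accepted?, source port as seen by the LNS)."""
    sccrq = UdpPacket(pc_ip, L2TP_PORT, "203.0.113.5", L2TP_PORT, "SCCRQ")
    out = nat.translate(sccrq)
    return lns_accepts(out), out.src_port


if __name__ == "__main__":
    for pat in (True, False):
        ok, port = try_tunnel(Nat("198.51.100.1", pat=pat))
        print(f"pat={pat}: LNS sees source port {port}, tunnel accepted: {ok}")
    nat = Nat("198.51.100.1", pat=False)
    try_tunnel(nat, "192.168.1.10")
    try:
        try_tunnel(nat, "192.168.1.11")
    except RuntimeError as err:
        print(f"second client behind the same public IP with no-pat: {err}")
```

With PAT the LNS sees a source port from the 10000+ range and ignores the SCCRQ, which matches the session-table observation in step 3; with no-pat the port stays 1701 and the tunnel is accepted. The second client raising an error shows the cost of the no-pat workaround on a single public address, which is why relaxing the LNS port check or using the USG2110 as the LAC are the other two options in step 5.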
1. The security policy configuration may be wrong, so that L2TP packets cannot pass through.
2. The USG2110 may have a problem with L2TP traversal.
Some knowledge of common protocols is recommended; it helps to locate problems of this kind.