
SVN2230: L2TP over IPSec access succeeds but the interior servers cannot be reached (case)

Publication Date:  2014-03-31 Views:  880 Downloads:  1

Issue Description

The customer uses an SVN2230 as the network gateway, and staff on business trips use L2TP over IPSec to access the company network. They connect to the SVN2230 successfully, but cannot reach the interior servers.

Alarm Information


Handling Process

Users can access the SVN2230 over L2TP over IPSec, which shows that the path from the VPN clients to the SVN2230 is normal. The issue should therefore be on the network between the SVN2230 and the interior servers, or in an incorrect SVN2230 configuration.

(1) First, check the SVN2230 configuration. The L2TP IP address pool and the interior interface are in the same network. With this configuration the interior devices drop the reply packets, because they cannot find an ARP entry for the VPN client addresses. The configuration is as follows:

domain default
domain vg_oa.dom
  authentication-scheme vg_oa.scm
  authorization-scheme vg_oa.scm
  radius-server vg_oa.tpl
  ldap-server vg_oa.tpl
  user-priority 255
  ip pool 1
interface GigabitEthernet0/0/0.3
  vlan-type dot1q 3000
  ip address
  ipsec policy 1 auto-neg

(2) After changing the IP address pool, the interior server access test was repeated, but the servers still could not be reached. Checking the sessions on the SVN2230 showed packets in one direction only: the interior servers did not reply to the requests. The session table is as follows:

[CIKVDIVPN001] display firewall session table verbose destination global
16:08:17  2014/03/16
Current Total Sessions : 1
  tcp  VPN:public --> public
  Zone: lan--> lan  TTL: 00:00:05  Left: 00:00:02
  Interface: GigabitEthernet0/0/0.3  NextHop:  MAC: xx-xx-xx-91-7f-ba
  <--packets:0 bytes:0   -->packets:2 bytes:128>   

(3) Next, check the configuration of the interior firewall, a USG2200. Its static route uses the interior network gateway as the next hop, as follows:

ip route-static

With this configuration, the packets the interior servers send in reply to VPN requests are not forwarded to the SVN2230; moreover, the server service becomes abnormal. The following route therefore needs to be added:

ip route-static // is the interface IP of SVN2230

After adding the above route, VPN users can reach the interior servers normally, and the issue is resolved.
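The three findings of steps (1) to (3) can be checked mechanically. The script below is an added example, not part of the case or of Huawei's tooling: it flags one-way sessions in "display firewall session table verbose" output, tests whether the L2TP pool overlaps the interior interface subnet, and verifies that the interior firewall has a return route for the pool pointing at the SVN2230 interface. All addresses are constructed placeholders, since the case does not show the real ones.

```python
import ipaddress
import re

# Constructed sample in the format of the SVN2230 "display firewall session
# table verbose" output quoted in the case (addresses are blank there too).
SAMPLE_SESSION_TABLE = """\
Current Total Sessions : 2
  tcp  VPN:public --> public
  Zone: lan--> lan  TTL: 00:00:05  Left: 00:00:02
  <--packets:0 bytes:0   -->packets:2 bytes:128>
  tcp  VPN:public --> public
  Zone: lan--> lan  TTL: 00:00:05  Left: 00:00:02
  <--packets:3 bytes:200   -->packets:2 bytes:128>
"""
COUNTER_RE = re.compile(r"<--packets:(\d+) bytes:\d+\s+-->packets:(\d+) bytes:\d+>")

def one_way_sessions(table_text):
    """Indices of sessions whose packets flow in one direction only, the
    symptom of step (2): the interior servers never answer the request."""
    flagged = []
    for idx, m in enumerate(COUNTER_RE.finditer(table_text)):
        reverse_pkts, forward_pkts = int(m.group(1)), int(m.group(2))
        if (forward_pkts == 0) != (reverse_pkts == 0):
            flagged.append(idx)
    return flagged

def pool_overlaps_interface(pool_start, pool_end, interface_cidr):
    """True when the L2TP pool [pool_start, pool_end] shares the subnet of the
    SVN2230 interior interface (step 1): interior hosts then ARP for VPN
    clients on the LAN, get no answer, and drop their replies."""
    iface = ipaddress.ip_network(interface_cidr, strict=False)
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return not (end < iface[0] or start > iface[-1])

def pool_has_return_route(pool_cidr, static_routes, svn_interface_ip):
    """True when the interior firewall (the USG2200 here) has a static route
    covering the pool whose next hop is the SVN2230 interface (step 3).
    static_routes is a list of (destination_cidr, next_hop) tuples."""
    pool = ipaddress.ip_network(pool_cidr)
    svn = ipaddress.ip_address(svn_interface_ip)
    return any(pool.subnet_of(ipaddress.ip_network(dst))
               and ipaddress.ip_address(nh) == svn for dst, nh in static_routes)

if __name__ == "__main__":
    # Assumed, constructed addresses; the case does not show the real ones.
    print(one_way_sessions(SAMPLE_SESSION_TABLE))
    print(pool_overlaps_interface("192.0.2.10", "192.0.2.50", "192.0.2.1/24"))
    print(pool_has_return_route("198.51.100.0/24", [("0.0.0.0/0", "10.0.0.1")], "10.0.0.2"))
```

The last call models the USG2200 before the fix: a route covering the pool exists, but its next hop is the interior gateway rather than the SVN2230, so the check fails.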

Root Cause

According to the issue information, the possible causes are as follows:
(1) The network from the SVN2230 to the interior servers has a problem;
(2) The SVN2230 drops packets.


Because of the incorrect IP address pool configuration and the missing route on the USG2200 firewall, VPN users could not reach the interior servers.

For issues of this type, the most likely cause is the interior routing; please pay close attention to it.