

After the primary path is shut down, the SSL VPN cannot be established through the secondary path

Publication Date:  2017-08-10 Views:  456 Downloads:  0

Issue Description

The link to RO1 (tracked by the firewall) was shut down. The firewall switchover succeeded, but the SSL VPN failed. All SSL VPN configuration was done on the active firewall and synchronized automatically to the backup.

The topology is as follows: GE0/3/0 of R1 connects to FW1, and the two routers are connected by Eth-Trunk1.


Handling Process

After checking with the customer, we found that the SSL VPN is enabled on interface GE7/0/8.51 of the firewall, which belongs to VLAN 51. The two firewalls run in active/standby hot-standby mode with FW1 active, so the SSL VPN configuration is synchronized automatically to FW2. While the primary path is up, the SSL VPN works, so the SSL VPN configuration on both firewalls should be correct. We verified the SSL VPN configuration on both firewalls and confirmed that it is correct:

interface GigabitEthernet7/0/8.51
 vlan-type dot1q 51
 ip binding vsys idb
 ip address
 vrrp vrid 151 virtual-ip active
 service-manage ping permit


We then checked the configuration on R1 and found that a NAT traffic policy exists for VLAN 51, but it is applied only on GE0/3/0 and not on Eth-Trunk1:

nat instance idb id 1
 service-instance-group group1
 nat log session enable
 nat address-group address-group1 group-id 1
 nat server global inside


interface GigabitEthernet0/3/0
 description *** To VSM-FW01-7/0/8 ***
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094
 traffic-policy NAT1 inbound vlan 51


interface Eth-Trunk1
 description *** Trunk to VSM-INT-RO-02 ***
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094


Root Cause

When the SSL VPN traffic takes the primary path, it enters R1 on GE0/3/0, where the NAT policy is configured. When the downlink of R1 is disconnected, the traffic takes the path FW2 - R2 - R1 - public network and enters R1 on Eth-Trunk1 instead. Because the NAT policy is not applied on Eth-Trunk1, this traffic is not translated, so the same NAT policy must also be configured on Eth-Trunk1 of R1.


Solution

Configure the command "traffic-policy NAT1 inbound vlan 51" on Eth-Trunk1 of R1:

 traffic-policy NAT1 inbound vlan 51
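The defect in this case is a policy applied on one redundant path but not the other, which only shows up during failover. The following added script (not part of the original case, and not a Huawei tool) parses a VRP-style router configuration, collects every VLAN-scoped traffic-policy binding, and reports any trunk interface that allows the same VLAN but lacks the binding. The sample configuration is constructed from the R1 snippets on this page; the interface names, the policy name NAT1 and VLAN 51 are taken from the page, while the parsing functions and the FIXED_CONFIG variant with the remediation applied are assumptions made for this example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of R1's configuration, modelled on the snippets on the page:
# the NAT policy is bound on GE0/3/0 only, while Eth-Trunk1 also carries VLAN 51.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/3/0
 description *** To VSM-FW01-7/0/8 ***
 undo shutdown
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094
 traffic-policy NAT1 inbound vlan 51
#
interface Eth-Trunk1
 description *** Trunk to VSM-INT-RO-02 ***
 port link-type trunk
 port trunk allow-pass vlan 1 to 4094
#
"""

# Same configuration after applying the solution from the page (assumed layout).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " description *** Trunk to VSM-INT-RO-02 ***\n",
    " description *** Trunk to VSM-INT-RO-02 ***\n traffic-policy NAT1 inbound vlan 51\n",
)

VLAN_RANGE = re.compile(r"port trunk allow-pass vlan (.+)")
POLICY = re.compile(r"traffic-policy (\S+) (inbound|outbound) vlan (\d+)")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a VRP-style config into {interface name: [its indented lines]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # '#' or any top-level line ends the block
    return interfaces


def allowed_vlans(lines: List[str]) -> Set[int]:
    """Expand 'port trunk allow-pass vlan ...' (single IDs and 'a to b' ranges)."""
    vlans: Set[int] = set()
    for line in lines:
        m = VLAN_RANGE.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        i = 0
        while i < len(tokens):
            if i + 2 < len(tokens) and tokens[i + 1] == "to":
                vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
                i += 3
            else:
                vlans.add(int(tokens[i]))
                i += 1
    return vlans


def vlan_policies(lines: List[str]) -> Dict[Tuple[int, str], str]:
    """Return {(vlan, direction): policy name} bound on one interface."""
    bound: Dict[Tuple[int, str], str] = {}
    for line in lines:
        m = POLICY.match(line)
        if m:
            bound[(int(m.group(3)), m.group(2))] = m.group(1)
    return bound


def find_missing_policies(config: str) -> List[Tuple[str, int, str, str]]:
    """List (interface, vlan, direction, policy) for every trunk that allows a VLAN
    on which some other interface binds a traffic-policy, but lacks that binding."""
    ifaces = parse_interfaces(config)
    required: Dict[Tuple[int, str], str] = {}
    for lines in ifaces.values():
        for key, policy in vlan_policies(lines).items():
            required.setdefault(key, policy)
    findings = []
    for name, lines in ifaces.items():
        carried = allowed_vlans(lines)
        bound = vlan_policies(lines)
        for (vlan, direction), policy in sorted(required.items()):
            if vlan in carried and (vlan, direction) not in bound:
                findings.append((name, vlan, direction, policy))
    return findings


def remediation(config: str) -> Dict[str, List[str]]:
    """Commands, per interface, that would make the redundant path consistent."""
    cmds: Dict[str, List[str]] = {}
    for name, vlan, direction, policy in find_missing_policies(config):
        cmds.setdefault(name, []).append(f"traffic-policy {policy} {direction} vlan {vlan}")
    return cmds


if __name__ == "__main__":
    for iface, lines in remediation(SAMPLE_CONFIG).items():
        print(f"interface {iface}")
        for cmd in lines:
            print(f" {cmd}")
```

Run against the sample, the script reports Eth-Trunk1 and emits exactly the command the case resolution applies; against FIXED_CONFIG it reports nothing. The check is deliberately conservative: it only flags an interface that already allows the VLAN, so a trunk that does not carry VLAN 51 at all is not reported.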