
An IPSec VPN Is Established Between the AR101GW-Lc-S and the HQ. However, Private Network Users Cannot Access the HQ Database

Publication Date: 2019-04-15
Issue Description

Device model: AR101GW-Lc-S

Software version: V200R009SPH008

User networking: A---AR101GW-Lc-S (IPSec VPN)----AR3200----B

Symptom: Two ARs are connected through IPSec VPN. The VPN tunnel is set up successfully. Private network users on both ends can ping each other. (A can ping B.) B is a database server. A is expected to access B by entering the IP address of B in the browser. However, A cannot access B.
Handling Process

1. Narrow down the fault scope: the AR routers at the other branches can access the AR3200 deployed at the HQ, so the fault lies with this specific AR router.

2. Run the display ike sa command. The command output shows that the tunnel is set up successfully, and A can ping B. This confirms that the IPSec tunnel is up. It is therefore suspected that the fault occurs because TCP packets are not fragmented.

Pinging 192.168.35.163 with 32 bytes of data:

Reply from 192.168.35.163: bytes=32  time=34ms  TTL=60

Reply from 192.168.35.163: bytes=32  time=28ms  TTL=60

Reply from 192.168.35.163: bytes=32  time=29ms  TTL=60

3. Configure the AR101GW-Lc-S to fragment packets and check whether the database server can be accessed. The database server is successfully accessed, indicating that this fault occurs because TCP packets are not fragmented.

ipsec df-bit clear

ipsec fragmentation before-encryption

Root Cause

After the original packet is encapsulated through the IPSec tunnel, the packet size exceeds the MTU of the interface. As a result, the packet cannot be completely transmitted, resulting in packet loss.

Solution

Run the following commands to fragment packets:

ipsec df-bit clear

ipsec fragmentation before-encryption
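The root cause and the solution above describe a classic IPSec MTU black hole: a small ICMP echo fits inside the tunnel, while a full-size TCP segment grows past the interface MTU once ESP encapsulation is added, and if its DF bit is set it is silently dropped. The following Python model, which is an added example and not Huawei code, reproduces that symptom and shows what each of the two commands changes. The ESP overhead constants (AES-CBC with HMAC-SHA1-96 in tunnel mode) and the assumption that a DF-marked packet is only fragmented once `ipsec df-bit clear` removes the flag are assumptions of the model; the exact behaviour on a given device depends on the negotiated proposal and the VRP version.

```python
# Added example (not Huawei code): a small model of why a 32-byte ping crosses the
# IPSec tunnel while a full-size TCP segment is lost, and what the two VRP commands
# change. All overhead constants are assumptions for a typical ESP tunnel-mode SA
# (AES-CBC with HMAC-SHA1-96); the real numbers depend on the negotiated proposal.
from dataclasses import dataclass

IPV4_HDR = 20      # inner/outer IPv4 header without options
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC IV
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-SHA1-96 authentication tag
BLOCK = 16         # AES block size; payload + trailer is padded to a multiple of it


def esp_encapsulated_size(inner_len):
    """Outer packet length after ESP tunnel-mode encapsulation of an inner IPv4 packet."""
    padded = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK   # round up to block size
    return IPV4_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def largest_inner_that_fits(mtu):
    """Largest inner packet whose encapsulated form still fits the outgoing MTU."""
    length = mtu
    while length > 0 and esp_encapsulated_size(length) > mtu:
        length -= 1
    return length


def fragment_inner(length, max_inner):
    """IPv4-fragment an inner packet so each fragment is at most max_inner bytes.
    Every fragment but the last carries a multiple of 8 data bytes (offset units)."""
    data = length - IPV4_HDR
    per_frag = (max_inner - IPV4_HDR) // 8 * 8
    sizes = []
    while data > 0:
        chunk = min(per_frag, data)
        sizes.append(IPV4_HDR + chunk)
        data -= chunk
    return sizes


@dataclass
class Packet:
    length: int   # total length of the inner IPv4 packet
    df: bool      # Don't Fragment bit set by the sender (typical for TCP doing PMTUD)


@dataclass
class TunnelConfig:
    mtu: int = 1500
    df_bit_clear: bool = False             # "ipsec df-bit clear"
    fragment_before_encrypt: bool = False  # "ipsec fragmentation before-encryption"


def forward(pkt, cfg):
    """Decide what the encrypting router does with one inner packet.
    Returns (verdict, list of outer packet sizes) or ("dropped", reason)."""
    outer = esp_encapsulated_size(pkt.length)
    if outer <= cfg.mtu:
        return "forwarded", [outer]
    # Assumption: a DF-marked packet is never fragmented unless df-bit clear removes the
    # flag; this is why the page pairs the two commands rather than using either alone.
    if pkt.df and not cfg.df_bit_clear:
        return "dropped", f"encapsulated {outer} bytes > MTU {cfg.mtu} with DF set"
    if cfg.fragment_before_encrypt:
        pieces = fragment_inner(pkt.length, largest_inner_that_fits(cfg.mtu))
        return "forwarded", [esp_encapsulated_size(p) for p in pieces]
    # Otherwise the ciphertext itself is fragmented; the peer must reassemble before it
    # can decrypt, which is slower and breaks if any fragment is filtered on the path.
    # (Simplified: assumes (mtu - 20) is a multiple of 8, which holds for 1500.)
    return "forwarded-outer-fragmented", [cfg.mtu, IPV4_HDR + (outer - cfg.mtu)]


def demo():
    """Reproduce the page's symptom: ping works, a full-size TCP segment does not."""
    before = TunnelConfig()
    after = TunnelConfig(df_bit_clear=True, fragment_before_encrypt=True)
    ping = Packet(length=IPV4_HDR + 8 + 32, df=False)   # ICMP echo with 32 data bytes
    tcp = Packet(length=1500, df=True)                   # full MSS segment on a 1500 MTU LAN
    return {
        "ping/before": forward(ping, before),
        "tcp/before": forward(tcp, before),
        "ping/after": forward(ping, after),
        "tcp/after": forward(tcp, after),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Running the script shows the 60-byte ping encapsulating to 120 bytes under both configurations, the 1500-byte TCP segment encapsulating to 1560 bytes and being dropped under the default configuration, and the same segment being split into two inner fragments (1436 and 84 bytes) that encapsulate to 1496 and 152 bytes once both commands are applied. Fragmenting before encryption is preferable to fragmenting the ciphertext because the remote peer can decrypt each fragment independently instead of reassembling first.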

Suggestions

When configuring an IPSec VPN for services such as accessing the peer terminal by entering its IP address in a browser, you are advised to run the following commands on the router so that packets are fragmented before transmission. Otherwise, services may be interrupted.

ipsec df-bit clear

ipsec fragmentation before-encryption