The IPSec VPN Service Is Unavailable on the AR1220

Publication Date:  2019-04-15
Issue Description

An AR1220 is deployed at the headquarters (HQ) and terminates IPSec tunnels from branch H3C devices. At some branches the tunnel appears to come up, but no traffic passes through it and services are unavailable.

Handling Process

1. Check whether IPSec tunnels are set up successfully.

<Huawei> display ike sa
    Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
    4186     218.88.232.241   0     RD                     2
    4179     218.88.232.241   0     RD                     1

Both entries for peer 218.88.232.241 carry the RD (ready) flag, so IKE phase 1 and phase 2 negotiation succeeded. Tunnel setup is not the problem.

2. Check the IPSec SA for this branch (display ipsec sa) to see whether traffic is actually passing through the tunnel in both directions.

  -----------------------------
  IPSec policy name: "cd"
  Sequence number  : 1
  Acl group        : 0
  Acl rule         : 0
  Mode             : Template
  -----------------------------
    Connection ID     : 4186
    Encapsulation mode: Tunnel
    Tunnel local      : 113.106.166.18
    Tunnel remote     : 218.88.232.241
    Flow source       : 10.10.0.0/255.255.252.0 0/0
    Flow destination  : 10.1.30.0/255.255.255.0 0/0
    Qos pre-classify  : Disable
    Qos group         : -

    [Outbound ESP SAs]
      SPI: 770140858 (0x2de76aba)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 0/3420
      Outpacket count       : 0
      Outpacket encap count : 0
      Outpacket drop count  : 0
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 1796327253 (0x6b11c755)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 0/3420
      Inpacket count        : 36
      Inpacket decap count  : 36
      Inpacket drop count   : 0
      Max received sequence-number: 36
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N

The inbound SA has received and decapsulated 36 packets with no drops, but the outbound SA has encapsulated nothing (Outpacket count 0). Traffic from the branch reaches HQ; the return traffic for 10.1.30.0/24 is never encrypted into this tunnel.

3. Check the routing table.

There is only one default route, with the next hop pointing to the carrier's device, so routing is normal: the return packets are not being dropped or sent elsewhere at the IP layer.

4. On the HQ AR, run tracert toward the affected branch. The traffic is delivered to the peer 218.89.222.240, not to the expected peer 218.88.232.241. The return traffic is being sent into a different tunnel.

5. Check the configuration. At HQ the AR configures IPSec with an IPSec policy template (Mode: Template, Acl group 0 in the output above). The HQ therefore does not define the protected data flows itself; it accepts the data flow that each branch proposes when the SA is negotiated.

6. On the HQ AR, check the IPSec SA for the tunnel whose peer is 218.89.222.240.

  -----------------------------
  IPSec policy name: "cd"
  Sequence number  : 1
  Acl group        : 0
  Acl rule         : 0
  Mode             : Template
  -----------------------------
    Connection ID     : 4181
    Encapsulation mode: Tunnel
    Tunnel local      : 113.106.166.18
    Tunnel remote     : 218.89.222.240
    Flow source       : 10.10.0.0/255.255.252.0 0/0
    Flow destination  : 10.0.0.0/255.0.0.0 0/0
    Qos pre-classify  : Disable
    Qos group         : -

    [Outbound ESP SAs]
      SPI: 3658264705 (0xda0cb081)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 0/1106
      Outpacket count       : 88021
      Outpacket encap count : 88021
      Outpacket drop count  : 0
      Max sent sequence-number: 88021
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 3674324985 (0xdb01bff9)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (bytes/sec): 0/1106
      Inpacket count        : 88994
      Inpacket decap count  : 88994
      Inpacket drop count   : 0
      Max received sequence-number: 88994
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N

This tunnel carries heavy traffic (88021 packets out, 88994 in), and its protected data flow, 10.10.0.0/22 to 10.0.0.0/8, covers the 10.1.30.0/24 segment that belongs to the other branch. Both SAs hang off the same policy template, so return traffic destined for 10.1.30.0/24 matches the broader flow and is encrypted toward 218.89.222.240. That is why the tracert in step 4 ended at the wrong peer and the first tunnel shows no outbound packets.
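The checks in steps 2 and 6 can be automated. The script below is an added example, not part of the original case or any Huawei tool: it parses the two display ipsec sa entries above (a constructed sample, abridged to the fields the checks use), reports SAs under the same template whose protected flows overlap, and flags the SA that decapsulates traffic but never encapsulates any. The second branch's real subnet is not given in the case; the 10.2.0.0/24 used to model the fix is an assumed value.

```python
"""Spot overlapping IPSec flows in 'display ipsec sa' output (added example).

Parses the SA entries printed by a Huawei AR, then applies the two checks from
the handling process: which SAs share a template but have protected flows that
overlap, and which SA receives traffic without ever sending any.
"""
import ipaddress

# Constructed sample: the two SA entries from this case, abridged to the
# fields the checks use.
SAMPLE_OUTPUT = """\
  IPSec policy name: "cd"
  Sequence number  : 1
  Mode             : Template
    Connection ID     : 4186
    Tunnel local      : 113.106.166.18
    Tunnel remote     : 218.88.232.241
    Flow source       : 10.10.0.0/255.255.252.0 0/0
    Flow destination  : 10.1.30.0/255.255.255.0 0/0
    [Outbound ESP SAs]
      Outpacket count       : 0
    [Inbound ESP SAs]
      Inpacket count        : 36
  IPSec policy name: "cd"
  Sequence number  : 1
  Mode             : Template
    Connection ID     : 4181
    Tunnel local      : 113.106.166.18
    Tunnel remote     : 218.89.222.240
    Flow source       : 10.10.0.0/255.255.252.0 0/0
    Flow destination  : 10.0.0.0/255.0.0.0 0/0
    [Outbound ESP SAs]
      Outpacket count       : 88021
    [Inbound ESP SAs]
      Inpacket count        : 88994
"""


def to_network(addr_mask):
    """'10.1.30.0/255.255.255.0' (VRP style) -> IPv4Network('10.1.30.0/24')."""
    return ipaddress.ip_network(addr_mask, strict=False)


def parse_ipsec_sa(text):
    """Return one dict per SA: conn_id, remote, source, destination, in, out."""
    sas, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # section markers such as '[Outbound ESP SAs]'
        key, value = key.strip(), value.strip()
        if key == "Connection ID":
            cur = {"conn_id": int(value), "in": 0, "out": 0}
            sas.append(cur)
        elif cur is None:
            continue  # policy header lines before the first SA
        elif key == "Tunnel remote":
            cur["remote"] = value
        elif key in ("Flow source", "Flow destination"):
            # Drop the trailing 'port/protocol' field ('0/0') before parsing.
            cur[key.split()[1]] = to_network(value.split()[0])
        elif key == "Outpacket count":
            cur["out"] = int(value)
        elif key == "Inpacket count":
            cur["in"] = int(value)
    return sas


def find_overlaps(sas):
    """Pairs (broad_conn_id, narrow_conn_id) whose protected flows overlap.

    The AR picks one SA per packet, so when two flows cover the same
    destination the narrower branch can lose its return traffic to the
    broader one.
    """
    pairs = []
    for i, a in enumerate(sas):
        for b in sas[i + 1:]:
            if not (a["source"].overlaps(b["source"])
                    and a["destination"].overlaps(b["destination"])):
                continue
            broad, narrow = sorted((a, b), key=lambda s: s["destination"].prefixlen)
            pairs.append((broad["conn_id"], narrow["conn_id"]))
    return pairs


def starved_tunnels(sas):
    """Conn IDs that decapsulate inbound traffic but never encapsulate any."""
    return [s["conn_id"] for s in sas if s["in"] > 0 and s["out"] == 0]


def apply_fix(sas, conn_id, new_destination):
    """Model the fix: narrow one SA's destination flow, return a new list."""
    fixed = []
    for s in sas:
        s = dict(s)
        if s["conn_id"] == conn_id:
            s["destination"] = ipaddress.ip_network(new_destination)
        fixed.append(s)
    return fixed


def diagnose(text):
    sas = parse_ipsec_sa(text)
    return {"overlaps": find_overlaps(sas), "starved": starved_tunnels(sas)}


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_OUTPUT)
    for broad, narrow in find_overlaps(sas):
        print(f"flow of conn {broad} shadows conn {narrow}")
    print("receiving but never sending:", starved_tunnels(sas))
    # 10.2.0.0/24 is an assumed subnet for the second branch (not given in
    # the case), used only to show that narrowing the flow removes the overlap.
    print("overlaps after fix:", find_overlaps(apply_fix(sas, 4181, "10.2.0.0/24")))
```

Run it against the pasted output of display ipsec sa from the HQ device. Overlap is tested on both the source and the destination flow, because two branches with the same destination range but disjoint sources do not compete for the same packets.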

Root Cause

In IPSec policy template mode the HQ accepts whatever data flow each branch proposes. The branch at 218.89.222.240 proposed 10.0.0.0/8 as its protected destination, which includes the subnets of other branches, so their return traffic was encrypted into the wrong tunnel.

Solution

Narrow the IPSec-protected data flow of each branch (here, the ACL on the branch at 218.89.222.240) so that it matches only that branch's own subnet and does not overlap with any other branch. After the flows are refined, the fault is rectified.

Suggestions

Keep the IPSec-protected data flows of different branches strictly disjoint. When the HQ uses a policy template, one branch that proposes an overly broad flow can silently capture the return traffic of other branches and cause forwarding exceptions.
