Publication Date: 2020-01-30 | Views: 149 | Downloads: 0 | Author: a84114277 | Document ID: EKB1100045211
IPSec tunnel is up, but local server cannot ping the remote server.
The tunnel is up and the peer device can ping the server on our side. However, the ping from our server to the peer device fails.
While the ping is running, we check the firewall session with the command "display firewall session table verbose source inside server@ destination peer@" and find that the traffic is being translated by the USG firewall: it matches a source NAT policy, which the USG applies before IPSec encryption.
If the traffic hits the source NAT policy before IPSec encryption, its source address is translated, and the packet no longer matches the IPSec ACL because the address is now different.
Configuration issue: the traffic matches the source NAT policy before IPSec encryption.
We add a NO-NAT policy for traffic from the server's source address to the peer's destination address; after that the ping succeeds and the connection works again.
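The ordering problem described above, as an added example that is not part of the original article: a small Python model of the USG forwarding order (NAT policy first, then the IPSec ACL check on the post-NAT addresses). All addresses, rule names and the policy layout are constructed for the illustration; the article gives none of them. The model also shows the general rule behind the fix: the no-NAT rule only helps if it is evaluated before the source NAT rule for the same traffic, because NAT policy is first-match.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses for the example (not from the article).
SERVER = "10.1.1.10"           # local server behind the USG
PEER_HOST = "10.2.2.20"        # host behind the remote IPSec peer
NAT_POOL_ADDR = "203.0.113.5"  # public address used by the source NAT rule


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class NatRule:
    name: str
    src_net: str
    dst_net: str
    action: str          # "snat" or "no-nat"
    translate_to: str = ""


def _in(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def apply_nat_policy(pkt, rules):
    """First matching rule wins (first-match NAT policy, as on the USG).

    Returns the packet after NAT and the name of the rule that matched.
    A no-nat rule leaves the packet untouched; a snat rule rewrites the
    source address to the pool address.
    """
    for r in rules:
        if _in(pkt.src, r.src_net) and _in(pkt.dst, r.dst_net):
            if r.action == "no-nat":
                return pkt, r.name
            if r.action == "snat":
                return replace(pkt, src=r.translate_to), r.name
    return pkt, None


def matches_ipsec_acl(pkt, acl):
    """IPSec ACL check performed after NAT.

    The ACL describes interesting traffic with the private (pre-NAT)
    addresses, so a packet whose source was translated falls through
    and is sent in the clear instead of into the tunnel.
    """
    return any(_in(pkt.src, s) and _in(pkt.dst, d) for s, d in acl)


# Interesting traffic for the tunnel: server LAN <-> peer LAN (constructed).
IPSEC_ACL = [("10.1.1.0/24", "10.2.2.0/24")]

# The failing layout from the article: only a source NAT rule for Internet
# access, which also catches the IPSec-bound traffic.
BROKEN_POLICY = [
    NatRule("snat_internet", "10.1.1.0/24", "0.0.0.0/0", "snat", NAT_POOL_ADDR),
]

# The fix: a no-NAT rule for server -> peer placed above the source NAT rule.
FIXED_POLICY = [
    NatRule("no_nat_ipsec", "10.1.1.0/24", "10.2.2.0/24", "no-nat"),
    NatRule("snat_internet", "10.1.1.0/24", "0.0.0.0/0", "snat", NAT_POOL_ADDR),
]


def outbound_result(policy):
    """Run one server -> peer packet through NAT policy, then the IPSec ACL."""
    pkt = Packet(SERVER, PEER_HOST)
    after_nat, rule = apply_nat_policy(pkt, policy)
    return {
        "rule": rule,
        "src_after_nat": after_nat.src,
        "encrypted": matches_ipsec_acl(after_nat, IPSEC_ACL),
    }


if __name__ == "__main__":
    print("broken:", outbound_result(BROKEN_POLICY))
    print("fixed: ", outbound_result(FIXED_POLICY))
    print("fixed, but no-nat rule below snat:",
          outbound_result(list(reversed(FIXED_POLICY))))
```

The third call in the usage block shows why rule order matters: with the no-NAT rule listed after the source NAT rule, the packet is still translated and still misses the IPSec ACL. When checking a real USG, the "display firewall session table verbose" output quoted in the article is the place to confirm which rule the session actually hit and whether the source address was translated.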