
IPSec ping only works one way

Publication Date:  2020-01-30  |   Views:  149  |   Downloads:  0  |   Author:  a84114277  |   Document ID:  EKB1100045211


Issue Description

The IPSec tunnel is up, but the local server cannot ping the remote server.

The tunnel is up and the peer device manages to ping the server on our side. On the other hand, the ping from our server to the peer device does not work.

Handling Process

During the ping, we checked the firewall session with the command "display firewall session table verbose source inside server@ destination peer@" and found that the traffic was NATed by the USG firewall, because a source NAT policy was configured and is evaluated before IPSec encryption.

If the traffic hits the source NAT policy before IPSec encryption, it is NATed first, so its source address changes and it no longer matches the IPSec ACL; the packet is then sent out unencrypted instead of through the tunnel.

Root Cause

Configuration issue: the traffic matched the source NAT policy before IPSec encryption, so the translated address no longer matched the IPSec ACL.

Solution

We added a NO-NAT policy rule for the server's source address to the peer's destination address, placed before the general source NAT rule. After that the ping succeeded and traffic over the tunnel worked again.
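The root cause and the fix both come down to evaluation order: the NAT policy is applied first-match before the IPSec ACL is consulted, so the ACL only ever sees the post-NAT source address. The following Python model, added here as an illustration and not part of the original article or Huawei's software, walks a packet through that order for three NAT policies: the broken one (only a source NAT rule), the fixed one (a no-nat rule for the tunnel traffic placed first), and a mis-ordered one where the no-nat rule sits after the source NAT rule and is never reached. All addresses, rule names and the ACL are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample topology (placeholders, not taken from the article).
LOCAL_SERVER = "192.168.10.20"   # server behind the USG firewall
PEER_SERVER = "10.20.0.5"        # server behind the IPSec peer
INTERNET_HOST = "198.51.100.7"   # unrelated Internet destination
OUTSIDE_IP = "203.0.113.1"       # USG public address used by source NAT

# Hypothetical IPSec ACL: (source network, destination network) pairs
# that define which traffic is encrypted into the tunnel.
IPSEC_ACL = [("192.168.10.0/24", "10.20.0.0/24")]


@dataclass
class NatRule:
    name: str
    src: str                             # source CIDR the rule applies to
    dst: str                             # destination CIDR ("0.0.0.0/0" = any)
    action: str                          # "no-nat" or "snat"
    translated_src: Optional[str] = None  # new source address when action == "snat"


def matches(src: str, dst: str, src_net: str, dst_net: str) -> bool:
    """True when both addresses fall inside the given networks."""
    return ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net)


def apply_nat_policy(rules: List[NatRule], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """First matching rule wins; later rules are never evaluated.

    Returns (post-NAT source address, name of the rule that matched or None).
    """
    for rule in rules:
        if matches(src, dst, rule.src, rule.dst):
            if rule.action == "no-nat":
                return src, rule.name           # address left untouched
            return rule.translated_src, rule.name
    return src, None                            # no rule hit: no translation


def matches_ipsec_acl(acl: List[Tuple[str, str]], src: str, dst: str) -> bool:
    """The IPSec ACL is checked against the packet as it leaves NAT processing."""
    return any(matches(src, dst, s, d) for s, d in acl)


def trace(rules: List[NatRule], acl: List[Tuple[str, str]], src: str, dst: str) -> Dict[str, object]:
    """Model the USG order of operations: NAT policy first, IPSec ACL second."""
    post_src, rule = apply_nat_policy(rules, src, dst)
    return {
        "nat_rule": rule,
        "post_nat_src": post_src,
        "encrypted": matches_ipsec_acl(acl, post_src, dst),
    }


# Rule that translates everything from the LAN to the public address (the one
# the article says was configured before the fix).
SNAT_INTERNET = NatRule("snat_internet", "192.168.10.0/24", "0.0.0.0/0", "snat", OUTSIDE_IP)
# Exemption for traffic that must enter the tunnel (the article's NO-NAT rule).
NO_NAT_TO_PEER = NatRule("no_nat_to_peer", "192.168.10.0/24", "10.20.0.0/24", "no-nat")

BROKEN = [SNAT_INTERNET]                  # original state: ping fails
FIXED = [NO_NAT_TO_PEER, SNAT_INTERNET]   # exemption evaluated first: ping works
MISORDERED = [SNAT_INTERNET, NO_NAT_TO_PEER]  # exemption shadowed: still fails


if __name__ == "__main__":
    for label, policy in (("broken", BROKEN), ("fixed", FIXED), ("misordered", MISORDERED)):
        print(label, trace(policy, IPSEC_ACL, LOCAL_SERVER, PEER_SERVER))
    # Internet-bound traffic must still be translated under the fixed policy.
    print("fixed/internet", trace(FIXED, IPSEC_ACL, LOCAL_SERVER, INTERNET_HOST))
```

The "misordered" policy is the case to check for when the symptom persists after adding the exemption: a no-nat rule is only effective if it is hit before the broader source NAT rule, which on a first-match policy means it has to be listed above it. The fourth trace confirms the exemption is narrow enough that ordinary Internet traffic is still translated.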