IPSec VPN tunnel is established, but one end cannot ping the other

Publication Date: 2012-09-17
Issue Description
An IPSec VPN is established between a USG5100 at the headquarters and a USG2110 at the branch. The branch can ping the headquarters successfully, but once the tunnel is established, the headquarters cannot ping the branch. The USG version is V100R005SPC300.
Alarm Information
Handling Process
1. There is no interface switch problem on the USG5100, we did not configure NAT on the device, and no problem was found in the rest of the configuration.
2. Ping the branch internal network from the headquarters internal network and check the session table on the USG, as follows:
[USG5100]disp firewall session table
09:46:20 2011/09/10
Current Total Sessions : 9
esp VPN:public --> public>
tcp VPN:public --> public>
icmp VPN:public --> public[]-->
netbios-data VPN:public --> public[]-->
The session table shows that the session is translated by NAT, but no outbound NAT is configured on the USG5100, and this address cannot access the external network.
3. Check the configuration again and find a mapping that a user had configured:
nat server 0 protocol tcp global 3389 inside 3389
Add no-reverse to the end of this command, then ping the internal address again; access succeeds. The reason is that the IPSec data flow matches the reverse session of the nat server and is therefore translated by NAT, as the session table showed.
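
The check from step 3 can be automated. The following Python code is an added example, not part of the original case or of any Huawei tooling: it flags nat server entries that lack no-reverse and whose inside address falls within the source range of the IPSec ACL. The sample configuration and all addresses in it are constructed, and the code assumes every permit rule in the sample belongs to the ACL referenced by the IPSec policy.

```python
import ipaddress
import re

# Constructed sample configuration; addresses are placeholders, not from the case.
# Assumption: the ACL shown is the one referenced by the IPSec policy.
SAMPLE_CONFIG = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
nat server 0 protocol tcp global 203.0.113.10 3389 inside 192.168.1.20 3389
nat server 1 protocol tcp global 203.0.113.10 8080 inside 192.168.1.30 80 no-reverse
nat server 2 protocol tcp global 203.0.113.11 443 inside 10.0.0.5 443
"""

ACL_RULE = re.compile(r"rule \d+ permit ip source (\S+) (\S+) destination")
NAT_SERVER = re.compile(r"nat server (\d+) .*?\binside (\d+\.\d+\.\d+\.\d+)")


def protected_sources(config):
    """Return the source networks of the ACL rules that define the IPSec flow."""
    nets = []
    for addr, wildcard in ACL_RULE.findall(config):
        # The ACL uses a wildcard (inverse) mask; "0" means a single host.
        wc = int(ipaddress.IPv4Address("0.0.0.0" if wildcard == "0" else wildcard))
        prefix = 32 - bin(wc).count("1")  # assumes a contiguous wildcard mask
        nets.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return nets


def risky_nat_servers(config):
    """List (id, inside address) of nat server entries without no-reverse
    whose inside host is a source of the IPSec-protected flow."""
    nets = protected_sources(config)
    findings = []
    for line in config.splitlines():
        m = NAT_SERVER.match(line.strip())
        if not m or "no-reverse" in line.split():
            continue
        inside = ipaddress.ip_address(m.group(2))
        if any(inside in net for net in nets):
            findings.append((int(m.group(1)), str(inside)))
    return findings


if __name__ == "__main__":
    for nat_id, inside in risky_nat_servers(SAMPLE_CONFIG):
        print(f"nat server {nat_id}: inside {inside} is in the IPSec flow; add no-reverse")
```
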
Root Cause
1. Interface switch problem.
2. NAT in the outbound direction captures the interesting data flow.
3. Other.