Why data packets do not pass the IPSec tunnel


Service packets fail to be transmitted even though the IPSec tunnel has been established successfully. To troubleshoot this fault, perform the following checks:
1. Check whether the data packets match a permit rule in the ACL referenced by the IPSec policy. Packets that match no rule are not protected.
2. If NAT is configured on the interface, the ACL bound to NAT must deny the data flows protected by IPSec, so that the traffic is not translated before IPSec processes it. After confirming that the ACL rule is correctly configured, enable IPSec.
3. If SHA2 authentication is used, run the ipsec authentication sha2 compatible enable command.
4. Check that the route configuration is correct.
5. Check that the data packets actually reach the AR router.
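The following model, an added example and not Huawei code or configuration, walks the first, second and fourth checks above for a single packet. It assumes (as step 2 implies) that outbound NAT is evaluated before the IPSec ACL, so a flow permitted by the NAT ACL is translated and then no longer matches the IPSec ACL. All addresses, ACLs and routes are constructed.

```python
"""Constructed model of the checklist: ACL match, NAT ordering, route lookup.
Not Huawei code. Assumed processing order: NAT ACL before IPSec ACL."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class AclRule:
    action: str  # "permit" or "deny"
    src: Net
    dst: Net


def rule(action, src, dst):
    """Build one first-match ACL rule from CIDR strings."""
    return AclRule(action, Net(src), Net(dst))


def acl_lookup(rules, src, dst):
    """First-match lookup: 'permit', 'deny', or None when nothing matches."""
    for r in rules:
        if src in r.src and dst in r.dst:
            return r.action
    return None


def has_route(routes, dst):
    """True when any configured prefix covers the destination."""
    return any(dst in net for net, _next_hop in routes)


@dataclass
class RouterConfig:
    routes: list = field(default_factory=list)      # [(Net, next_hop)]
    nat_acl: list = field(default_factory=list)     # ACL bound to outbound NAT
    nat_public_ip: IPv4 = IPv4("203.0.113.1")       # constructed public address
    ipsec_acl: list = field(default_factory=list)   # ACL referenced by the IPSec policy


def diagnose(cfg, src, dst):
    """Return the first failing checklist step for this flow, or 'ok'."""
    src, dst = IPv4(src), IPv4(dst)
    # Step 1: the flow must hit a permit rule in the IPSec ACL.
    if acl_lookup(cfg.ipsec_acl, src, dst) != "permit":
        return "step 1: packet does not match a permit rule in the IPSec ACL"
    # Step 2: if NAT permits the flow, the source is translated first and
    # the translated flow no longer matches the IPSec ACL.
    if acl_lookup(cfg.nat_acl, src, dst) == "permit":
        if acl_lookup(cfg.ipsec_acl, cfg.nat_public_ip, dst) != "permit":
            return "step 2: NAT translates the flow before IPSec; NAT ACL must deny it"
    # Step 4: a route to the destination must exist.
    if not has_route(cfg.routes, dst):
        return "step 4: no route to the destination"
    return "ok"


# Constructed configurations: the weak one lets NAT permit the protected flow.
ROUTES = [(Net("0.0.0.0/0"), IPv4("203.0.113.254"))]
IPSEC_ACL = [rule("permit", "10.1.1.0/24", "10.2.2.0/24")]

WEAK = RouterConfig(routes=ROUTES, ipsec_acl=IPSEC_ACL,
                    nat_acl=[rule("permit", "10.1.1.0/24", "0.0.0.0/0")])

FIXED = RouterConfig(routes=ROUTES, ipsec_acl=IPSEC_ACL,
                     nat_acl=[rule("deny", "10.1.1.0/24", "10.2.2.0/24"),
                              rule("permit", "10.1.1.0/24", "0.0.0.0/0")])

NO_ROUTE = RouterConfig(routes=[], ipsec_acl=IPSEC_ACL, nat_acl=FIXED.nat_acl)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("fixed", FIXED), ("no_route", NO_ROUTE)):
        print(name, "->", diagnose(cfg, "10.1.1.5", "10.2.2.5"))
    print("unprotected ->", diagnose(FIXED, "10.1.1.5", "192.0.2.9"))
```

The deny rule placed ahead of the NAT permit rule is the configuration step 2 asks for; without it the flow leaves the router in plain text with the public address, and the same model shows a flow that matches no IPSec ACL rule at all failing at step 1 before NAT is even considered.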

Other related questions:
Capturing packets to view IPSec encrypted data packets
Can IPSec packets be captured on the USG? You can capture and view IPSec protocol packets on the USG, but not the protected data packets.

Why an IPSec tunnel between AR routers frequently flaps
Possible causes for frequent flapping of an IPSec tunnel include:
- The intermediate network is unstable.
- Interfaces frequently alternate between Up and Down.
- The order of the payloads in DPD packets is configured differently on the two ends. To solve this problem, run the dpd msg { seq-hash-notify | seq-notify-hash } command in the IKE peer view so that both ends use the same payload order.
- The BFD or NQA status is unstable when the IPSec tunnel is associated with BFD or NQA.

Capturing packets to check the data that IPSec has encrypted
The USG can capture and view IPSec protocol packets, but cannot view the protected data packets.

An IPSec tunnel fails to be set up for a long time, and then can be established after the IPSec tunnel is reset
A branch attempts to set up an IPSec tunnel to the headquarters for a data flow that the headquarters already protects with an existing IPSec tunnel to that branch. Because the same data flow is already protected, the headquarters and branch cannot establish a new IPSec tunnel. After the IPSec tunnel on the headquarters is reset, the old IPSec tunnel is deleted and the new IPSec tunnel can be established.

In this case, you can run the ipsec remote traffic-identical accept command to allow a user whose traffic rule is identical to that of an online user to access the IPSec tunnel. The previously established IPSec SAs then age out rapidly and the IPSec tunnel is reestablished.

