Users fail to access the server through the IPSec tunnel on the AR


Users fail to access the server through the IPSec tunnel. For details, see Users Fail to Access the Server Through the IPSec Tunnel Because the TCP MSS Value on the AR Is Incorrect.

Other related questions:
An internal user cannot access the internal server through the public address
An intranet user cannot use a public address to access an intranet server. Troubleshoot as follows:
1. Check whether services on the intranet NAT server are running properly.
2. Check whether the NAT server is configured correctly.
3. Check the connection between the external host and NAT server and the configurations of the connected interfaces.
4. Check that the intranet NAT server is configured with the correct gateway address or route.

A user fails to access a server through a public address when the user on the AR and the server are in the same VLAN and the NAT server is configured on the VLANIF interface
A private user device and a server connect to the same VLANIF interface on the same subcard. When the NAT server is configured on the VLANIF interface to map the public network address of the server, the response packets sent by the server to the private user device cannot be sent to the CPU for translation. As a result, the private user device cannot connect to the server. To solve this problem, configure outbound NAT on the VLANIF interface. The response packets sent by the server to the user device then pass through the AR, which translates the address in the packets and forwards them to the private user device. The private user device can then connect to the server.
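The packet flow described above, modelled as an added example (not Huawei code or configuration). All addresses are constructed sample values, and the client's acceptance check is a simplified stand-in for TCP connection matching.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (assumptions, not taken from the page).
PUBLIC_IP = "203.0.113.10"   # public address mapped by the NAT server
SERVER_IP = "192.168.1.100"  # private address of the server
ROUTER_IP = "192.168.1.1"    # VLANIF address on the AR
CLIENT_IP = "192.168.1.10"   # private user device in the same VLAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def hairpin(outbound_nat: bool):
    """Trace one request and reply; return (reply seen by client, accepted)."""
    # The client connects to the server's public address.
    request = Packet(CLIENT_IP, PUBLIC_IP)

    # The NAT server mapping on the VLANIF rewrites the destination.
    to_server = replace(request, dst=SERVER_IP)
    if outbound_nat:
        # Outbound NAT on the VLANIF also rewrites the source to the AR.
        to_server = replace(to_server, src=ROUTER_IP)

    # The server answers whatever source address it saw.
    reply = Packet(SERVER_IP, to_server.src)

    if reply.dst == ROUTER_IP:
        # The reply is addressed to the AR, so it passes the AR and both
        # translations are reversed before it is forwarded to the client.
        reply = Packet(PUBLIC_IP, CLIENT_IP)
    # Otherwise the reply is addressed to a host in the same VLAN and goes
    # straight to the client, untranslated.

    # The client only accepts a reply from the address it connected to.
    accepted = reply.src == request.dst and reply.dst == request.src
    return reply, accepted


if __name__ == "__main__":
    for enabled in (False, True):
        reply, ok = hairpin(enabled)
        print(f"outbound NAT={enabled}: reply {reply.src} -> {reply.dst}, accepted={ok}")
```

Without outbound NAT the client receives a reply whose source is the server's private address, which does not match the connection it opened to the public address.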

An IPSec tunnel fails to be set up for a long time, and then can be established after the IPSec tunnel is reset
The branch sends the headquarters traffic that matches the same data flow as an existing tunnel. The headquarters already has an IPSec tunnel that protects traffic between the headquarters and branch. Because the same data flow is already protected, the headquarters and branch cannot establish a new IPSec tunnel. After the IPSec tunnel of the headquarters is reset, the old IPSec tunnel is deleted and the new IPSec tunnel can be established.

In this case, you can run the ipsec remote traffic-identical accept command to allow users with the same traffic rule as online users to access the IPSec tunnel. The established IPSec SAs are then aged rapidly and an IPSec tunnel is reestablished.


Problem and solution when an IPSec tunnel can be successfully established whereas service access fails
The NAT service is configured on the interface where the IPSec tunnel is established. As a result, the traffic is abnormal. For details about how to solve the problem, see "IPSec session have been established but service is abnormal".
