Problem and solution when IPSec is automatically disconnected and a ping operation is required for triggering on the USG6000


Configuring automatic IPSec triggering (automatic negotiation) on the USG
The auto-neg option can be configured when an IPSec tunnel is established in non-template mode; it means that the tunnel is established through auto-negotiation. If this option is not set, traffic triggers the establishment of the IPSec tunnel.
When the tunnel is established in template mode, the template end cannot proactively initiate the negotiation. If the non-template end sends no traffic, the tunnel is therefore never established. In this case, configure the auto-neg option on the non-template end to enable IPSec auto-negotiation. After auto-neg is configured, the non-template end immediately checks the data flows one by one; for any flow that carries no traffic, it proactively sends a negotiation request to the template end and establishes the IPSec tunnel. The check is repeated at a fixed interval (far shorter than the SA lifetime) so that all tunnels on the system remain in the established state.
Configuration example
Apply an IPSec policy group named policy1 to GigabitEthernet 0/0/3 and proactively initiate a tunnel connection.
system-view
[sysname] interface GigabitEthernet 0/0/3
[sysname-GigabitEthernet0/0/3] ipsec policy policy1 auto-neg

Other related questions:
Problem and solution when the USG6000 virtual system cannot be configured
Check the permissions of the administrator account used for login. If you use the root system administrator account to configure the virtual system, the root system administrator must have the system administrator level. If you use a virtual system administrator account to configure the virtual system, the virtual system administrator must have the system administrator level, or be a configuration administrator with read and write permissions. Choose System > Admin > Administrator Role and configure the administrator account.

Problem and solution when the database cannot be accessed due to ping-pong effect
You can solve the problem that the database cannot be accessed due to the ping-pong effect as follows:

1. Issue Description
The Oracle RAC database service of one site provides two hosts that use storage resources in multipathing mode. LUN0 on the storage device is mapped to both hosts, but one of the two hosts cannot access the LUN.
Product and version information:
S5000 series
Application server using Huawei ATAE boards; the application server runs SUSE 9 SP3.
UltraPath for Linux V100R002C01

2. Alarm Information
None

3. Handling Process
a. Run the upadm show option command on the CLI to check whether the failover function is disabled.
# upadm show option
The following information is displayed:
maxlun = 256
maxpath = 4
maxcontroller = 8
maxarray = 30
failback_interval = 60
optimal_path_check_interval = 60
failed_path_check_interval = 30
iopolicy = round_robin
lbcontroller = off
failover = on
maxtargetid = 512
b. If failover is on, run the upadm set failover=off command to disable the failover function.
# upadm set failover=off
c. Run the upadm start updateimage command to update the UltraPath configuration.
# upadm start updateimage
d. Run the upadm show option command again to confirm that the failover function of UltraPath is disabled.
# upadm show option
The following information is displayed:
maxlun = 256
maxpath = 4
maxcontroller = 8
maxarray = 30
failback_interval = 60
optimal_path_check_interval = 60
failed_path_check_interval = 30
iopolicy = round_robin
lbcontroller = off
failover = off
maxtargetid = 512
----End

4. Root Cause
a. Log analysis shows that the two application servers use UltraPath to switch paths for accessing LUN0 frequently.
b. Log analysis shows that the link between host DB1 and controller A of the storage device is Link Down.
c. Log analysis shows that the link between DB2 and controller A is also Link Down.
The storage device switches LUN0 between the working controllers frequently, and the database log shows I/O timeouts.
Conclusion: The ping-pong effect leads to repeated switchover of the LUN's working controller, which makes the database inaccessible.

5. Suggestions
a. Do not map a LUN to two or more application servers.
b. If you must map a LUN to two application servers in some scenarios, install cluster software on the application servers and configure cluster reservation. In other scenarios, refer to this case and solve the problem by disabling the failover function.
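Step d of the handling process asks you to confirm that the change did what was intended. The following is an added example (not part of the original case, and not a Huawei or UltraPath tool) that parses the key = value listing printed by upadm show option, checks that failover is off, and flags any other option that drifted between the before and after snapshots. The two listings are constructed from the output quoted in the case.

```python
"""Verify an UltraPath `upadm show option` change: failover must be off
and no other option may have changed. Added example; the output format is
assumed to be exactly the `key = value` listing quoted in the case."""
import re

# Constructed sample: the "before" listing quoted in step a of the case.
BEFORE = """maxlun = 256
maxpath = 4
maxcontroller = 8
maxarray = 30
failback_interval = 60
optimal_path_check_interval = 60
failed_path_check_interval = 30
iopolicy = round_robin
lbcontroller = off
failover = on
maxtargetid = 512"""

# Constructed "after" listing, as shown in step d: only failover differs.
AFTER = BEFORE.replace("failover = on", "failover = off")

_OPTION_LINE = re.compile(r"^\s*(\w+)\s*=\s*(\S+)\s*$")


def parse_options(text: str) -> dict:
    """Parse `upadm show option` output into a dict; skip non-option lines."""
    options = {}
    for line in text.splitlines():
        m = _OPTION_LINE.match(line)
        if m:
            options[m.group(1)] = m.group(2)
    return options


def failover_disabled(options: dict) -> bool:
    """True only when the failover option is present and explicitly off."""
    return options.get("failover", "").lower() == "off"


def verify_change(before: str, after: str) -> list:
    """Return findings; an empty list means failover is off and every
    other option kept its value between the two snapshots."""
    b, a = parse_options(before), parse_options(after)
    findings = []
    if not failover_disabled(a):
        findings.append("failover is still enabled")
    for key in sorted(set(b) | set(a)):
        if key != "failover" and b.get(key) != a.get(key):
            findings.append(f"{key} changed: {b.get(key)} -> {a.get(key)}")
    return findings


if __name__ == "__main__":
    print(verify_change(BEFORE, AFTER))  # prints []
```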

