A: Service unavailability is often caused by routes between the branch offices and the headquarters that are missing or incorrectly configured.
Symptom
In Figure 1-1, after IPSec is deployed between the FWs, the PCs cannot communicate with each other.
Figure 1-1 IPSec networking
1. Run the display ike sa command on FW1. The output shows that an IPSec tunnel has been established (both the phase 1 and phase 2 SAs are in the RD (READY) state).
<FW1> display ike sa
IKE SA information :
  Conn-ID    Peer            VPN    Flag(s)    Phase
  ---------------------------------------------------------------
  151003222  2.1.1.1:500            RD|ST|A    v1:2
  151003215  2.1.1.1:500            RD|ST|A    v1:1

  Number of IKE SA : 2
  ---------------------------------------------------------------
  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE   NEG--NEGOTIATING
2. Run the ping command on FW1. 10.1.1.2 replies, but 10.1.2.2 on the remote private network times out, so the private network route to the remote end is unreachable.
<FW1> ping 10.1.1.2
  PING 10.1.1.2: 56 data bytes, press CTRL_C to break
    Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=1 ms
    Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 10.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/1 ms

<FW1> ping 10.1.2.2
  PING 10.1.2.2: 56 data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.1.2.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
Possible Causes
The private network route from FW1 to FW2 is unreachable.
Procedure
Run the display ip routing-table command to check the IP routing table of FW1.
<FW1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 15       Routes : 15

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Unr     70   0           D   192.168.1.1     GigabitEthernet1/0/7
       1.1.1.0/24   Direct  0    0           D   1.1.1.1         GigabitEthernet1/0/1
       1.1.1.1/32   Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/1
       2.1.1.0/24   Static  60   0          RD   1.1.1.2         GigabitEthernet1/0/1
    10.128.0.0/10   Static  60   0          RD   192.168.50.1    GigabitEthernet1/0/5
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
   192.168.1.0/24   Direct  0    0           D   192.168.1.2     GigabitEthernet1/0/7
   192.168.1.2/32   Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/7
......
The preceding command output shows that FW1 does not have a route to the private network segment behind FW2 (10.1.2.0/24): the only matching entry is the default route, so traffic for that segment is not steered into the IPSec tunnel.
On FW1, configure a private network route to FW2.
ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
After the configuration, the PCs can communicate with each other.
----End
Suggestion and Summary
If an IPSec tunnel has been established but services are still interrupted, check whether a routing failure has occurred. If the local device does not have a route to the private network segment of the remote device, the local device discards the packets instead of sending them into the tunnel.
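To make the routing check from the procedure above repeatable, here is an added example (not part of the original article or of Huawei's software) that parses display ip routing-table output and performs the longest-prefix lookup the FIB would do for the remote private segment, reporting a failure when only the default route matches. The embedded table is an abridged copy of the FW1 output above, with the page's ip route-static entry appended to model the state after the fix.

```python
import ipaddress
import re

# Constructed sample: abridged FW1 routing table from the page, so this runs offline.
BEFORE_FIX = """\
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
0.0.0.0/0           Unr     70   0      D     192.168.1.1     GigabitEthernet1/0/7
1.1.1.0/24          Direct  0    0      D     1.1.1.1         GigabitEthernet1/0/1
2.1.1.0/24          Static  60   0      RD    1.1.1.2         GigabitEthernet1/0/1
10.128.0.0/10       Static  60   0      RD    192.168.50.1    GigabitEthernet1/0/5
192.168.1.0/24      Direct  0    0      D     192.168.1.2     GigabitEthernet1/0/7
"""
# The entry produced by: ip route-static 10.1.2.0 255.255.255.0 1.1.1.2
AFTER_FIX = BEFORE_FIX + "10.1.2.0/24         Static  60   0      RD    1.1.1.2         GigabitEthernet1/0/1\n"

# One routing-table row: dest/mask, proto, pre, cost, flags, nexthop, interface.
ROW = re.compile(r"^(\S+/\d+)\s+(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_routes(text):
    """Parse display ip routing-table rows; headers, separators and '......' are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dest, proto, flags, nexthop, iface = m.groups()
            routes.append({"prefix": ipaddress.ip_network(dest), "proto": proto,
                           "flags": flags, "nexthop": nexthop, "iface": iface})
    return routes


def lookup(routes, dst):
    """Longest-prefix match for a single address, as the FIB does; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["prefix"]]
    return max(hits, key=lambda r: r["prefix"].prefixlen, default=None)


def check_private_route(text, remote_subnet):
    """Return (ok, detail). ok only when the whole remote private segment is covered
    by a route more specific than the default route (0.0.0.0/0)."""
    net = ipaddress.ip_network(remote_subnet)
    r = lookup(parse_routes(text), net.network_address)
    if r is None or r["prefix"].prefixlen == 0:
        return False, f"no route to {net} other than the default route"
    if not net.subnet_of(r["prefix"]):
        return False, f"only part of {net} is covered by {r['prefix']}"
    return True, f"{net} via {r['nexthop']} ({r['iface']}, {r['proto']})"
```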
For details, see the HUAWEI USG6000&USG9500 & NGFW Module V500R005C00 Product Documentation (hdx).
Step 1 Log in to the enterprise technical support website at http://support.huawei.com/enterprise.
Step 2 Click Security.
Step 3 Click the name of the product to be queried, for example, Secospace USG6600.
Step 4 Choose Documentation > Product Documentation, and then select the corresponding product document library.
Step 5 Select the hedex document, and then find the IPSec node in the Administrator Guide.
----End