Case: AR200 IPsec tunnel is up but traffic passes in only one direction

Latest reply: May 13, 2018 12:35:00
1     Symptom Description

The customer uses an AR200 to establish an IPsec tunnel. The tunnel comes up normally, but traffic through it reaches the far end in one direction only; in the other direction it is unreachable.


2     Alarm Information

None

3     Cause Analysis

Based on the symptom, the possible causes are:

(1) A device between the AR200 and the peer drops the packets sent from the AR200 toward the other side.

(2) The AR200 itself does not send anything back to the other side.

(3) There is a routing problem in the configuration.

4     Handling Process

First, check whether the traffic actually enters the IPsec tunnel. The output of "display ipsec sa" and "display ipsec statistics esp" shows that it does: the outbound sequence number and the ESP Outpacket count both increase while the inside PC pings the remote subnet, as shown below:

[RouterA]display ipsec sa


 
===============================

Interface:Ethernet0/0/0

 Path MTU: 1500

===============================


 
  -----------------------------

  IPSec policy name: "policy1"

  Sequence number  : 10

  Acl Group        : 3002

  Acl rule         : 5

  Mode            : ISAKMP

  -----------------------------

    Connection ID     : 10

    Encapsulation mode: Tunnel

    Tunnel local      : 192.10.1.13

    Tunnel remote     : 10.99.100.1

    Flow source       : 10.1.1.0/0.0.0.255 0/0

    Flow destination  : 10.1.2.0/0.0.0.255 0/0


 
    [Outbound ESP SAs]

      SPI: 2599725180 (0x9af4a87c)

      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5

      SA remaining key duration (bytes/sec):1887369088/2544

      Max sent sequence-number: 88     // this counter increases

      UDP encapsulation used for NAT traversal:N


 
    [Inbound ESP SAs]

      SPI: 3898733167 (0xe861f26f)

      Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5

      SA remaining key duration (bytes/sec):1887435434/2544

      Max received sequence-number: 16

      UDP encapsulation used for NAT traversal:N

[RouterA]display ipsec statistics esp

 Inpacket count            : 31

 Inpacket auth count       : 0

 Inpacket decap count      : 0

 Outpacket count           : 110       // this counter increases

 Outpacket auth count      : 0

 Outpacket encap count     : 0

 Inpacket drop count       : 0

 Outpacket drop count      : 0

 BadAuthLen count          : 0

 AuthFail count            : 0

 PktDuplicateDrop count    : 0

 PktSeqNoTooSmallDrop count: 0

 PktInSAMissDrop count     : 0

The outbound ESP counters increase, so the cleartext traffic matches the IPsec policy and is being encrypted: the tunnel ingress is not the problem. Whether the encrypted packets then actually leave the device is a separate question.

Second, confirm whether the encrypted traffic is really transmitted by the AR200. While pinging from the inside PC, we find that no packets leave the interface the IPsec policy is applied to (Ethernet0/0/0): the interface Output counter stays flat, and the 79 frames it has sent are all broadcasts, none unicast. As shown below:

[RouterA-Ethernet0/0/0] display this interface

Ethernet0/0/0 current state : UP

Line protocol current state : UP

Last line protocol up time : 2014-06-26 22:33:35

Description:HUAWEI, AR Series, Ethernet0/0/0 Interface

Route Port,The Maximum Transmit Unit is 1500

Internet Address is 192.10.1.13/24

IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 1047-8003-72dc

Last physical up time   : 2014-06-26 14:33

Last physical down time : 2014-06-26 14:33

Current system time: 2014-06-26 14:33

Port Mode: COMMON COPPER

Speed : 100,  Loopback: NONE

Duplex: FULL,  Negotiation: ENABLE

Mdi  : AUTO

Last 300 seconds input rate 320 bits/sec, 0 packets/sec

Last 300 seconds output rate 104 bits/sec, 0 packets/sec

Input peak rate 1304 bits/sec, Record time: 2014-06-26 14:33

Output peak rate 1712 bits/sec, Record time: 2014-06-26 14:33


 
Input: 289 packets, 21961 bytes

 Unicast:                  3,  Multicast:                 286

 Broadcast:                0, Jumbo:                       0

 Discard:                  0,  Total Error:                 0


 
 CRC:                      0,  Giants:                      0

 Jabbers:                  0,  Throttles:                   0

 Runts:                    0, Alignments:                  0

 Symbols:                  0,  Ignoreds:                    0

 Frames:                   0


 
Output:  79 packets, 5056 bytes           // this counter does not increase

 Unicast:                  0,  Multicast:                   0

 Broadcast:               79,  Jumbo:                       0

 Discard:                  0,  Total Error:                 0


 
 Collisions:               0,  ExcessiveCollisions:         0

 Late Collisions:          0,  Deferreds:                   0

 Buffers Purged:           0


 
   Input bandwidth utilization threshold : 100.00%

   Output bandwidth utilization threshold: 100.00%

   Input bandwidth utilization  : 0.01%

   Output bandwidth utilization : 0.01%
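To turn the two-step comparison above (ESP counters versus interface output counters) into a repeatable check, here is an added example that is not from the original post or from Huawei. It parses copies of "display ipsec statistics esp" and "display interface" output captured before and after a burst of pings, computes the deltas, and classifies where the outbound traffic stops. The sample text is constructed to mirror the counters quoted above (Outpacket count 110, Output 79 packets); the values in the second snapshot, the classification names and the function names are assumptions.

```python
import re

# Counters from 'display ipsec statistics esp' that the diagnosis needs.
ESP_FIELDS = {
    "esp_in":       r"Inpacket count\s*:\s*(\d+)",
    "esp_out":      r"Outpacket count\s*:\s*(\d+)",
    "esp_out_drop": r"Outpacket drop count\s*:\s*(\d+)",
}

def parse_esp_stats(text):
    """Pull the ESP counters out of 'display ipsec statistics esp' output."""
    found = {}
    for key, pattern in ESP_FIELDS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"counter not found in ESP statistics: {key}")
        found[key] = int(m.group(1))
    return found

def parse_interface_output(text):
    """Pull the transmit counters out of 'display interface' output."""
    # Everything after "Output:" is the transmit direction. The "Input:"
    # block above it has its own Unicast/Broadcast lines, which must be skipped.
    _, sep, tx = text.partition("Output:")
    if not sep:
        raise ValueError("no 'Output:' block in interface output")
    total = re.match(r"\s*(\d+) packets", tx)
    unicast = re.search(r"Unicast:\s*(\d+)", tx)
    broadcast = re.search(r"Broadcast:\s*(\d+)", tx)
    if not (total and unicast and broadcast):
        raise ValueError("'Output:' block is incomplete")
    return {
        "if_out_pkts": int(total.group(1)),
        "if_out_unicast": int(unicast.group(1)),
        "if_out_broadcast": int(broadcast.group(1)),
    }

def snapshot(esp_text, iface_text):
    """Combine both command outputs captured at the same moment."""
    return {**parse_esp_stats(esp_text), **parse_interface_output(iface_text)}

def diagnose(before, after):
    """Classify where outbound traffic stops, from the counter deltas.

    NOT_ENTERING_TUNNEL    ESP Outpacket count flat: the traffic is not
                           matching the IPsec policy / ACL at all.
    DROPPED_INSIDE_IPSEC   IPsec itself counted outbound drops.
    DROPPED_AFTER_ENCRYPT  ESP Outpacket count rises but the interface sends
                           no unicast frames: the encrypted packet has no
                           next-hop MAC, the case in this post.
    NO_RETURN_TRAFFIC      frames leave the box but nothing is decrypted.
    OK                     both directions are moving.
    """
    delta = {k: after[k] - before[k] for k in before}
    if delta["esp_out"] <= 0:
        return "NOT_ENTERING_TUNNEL"
    if delta["esp_out_drop"] > 0:
        return "DROPPED_INSIDE_IPSEC"
    if delta["if_out_unicast"] <= 0:
        return "DROPPED_AFTER_ENCRYPT"
    if delta["esp_in"] <= 0:
        return "NO_RETURN_TRAFFIC"
    return "OK"

# --- Constructed sample output (not captured from a device) -----------------
# Shaped like the two command outputs quoted in the post; only the counters
# the parser reads are varied.
def esp_text(in_count, out_count, out_drop=0):
    return (f" Inpacket count            : {in_count}\n"
            f" Inpacket auth count       : 0\n"
            f" Outpacket count           : {out_count}\n"
            f" Outpacket auth count      : 0\n"
            f" Inpacket drop count       : 0\n"
            f" Outpacket drop count      : {out_drop}\n")

def iface_text(out_total, out_unicast, out_broadcast):
    return ("Input: 289 packets, 21961 bytes\n"
            " Unicast:                  3,  Multicast:                 286\n"
            " Broadcast:                0, Jumbo:                       0\n"
            f"Output:  {out_total} packets, 5056 bytes\n"
            f" Unicast:                  {out_unicast},  Multicast:                   0\n"
            f" Broadcast:               {out_broadcast},  Jumbo:                       0\n")

if __name__ == "__main__":
    # Broken state from the post: 20 more pings are encrypted (110 -> 130)
    # but the interface output counter does not move.
    before = snapshot(esp_text(31, 110), iface_text(79, 0, 79))
    after = snapshot(esp_text(31, 130), iface_text(79, 0, 79))
    print(diagnose(before, after))   # DROPPED_AFTER_ENCRYPT
    # After the route fix (assumed values): encrypted, sent as unicast,
    # and the replies come back and are decrypted.
    before = snapshot(esp_text(31, 130), iface_text(79, 0, 79))
    after = snapshot(esp_text(51, 150), iface_text(119, 40, 79))
    print(diagnose(before, after))   # OK
```

The order of the checks matters: an interface whose only transmitted frames are broadcasts (here, 79 of 79) is consistent with a router that keeps ARPing and never gets a MAC to send the ESP packet to, which is why the unicast counter, not the total, is the one compared against the ESP Outpacket count.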

Then we check the configuration again and find that the static routes for the traffic are configured with an outbound interface as the next hop rather than a next-hop IP address:

ip route-static 10.1.2.0 255.255.255.0 Ethernet0/0/0

ip route-static 10.99.100.0 255.255.255.0 Ethernet0/0/0

After confirming with R&D colleagues: with this configuration the router cannot resolve a next-hop MAC address for the traffic, so the packets are dropped. Ethernet0/0/0 is a broadcast interface, and a static route that names only the outbound interface makes the router treat every destination as directly connected and ARP for the destination address itself; unless the upstream device answers with proxy ARP there is no MAC to put in the frame, and the already-encrypted packet is discarded before transmission. This is why the ESP counters increase while the interface output counter does not.

Change the routes to use the next-hop router's IP address instead:

ip route-static 10.1.2.0 255.255.255.0 192.168.100.1

ip route-static 10.99.100.0 255.255.255.0 192.168.100.1

After the change, traffic passes normally in both directions.
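As an added check covering both the route fix above and the advice in the summary (example code, not from the original post or from Huawei): a small linter that scans a VRP configuration for static routes that name a broadcast interface with no next-hop address, and prints the corrected form used in the post. The list of broadcast interface types, the interface-token heuristic, the sample configuration and the function names are assumptions.

```python
import ipaddress
import re

# Interface types that are broadcast (multi-access) media on AR routers. A
# static route that names only such an interface leaves the router with no
# next-hop MAC to resolve. Point-to-point types (Serial, Tunnel, Dialer, ...)
# are not listed: there an outbound interface alone is enough. Assumed list.
BROADCAST_IF_PREFIXES = ("Ethernet", "GigabitEthernet", "Eth-Trunk", "Vlanif")

# 'ip route-static <dest> <mask|prefix-len> <next-hop | interface [next-hop]> ...'
ROUTE_RE = re.compile(
    r"^\s*ip route-static\s+(?P<dest>\S+)\s+(?P<mask>\S+)\s+(?P<rest>.+?)\s*$")
# An interface token looks like 'Ethernet0/0/0', 'Vlanif10', 'Eth-Trunk1':
# letters (and hyphens) immediately followed by a digit. Keywords such as
# 'preference' or 'description' do not match. (Heuristic, assumed.)
IFACE_TOKEN_RE = re.compile(r"^[A-Za-z][A-Za-z-]*\d")

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_static_route(line):
    """Return {dest, mask, iface, nexthop} for an 'ip route-static' line, else None."""
    m = ROUTE_RE.match(line)
    if m is None:
        return None
    route = {"dest": m.group("dest"), "mask": m.group("mask"),
             "iface": None, "nexthop": None}
    for token in m.group("rest").split():
        if _is_ip(token):
            route["nexthop"] = token
        elif route["iface"] is None and IFACE_TOKEN_RE.match(token):
            route["iface"] = token
    return route

def lint_static_routes(config_text):
    """Return the static routes that name a broadcast interface with no next hop."""
    findings = []
    for line in config_text.splitlines():
        route = parse_static_route(line)
        if route is None or route["nexthop"] is not None or route["iface"] is None:
            continue
        if route["iface"].startswith(BROADCAST_IF_PREFIXES):
            findings.append(route)
    return findings

def suggested_fix(route, nexthop_ip):
    """The form used in the post: route via the next-hop router's IP address."""
    return f"ip route-static {route['dest']} {route['mask']} {nexthop_ip}"

# Constructed sample, modelled on the two routes quoted in the post plus two
# routes that must not be flagged (point-to-point interface; explicit next hop).
SAMPLE_CONFIG = """\
ip route-static 10.1.2.0 255.255.255.0 Ethernet0/0/0
ip route-static 10.99.100.0 255.255.255.0 Ethernet0/0/0
ip route-static 10.1.1.0 255.255.255.0 Serial1/0/0
ip route-static 0.0.0.0 0.0.0.0 192.168.100.1
"""

if __name__ == "__main__":
    for route in lint_static_routes(SAMPLE_CONFIG):
        print(f"interface-only static route to {route['dest']} via {route['iface']}")
        print("  suggested: " + suggested_fix(route, "192.168.100.1"))
```

Run it against the output of "display current-configuration" saved to a file; a route that specifies both an interface and a next-hop address passes, as does an interface-only route on a point-to-point link, so only the pattern that caused this case is reported.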

5     Suggestions and Summary

When routing traffic into an IPsec tunnel, configure the static routes for the protected traffic (and for the tunnel peer) with an explicit next-hop IP address, not just an outbound interface. An interface-only static route is acceptable on a point-to-point link but not on a broadcast interface such as Ethernet, where the router has no next-hop MAC to resolve. A quick check is to compare the ESP Outpacket count with the interface's unicast output counter: if the former increases and the latter does not, the packets are being encrypted and then dropped before transmission.

This post was last edited by w1 at 2014-06-26 14:33.

wissal (MVE), May 13, 2018 12:35:00:

Useful document, thanks.