The customer uses an AR200 to establish an IPsec tunnel. The tunnel is established normally, but traffic through the tunnel is reachable in one direction only; in the other direction the traffic is unreachable.

2 Alarm Information
None
3 Cause Analysis
According to the issue details, the possible causes are as follows:
(1) A device between the AR200 and the peer drops the packets sent from the AR200 to the other side.
(2) The AR200 does not reply to the other side.
(3) There is a routing problem in the configuration.
4 Handling Process
First, check whether the traffic enters the IPsec tunnel. According to the information collected with the commands "display ipsec sa" and "display ipsec statistics esp", the packets have entered the tunnel, as follows:
[RouterA]display ipsec sa
===============================
Interface:Ethernet0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec policy name: "policy1"
Sequence number : 10
Acl Group : 3002
Acl rule : 5
Mode : ISAKMP
-----------------------------
Connection ID : 10
Encapsulation mode: Tunnel
Tunnel local : 192.10.1.13
Tunnel remote : 10.99.100.1
Flow source : 10.1.1.0/0.0.0.255 0/0
Flow destination : 10.1.2.0/0.0.0.255 0/0
[Outbound ESP SAs]
SPI: 2599725180 (0x9af4a87c)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec):1887369088/2544
Max sent sequence-number: 88 // this counter increases
UDP encapsulation used for NAT traversal:N
[Inbound ESP SAs]
SPI: 3898733167 (0xe861f26f)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-MD5
SA remaining key duration (bytes/sec):1887435434/2544
Max received sequence-number: 16
UDP encapsulation used for NAT traversal:N
[RouterA]display ipsec statistics esp
Inpacket count : 31
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 110 //this counter increases
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
BadAuthLen count : 0
AuthFail count : 0
PktDuplicateDrop count : 0
PktSeqNoTooSmallDrop count: 0
PktInSAMissDrop count : 0
From the above information it appears that the AR200 accepts the traffic into the tunnel and encapsulates it. Note, however, that the increasing outbound ESP counters only show that the packets reached the IPsec module; they do not prove that the encapsulated packets left the device.
Second, we need to confirm whether the traffic is actually forwarded out of the AR200. When we run a ping test from the inside PC, we find that the packets do not go out of the interface on which the IPsec policy is applied (Ethernet0/0/0): the output counter of the interface does not increase, as follows:
[RouterA-Ethernet0/0/0] display this interface
Ethernet0/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2014-06-26 22:33:35
Description:HUAWEI, AR Series, Ethernet0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.10.1.13/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 1047-8003-72dc
Last physical up time : 2014-06-26 14:33
Last physical down time : 2014-06-26 14:33
Current system time: 2014-06-26 14:33
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO
Last 300 seconds input rate 320 bits/sec, 0 packets/sec
Last 300 seconds output rate 104 bits/sec, 0 packets/sec
Input peak rate 1304 bits/sec,Record time:2014-06-26 14:33
Output peak rate 1712 bits/sec,Record time:2014-06-26 14:33
Input: 289 packets, 21961 bytes
Unicast: 3, Multicast: 286
Broadcast: 0, Jumbo: 0
Discard: 0, Total Error: 0
CRC: 0, Giants: 0
Jabbers: 0, Throttles: 0
Runts: 0, Alignments: 0
Symbols: 0, Ignoreds: 0
Frames: 0
Output: 79 packets, 5056 bytes // this counter does not increase
Unicast: 0, Multicast: 0
Broadcast: 79, Jumbo: 0
Discard: 0, Total Error: 0
Collisions: 0, ExcessiveCollisions: 0
Late Collisions: 0, Deferreds: 0
Buffers Purged: 0
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization :0.01%
Output bandwidth utilization : 0.01%
Note also that the 79 frames the interface did send are all broadcasts (Unicast: 0), so no unicast frame, and therefore no ESP packet, has left Ethernet0/0/0; broadcast-only output is consistent with the router sending ARP requests that get no answer. We then checked the configuration again and found that the static routes for the traffic were configured with an outbound interface as the next hop rather than a next-hop IP address, as follows:
ip route-static 10.1.2.0 255.255.255.0 Ethernet0/0/0
ip route-static 10.99.100.0 255.255.255.0 Ethernet0/0/0
After confirming with R&D colleagues: with the above configuration the router has no next-hop IP address to resolve to a MAC address on the Ethernet segment, so it cannot find the next-hop MAC and the encapsulated packets are dropped.
The routes need to be changed so that the next hop is an IP address:
ip route-static 10.1.2.0 255.255.255.0 192.168.100.1
ip route-static 10.99.100.0 255.255.255.0 192.168.100.1
After the configuration change, traffic in both directions is normal.
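The two counter checks used above (did the packets enter the tunnel, and did anything leave the physical interface) can be scripted so the comparison is made on counter deltas around a test ping rather than by eye. The following Python is an added example, not part of the original case or of Huawei's own tooling: it parses two constructed snapshots of "display ipsec statistics esp" and "display interface" output, modelled on the counters shown above, and reports where the outbound traffic stops. The snapshot text, the assumed 20-ping delta and the verdict codes are assumptions made for the example.

```python
import re

# Constructed sample snapshots, modelled on the counters shown in the case
# above; they are not captured from a live device.
ESP_T0 = """\
Inpacket count : 31
Inpacket auth count : 0
Inpacket decap count : 0
Outpacket count : 110
Outpacket auth count : 0
Outpacket encap count : 0
Inpacket drop count : 0
Outpacket drop count : 0
AuthFail count : 0
PktInSAMissDrop count : 0
"""
# Second snapshot after 20 pings from the inside PC: 20 more packets were
# matched by the IPsec policy and handed to ESP (assumed delta).
ESP_T1 = ESP_T0.replace("Outpacket count : 110", "Outpacket count : 130")

IF_T0 = """\
Input: 289 packets, 21961 bytes
Unicast: 3, Multicast: 286
Broadcast: 0, Jumbo: 0
Output: 79 packets, 5056 bytes
Unicast: 0, Multicast: 0
Broadcast: 79, Jumbo: 0
"""
# During the same pings the only frames that left the interface were
# broadcasts (ARP requests that get no answer); no unicast ESP went out.
IF_T1 = (IF_T0.replace("Output: 79 packets", "Output: 99 packets")
              .replace("Broadcast: 79,", "Broadcast: 99,"))

COUNTER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\d+)", re.M)


def parse_esp(text):
    """Map each 'Name : N' line of 'display ipsec statistics esp' to an int."""
    return {m.group(1).strip(): int(m.group(2)) for m in COUNTER_RE.finditer(text)}


def parse_direction(text, direction):
    """Packet/unicast/broadcast counters of the Input or Output section of
    'display interface' output (first match after the section header)."""
    section = text.split(direction + ":", 1)[1]

    def grab(pattern):
        return int(re.search(pattern, section).group(1))

    return {"packets": grab(r"(\d+) packets"),
            "unicast": grab(r"Unicast:\s*(\d+)"),
            "broadcast": grab(r"Broadcast:\s*(\d+)")}


def diagnose(esp_t0, esp_t1, if_t0, if_t1):
    """Classify where outbound tunnel traffic stops, from snapshots taken before
    and after a test ping. Returns (code, explanation), following the order
    used in the case: does traffic enter the tunnel, and if so, does anything
    actually leave the physical interface?"""
    e0, e1 = parse_esp(esp_t0), parse_esp(esp_t1)
    o0, o1 = parse_direction(if_t0, "Output"), parse_direction(if_t1, "Output")
    esp_out = e1["Outpacket count"] - e0["Outpacket count"]
    esp_drop = e1["Outpacket drop count"] - e0["Outpacket drop count"]
    uni = o1["unicast"] - o0["unicast"]
    bcast = o1["broadcast"] - o0["broadcast"]

    if esp_out == 0:
        return ("NOT_IN_TUNNEL",
                "ESP outbound counter is flat: traffic is not matching the IPsec ACL/policy.")
    if esp_drop > 0:
        return ("DROPPED_BY_IPSEC", f"{esp_drop} outbound packets dropped in IPsec processing.")
    if uni == 0:
        msg = f"{esp_out} packets encapsulated but no unicast frame left the interface."
        if bcast > 0:
            msg += (" Only broadcasts were sent, consistent with unanswered ARP requests:"
                    " check that the static route has an IP next hop, not just an interface.")
        return ("NOT_TRANSMITTED", msg)
    return ("TRANSMITTED",
            f"{esp_out} packets encapsulated and {uni} unicast frames sent; look downstream.")


if __name__ == "__main__":
    code, why = diagnose(ESP_T0, ESP_T1, IF_T0, IF_T1)
    print(code, "-", why)
```

Run against the constructed snapshots the verdict is NOT_TRANSMITTED with the ARP hint, which is exactly the situation in this case; feed it real before/after captures and the same three-way split tells you whether to look at the IPsec policy, the IPsec engine, or the routing and ARP resolution on the outbound interface.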
5 Suggestions and Summary
When using an IPsec tunnel, pay attention to the routes for the tunnel and protected traffic: on an Ethernet (broadcast) interface they must be configured with an explicit next-hop IP address, not with only an outbound interface, otherwise the router cannot resolve a next-hop MAC address and the packets are dropped.
This post was last edited by w1 at 2014-06-26 14:33.
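The static-route pattern that caused this case is easy to catch in a configuration review. As an added example (not part of the original post or of Huawei's tooling), the following Python snippet audits a constructed "ip route-static" excerpt for routes whose only next-hop information is a broadcast-type interface and prints the corrected form with an explicit next-hop IP. The sample configuration lines, the list of interface types treated as broadcast, the extra Serial route and the 192.168.100.1 gateway used in the suggested fix are assumptions modelled on the case above.

```python
import re

# Constructed configuration excerpt modelled on the case above (not an export
# from a live device); the Serial route is added to show the point-to-point case.
CONFIG_BEFORE = """\
ip route-static 10.1.2.0 255.255.255.0 Ethernet0/0/0
ip route-static 10.99.100.0 255.255.255.0 Ethernet0/0/0
ip route-static 172.16.0.0 255.255.0.0 Serial1/0/0
"""

# Interface types on which the link carries more than two nodes, so the router
# must ARP for a next-hop IP; a route naming only such an interface gives it no
# next hop to resolve. Point-to-point types (Serial, Tunnel) are not listed.
BROADCAST_IF = re.compile(r"^(Ethernet|GigabitEthernet|XGigabitEthernet|Vlanif|Eth-Trunk)\d", re.I)
# dest mask next-hop[ next-hop]: the third token is an IP or an interface,
# the optional fourth token is an IP next hop given together with the interface.
ROUTE_RE = re.compile(r"^[ \t]*ip route-static[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)(?:[ \t]+(\S+))?", re.M)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def find_interface_only_routes(config):
    """Return (destination, mask, interface) for every static route whose only
    next-hop information is a broadcast-type interface."""
    findings = []
    for dest, mask, hop, extra in ROUTE_RE.findall(config):
        if IPV4_RE.match(hop) or (extra and IPV4_RE.match(extra)):
            continue  # 'dest mask next-hop-ip' or 'dest mask interface next-hop-ip': fine
        if BROADCAST_IF.match(hop):
            findings.append((dest, mask, hop))
    return findings


def suggest_fix(findings, next_hop):
    """Rewrite each flagged route with an explicit next-hop IP address."""
    return [f"ip route-static {dest} {mask} {next_hop}" for dest, mask, _ in findings]


if __name__ == "__main__":
    bad = find_interface_only_routes(CONFIG_BEFORE)
    for dest, mask, ifname in bad:
        print(f"WARN: {dest} {mask} points at {ifname} with no next-hop IP")
    # 192.168.100.1 is the gateway used in the fix above; assumed to be the
    # upstream device on the Ethernet0/0/0 segment.
    print("\n".join(suggest_fix(bad, "192.168.100.1")))
```

The check flags only the two Ethernet0/0/0 routes from the case; the Serial route is left alone because a point-to-point link has exactly one peer and needs no ARP, and a route that already names "interface next-hop-ip" passes as well.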