In the previous article, "Juniper SSG140: Using PBR to Achieve Dual-Line Access", we completed dual-line access on the SSG140 by enabling the PBR function. However, it was recently discovered that a subsidiary on a China Unicom line could only establish a VPN with the company's China Telecom line. As everyone knows, connectivity between China Telecom and China Unicom is poor, so a VPN built this way has very high latency; the maximum latency measured reached 200 ms.

Troubleshooting process:

1. First, the VPN settings were suspected to be wrong. I logged on to the firewalls at both ends and re-created the VPN against the China Unicom line. After repeated attempts the VPN still failed, while the same settings worked normally on the China Telecom line. The branch firewall log showed the error "Phase 1: Retransmission limit has been reached". The usual troubleshooting steps were checked one by one, but the fault remained (reference: http://www.liusuping.com/juniper/juniper-dongtai-vpn-guzhang-jiejue.html).

2. From the result of the first step, the root cause was most likely on the head office side. However, the newly added line on the head office firewall could be used normally, and several people checked it without finding any problem.

3. After asking for help, a friend suggested that this was a routing problem and that a route should be written to pin the traffic to the specified line. At the time I was too busy to think it through carefully. Later, because a large amount of data needed to be transferred with the branch, the high latency made solving the problem urgent, so I analysed the cause carefully and finally resolved this seemingly strange fault.

Cause:

The head office is connected to both China Unicom and China Telecom. By default all packets are forwarded over the China Telecom line; only packets that match the extended ACL (EACL) conditions of the PBR policy are forwarded over the China Unicom line.
Therefore, when the branch's IKE (VPN) request arrives at head office over the China Unicom line as expected, the head office's response does not match the PBR extended ACL, so it is forwarded by the default route over the China Telecom line and leaves with the head office's China Telecom public address as its source. When the branch firewall receives the response from the Telecom line and unpacks it, it finds that the source address is not the China Unicom address it has configured as the VPN gateway but an unfamiliar Telecom address. The firewall ignores such packets, so the tunnel is never established and Phase 1 stays stuck in the attempt state until the retransmission limit is reached.

By analogy: B wants to borrow money from A. A says fine, but B has to write an IOU first, and then A will transfer the money online. B writes the IOU at home but forgets to sign it, and asks a friend C to deliver it. C signs his own name and hands it over. When A receives it, he sees that it says B borrowed XX yuan from A, but the signature at the bottom is C's. A is annoyed and does not transfer the money to B.

Solution:

Add a route entry to the routing table of the head office firewall whose Destination is the public-interface IP address of the branch firewall, and specify that this route forwards over the China Unicom line. Because a host route is more specific than the default route, the IKE response (and the subsequent ESP traffic) now leaves over the same line the request came in on, with the Unicom address as its source. Once the route is in place, create the VPN on the China Unicom line again; everything works normally.
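The following is an added illustration, not configuration from the original article: a small Python model of the fault and the fix. It assumes a ScreenOS-like forwarding order (PBR extended ACL checked first, then the routing table with longest-prefix match) and an IKE initiator that only accepts replies whose source address equals the configured gateway. All addresses, interface names and the ACL are constructed for the example. On the real firewall the equivalent of `add_branch_host_route` is a static host route of the form `set route <branch-ip>/32 interface <unicom-interface> gateway <unicom-next-hop>` (assumed syntax; check it against your ScreenOS release).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "udp/500" stands in for IKE in this model


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: str


@dataclass
class PbrEntry:
    """One extended-ACL line of the PBR policy: matching packets leave via `interface`."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    interface: str


@dataclass
class HeadOfficeFirewall:
    interfaces: Dict[str, str]                      # interface name -> its public IP
    routes: List[Route] = field(default_factory=list)
    pbr: List[PbrEntry] = field(default_factory=list)

    def egress(self, pkt: Packet) -> str:
        """Pick the outbound interface: PBR ACL first, then longest-prefix match."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        for entry in self.pbr:
            if src in entry.src and dst in entry.dst:
                return entry.interface
        best: Optional[Route] = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        if best is None:
            raise LookupError(f"no route to {pkt.dst}")
        return best.interface

    def ike_respond(self, request: Packet) -> Packet:
        """The reply's source is the IP of whichever interface the routing decision
        picks for the branch address, not necessarily the one the request arrived on."""
        iface = self.egress(Packet(src=request.dst, dst=request.src, proto=request.proto))
        return Packet(src=self.interfaces[iface], dst=request.src, proto=request.proto)


@dataclass
class BranchFirewall:
    public_ip: str
    ike_gateway: str  # head office address configured as the VPN peer

    def ike_request(self) -> Packet:
        return Packet(src=self.public_ip, dst=self.ike_gateway, proto="udp/500")

    def accepts(self, reply: Packet) -> bool:
        """An IKE reply is only processed if it comes from the configured gateway;
        anything else is dropped and the initiator keeps retransmitting."""
        return reply.dst == self.public_ip and reply.src == self.ike_gateway


def phase1_attempt(head: HeadOfficeFirewall, branch: BranchFirewall) -> Tuple[str, bool]:
    """Returns (source address of head office's reply, whether the branch accepted it)."""
    reply = head.ike_respond(branch.ike_request())
    return reply.src, branch.accepts(reply)


# Constructed topology (illustrative addresses only, not the article's).
TELECOM, UNICOM = "ethernet0/2", "ethernet0/3"
HEAD_TELECOM_IP, HEAD_UNICOM_IP = "203.0.113.10", "198.51.100.10"
BRANCH_IP = "198.51.100.200"
LAN = ipaddress.ip_network("10.0.0.0/24")


def build_head_office() -> HeadOfficeFirewall:
    fw = HeadOfficeFirewall(interfaces={TELECOM: HEAD_TELECOM_IP, UNICOM: HEAD_UNICOM_IP})
    # Default route: everything not matched by PBR goes out over China Telecom.
    fw.routes.append(Route(ipaddress.ip_network("0.0.0.0/0"), TELECOM, "203.0.113.1"))
    # PBR: internal users reaching a Unicom prefix take the Unicom line. It only
    # matches traffic sourced from the LAN, so the firewall's own IKE reply ignores it.
    fw.pbr.append(PbrEntry(LAN, ipaddress.ip_network("198.51.100.0/24"), UNICOM))
    return fw


def add_branch_host_route(fw: HeadOfficeFirewall) -> None:
    """The fix: a /32 route for the branch's public IP pinned to the Unicom line."""
    fw.routes.append(Route(ipaddress.ip_network(BRANCH_IP + "/32"), UNICOM, "198.51.100.1"))


if __name__ == "__main__":
    head = build_head_office()
    branch = BranchFirewall(public_ip=BRANCH_IP, ike_gateway=HEAD_UNICOM_IP)
    print("before fix:", phase1_attempt(head, branch))   # reply from Telecom IP, rejected
    add_branch_host_route(head)
    print("after fix: ", phase1_attempt(head, branch))   # reply from Unicom IP, accepted
```

Run as a script to see both attempts; the first reply carries the Telecom address and is dropped by the branch, which is the "retransmission limit reached" symptom, and the second carries the Unicom address and is accepted.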
This article is from the "OnMyWay" blog; please do not reproduce it.