5. Common Failures and Debug Commands
[H3C]dis ike sa
After the configuration is complete, users find that network A and network B cannot access each other.
Possible causes
1. Traffic does not match ACL rules
2. Inconsistent IKE security proposal configuration on the two devices
Execute the command display ike proposal on NGFW_A and NGFW_B respectively, and check that the IKE security proposal configuration is consistent on both devices, including the encryption algorithm, the authentication algorithm and the DH group identifier (Diffie-Hellman group).
3. Different IKE versions for both devices
4. Misconfiguration of the peer IP address or the peer domain name
5. The pre-shared key configuration for both ends of the device is inconsistent
6. NAT traversal feature not enabled
7. Inconsistent IPSec security proposal configuration on the two devices
Execute the command display ipsec proposal [ brief | name proposal-name ] on NGFW_A and NGFW_B respectively, and check that the IPSec security proposal configuration is consistent on both devices, including the security protocol used, the authentication and encryption algorithms used by that security protocol, the packet encapsulation mode and so on.
8. The PFS feature configuration is inconsistent for both ends of the device
9. IPSec security policy sequence number configuration error
10. IPSec security policy applied on the wrong interface
11. SA timeout configured too small
If the user disconnects frequently, the reason may be that the IKE SA timeout is configured too small. The IKE SA timeout period defaults to 86,400 seconds.
Execute the command display ike proposal to see the timeout of the IKE SA.
12. Routing Configuration Error
13. Security Policy Configuration Error
14. NAT policy configuration error
15. Old or existing SAs (security associations) have not been cleared
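The proposal comparison in cause 2 can be scripted once the display ike proposal output of both devices is saved as text. The following is an added example, not part of the original article: the function names are hypothetical, the sample output is constructed, and the "Key : value" layout is an assumption that should be checked against the real device output. Proposals are matched by their parameters rather than by number, because the proposal number is local to each device.

```python
import re

# Fields that must be identical on both peers for a proposal to be accepted.
NEGOTIATED = ("authentication algorithm", "encryption algorithm", "dh group")

# Constructed sample text (not device output); real layout varies by version.
NGFW_A = """\
IKE Proposal: 10
  Authentication algorithm : SHA2-256
  Encryption algorithm     : AES-256
  DH group                 : MODP-2048
"""
NGFW_B = """\
IKE Proposal: 10
  Authentication algorithm : SHA1
  Encryption algorithm     : AES-256
  DH group                 : MODP-1024
IKE Proposal: 20
  Authentication algorithm : SHA2-256
  Encryption algorithm     : AES-256
  DH group                 : MODP-2048
"""

def parse_proposals(text):
    """Return {proposal_id: {field: value}} from 'Key : value' lines."""
    proposals, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "ike proposal":
            current = proposals.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return proposals

def common_proposals(a_text, b_text):
    """(id_on_a, id_on_b) pairs whose negotiated fields are all identical."""
    a, b = parse_proposals(a_text), parse_proposals(b_text)
    sig = lambda p: tuple(p.get(f) for f in NEGOTIATED)
    return [(ia, ib) for ia, pa in a.items() for ib, pb in b.items()
            if sig(pa) == sig(pb)]

def mismatched_fields(pa, pb):
    """Negotiated fields that differ between two parsed proposals."""
    return {f: (pa.get(f), pb.get(f)) for f in NEGOTIATED if pa.get(f) != pb.get(f)}

if __name__ == "__main__":
    print(common_proposals(NGFW_A, NGFW_B))
```

An empty result from common_proposals means the two devices share no acceptable proposal; mismatched_fields then shows which of the three parameters to correct.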
Reprint http://dadiwm.blog.51cto.com/1773851/1783449/
This article is from the "Garrett" blog, make sure to keep this source http://garrett.blog.51cto.com/11611549/1983606
IPsec VPN Detailed--Verify configuration