Updated on 2024-07-23 GMT+08:00

What Should I Do If My Firewall Cannot Receive Response Packets from a VPN Subnet?

  1. On the on-premises gateway device, check the routes, security policies, NAT configuration, interesting traffic, and phase 2 negotiation policies.
    • Route configurations: Route traffic destined for cloud subnets into the VPN tunnel.
    • Security policies: Allow traffic from on-premises subnets to cloud subnets.
    • NAT policies: Do not perform source NAT on traffic originating from on-premises subnets and destined for cloud subnets.
    • Interesting traffic: The interesting traffic configured at the two ends of a VPN connection must mirror each other (the local subnets at one end are the remote subnets at the other). An address object name cannot be used for interesting traffic configured with IKEv2; use the subnet itself.
    • Negotiation policies: Ensure that the negotiation policies at both ends are the same, especially the PFS setting.
  2. After confirming that both phase 1 and phase 2 negotiations are normal, ensure that the security groups on the cloud permit ICMP packets originating from on-premises subnets and destined for cloud subnets.
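As an added example (not part of this Huawei Cloud page), the following Python script checks the phase 2 items from step 1 for two peers: it parses both ends' interesting traffic, verifies that the subnets mirror each other, flags entries that are address object names rather than CIDRs, and compares the PFS setting and IKE version. The Phase2Config model and the sample subnets are constructed assumptions, not a vendor configuration format.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Phase2Config:
    """Phase 2 parameters of one VPN peer (constructed model, not a vendor format)."""
    ike_version: int        # 1 or 2
    local_subnets: list     # interesting traffic, this peer's own side (CIDR strings)
    remote_subnets: list    # interesting traffic, the other peer's side (CIDR strings)
    pfs: str                # e.g. "group14", or "disable" when PFS is off


def _parse_subnets(subnets, label, problems):
    """Parse CIDR strings into networks; anything unparsable is reported
    as an address object name, which cannot be used for IKEv2 interesting traffic."""
    nets = set()
    for s in subnets:
        try:
            nets.add(ipaddress.ip_network(s, strict=False))
        except ValueError:
            problems.append(f"{label}: '{s}' is not a CIDR; address object names "
                            f"cannot be used for IKEv2 interesting traffic")
    return nets


def check_phase2(onprem, cloud):
    """Return a list of phase 2 mismatches between the two peers (empty if consistent)."""
    problems = []
    op_local = _parse_subnets(onprem.local_subnets, "on-prem local", problems)
    op_remote = _parse_subnets(onprem.remote_subnets, "on-prem remote", problems)
    cl_local = _parse_subnets(cloud.local_subnets, "cloud local", problems)
    cl_remote = _parse_subnets(cloud.remote_subnets, "cloud remote", problems)
    # Interesting traffic must be mirrored: my local set is the peer's remote set.
    if op_local != cl_remote:
        problems.append("on-prem local subnets do not match cloud remote subnets")
    if op_remote != cl_local:
        problems.append("on-prem remote subnets do not match cloud local subnets")
    if onprem.pfs.lower() != cloud.pfs.lower():
        problems.append(f"PFS mismatch: on-prem '{onprem.pfs}' vs cloud '{cloud.pfs}'")
    if onprem.ike_version != cloud.ike_version:
        problems.append(f"IKE version mismatch: {onprem.ike_version} vs {cloud.ike_version}")
    return problems


# Constructed sample: on-premises 192.168.10.0/24 <-> cloud 10.0.0.0/16, IKEv2, PFS group14.
ONPREM_OK = Phase2Config(2, ["192.168.10.0/24"], ["10.0.0.0/16"], "group14")
CLOUD_OK = Phase2Config(2, ["10.0.0.0/16"], ["192.168.10.0/24"], "group14")
# Constructed faulty on-premises config: address object name used and PFS disabled.
ONPREM_BAD = Phase2Config(2, ["net_office"], ["10.0.0.0/16"], "disable")

if __name__ == "__main__":
    print(check_phase2(ONPREM_OK, CLOUD_OK))     # []
    for problem in check_phase2(ONPREM_BAD, CLOUD_OK):
        print(problem)
```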