USG 1100 policy route don't work, the packet outgoing interface: doll

alexey

Hello.
Site A - usg 1100 v4.72
Site B - usg flex 50W v5.32
Build 2 vti interfaces in trunk. Added policy route to Sote B via trunk.
Device from site A don't have access to site B.
In routing traces i see, that traffic goes to doll interface

172.20.0.90:0->172.20.77.61:0

49316

ICMP

0

0

local

The packet outgoing interface: x

172.20.0.90:0->172.20.77.61:0

49316

ICMP

0

64

local

The packet outgoing interface: doll

Site C - usg flex 50W v5.32
Site A connected to Site C with same config. All work perfect, in routing traces traffic goes via vti interface.

172.20.0.90:0->172.20.58.5:0

35303

ICMP

0

0

local

The packet outgoing interface: vti16

172.20.0.90:0->172.20.58.5:0

35303

ICMP

0

0

local

The packet outgoing interface: x

Zyxel_Jeff

Hi @alexey

Could you share your network topology with IP address for us? It is convenient for us to realize your situation. Thanks.

Zyxel_Jeff

Hi @alexey

Please share your policy route setting with us as well. We would like to check the next hop setting. If you could share both devices' configs with us by private that would be better. Thanks.

Zyxel_Jeff

Hi @alexey

Additionally, if the next-hop is chosen as a tunnel and the outgoing interface is the doll interface while you execute the trace route action. Let you know that. Thanks.

alexey

Zyxel_Jeff said:

Hi @alexey

Could you share your network topology with IP address for us? It is convenient for us to realize your situation. Thanks.

Main office with 40 sites connected by ipsec/vti/vti in trunk.

Firstly, problem site was connected via ipsec tunnel with dynamic peer. All work fine.
After configure 2 vti interfaces in trunk, policy route was change to new next hop via new trunk.
Site began unavailable on both sides.
Traffic goes to doll interface.
After reboot USG1100 with no changes in confuration file all start work as expected. Mysticly!

So i see this reproducing steps:
1 USG Flex 50 connect via USB modem by ipsec with dynamic peer for long time with connect/disconnect.
2 Disable ipsec tunnel, create 2 vti interfaces beetween devices and union they in trunk.
3 Change policy route to new trunk.
4 Nothing work

Zyxel_Jeff

alexey said:

Zyxel_Jeff said:

Hi @alexey

Could you share your network topology with IP address for us? It is convenient for us to realize your situation. Thanks.

Main office with 40 sites connected by ipsec/vti/vti in trunk.

Firstly, problem site was connected via ipsec tunnel with dynamic peer. All work fine.
After configure 2 vti interfaces in trunk, policy route was change to new next hop via new trunk.
Site began unavailable on both sides.
Traffic goes to doll interface.
After reboot USG1100 with no changes in confuration file all start work as expected. Mysticly!

So i see this reproducing steps:
1 USG Flex 50 connect via USB modem by ipsec with dynamic peer for long time with connect/disconnect.
2 Disable ipsec tunnel, create 2 vti interfaces beetween devices and union they in trunk.
3 Change policy route to new trunk.
4 Nothing work

Hi @alexey

Thanks for your response, we would like to clarify your reproducing steps:
"So i see this reproducing steps:
1 USG Flex 50 connect via USB modem by ipsec with dynamic peer for long time with connect/disconnect.
2 Disable ipsec tunnel, create 2 vti interfaces beetween devices and union they in trunk.
3 Change policy route to new trunk.
4 Nothing work"

So, the 5th step is to reboot USG1100 and USG Flex 50 and then the policy routes(the next hop with VTI trunk) are working suddenly?

Thanks.