无
某局点采用WX3510H和对端CISCO设备对接IPsec,实现内网无线终端业务流量能访问对面,之前使用都是正常的,但是最近发现ipsec 业务不定时中断,出现中断的时候dis ike sa 没有了,只有dis ipsec sa,初步怀疑是两边ike 协商有问题,但是由于现场cisco 设备暂无法登入,无法查看对端配置,只能在本端收集debug信息查看。
第一次故障时查看dis ike sa 没有,但是dis ipsec sa 还有。
<AC-WX3510H-F>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
<AC-WX3510H-F> dis ipsec sa
-------------------------------
Interface: Vlan-interface100
-------------------------------
-----------------------------
IPsec policy: 1
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1428
Tunnel:
local address: x.x.x.x
remote address: x.x.x.90
Flow:
sour addr: 172.x.x.0/255.255.252.0 port: 0 protocol: ip
dest addr: 192.x.x.0/255.255.255.0 port: 0 protocol: ip
后续在8:23的时候dis ike sa 已协商正常,并且业务已恢复正常,
*Jan 21 08:23:52:828 2021 AC-WX3510H-F IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
4783 x.x.x..90 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<AC-WX3510H-F>*Jan 21 08:23:54:827 2021 AC-WX3510H-F IPSEC/7/PACKET:
在08:28 查看时,发现dis ike sa 又消失了,业务再次中断
*Jan 21 08:28:54:999 2021 AC-WX3510H-F IPSEC/7/PACKET:
Outbound IPsec processing: Packet encapsulated successfully.
<AC-WX3510H-F>
<AC-WX3510H-F>dis ike sa
Connection-ID Remote Flag DOI
------------------------------------------------------------------
<AC-WX3510H-F>dis ipsec sa
-------------------------------
查看故障时的debug信息,发现在ike 第一阶段协商的时候,协商的存活时间为60s,但是查看设备侧没有做特殊配置,采用的是默认配置,但是由于对端暂无法登入,无法查看配置确认。
*Jan 21 08:23:41:702 2021 AC-WX3510H-F IKE/7/EVENT: Vendor ID NAT-T rfc3947 is matched.
*Jan 21 08:23:41:702 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
Process SA payload.
*Jan 21 08:23:41:702 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
Check ISAKMP transform 1.
*Jan 21 08:23:41:702 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
Encryption algorithm is AES-CBC.
*Jan 21 08:23:41:702 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
Key length is 128 bytes.
*Jan 21 08:23:41:703 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
HASH algorithm is HMAC-SHA1.
*Jan 21 08:23:41:703 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
DH group is 2.
*Jan 21 08:23:41:703 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
Authentication method is Pre-shared key.
*Jan 21 08:23:41:703 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
Lifetime type is 1.
*Jan 21 08:23:41:703 2021 AC-WX3510H-F IKE/7/PACKET: vrf = 0, local = x.x.x.202 remote = x.x.x.90/500
Life duration is 60.
*Jan 21 08:23:41:704 2021 AC-WX3510H-F IKE/7/EVENT: vrf = 0, local = x.x.x.202, remote = x.x.x.90/500
Found pre-shared key that matches address x.x.x.90 in keychain 1.
后续协商客户,登入CISCO设备查看,发现CISCO上的存活时间改为60s了,对端60s 就出现重新协商,但是我司设备不会重新协商,导致业务中断。
最终把我司的ike sa duration 改为60s 之后,问题解决。
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
sa duration 60
该案例暂时没有网友评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作