组网及说明
MSR810作为分支采用国密方式同总部的MSR810建立gre over ispec,目前仅建立一条隧道。
问题描述
ike sa和ipsec sa都有,gre隧道口也是up的,但分布侧带tunnel源地址ping tunnel目的地址不通。
隧道口不通:
[测试]ping -a 172.26.33.60 172.26.0.1
Ping 172.26.0.1 (172.26.0.1) from 172.26.33.60: 56 data bytes, press CTRL+C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- Ping statistics for 172.26.0.1 --- 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss
过程分析
1、查看ike sa和ipsec sa均建立
2、tunnel口是up的
3、分支侧display ipsec statistics计数无增长,但是debug ip paket有发出包
发出报文持续为0
分支debug看报文有发出
4、总部ping分支时,计数正常增长,怀疑分支侧有问题
<zongbu>dis ipsec statistics
IPsec packet statistics:
Received/sent packets: 0/15
Received/sent bytes: 0/1440
Dropped packets (received/sent): 0/0
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Crypto speed limit exceeded: 0
5、当不用国密算法时,隧道能正常通信,怀疑是硬件加密模块故障。
解决方法
替换硬件加密模块。
编辑评论
✖
案例意见反馈
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
你的评论太水了