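The error occurred during operation: IPsec between headquarters and the branch failed to establish, and the IKE SA did not come up. The two sides can ping each other's public addresses without problems. The debug output is below. It shows the branch reporting "Number of negotiating IKE SAs exceeded the limit", yet there is no IKE SA on the branch side.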
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: Received message from ipsec, message type is 0.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: Received SA acquire message from IPsec.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: Received message from ipsec, message type is 0.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: Received SA acquire message from IPsec.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: IKE thread 1099256910512 processes a job.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: Received SA acquire message from IPsec.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: vrf = 0, local = 39.129.xxx.xxx, remote = 112.31.xxx.xxx/500 Set IPsec SA state to IKE_P2_STATE_INIT.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: IKE SA not found. Initiate IKE SA negotiation.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/ERROR: Number of negotiating IKE SAs exceeded the limit.
*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: vrf = 0, local = 39.129.xxx.xxx, remote = 112.31.xxx.xxx/500 Send delete SA to IPsec, the reason is negotiate fail.
*Dec 29 02:54:30:879 2022 OA_PE_SD-WAN IKE/7/EVENT: Send delete SA to IPsec, the reason is negotiate fail.
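The failure appeared at runtime with no configuration change, which indicates that the configuration is not at fault. The debug output shows the IKE SA limit being exceeded, but display ike sa shows that the branch has no IKE SA actually in use, so an internal implementation problem in the software's IKE module was suspected. It was confirmed that the on-site version R6728P1401 has a problem where IKE SA memory cannot be released, and that the problem is triggered probabilistically.
The problem exists only in versions R6728P1401 and R6728P14.
The device has been worked around remotely with ike limit max-negotiating-sa 300; a later upgrade to the latest annual release will resolve it completely.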
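As an added example (not part of the original case and not vendor code), the following Python script scans IKE debug output in the format shown above and counts, per peer, how often a negotiation was refused with the limit error, noting whether the device had just logged "IKE SA not found". The function name find_limit_rejections and the sample text, constructed from the lines above, are assumptions.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the debug output above, including
# two entries that share one physical line.
SAMPLE = (
    "*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: Received SA acquire message from IPsec.\n"
    "*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: vrf = 0, local = 39.129.xxx.xxx, "
    "remote = 112.31.xxx.xxx/500 Set IPsec SA state to IKE_P2_STATE_INIT. "
    "*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: IKE SA not found. Initiate IKE SA negotiation.\n"
    "*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/ERROR: Number of negotiating IKE SAs exceeded the limit.\n"
    "*Dec 29 02:54:30:877 2022 OA_PE_SD-WAN IKE/7/EVENT: vrf = 0, local = 39.129.xxx.xxx, "
    "remote = 112.31.xxx.xxx/500 Send delete SA to IPsec, the reason is negotiate fail.\n"
)

# Split in front of every "*Mon DD HH:MM:SS:mmm YYYY " stamp, even mid-line.
ENTRY_START = re.compile(r"(?=\*[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:\d{3} \d{4} )")
HEADER = re.compile(r"\*\w{3} +\d{1,2} [\d:]+ \d{4} (?P<host>\S+) IKE/\d/\w+: (?P<msg>.*)")
PEER = re.compile(r"local = (?P<local>\S+), remote = (?P<remote>\S+?)/\d+")
LIMIT_ERROR = "Number of negotiating IKE SAs exceeded the limit"


def find_limit_rejections(text):
    """Count limit errors keyed by (host, local, remote, no_sa_found)."""
    hits = Counter()
    peer, no_sa_found = None, False
    for chunk in ENTRY_START.split(text):
        m = HEADER.match(chunk.strip())
        if not m:
            continue  # empty chunk or a line that is not IKE debug output
        msg = m["msg"]
        p = PEER.search(msg)
        if p:
            peer = (p["local"], p["remote"])  # most recent peer seen
        if "IKE SA not found" in msg:
            no_sa_found = True  # device is starting a new negotiation
        elif LIMIT_ERROR in msg:
            local, remote = peer or ("?", "?")
            hits[(m["host"], local, remote, no_sa_found)] += 1
            no_sa_found = False
    return hits


if __name__ == "__main__":
    for key, count in find_limit_rejections(SAMPLE).items():
        print(key, count)
```

A non-zero count with the last field True, while display ike sa on the same device shows no IKE SA, matches the symptom described in this case.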