I can see connection-failure logs on the firewall:
<JTsanyiyuanCORE_1>ping -a 172.75.76.252 10.20.192.11
PING 10.20.192.11: 56 data bytes, press CTRL_C to break
*Apr 26 10:01:54:123 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Can't find block-flow node.
*Apr 26 10:01:54:123 2022 JTSYY IPSEC/7/PACKET: -COntext=1; Failed to find SA by SP, SP Index = 1, SP Convert-Seq = 65536.
*Apr 26 10:01:54:123 2022 JTSYY IPSEC/7/ERROR: -COntext=1; The reason of dropping packet is no available IPsec tunnel.
*Apr 26 10:01:54:123 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Sent SA-Acquire message : SP ID = 1
*Apr 26 10:01:54:124 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Received negotiatiate SA message from IPsec kernel.
*Apr 26 10:01:54:124 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Got SA time-based soft lifetime settings when filling Sp data.
Configured soft lifetime buffer : 0 seconds.
Configured global soft lifetime buffer : 0 seconds.
%Apr 26 10:01:54:227 2022 JTSYY SYSLOG/5/LOGFILE_USAGEHIGH: -COntext=1; The usage of log-file flash:/logfile/atk_single.log reaches 80%.
Request time out
*Apr 26 10:01:56:349 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Found block-flow node.
*Apr 26 10:01:56:349 2022 JTSYY IPSEC/7/PACKET: -COntext=1; Failed to find SA by SP, SP Index = 1, SP Convert-Seq = 65536.
*Apr 26 10:01:56:349 2022 JTSYY IPSEC/7/ERROR: -COntext=1; The reason of dropping packet is no available IPsec tunnel.
Request time out
*Apr 26 10:01:58:574 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Found block-flow node.
*Apr 26 10:01:58:574 2022 JTSYY IPSEC/7/PACKET: -COntext=1; Failed to find SA by SP, SP Index = 1, SP Convert-Seq = 65536.
*Apr 26 10:01:58:574 2022 JTSYY IPSEC/7/ERROR: -COntext=1; The reason of dropping packet is no available IPsec tunnel.
Request time out
*Apr 26 10:02:00:799 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Found block-flow node.
*Apr 26 10:02:00:799 2022 JTSYY IPSEC/7/PACKET: -COntext=1; Failed to find SA by SP, SP Index = 1, SP Convert-Seq = 65536.
*Apr 26 10:02:00:799 2022 JTSYY IPSEC/7/ERROR: -COntext=1; The reason of dropping packet is no available IPsec tunnel.
Request time out
*Apr 26 10:02:03:023 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Found block-flow node.
*Apr 26 10:02:03:023 2022 JTSYY IPSEC/7/PACKET: -COntext=1; Failed to find SA by SP, SP Index = 1, SP Convert-Seq = 65536.
*Apr 26 10:02:03:023 2022 JTSYY IPSEC/7/ERROR: -COntext=1; The reason of dropping packet is no available IPsec tunnel.
Request time out
--- 10.20.192.11 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
The Sangfor device configuration is as follows:
(0)
The authentication algorithm doesn't match: H3C is md5 and Sangfor is sha-1. Change it and try again.
(0)
It is correct, though: ike proposal 33 is sha1.
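So it is, I misread it as 22. Then, going by the configuration alone, there doesn't seem to be any problem. Clear the IKE SAs and IPsec SAs on both sides, then deb ike. What you posted above looks like deb ipsec; you actually don't need deb ipsec. Run deb ike, look at the IKE negotiation process, and see which phase it is stuck at. If IKE shows a teardown message, check which side initiated the teardown.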
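An added example, not part of the thread and not H3C tooling: a small Python parser for the debug output posted in the question. It counts the "no available IPsec tunnel" drops and checks whether the capture contains any IKE lines at all, which is the point the last reply makes. The function names are hypothetical, and the `IKE` module name for IKE debug lines is an assumption.

```python
import re
from collections import Counter

# Header of a Comware-style log line as it appears in the post:
# "*Apr 26 10:01:54:123 2022 HOST MODULE/LEVEL/MNEMONIC: -COntext=1; text"
LINE_RE = re.compile(
    r"^[*%](?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d:\d{3} \d{4}) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<level>\d)/(?P<mnemonic>\w+): (?:-\S+=\S+; )?(?P<text>.*)$"
)

# Excerpt copied from the log in the post, one entry per line.
SAMPLE = """\
PING 10.20.192.11: 56 data bytes, press CTRL_C to break
*Apr 26 10:01:54:123 2022 JTSYY IPSEC/7/PACKET: -COntext=1; Failed to find SA by SP, SP Index = 1, SP Convert-Seq = 65536.
*Apr 26 10:01:54:123 2022 JTSYY IPSEC/7/ERROR: -COntext=1; The reason of dropping packet is no available IPsec tunnel.
*Apr 26 10:01:54:123 2022 JTSYY IPSEC/7/EVENT: -COntext=1; Sent SA-Acquire message : SP ID = 1
%Apr 26 10:01:54:227 2022 JTSYY SYSLOG/5/LOGFILE_USAGEHIGH: -COntext=1; The usage of log-file flash:/logfile/atk_single.log reaches 80%.
Request time out
*Apr 26 10:01:56:349 2022 JTSYY IPSEC/7/ERROR: -COntext=1; The reason of dropping packet is no available IPsec tunnel.
Request time out
"""

def parse(log_text):
    """Return one dict per recognised log line; ping output is skipped."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def summarize(log_text):
    events = parse(log_text)
    ipsec = [e for e in events if e["module"] == "IPSEC"]
    drops = [e for e in ipsec if "no available IPsec tunnel" in e["text"]]
    return {
        "modules": dict(Counter(e["module"] for e in events)),
        "drops_no_tunnel": len(drops),
        "sa_acquire_sent": sum("Sent SA-Acquire" in e["text"] for e in ipsec),
        # Assumption: IKE debug lines carry the module name "IKE".
        "ike_lines": sum(e["module"] == "IKE" for e in events),
    }

def diagnose(summary):
    if summary["drops_no_tunnel"] and not summary["ike_lines"]:
        return ("Packets dropped for lack of an IPsec SA, but the capture has no "
                "IKE lines: capture IKE debugging to see where negotiation stops.")
    if summary["drops_no_tunnel"]:
        return "IKE lines present: read them to find the phase that fails."
    return "No 'no available IPsec tunnel' drops in this capture."

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    print(diagnose(s))
```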