问

F1000-AK160/F1030

2019-04-30提问

0关注
1收藏，1487浏览

zhiliao_mKPYT

zhiliao_mKPYT 二段

粉丝：0人关注：0人

问题描述：

总部F1000-AK160系统升级后与分支F1030建立IPSEC VPN中断（只有阶段1存在）、与其他分支VPN建立正常，在总部查看debu信息如下：

*Apr 30 16:26:46:455 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Received packet from 202.99.252.211 source port 500 destination port 500. *Apr 30 16:26:46:455 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 I-COOKIE: a4169bd793148df3 R-COOKIE: f2ff68f7eaf9cd3d next payload: HASH version: ISAKMP Version 1.0 exchange mode: Quick flags: ENCRYPT message ID: ddb9fc81 length: 156 *Apr 30 16:26:46:455 2019 Center_Out_FW IKE/7/EVENT: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Set IPsec SA state to IKE_P2_STATE_INIT. *Apr 30 16:26:46:455 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Decrypt the packet. *Apr 30 16:26:46:455 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Received ISAKMP Hash Payload. *Apr 30 16:26:46:455 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Received ISAKMP Security Association Payload. *Apr 30 16:26:46:455 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Received ISAKMP Nonce Payload. *Apr 30 16:26:46:456 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Received ISAKMP Identification Payload (IPsec DOI). *Apr 30 16:26:46:456 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Received ISAKMP Identification Payload (IPsec DOI). *Apr 30 16:26:46:456 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Process HASH payload. *Apr 30 16:26:46:456 2019 Center_Out_FW IKE/7/EVENT: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Validated HASH(1) successfully. *Apr 30 16:26:46:456 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Process IPsec ID payload. *Apr 30 16:26:46:456 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Process IPsec ID payload. *Apr 30 16:26:46:456 2019 Center_Out_FW IKE/7/EVENT: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Set inside vrf to Nego flow info. *Apr 30 16:26:46:456 2019 Center_Out_FW IKE/7/EVENT: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 IPsec SA state changed from IKE_P2_STATE_INIT to IKE_P2_STATE_GETSP. *Apr 30 16:26:46:457 2019 Center_Out_FW IKE/7/ERROR: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Failed to get IPsec policy for phase 2 responder. Delete IPsec SA. *Apr 30 16:26:46:457 2019 Center_Out_FW IKE/7/ERROR: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Failed to negotiate IPsec SA. *Apr 30 16:26:46:457 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Encrypt the packet. *Apr 30 16:26:46:469 2019 Center_Out_FW IKE/7/PACKET: -COntext=1; vrf = 0, local = 218.28.61.122, remote = 202.99.252.211/500 Construct notification packet: INVALID_ID_INFORMATION.