IP obtained on the branch dial-up interface: 114.95.208.XX
The firewall acts as the headquarters (hub) and terminates roughly 200-300 IPsec tunnels. Every 6-7 days the IKE process exits abnormally and some of the IPsec tunnels drop; `reset ike sa` does not bring them back up, and the headquarters device has to be rebooted before they recover.
1.
2. Configuration (branch side, judging by local-identity fqdn branch / match remote identity fqdn center; note that it uses 3des-cbc, md5 and dh group2 with aggressive mode, legacy choices that are not the cause of this fault but worth migrating):
ipsec transform-set 1
esp encryption-algorithm 3des-cbc
esp authentication-algorithm md5
ipsec policy policy 1 isakmp
transform-set 1
security acl 3000
remote-address 101.231.234.18
ike-profile 1
ike identity fqdn branch
keychain 1
exchange-mode aggressive
local-identity fqdn branch
match remote identity fqdn center
match remote identity address 101.231.234.18 255.255.255.255
proposal 1
ike proposal 1
encryption-algorithm aes-cbc-128
dh group2
authentication-algorithm md5
ike keychain 1
pre-shared-key address 101.231.234.18 255.255.255.0 key cipher $c$3$jNloi9dOZC3UGyV7djpwSOOTqGiToMjmdEdm
3. Collect the fault debug output:
*Jan 29 11:21:09:080 2019 H3C IKE/7/EVENT: Received message from ipsec.
*Jan 29 11:21:09:080 2019 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Jan 29 11:21:09:080 2019 H3C IKE/7/EVENT: IKE thread 1997042976 processes a job.
*Jan 29 11:21:09:081 2019 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Jan 29 11:21:09:081 2019 H3C IKE/7/EVENT: vrf = 0, src = 180.175.108.xx, dst = 101.231.234.xx/500
Collision of phase 2 negotiation is found when acquired sa.
*Jan 29 11:21:09:081 2019 H3C IPSEC/7/EVENT:
Sent delete SA message to all nodes, message type is 0x16.
The error is raised during phase 2 (IPsec SA) negotiation.
The interesting traffic (ACL) of another branch that dropped afterwards (IP: 180.175.108.xx) is as follows:
acl advanced 3000
rule 70 permit ip source 172.16.18.0 0.0.0.255 destination 172.16.32.0 0.0.3.255
rule 90 deny ip
Looking at the IPsec tunnels on the headquarters device, one of them is as follows:
IPsec policy: branch
Sequence number: 1
Mode: Template
-----------------------------
Tunnel id: 239
Encapsulation mode: tunnel
Perfect Forward Secrecy: dh-group2
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1436
Tunnel:
local address: 101.231.234.xx
remote address: 114.95.208.xx
Flow:
sour addr: 172.16.18.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.16.32.0/255.255.252.0 port: 0 protocol: ip
So the two branches, 180.175.108.xx and 114.95.208.xx, present the same interesting traffic (172.16.18.0/24 to 172.16.32.0/22) and their selectors conflict: both stores use addresses from 172.16.18.0. Because the headquarters policy runs in template mode (Mode: Template), it accepts whatever selector each branch proposes, so both branches get an SA for the same flow and return traffic from headquarters matches both. Packets are therefore steered into the wrong tunnel; the symptom is that IPsec breaks after running for a while and comes back after a reboot or a reset that re-triggers negotiation.
Headquarters has nearly 300 tunnels in total. Check whether the private address ranges used by the ~300 branches overlap and whether their interesting-traffic definitions conflict.
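Checking 300 tunnels by eye is error-prone, so here is an offline checker, added as an example and not part of the original case. It parses tunnel blocks in the layout of the `display ipsec sa` output shown above (Tunnel id, remote address, sour/dest addr) and reports pairs of tunnels to different peers whose source and destination selectors overlap; it also converts a branch ACL rule (wildcard-mask syntax, as in acl advanced 3000 above) into networks and lists the existing tunnels it would collide with. The sample output and ACL are constructed (peer addresses are invented, since the case masks them as xx); only the field names and layout follow the case.

```python
"""Find overlapping IPsec flow selectors across hub tunnels (added example).

Assumes 'display ipsec sa'-style blocks with the fields 'Tunnel id:',
'remote address:', 'sour addr:' and 'dest addr:' as printed in the case,
and Comware ACL rules with wildcard masks. Sample data below is constructed.
"""
import ipaddress
import re
from itertools import combinations

# Constructed sample in the layout of the case's 'display ipsec sa' output.
# Peer addresses are invented; tunnels 239 and 240 carry the same flow.
SAMPLE_DISPLAY = """\
Tunnel id: 239
Encapsulation mode: tunnel
Tunnel:
local address: 101.231.234.1
remote address: 114.95.208.10
Flow:
sour addr: 172.16.18.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.16.32.0/255.255.252.0 port: 0 protocol: ip
Tunnel id: 240
Encapsulation mode: tunnel
Tunnel:
local address: 101.231.234.1
remote address: 180.175.108.20
Flow:
sour addr: 172.16.18.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.16.32.0/255.255.252.0 port: 0 protocol: ip
Tunnel id: 241
Encapsulation mode: tunnel
Tunnel:
local address: 101.231.234.1
remote address: 203.0.113.5
Flow:
sour addr: 172.16.19.0/255.255.255.0 port: 0 protocol: ip
dest addr: 172.16.32.0/255.255.252.0 port: 0 protocol: ip
"""

# Constructed branch ACL in the case's 'acl advanced' syntax (wildcard masks).
SAMPLE_ACL = """\
acl advanced 3000
rule 70 permit ip source 172.16.18.0 0.0.0.255 destination 172.16.32.0 0.0.3.255
rule 90 deny ip
"""

ACL_RULE_RE = re.compile(
    r"rule \d+ permit ip source (\S+) (\S+) destination (\S+) (\S+)")


def parse_tunnels(text):
    """Return one dict per tunnel: id, peer, src, dst (src/dst as networks).
    ipaddress understands the 'addr/netmask' form the device prints."""
    tunnels, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Tunnel id:"):
            cur = {"id": int(line.split(":")[1])}
            tunnels.append(cur)
        elif cur is None:
            continue
        elif line.startswith("remote address:"):
            cur["peer"] = line.split(":")[1].strip()
        elif line.startswith(("sour addr:", "dest addr:")):
            key = "src" if line.startswith("sour") else "dst"
            cidr = line.split()[2]  # e.g. 172.16.18.0/255.255.255.0
            cur[key] = ipaddress.ip_network(cidr, strict=False)
    # Drop incomplete blocks (e.g. an SA still negotiating).
    return [t for t in tunnels if {"peer", "src", "dst"} <= t.keys()]


def find_overlaps(tunnels):
    """Pairs of tunnel ids to *different* peers whose selectors overlap in
    both source and destination. Two SAs to the same peer (a rekey) are
    expected and are skipped."""
    hits = []
    for a, b in combinations(tunnels, 2):
        if a["peer"] == b["peer"]:
            continue
        if a["src"].overlaps(b["src"]) and a["dst"].overlaps(b["dst"]):
            hits.append((a["id"], b["id"]))
    return hits


def parse_acl_flows(text):
    """Permit rules of a branch ACL as (src, dst) networks. Wildcard masks
    such as 0.0.3.255 are accepted by ipaddress as host masks."""
    flows = []
    for m in ACL_RULE_RE.finditer(text):
        src = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        dst = ipaddress.ip_network(f"{m[3]}/{m[4]}", strict=False)
        flows.append((src, dst))
    return flows


def tunnels_clashing_with(flow, tunnels):
    """Ids of hub tunnels whose selector overlaps a branch's proposed flow."""
    src, dst = flow
    return [t["id"] for t in tunnels
            if t["src"].overlaps(src) and t["dst"].overlaps(dst)]


if __name__ == "__main__":
    tunnels = parse_tunnels(SAMPLE_DISPLAY)
    for a, b in find_overlaps(tunnels):
        print(f"tunnel {a} and tunnel {b} carry the same flow to different peers")
    for flow in parse_acl_flows(SAMPLE_ACL):
        print(f"{flow[0]} -> {flow[1]} clashes with tunnels",
              tunnels_clashing_with(flow, tunnels))
```

On the constructed sample this flags tunnels 239 and 240, and shows that the branch ACL rule 70 would collide with both of them before that branch is even added. Run it against the full `display ipsec sa` output of the hub (saved to a file and passed to parse_tunnels) to audit all ~300 tunnels at once; because the hub policy is a template, the hub itself never rejects an overlapping proposal, so this check has to be done out of band or by fixing the branch addressing plan.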