At one site the branch uses an MSR2600-10 that terminates an IPsec tunnel to a Ruijie device at headquarters. The tunnel establishes normally but drops at random intervals and traffic stops. When it drops, the MSR logs the message below and tears down its IKE Phase 1 SA; after `reset ike sa` and `reset ipsec sa` the tunnel comes back up.
Mar 22 03:14:02:536 2016 fengze1 IKE/4/IKE_PACKET_DROPPED: -Src addr=10.27.249.244-Dst addr=171.12.0.23-I_COOKIE=5dd3009e9dfecb12-R_COOKIE=000ea0108cd51d37-Cause=Invalid protocol ID-Payload=DELETE; IKE packet dropped.
Debug output was collected and analyzed:
Ruijie sends two DELETE notifications, one for the Phase 1 (ISAKMP) SA and one for the IPsec SA.
Our side (the MSR) deletes the Phase 1 SA because it received a Delete payload that targets the Phase 1 SA.
The Delete payload that targets the IPsec SA is treated as malformed and is not processed, so the IPsec SA stays in place while its Phase 1 SA is gone.
The error is that a Delete payload for an IPsec protocol (here ESP) must carry the IPsec DOI, not the ISAKMP DOI. Packets of this kind are ignored.
The IPsec DOI value is 1 and the ISAKMP DOI value is 0. The DOI is the first (4-octet) field of the ISAKMP Delete payload (RFC 2408 §3.15), followed by the protocol ID, the SPI size and the number of SPIs. Protocol ID 3 (PROTO_IPSEC_ESP) is defined under the IPsec DOI (RFC 2407 §4.4.1), which is why the combination DOI: ISAKMP / PROTO: IPSEC_ESP in the debug below is rejected with Cause=Invalid protocol ID, whereas DOI: ISAKMP / PROTO: ISAKMP with a 16-byte SPI (the initiator/responder cookie pair) is accepted and tears down Phase 1.
Key debug output:
%Mar 22 03:14:02:536 2016 fengze1 IKE/4/IKE_PACKET_DROPPED: -Src addr=10.27.249.244-Dst addr=171.12.0.23-I_COOKIE=5dd3009e9dfecb12-R_COOKIE=000ea0108cd51d37-Cause=Invalid protocol ID-Payload=DELETE; IKE packet dropped.
*Mar 22 03:14:02:536 2016 fengze1 IKE/7/DEBUG: DO decrypt: after decryption:
*Mar 22 03:14:02:536 2016 fengze1 IKE/7/DEBUG: 0c000014 4d12c4aa e9289d30 05f5545f
*Mar 22 03:14:02:536 2016 fengze1 IKE/7/DEBUG: 22a6f5d7 00000014 00000000 03040002
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: 5c70c008 75aea933 00000000 00000008
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: parse payloads: payload HASH
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: parse payloads: payload DELETE
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: validate payload HASH
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: validate payload DELETE
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: DOI: ISAKMP
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: PROTO: IPSEC_ESP
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: SPI_SZ: 4
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: NSPIS: 2
*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: exchange setup(R): a2b7920
*Mar 22 03:14:02:538 2016 fengze1 IKE/7/DEBUG: validate DELETE: can't support this protocol
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: received message:
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: ICOOKIE: 0x5dd3009e9dfecb12
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: RCOOKIE: 0x000ea0108cd51d37
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: NEXT_PAYLOAD: HASH
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: VERSION: 16
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: EXCH_TYPE: INFO
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: FLAGS: [ ENC ]
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: MESSAGE_ID: 0x4412eb28
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: LENGTH: 92
*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: initialized IV:
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 43abfe90 4296252e 5f91b169 2a7414c5
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: DO decrypt: before decryption:
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: d065daf8 e0c99633 15923f23 ae26d4c5
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 90512196 1f0aacf4 bb2a0d9a 97343996
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 0b333d54 59d00611 986178a3 18f1e4f7
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 04f8ae69 71f2e48f 261b7eb0 0aee9efa
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: CryptoEngine_BlockEncrypt: op type = 0x00001013.
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: enc_key:
*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 3dee6f9a 2e046f46 a2355aef 079f4e5f
*Mar 22 03:14:02:542 2016 fengze1 IKE/7/DEBUG: iv:
*Mar 22 03:14:02:542 2016 fengze1 IKE/7/DEBUG: 43abfe90 4296252e 5f91b169 2a7414c5
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: DO decrypt: after decryption:
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: 0c000014 2862c151 7b1854db 5a2afd08
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: c903c0de 0000001c 00000000 01100001
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: 5dd3009e 9dfecb12 000ea010 8cd51d37
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: 00000000 00000000 00000000 00000010
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: parse payloads: payload HASH
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: parse payloads: payload DELETE
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: validate payload HASH
*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: validate payload DELETE
*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG: DOI: ISAKMP
*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG: PROTO: ISAKMP
*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG: SPI_SZ: 16
*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG: NSPIS: 1
*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG: exchange setup(R): a2b6a40
*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG: exchange check: checking for required INFO
*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG:
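To make the analysis concrete, the following Python (an added example, not H3C or Ruijie code) decodes the two decrypted HASH + DELETE payload chains copied from the debug output above, applies the DOI / Protocol-ID check that produces `Cause=Invalid protocol ID`, and builds the corrected Delete payload (DOI = 1) that the IPsec SA delete should have carried. The `ALLOWED_PROTO` table and the SPI-size check model the behaviour visible in the debug (PROTO: ISAKMP accepted under DOI: ISAKMP, PROTO: IPSEC_ESP rejected) and are assumptions, not the MSR's actual validation code.

```python
"""
Decode ISAKMP Informational payload chains (HASH + DELETE) and apply a
DOI / Protocol-ID consistency check.  Added example, not vendor code.

Field layout: RFC 2408 §3.15 (Delete payload) and RFC 2407 §4.4.1
(Protocol-ID values defined under the IPsec DOI).
"""
import struct

# ISAKMP payload type codes (RFC 2408 §3.1)
PAYLOAD_HASH = 8
PAYLOAD_DELETE = 12

DOI_ISAKMP = 0      # RFC 2408 §3.15
DOI_IPSEC = 1       # RFC 2407

# Protocol-ID values (RFC 2407 §4.4.1)
PROTO_ISAKMP = 1
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
PROTO_IPCOMP = 4
PROTO_NAMES = {1: "ISAKMP", 2: "IPSEC_AH", 3: "IPSEC_ESP", 4: "IPCOMP"}

# ASSUMPTION: which protocol IDs each DOI may delete.  This reproduces the
# observed MSR behaviour (ISAKMP accepted under DOI 0, ESP rejected) and is
# not H3C's real validation table.
ALLOWED_PROTO = {
    DOI_ISAKMP: {PROTO_ISAKMP},
    DOI_IPSEC: {PROTO_ISAKMP, PROTO_IPSEC_AH, PROTO_IPSEC_ESP, PROTO_IPCOMP},
}

# Decrypted Informational bodies copied from the MSR debug output above
# (trailing words are cipher padding and are skipped by the chain walk).
DELETE_IPSEC_SA_DUMP = """
0c000014 4d12c4aa e9289d30 05f5545f
22a6f5d7 00000014 00000000 03040002
5c70c008 75aea933 00000000 00000008
"""
DELETE_ISAKMP_SA_DUMP = """
0c000014 2862c151 7b1854db 5a2afd08
c903c0de 0000001c 00000000 01100001
5dd3009e 9dfecb12 000ea010 8cd51d37
00000000 00000000 00000000 00000010
"""


def parse_payload_chain(data, first_type):
    """Walk generic payload headers (next, reserved, length) starting with a
    payload of type `first_type`; stop when next-payload is 0 (NONE)."""
    payloads, ptype, off = [], first_type, 0
    while ptype != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        nxt, _res, length = struct.unpack_from("!BBH", data, off)
        if length < 4 or off + length > len(data):
            raise ValueError("bad payload length %d" % length)
        payloads.append((ptype, data[off + 4:off + length]))
        ptype, off = nxt, off + length
    return payloads


def parse_delete(body):
    """Decode a Delete payload body: DOI(4) proto(1) spi_size(1) nspis(2) SPIs."""
    doi, proto, spi_size, nspis = struct.unpack_from("!IBBH", body, 0)
    spis, off = [], 8
    for _ in range(nspis):
        spis.append(body[off:off + spi_size].hex())
        off += spi_size
    if off != len(body):
        raise ValueError("SPI list does not fill the payload")
    return {"doi": doi, "proto": proto, "spi_size": spi_size, "spis": spis}


def validate_delete(d):
    """Return None if the delete is acceptable, otherwise the drop cause."""
    if d["proto"] not in ALLOWED_PROTO.get(d["doi"], set()):
        return "Invalid protocol ID"
    # ISAKMP SA is identified by the 16-byte cookie pair, AH/ESP by a 4-byte SPI.
    expected = 16 if d["proto"] == PROTO_ISAKMP else 4
    if d["spi_size"] != expected:
        return "Invalid SPI size"
    return None


def process_informational(hex_dump):
    """Parse a decrypted Informational body whose first payload is HASH and
    return the decoded Delete payload(s) with their validation result."""
    data = bytes.fromhex("".join(hex_dump.split()))
    results = []
    for ptype, body in parse_payload_chain(data, PAYLOAD_HASH):
        if ptype == PAYLOAD_DELETE:
            d = parse_delete(body)
            d["proto_name"] = PROTO_NAMES.get(d["proto"], "?")
            d["drop_cause"] = validate_delete(d)
            results.append(d)
    return results


def build_delete(doi, proto, spis, next_payload=0):
    """Encode a Delete payload (generic header + body) for the given SPIs."""
    spi_size = len(spis[0])
    body = struct.pack("!IBBH", doi, proto, spi_size, len(spis)) + b"".join(spis)
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


if __name__ == "__main__":
    for name, dump in (("IPsec SA delete", DELETE_IPSEC_SA_DUMP),
                       ("ISAKMP SA delete", DELETE_ISAKMP_SA_DUMP)):
        for d in process_informational(dump):
            print(name, d)
    esp_spis = [bytes.fromhex("5c70c008"), bytes.fromhex("75aea933")]
    fixed = build_delete(DOI_IPSEC, PROTO_IPSEC_ESP, esp_spis)
    print("corrected delete:", fixed.hex(),
          "->", validate_delete(parse_delete(fixed[4:])))
```

Running it reproduces the two debug decodes: the first chain yields DOI 0 / PROTO 3 with SPIs 5c70c008 and 75aea933 and the cause "Invalid protocol ID"; the second yields DOI 0 / PROTO 1 with the 16-byte cookie pair and passes. The same two ESP SPIs re-encoded with DOI = 1 validate cleanly, which is the payload a conforming peer sends.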
After the customer contacted Ruijie R&D, the DPD implementation on the Ruijie side was found to be non-standard; once DPD was disabled the tunnel stayed up. Note that disabling DPD only removes the trigger: a dead peer is then noticed only at rekey or SA lifetime expiry, so the proper fix is a Delete payload with the correct DOI on the Ruijie side.