SSL VPN not working on a SecPath F5030-6GW-G (V7) at a customer site

Published 2024-11-29

Network setup and description

SecPath F5030-6GW-G(V7),Version 7.1.064, Release 8160P47

Problem description

Two F5030-6GW-G firewalls at the site are deployed in an RBM active/standby + VRRP setup, and the VRRP virtual address is not in the same subnet as the interface address. SSL VPN was configured but does not work: when iNode logs in to the SSL VPN it reports "Failed to query gateway parameters".

Analysis

(Sensitive information below has been anonymized.)

Public address: 100.252.15.38    SSL VPN port: 50000

Checked the on-site SSL VPN configuration and found nothing wrong. Checked the session table: for every iNode login, dis session table ipv4 destination-ip 100.252.15.38 destination-port 50000 verbose shows a session, so sessions are being created on the firewall. Continued with debugging to look further.

First, write an ACL that matches traffic to and from the firewall's public address:

#

acl advanced 3003

 rule 0 permit tcp destination 100.252.15.38 0 destination-port eq 50000

 rule 6 permit tcp source 100.252.15.38 0 source-port eq 50000

#

Then enable debugging against that ACL:

debugging ip packet acl 3XXX

debugging ip info acl 3XXX

debugging aspf packet acl 3XXX

debugging security-policy packet ip acl 3XXX

 IPFW/7/IPFW_PACKET: -COntext=1;

Sending, interface = GigabitEthernet1/0/1

version = 4, headlen = 20, tos = 0

pktlen = 60, pktid = 1182, offset = 0, ttl = 255, protocol = 6

checksum = 39113, s = 100.252.15.38, d = 33.170.47.136

channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.

VsysID = 1

prompt: Sending IP packet from local at interface GigabitEthernet1/0/1.

Payload: TCP

  source port = 50000, destination port = 32268

  sequence num = 0xa3f2617c, acknowledgement num = 0x450ac2c1, flags = 0x12

  window size = 65535, checksum = 0x2e53, header length = 40.

 IPFW/7/IPFW_PACKET: -COntext=1;

Delivering, interface = GigabitEthernet1/0/4

version = 4, headlen = 20, tos = 116

pktlen = 60, pktid = 28230, offset = 0, ttl = 56, protocol = 6

checksum = 46509, s = 33.170.47.136, d = 100.252.15.38

channelID = 0, vpn-InstanceIn = 0, vpn-InstanceOut = 0.

VsysID = 1

prompt: Forwarding IP packet to upper layer from FastForward.

Payload: TCP

  source port = 32268, destination port = 50000

  sequence num = 0x450ac2c0, acknowledgement num = 0x00000000, flags = 0x2

  window size = 64240, checksum = 0x121f, header length = 40.

Solution

The debug output above shows that the interface on which the client's packet enters the firewall (GigabitEthernet1/0/4) differs from the interface on which the reply leaves (GigabitEthernet1/0/1). Configuring ip last-hop hold on the inbound interface, so that return traffic is sent back out the same interface it arrived on, resolved the problem.
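To make this kind of path asymmetry easier to spot in a long debug capture, here is an added Python example (not part of the original case and not an H3C tool) that parses IPFW_PACKET records in the layout shown above, groups packets by flow, and reports flows whose "Delivering" interface differs from their "Sending" interface. The SAMPLE text is constructed from the two records in this case; the record layout is assumed to match the output above.

```python
import re
from collections import defaultdict

# Constructed sample: two IPFW_PACKET records in the format shown above,
# the inbound SYN (Delivering) and the firewall's SYN-ACK reply (Sending).
SAMPLE = """\
 IPFW/7/IPFW_PACKET: -COntext=1;
Delivering, interface = GigabitEthernet1/0/4
version = 4, headlen = 20, tos = 116
pktlen = 60, pktid = 28230, offset = 0, ttl = 56, protocol = 6
checksum = 46509, s = 33.170.47.136, d = 100.252.15.38
Payload: TCP
  source port = 32268, destination port = 50000
  sequence num = 0x450ac2c0, acknowledgement num = 0x00000000, flags = 0x2
 IPFW/7/IPFW_PACKET: -COntext=1;
Sending, interface = GigabitEthernet1/0/1
version = 4, headlen = 20, tos = 0
pktlen = 60, pktid = 1182, offset = 0, ttl = 255, protocol = 6
checksum = 39113, s = 100.252.15.38, d = 33.170.47.136
Payload: TCP
  source port = 50000, destination port = 32268
  sequence num = 0xa3f2617c, acknowledgement num = 0x450ac2c1, flags = 0x12
"""

# One record: direction and interface, then the IP pair, then the TCP ports.
# The \b keeps "s = " from matching the "s" at the end of "tos = ".
REC_RE = re.compile(
    r"(Delivering|Sending), interface = (\S+).*?"
    r"\bs = ([\d.]+), d = ([\d.]+).*?"
    r"source port = (\d+), destination port = (\d+)",
    re.S,
)

def parse_records(text):
    """Yield (direction, interface, src, dst, sport, dport) per record."""
    for chunk in text.split("IPFW/7/IPFW_PACKET")[1:]:
        m = REC_RE.search(chunk)
        if m:
            direction, ifc, src, dst, sport, dport = m.groups()
            yield direction, ifc, src, dst, int(sport), int(dport)

def find_asymmetric_flows(text):
    """Group records by direction-independent endpoint pair and return only
    flows whose inbound (Delivering) and outbound (Sending) interfaces differ."""
    flows = defaultdict(lambda: (set(), set()))
    for direction, ifc, src, dst, sport, dport in parse_records(text):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        flows[key][0 if direction == "Delivering" else 1].add(ifc)
    return {k: (i, o) for k, (i, o) in flows.items() if i and o and i != o}
```

Feed it the full debugging output instead of SAMPLE; an empty result means every observed flow left on the interface it arrived on.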