torohuang posted on 2016-10-7 17:56:00

Site-to-Site problem

Hi

I recently ran into a problem.
I currently have three sites running site-to-site VPN between each other.
Behind ASA-3 there is a server segment, 10.222.0.0/16,
and a segment used for SSL VPN, 192.168.78.0/24,
with site-to-site tunnels to ASA-1 and ASA-2 respectively.
With the normal configuration everything works,
but on the tunnel between ASA-3 and ASA-1, after some time,
the SSL VPN segment 192.168.78.0/24 behind ASA-3 suddenly becomes unreachable.
Both ASA-3 and ASA-1 otherwise show no problem, and the settings are the same.
I have to run clear ipsec sa peer x.x.x.x on one of the two devices
so that ASA-3 and ASA-1 rebuild the tunnel before it works again,
but after a while it stops working again.
Checking with the commands shows everything as normal:
ASA-3# sho crypto isakmp sa

IKEv1 SAs:

   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 6.22.15.250
    Type    : L2L             Role    : initiator
    Rekey   : no            State   : MM_ACTIVE
2   IKE Peer: 12.21.101.253
    Type    : L2L             Role    : responder
    Rekey   : no            State   : MM_ACTIVE
3   IKE Peer: 6.22.15.220
    Type    : L2L             Role    : responder
    Rekey   : no            State   : MM_ACTIVE

There are no IKEv2 SAs

Under normal conditions, show ipsec sa shows the information for 192.168.78.0/24:
ASA-3# show ipsec sa peer 6.22.15.220
peer address: 6.22.15.220
    Crypto map tag: Outsite_map0, seq num: 3, local addr: 12.21.90.253

      access-list Outsite_cryptomap_8 extended permit ip 10.222.0.0 255.255.0.0 10.227.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.222.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.227.0.0/255.255.0.0/0/0)
      current_peer: 6.22.15.220


      #pkts encaps: 7807, #pkts encrypt: 7807, #pkts digest: 7807
      #pkts decaps: 9243, #pkts decrypt: 9243, #pkts verify: 9243
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 7807, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 8
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 12.21.90.253/0, remote crypto endpt.: 6.22.15.220/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 60719752
      current inbound spi : 3FFEF94A

    inbound esp sas:
      spi: 0x3FFEF94A (1073674570)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 2342912, crypto-map: Outsite_map0
         sa timing: remaining key lifetime (kB/sec): (4372681/24650)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x60719752 (1618057042)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 2342912, crypto-map: Outsite_map0
         sa timing: remaining key lifetime (kB/sec): (4372869/24650)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001


Then, when the problem occurs, the following log messages appear:

3 Oct 07 2016 17:50:44 Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag = Outsite_map0. Map Sequence Number = 3.
3 Oct 07 2016 17:50:44 Group = 6.22.15.220, IP = 6.22.15.220, Removing peer from correlator table failed, no match!
3 Oct 07 2016 17:50:44 Group = 6.22.15.220, IP = 6.22.15.220, QM FSM error (P2 struct &0x00007fffe32afdd0, mess id 0xa971c2f8)!
Could an expert please help me solve this?
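As an added example, not part of the original post, the following Python checker turns the two kinds of evidence quoted above into something that can be monitored instead of noticed by users: it parses the `show ipsec sa` output into its crypto-map entries and proxy identities, reports which expected local subnets currently have no Phase 2 SA installed, and scans ASA syslog lines for the Phase 2 failure messages seen in the post (Tunnel Manager failure, correlator-table mismatch, QM FSM error), tying the Map Tag and Map Sequence Number from the Tunnel Manager message back to the matching crypto-map entry. The sample inputs are the post's own output with the run-together spacing restored plus one constructed filler syslog line; the list of expected subnets and the regular expressions are my assumptions about the output format, not Cisco's documented grammar.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Optional

# Sample input 1: the post's "show ipsec sa peer" output, cut down to the lines this reads.
SHOW_IPSEC_SA = """\
peer address: 6.22.15.220
    Crypto map tag: Outsite_map0, seq num: 3, local addr: 12.21.90.253
      local ident (addr/mask/prot/port): (10.222.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.227.0.0/255.255.0.0/0/0)
"""

# Sample input 2: the post's three syslog lines (severity, date, time, message; spacing
# restored) plus one constructed filler line that is not a Phase 2 event.
SYSLOG_LINES = [
    "3 Oct 07 2016 17:50:44 Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag = Outsite_map0. Map Sequence Number = 3.",
    "3 Oct 07 2016 17:50:44 Group = 6.22.15.220, IP = 6.22.15.220, Removing peer from correlator table failed, no match!",
    "3 Oct 07 2016 17:50:44 Group = 6.22.15.220, IP = 6.22.15.220, QM FSM error (P2 struct &0x00007fffe32afdd0, mess id 0xa971c2f8)!",
    "6 Oct 07 2016 17:50:45 constructed filler line, not a Phase 2 event",
]

# Local subnets the post says the tunnel to ASA-1 should protect (assumed from the post).
EXPECTED_LOCAL_SUBNETS = ["10.222.0.0/16", "192.168.78.0/24"]

@dataclass
class IpsecSa:
    """One crypto-map entry (one proxy-ID pair) from 'show ipsec sa'."""
    peer: Optional[str]
    map_tag: str
    seq: int
    local: IPv4Network
    remote: IPv4Network

PEER_RE = re.compile(r"^\s*peer address: (\S+)")
MAP_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")

def parse_ipsec_sa(text: str) -> List[IpsecSa]:
    """Split 'show ipsec sa' output into one record per crypto-map entry."""
    sas: List[IpsecSa] = []
    peer: Optional[str] = None
    cur: Optional[dict] = None
    def flush() -> None:
        if cur and "local" in cur and "remote" in cur:  # keep only complete entries
            sas.append(IpsecSa(**cur))
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            peer = m.group(1)
        elif m := MAP_RE.search(line):
            flush()
            cur = {"peer": peer, "map_tag": m.group(1), "seq": int(m.group(2))}
        elif cur is not None and (m := IDENT_RE.search(line)):
            cur[m.group(1)] = IPv4Network(f"{m.group(2)}/{m.group(3)}")
    flush()
    return sas

def missing_subnets(sas: List[IpsecSa], expected: List[str]) -> List[IPv4Network]:
    """Expected local protected subnets that currently have no Phase 2 SA installed."""
    present = {sa.local for sa in sas}
    return [net for net in map(IPv4Network, expected) if net not in present]

SYSLOG_RE = re.compile(r"^(\d)\s+(\w{3} \d{2} \d{4})\s+(\d{2}:\d{2}:\d{2})\s+(.*)$")
# Messages that mark a failed IKEv1 Phase 2 (quick mode) negotiation on the ASA.
PHASE2_PATTERNS = {
    "tunnel_manager_failed": re.compile(r"Tunnel Manager has failed to establish an L2L SA"),
    "correlator_no_match": re.compile(r"Removing peer from correlator table failed"),
    "qm_fsm_error": re.compile(r"QM FSM error"),
}
PEER_IN_MSG_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")
MAP_IN_MSG_RE = re.compile(r"Map Tag\s*=\s*(\S+?)\.\s*Map Sequence Number\s*=\s*(\d+)")

def find_phase2_failures(lines: List[str]) -> List[dict]:
    """One event dict per syslog line matching a Phase 2 failure pattern."""
    events = []
    for line in lines:
        if not (m := SYSLOG_RE.match(line)):
            continue
        sev, date, time, msg = m.groups()
        kind = next((k for k, pat in PHASE2_PATTERNS.items() if pat.search(msg)), None)
        if kind is None:
            continue
        peer, cmap = PEER_IN_MSG_RE.search(msg), MAP_IN_MSG_RE.search(msg)
        events.append({
            "kind": kind, "time": f"{date} {time}", "severity": int(sev),
            "peer": peer.group(1) if peer else None,
            "map_tag": cmap.group(1) if cmap else None,
            "seq": int(cmap.group(2)) if cmap else None,
        })
    return events

def diagnose(show_output: str, syslog_lines: List[str], expected: List[str]) -> dict:
    """Join both views: installed SAs, missing subnets, failures tied to crypto-map entries."""
    sas = parse_ipsec_sa(show_output)
    by_map = {(sa.map_tag, sa.seq): sa for sa in sas}
    events = find_phase2_failures(syslog_lines)
    for ev in events:
        sa = by_map.get((ev["map_tag"], ev["seq"]))
        ev["proxy_ids"] = f"{sa.local} <-> {sa.remote}" if sa else None
    return {"sas": sas, "missing_local_subnets": missing_subnets(sas, expected), "failures": events}

if __name__ == "__main__":
    print(diagnose(SHOW_IPSEC_SA, SYSLOG_LINES, EXPECTED_LOCAL_SUBNETS))
```

Run against the `show ipsec sa` output the post quotes, the checker reports 192.168.78.0/24 as missing, and it resolves the Tunnel Manager message's Map Tag/Sequence Number (Outsite_map0, 3) to the 10.222.0.0/16 <-> 10.227.0.0/16 entry. Scheduling this against a periodic `show ipsec sa` capture and the ASA syslog feed gives an alert for the intermittent drop the post describes, with the affected proxy identities already identified, before anyone has to run `clear ipsec sa peer` by hand.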