Hi
I've recently run into a problem.
I currently have three sites doing site-to-site VPN with each other.
Behind ASA-3 there is a server segment using 10.222.0.0/16
and a segment used for SSL VPN, 192.168.78.0/24,
with site-to-site tunnels to ASA-1 and ASA-2 respectively.
With normal configuration everything works,
but on the tunnel between ASA-3 and ASA-1, after some time,
the SSL VPN segment 192.168.78.0/24 behind ASA-3 suddenly becomes unreachable,
while the ASA-3 to ASA-1 side shows no problems and the settings are identical.
I have to run clear ipsec sa peer x.x.x.x on one of the devices
so that ASA-3 and ASA-1 rebuild the tunnel before it works again,
but after a while it stops working again.
Checking with the commands, everything looks normal:
ASA-3# sho crypto isakmp sa
IKEv1 SAs:
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: 6.22.15.250
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 12.21.101.253
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
3 IKE Peer: 6.22.15.220
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
When show ipsec sa is run in the normal state, the 192.168.78.0/24 information is visible:
ASA-3# show ipsec sa peer 6.22.15.220
peer address: 6.22.15.220
Crypto map tag: Outsite_map0, seq num: 3, local addr: 12.21.90.253
access-list Outsite_cryptomap_8 extended permit ip 10.222.0.0 255.255.0.0 10.227.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.222.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.227.0.0/255.255.0.0/0/0)
current_peer: 6.22.15.220
#pkts encaps: 7807, #pkts encrypt: 7807, #pkts digest: 7807
#pkts decaps: 9243, #pkts decrypt: 9243, #pkts verify: 9243
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 7807, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 8
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 12.21.90.253/0, remote crypto endpt.: 6.22.15.220/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 60719752
current inbound spi : 3FFEF94A
inbound esp sas:
spi: 0x3FFEF94A (1073674570)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 2342912, crypto-map: Outsite_map0
sa timing: remaining key lifetime (kB/sec): (4372681/24650)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x60719752 (1618057042)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 2342912, crypto-map: Outsite_map0
sa timing: remaining key lifetime (kB/sec): (4372869/24650)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Then, when the problem occurs, the following log messages appear:
3 | Oct 07 2016 | 17:50:44 | Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= Outsite_map0. Map Sequence Number = 3.
3 | Oct 07 2016 | 17:50:44 | Group = 6.22.15.220, IP = 6.22.15.220, Removing peer from correlator table failed, no match!
3 | Oct 07 2016 | 17:50:44 | Group = 6.22.15.220, IP = 6.22.15.220, QM FSM error (P2 struct &0x00007fffe32afdd0, mess id 0xa971c2f8)!
Could an expert please help me solve this?
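The failure mode described above (a phase-2 SA for one proxy-ID pair silently missing while the IKE SA stays MM_ACTIVE, with QM FSM errors in the log) is something a monitoring job can catch before users notice. The following is an added example, not code from the post or from Cisco: it parses the shape of the "show ipsec sa peer" output and the syslog messages quoted above, reports expected proxy-ID pairs that have no live SA, and pulls the peer and crypto-map entry out of the failure messages. The sample text is constructed from the post's output, and the assumption that the 192.168.78.0/24 segment pairs with remote 10.227.0.0/16 is mine (the post does not state the remote side).

```python
import re
from ipaddress import IPv4Network
# Constructed sample in the shape of the "show ipsec sa peer" output quoted in the post.
SHOW_IPSEC_SA = """\
peer address: 6.22.15.220
    Crypto map tag: Outsite_map0, seq num: 3, local addr: 12.21.90.253
      local ident (addr/mask/prot/port): (10.222.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.227.0.0/255.255.0.0/0/0)
"""
# Constructed syslog messages using the wording of the post's log lines.
SYSLOG = [
    "Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= Outsite_map0. Map Sequence Number = 3.",
    "Group = 6.22.15.220, IP = 6.22.15.220, QM FSM error (P2 struct &0x00007fffe32afdd0, mess id 0xa971c2f8)!",
]
EXPECTED_PAIRS = [  # assumption: the SSL VPN segment pairs with the same remote 10.227.0.0/16
    ("6.22.15.220", "10.222.0.0/16", "10.227.0.0/16"),
    ("6.22.15.220", "192.168.78.0/24", "10.227.0.0/16"),
]
PEER_RE = re.compile(r"^peer address: ([\d.]+)")
MAP_RE = re.compile(r"^Crypto map tag: (\S+), seq num: (\d+)")
IDENT_RE = re.compile(r"^(local|remote) ident .*: \(([\d.]+)/([\d.]+)/")
QM_RE = re.compile(r"Group = ([\d.]+), IP = [\d.]+, QM FSM error")
TM_RE = re.compile(r"failed to establish an L2L SA.*Map Tag= (\S+)\. Map Sequence Number = (\d+)")

def parse_ipsec_sa(text):
    """One dict per crypto map entry: peer, map tag, seq, and local/remote proxy IDs as CIDR."""
    entries, peer, cur = [], None, None
    for line in map(str.strip, text.splitlines()):
        if m := PEER_RE.match(line):
            peer = m.group(1)
        elif m := MAP_RE.match(line):
            entries.append(cur := {"peer": peer, "map": m.group(1), "seq": int(m.group(2))})
        elif (m := IDENT_RE.match(line)) and cur is not None:
            cur[m.group(1)] = str(IPv4Network(f"{m.group(2)}/{m.group(3)}"))
    return entries

def missing_proxy_pairs(entries, expected=EXPECTED_PAIRS):
    """Expected (peer, local, remote) pairs with no live phase-2 SA, i.e. the state the post describes."""
    live = {(e["peer"], e.get("local"), e.get("remote")) for e in entries}
    return [p for p in expected if p not in live]

def phase2_failures(messages):
    """Peers and crypto-map entries named by QM FSM / Tunnel Manager failure messages."""
    peers, maps = set(), set()
    for msg in messages:
        if m := QM_RE.search(msg):
            peers.add(m.group(1))
        if m := TM_RE.search(msg):
            maps.add((m.group(1), int(m.group(2))))
    return {"peers": sorted(peers), "map_entries": sorted(maps)}
```

Run against the sample, the parser finds only the 10.222.0.0/16 pair, so the 192.168.78.0/24 pair is reported missing and the log scan points at peer 6.22.15.220, map Outsite_map0 seq 3, which is where to compare the crypto ACL and proxy IDs on both ends.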