Cisco ASA site-to-site VPN drops



I have three sites: Toronto (1.1.1.1), Mississauga (2.2.2.2) and San Francisco (3.3.3.3). All three sites have an ASA 5520. Every site is connected to each of the others with a site-to-site VPN link.

My problem is that the tunnel between Toronto and San Francisco is very unstable and drops every 40 to 60 minutes. The tunnel between Toronto and Mississauga (configured the same way) is fine, with no drops.

I also noticed that pings stop getting through, but the ASA thinks the tunnel is still up.

The tunnel configuration is as follows.

Toronto (1.1.1.1)

crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 3.3.3.3 
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256

group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

San Francisco (3.3.3.3)

crypto map Outside_map0 2 match address Outside_cryptomap_1
crypto map Outside_map0 2 set peer 1.1.1.1 
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256

group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

I'm lost. Any ideas?

Update:

# show crypto isakmp sa

 IKEv1 SAs:

    Active SA: 2
     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
 Total IKE SA: 2

 1   IKE Peer: 3.3.3.3
     Type    : L2L             Role    : initiator 
     Rekey   : no              State   : MM_ACTIVE 
 2   IKE Peer: 2.2.2.2
     Type    : L2L             Role    : responder 
     Rekey   : no              State   : MM_ACTIVE 

 There are no IKEv2 SAs



 # show crypto ipsec sa
 interface: Outside
     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
       current_peer: 74.200.4.148

       #pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
       #pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: EFADD3D6
       current inbound spi : 756AB014

     inbound esp sas:
       spi: 0x756AB014 (1969926164)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4372005/17024)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0xEFADD3D6 (4021146582)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4369303/17024)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2

       #pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
       #pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: D2002A5B
       current inbound spi : 2E1F7B20

     inbound esp sas:
       spi: 0x2E1F7B20 (773815072)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (3224936/17000)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0xD2002A5B (3523226203)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (2120164/17000)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2

       #pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
       #pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: 45B5CECD
       current inbound spi : 862EB1DB

     inbound esp sas:
       spi: 0x862EB1DB (2251207131)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4318958/16999)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0x45B5CECD (1169542861)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4360717/16999)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1

       access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
       current_peer: 3.3.3.3

       #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
       #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: 6B0981E6
       current inbound spi : 2F85EB3C

     inbound esp sas:
       spi: 0x2F85EB3C (797305660)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1245184, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (3944948/12647)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0x6B0981E6 (1795785190)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1245184, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (364451/12647)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001
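As an added illustration (not part of the original question), the script below parses two snapshots of `show crypto ipsec sa` output in the layout shown above and flags any SA whose encaps counter keeps growing while its decaps counter stays flat, which is what a tunnel the ASA still reports as up but that no longer returns traffic looks like; it also lists tunnel-groups whose ipsec-attributes contain `isakmp keepalive disable`, i.e. where dead peer detection is turned off. The first snapshot is built from the counters in the question; the second snapshot's counters and the 2.2.2.2 keepalive line in the sample config are constructed values, not taken from the page.

```python
"""Spot one-way IPsec SAs and disabled DPD from Cisco ASA show output.

Added example, not code from the original post. It assumes the text layout of
'show crypto ipsec sa' seen in the question; all sample data is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    peer: str
    local: str          # local ident, addr/mask
    remote: str         # remote ident, addr/mask
    encaps: int         # packets encapsulated (sent) on this SA
    decaps: int         # packets decapsulated (received) on this SA
    lifetime_sec: int   # remaining seconds on the outbound SA


# One block per "Crypto map tag:" entry, up to the next entry or end of text.
_BLOCK = re.compile(r"Crypto map tag:.*?(?=Crypto map tag:|\Z)", re.S)


def parse_ipsec_sa(text):
    """Return {(peer, local, remote): IpsecSa} for every SA block in the output."""
    sas = {}
    for block in _BLOCK.findall(text):
        peer = re.search(r"current_peer:\s*(\S+)", block).group(1)
        local = re.search(r"local ident[^\n]*\(([\d.]+/[\d.]+)/", block).group(1)
        remote = re.search(r"remote ident[^\n]*\(([\d.]+/[\d.]+)/", block).group(1)
        encaps = int(re.search(r"#pkts encaps:\s*(\d+)", block).group(1))
        decaps = int(re.search(r"#pkts decaps:\s*(\d+)", block).group(1))
        # inbound SA timing is printed first, outbound last: take the last one
        secs = re.findall(r"remaining key lifetime \(kB/sec\): \(\d+/(\d+)\)", block)
        sas[(peer, local, remote)] = IpsecSa(peer, local, remote, encaps, decaps,
                                             int(secs[-1]))
    return sas


def find_one_way_tunnels(before, after, min_new_encaps=10):
    """Keys of SAs that sent traffic between snapshots but received nothing back."""
    stale = []
    for key, now in after.items():
        then = before.get(key)
        if then is None:
            continue  # SA did not exist in the first snapshot (new or rekeyed)
        sent = now.encaps - then.encaps
        received = now.decaps - then.decaps
        if sent >= min_new_encaps and received == 0:
            stale.append(key)
    return stale


def tunnel_groups_without_dpd(config):
    """Names of tunnel-groups whose ipsec-attributes disable ISAKMP keepalives."""
    result, current = [], None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            current = m.group(1)
        elif line and not line.startswith(" "):
            current = None  # any other top-level command ends the sub-mode
        elif current and line.strip() == "isakmp keepalive disable":
            result.append(current)
    return result


def _sa_block(peer, remote, encaps, decaps, sec):
    """Constructed 'Crypto map tag' block in the ASA's layout (sample data)."""
    return (
        "    Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1\n"
        "      local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)\n"
        f"      remote ident (addr/mask/prot/port): ({remote}/0/0)\n"
        f"      current_peer: {peer}\n"
        f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
        f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n"
        "    inbound esp sas:\n"
        f"         sa timing: remaining key lifetime (kB/sec): (3944948/{sec})\n"
        "    outbound esp sas:\n"
        f"         sa timing: remaining key lifetime (kB/sec): (364451/{sec})\n"
    )


# Snapshot A uses the question's counters; snapshot B is an assumed later sample
# in which the 3.3.3.3 SA sent 500 more packets but received none back.
SNAPSHOT_A = (_sa_block("2.2.2.2", "10.100.0.0/255.255.0.0", 18777146, 23208489, 17000)
              + _sa_block("3.3.3.3", "10.10.0.0/255.255.0.0", 3444336, 1756137, 12647))
SNAPSHOT_B = (_sa_block("2.2.2.2", "10.100.0.0/255.255.0.0", 18777646, 23208989, 16940)
              + _sa_block("3.3.3.3", "10.10.0.0/255.255.0.0", 3444836, 1756137, 12587))

# Constructed config: 3.3.3.3 mirrors the question; the 2.2.2.2 keepalive line is assumed.
CONFIG = """\
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""

if __name__ == "__main__":
    stale = find_one_way_tunnels(parse_ipsec_sa(SNAPSHOT_A), parse_ipsec_sa(SNAPSHOT_B))
    for peer, local, remote in stale:
        print(f"one-way SA: peer {peer} {local} -> {remote} (sending, nothing received)")
    print("DPD disabled for tunnel-groups:", tunnel_groups_without_dpd(CONFIG))
```

Run it against two captures taken a few minutes apart; an SA that appears in the one-way list while the peer's own `show crypto ipsec sa` shows different SPIs is the stale-SA case that clearing the SA or enabling keepalives would normally recover from.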

Do you lose pings over the public Internet?
Jeremy

No, the public side is fine at both locations.
ScottAdair

What does the output of show crypto isakmp sa and show crypto ipsec sa look like when the problem is occurring? I assume you're resolving it by resetting the SA, is that right? Is there a specific reason dead peer detection is disabled? Lastly, what code version are you running?
Shane Madden

All systems are running 8.4(2) and ASDM 6.4(5). The command output is above. According to the tunnel, traffic is passing, but no traffic is getting through. There's no specific reason for disabling dead peer detection; it isn't something I tried this afternoon.
ScottAdair

Interestingly, the ASA in SF thinks the tunnel is down, but the ASA in TO thinks the tunnel is down.
ScottAdair

Answers:


Licensed under cc by-sa 3.0 with attribution required.