ASA5515 - QM FSM error / cannot establish L2L SA when transferring large files

Networking Cisco Firewall ACL Site-to-Site
2021-08-02 18:53:23

I hope someone can help me with a problem I am running into - a little clarification or advice would be much appreciated:

Problem: I set up a new backup server and I want to back up data from one of our production servers to it. The servers are connected over a site-to-site tunnel between DC A and DC B - both use Cisco ASA 5515s.

The way I transfer files is with innobackup over SSH (port 22). I was transferring a 5 GB file and suddenly, at 4.6 GB, it dropped the connection. I tried SCP, which also uses port 22, and it did the same thing. I then used netcat and ran the transfer again on a raw port, but it still failed.

So, after seeing nothing in the log files and running the tests above, I ruled out a port or ufw configuration problem and turned to the routers for answers. I ran the debug tools on the ASA, tried the transfer again, and bingo! - it gave me some logs!

FW A logs
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fbda978db0, mess id 0xd36ff5ab)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fb9d8fde4a0, mess id 0xd36ff5ab)!

FW B logs
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29852230, mess id 0xd36ff5ab)!
Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= outside_map. Map Sequence Number = 1.
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!
Group = <peer ip>, IP = <peer ip>, QM FSM error (P2 struct &0x00007fff29124500, mess id 0xb09bc855)!
Group = <peer ip>, IP = <peer ip>, Removing Peer from correlator table failed, no match!

So, after looking it up on Google, I came across two potential causes (there may be more) - an ACL mismatch, or a problem with the crypto map set security association lifetime.

My dilemma - for now I have increased the crypto map set security association lifetime to accommodate the size of the file transfer I need (this works!) - but I can't help feeling this is sidestepping another problem. You see, we have another DC holding backups that uses the default crypto map set security association lifetime and transfers files of comparable size just fine.

The reason I haven't changed the ACL yet is that there is already an entry for FW A and FW B under the heading "outside_crypto_map" in the ACL Manager - is that being ignored? Or do I need to add another entry? Both ACLs are configured as follows: Source: Destination: Service: IP Action: Permit

Here is my sanitized config:

FW A (primary):

ASA Version 9.8(2) 

access-list outside_cryptomap_4 extended permit ip object network_internal object Backup_Internal 

nat (inside,outside) source static network_internal network_internal destination static Backup_Internal Backup_Internal no-proxy-arp route-

crypto ipsec ikev1 transform-set ESP-AES-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac 
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5

crypto map outside_map 7 match address outside_cryptomap_4
crypto map outside_map 7 set pfs 
crypto map outside_map 7 set peer X.X.X.X
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set security-association lifetime kilobytes unlimited
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside


crypto isakmp identity address 
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
 vpn-tunnel-protocol ikev1 

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
 default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key XXXXXXX
 ikev2 remote-authentication pre-shared-key XXXXXXX
 ikev2 local-authentication pre-shared-key XXXXXXX 

FW B (backup):

ASA Version 9.1(1)

access-list outside_cryptomap extended permit ip Internal_Network object Main_DC_Internal 

nat (inside,outside) source static Internal_Network Internal_Network destination static Main_DC_Internal Main_DC_Internal no-proxy-arp route-lookup

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs 
crypto map outside_map 1 set peer X.X.X.X 
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800

group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
 vpn-tunnel-protocol ikev1 ikev2 

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
 default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key XXXXXX
 ikev2 remote-authentication pre-shared-key XXXXXXXX
 ikev2 local-authentication pre-shared-key XXXXXXXX

Thanks for your time!

1 answer

I suggest you check the crypto ACLs: outside_cryptomap_4 on FW A and outside_cryptomap on FW B. They must be identical, but mirrored.

The real content of the ACLs is hidden behind the objects you use. Do this:

On FW A issue the command "show access-list outside_cryptomap_4", and on FW B "show access-list outside_cryptomap". (Yes, show access-list, not show run access-list.) This will show you both access lists expanded, without the objects. They must be identical, with one exception: the source in one ACL must be the destination in the other, and vice versa.

And yes, all ACL lines must be "permit ip". No deny lines. No tcp/udp/ports etc.

If you are not comfortable running commands over SSH, you can run specific commands from ASDM using a menu item.

Good luck!
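As an added example (not from the question or the answer above): a small Python checker that parses the object-expanded "show access-list" output from both firewalls, swaps FW B's source and destination, and reports ACEs that are not mirrored or are not plain "permit ip". The sample output and its addresses are constructed, and the exact line layout of "show access-list" is an assumption modelled on the ASA output format.

```python
import re

# One expanded ACE as printed by ASA "show access-list" (line layout is an
# assumption modelled on that output; the sample text below is constructed).
ACE_RE = re.compile(
    r"access-list\s+(?P<acl>\S+)\s+line\s+\d+\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>host \S+|any4|any|\S+ \S+)\s+"
    r"(?P<dst>host \S+|any4|any|\S+ \S+)"
)

def parse_aces(show_output):
    """Return [(action, proto, src, dst)] from the object-expanded ACE lines only."""
    aces = []
    for line in show_output.splitlines():
        if " object " in line or " object-group " in line:
            continue  # parent line; the indented children carry the real addresses
        m = ACE_RE.search(line)
        if m:
            aces.append((m["action"], m["proto"], m["src"], m["dst"]))
    return aces

def check_crypto_acls(show_a, show_b):
    """Compare FW A's crypto ACL with FW B's after swapping B's src/dst."""
    a, b = parse_aces(show_a), parse_aces(show_b)
    not_permit_ip = [ace for ace in a + b if ace[:2] != ("permit", "ip")]
    b_mirrored = {(act, proto, dst, src) for act, proto, src, dst in b}
    missing_on_b = sorted(set(a) - b_mirrored)   # A has it, B lacks the mirror
    missing_on_a = sorted(b_mirrored - set(a))   # B has it, A lacks the mirror
    ok = not (not_permit_ip or missing_on_a or missing_on_b)
    return {"mirrored": ok, "not_permit_ip": not_permit_ip,
            "missing_on_a": missing_on_a, "missing_on_b": missing_on_b}

def mirror_ace_line(acl_name, ace):
    """Render the config line the other firewall needs for this ACE."""
    action, proto, src, dst = ace
    return f"access-list {acl_name} extended {action} {proto} {dst} {src}"

# Constructed sample output: FW A's object expands to two subnets, FW B's to one.
FW_A = """\
access-list outside_cryptomap_4; 2 elements; name hash: 0x1a2b3c4d
access-list outside_cryptomap_4 line 1 extended permit ip object network_internal object Backup_Internal (hitcnt=42) 0x0
  access-list outside_cryptomap_4 line 1 extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 (hitcnt=40) 0x1
  access-list outside_cryptomap_4 line 1 extended permit ip 10.11.0.0 255.255.0.0 10.20.0.0 255.255.0.0 (hitcnt=2) 0x2
"""
FW_B = """\
access-list outside_cryptomap; 1 elements; name hash: 0x5e6f7a8b
access-list outside_cryptomap line 1 extended permit ip object Internal_Network object Main_DC_Internal (hitcnt=7) 0x0
  access-list outside_cryptomap line 1 extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 (hitcnt=7) 0x3
"""
```

Running check_crypto_acls(FW_A, FW_B) on the constructed sample reports the 10.11.0.0/16 entry as missing on FW B, and mirror_ace_line renders the mirrored line that side would need.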