Dual-hub DMVPN outage

network-engineering cisco vpn eigrp tunnel
2021-07-20 05:00:47

Our backup link has always used a GRE-tunnel-based VPN to the hub. Recently we installed a second hub and migrated the primary link to a GRE-tunnel-based VPN as well, with EIGRP handling the routing between the two. Last week the ISP went down and the primary VPN went down, which was fine, but every 30-40 minutes the backup VPN would stop passing traffic. When this happened I noticed the following.

debug ip packet would show the outside ACL blocking GRE packets. Why? These should be inside the IPsec packets, which is what is permitted, so why is the inner GRE being blocked?

Aug 26 14:43:54: IP: s=<vpn-gw1> (FastEthernet1), d=192.168.0.2, len 108, access denied, proto=47

At the same time, the inspect map was creating sessions for the NAT-T VPN. Why? Router-generated UDP inspection is not even configured.

Session 84295484 (192.168.0.2:4500)=>(<vpn-gw1>:4500) udp SIS_OPEN

Clearing this session with clear ip inspect session 84294584 restores traffic immediately.

Note that we don't care about spoke-to-spoke traffic, so our DMVPN configuration doesn't include it.

Spoke config:

version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
!
dot11 syslog
no ip source-route
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.159.100 192.168.159.126
ip dhcp excluded-address 192.168.159.1 192.168.159.49
ip dhcp excluded-address 192.168.179.1 192.168.179.49
!
ip dhcp pool pool1
network 192.168.159.0 255.255.255.128
default-router 192.168.159.1
dns-server 192.168.2.10 192.168.2.12
!
ip dhcp pool pool2
network 192.168.179.0 255.255.255.128
default-router 192.168.179.1
dns-server 8.8.8.8 8.8.4.4
!
no ip bootp server
no ip domain lookup
ip inspect name guest cuseeme
ip inspect name guest ftp
ip inspect name guest h323
ip inspect name guest icmp router-traffic
ip inspect name guest netshow
ip inspect name guest rcmd
ip inspect name guest realaudio
ip inspect name guest rtsp
ip inspect name guest esmtp
ip inspect name guest sqlnet
ip inspect name guest streamworks
ip inspect name guest tftp
ip inspect name guest udp
ip inspect name guest vdolive
ip inspect name guest tcp router-traffic
!
multilink bundle-name authenticated
!
vtp mode transparent
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key <key> address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 20
!
crypto ipsec transform-set aes128sha esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile vpn
set security-association lifetime seconds 28800
set transform-set aes128sha
!
archive
log config
hidekeys
!
vlan 99
name guest
!
ip ssh version 2
!
track 1 rtr 1
delay down 30 up 30
!
interface Tunnel0
ip address 192.168.101.159 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 192.168.101.1 <vpn-gw1>
ip nhrp network-id 100000
ip nhrp holdtime 300
ip nhrp nhs 192.168.101.1
ip tcp adjust-mss 1360
delay 1050
tunnel source FastEthernet1
tunnel destination <vpn-gw1>
tunnel key 100000
tunnel route-via FastEthernet1 mandatory
tunnel protection ipsec profile vpn
!
interface Tunnel1
ip address 192.168.103.159 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp map 192.168.103.1 <vpn-gw2>
ip nhrp network-id 300000
ip nhrp holdtime 300
ip nhrp nhs 192.168.103.1
ip tcp adjust-mss 1360
delay 1000
tunnel source FastEthernet0
tunnel destination <vpn-gw2>
tunnel key 300000
tunnel route-via FastEthernet0 mandatory
tunnel protection ipsec profile vpn
!
interface FastEthernet0
description ISP
ip address <public-ip> 255.255.255.248
ip access-group 101 in
ip nat outside
ip inspect guest out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
description Backup
ip address 192.168.0.2 255.255.255.0
ip access-group 101 in
ip nat outside
ip inspect guest out
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
switchport mode trunk
!
interface FastEthernet9
switchport access vlan 99
!
interface Vlan1
ip address 192.168.159.1 255.255.255.128
ip access-group 100 in
ip directed-broadcast
ip nat inside
ip virtual-reassembly
!
interface Vlan99
ip address 192.168.179.1 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
!
router eigrp 1
passive-interface Vlan1
passive-interface Vlan99
network 192.168.0.0 0.0.255.255
distance eigrp 130 170
no auto-summary
eigrp stub connected
!
ip local policy route-map sla
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <isp-gw> 180 track 1
ip route 0.0.0.0 0.0.0.0 192.168.0.1 200
ip route <vpn-gw1> 255.255.255.255 192.168.0.1
ip route <vpn-gw2> 255.255.255.255 <isp-gw>
!
no ip http server
no ip http secure-server
ip nat inside source list nat1 interface FastEthernet0 overload
ip nat inside source list nat2 interface FastEthernet1 overload
!
ip access-list extended nat1
permit ip 192.168.179.0 0.0.0.255 any
ip access-list extended nat2
permit ip 192.168.159.0 0.0.0.127 192.168.0.0 0.0.0.255
permit ip 192.168.179.0 0.0.0.255 any
ip access-list extended sla
permit icmp any host <vpn-gw2> echo
!
ip sla 1
icmp-echo <vpn-gw2> source-interface FastEthernet0
frequency 30
ip sla schedule 1 life forever start-time now
access-list 100 permit udp any eq bootpc any eq bootps
access-list 100 permit ip any <private-networks>
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any time-exceeded
access-list 101 permit esp <hq-public-subnet> 0.0.0.31 any
access-list 101 permit udp <hq-public-subnet> 0.0.0.31 any eq isakmp
access-list 101 permit udp <hq-public-subnet> 0.0.0.31 any eq non500-isakmp
access-list 101 permit tcp <hq-public-subnet> 0.0.0.31 any eq 22
access-list 102 deny ip any <private-networks>
access-list 102 deny ip any 10.0.0.0 0.255.255.255
access-list 102 permit ip any 192.168.179.0 0.0.0.127
access-list 102 deny ip any 172.16.0.0 0.15.255.255
access-list 102 deny ip any 192.168.0.0 0.0.255.255
access-list 102 permit ip any any
no cdp run
!
route-map sla permit 10
match ip address sla
set ip next-hop <isp-gw>
set interface Null0
!
control-plane
!
line con 0
logging synchronous
login local
line vty 0 4
exec-timeout 20 0
logging synchronous
login local

vpn-gw1 config:

interface Tunnel0
ip address 192.168.101.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat enable
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 300
ip virtual-reassembly in
ip tcp adjust-mss 1360
delay 1050
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpn

vpn-gw2 config:

interface Tunnel1
ip address 192.168.103.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nat enable
ip nhrp map multicast dynamic
ip nhrp network-id 300000
ip nhrp holdtime 300
ip virtual-reassembly in
ip tcp adjust-mss 1360
delay 1000
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 300000
tunnel protection ipsec profile vpn
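
As an added example (not code from the original post), the following Python script transcribes the spoke's access-list 101 and evaluates the packets from the debug output against it with IOS semantics: wildcard masks, first match, implicit deny at the end. <hq-public-subnet> and <vpn-gw1> are placeholders on the page, so hypothetical RFC 5737 addresses stand in for them, and the debug line is reconstructed from the one in the post with that substitution. It models only the static ACL; the dynamic openings that ip inspect creates and the router's handling of decrypted IPsec payloads are not modelled, so it confirms what the log line reports, not why a GRE packet reached the ACL in cleartext.

```python
"""Model of the spoke's access-list 101 (added example, not from the post).
Addresses for <hq-public-subnet> and <vpn-gw1> are hypothetical stand-ins."""
import ipaddress
import re

HQ_PUBLIC_SUBNET = "203.0.113.0"  # hypothetical <hq-public-subnet>, wildcard 0.0.0.31
VPN_GW1 = "203.0.113.5"           # hypothetical <vpn-gw1>, assumed inside that range
SPOKE_BACKUP_IP = "192.168.0.2"   # FastEthernet1 on the spoke, from the config

IP_PROTO = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50}
IOS_PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}
IOS_ICMP_TYPES = {"unreachable": 3, "source-quench": 4, "echo": 8, "time-exceeded": 11}

# Constructed from the debug line in the post, placeholder filled in.
SAMPLE_DEBUG = ("Aug 26 14:43:54: IP: s=%s (FastEthernet1), d=%s, len 108, "
                "access denied, proto=47" % (VPN_GW1, SPOKE_BACKUP_IP))
DEBUG_RE = re.compile(r"IP: s=(\S+) \((\S+)\), d=(\S+), len (\d+), (.*?), proto=(\d+)")


def wildcard_match(addr, base, wildcard):
    """IOS wildcard-mask compare: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _parse_addr(tok, i):
    """Consume 'any', 'host X' or 'X WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok[i] == "host":
        return tok[i + 1], "0.0.0.0", i + 2
    return tok[i], tok[i + 1], i + 2


def parse_ace(text):
    """Parse one numbered extended ACL line into its match criteria."""
    tok = text.split()
    if tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + text)
    ace = {"text": text, "action": tok[2], "proto": tok[3], "dport": None, "icmp_type": None}
    ace["src"], ace["src_wc"], i = _parse_addr(tok, 4)
    ace["dst"], ace["dst_wc"], i = _parse_addr(tok, i)
    if i < len(tok):
        if ace["proto"] == "icmp":
            ace["icmp_type"] = IOS_ICMP_TYPES[tok[i]]
        elif tok[i] == "eq":
            ace["dport"] = IOS_PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return ace


def ace_matches(ace, pkt):
    """True when every criterion of the ACE matches the packet."""
    if ace["proto"] != "ip" and IP_PROTO[ace["proto"]] != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], ace["src"], ace["src_wc"]):
        return False
    if not wildcard_match(pkt["dst"], ace["dst"], ace["dst_wc"]):
        return False
    if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
        return False
    return ace["icmp_type"] is None or pkt.get("icmp_type") == ace["icmp_type"]


def evaluate(acl, pkt):
    """First match wins; anything unmatched hits IOS's implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"]
    return "deny", "implicit deny"


def parse_debug_line(line):
    """Extract src, ingress interface, dst, verdict and protocol from 'debug ip packet'."""
    m = DEBUG_RE.search(line)
    if not m:
        raise ValueError("not a debug ip packet line: " + line)
    src, iface, dst, length, verdict, proto = m.groups()
    return {"src": src, "in_iface": iface, "dst": dst, "len": int(length),
            "verdict": verdict, "proto": int(proto)}


# access-list 101 from the spoke config, placeholder substituted.
ACL_101 = [parse_ace(l) for l in """
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any time-exceeded
access-list 101 permit esp {hq} 0.0.0.31 any
access-list 101 permit udp {hq} 0.0.0.31 any eq isakmp
access-list 101 permit udp {hq} 0.0.0.31 any eq non500-isakmp
access-list 101 permit tcp {hq} 0.0.0.31 any eq 22
""".format(hq=HQ_PUBLIC_SUBNET).split("\n") if l]


def classify_hub_packets(acl=ACL_101, hub=VPN_GW1, spoke=SPOKE_BACKUP_IP):
    """Verdict for each packet type the hub can send to the spoke's backup interface."""
    packets = {
        "esp": {"src": hub, "dst": spoke, "proto": 50},
        "isakmp": {"src": hub, "dst": spoke, "proto": 17, "dport": 500},
        "nat-t": {"src": hub, "dst": spoke, "proto": 17, "dport": 4500},
        "gre": {"src": hub, "dst": spoke, "proto": 47},
    }
    return {name: evaluate(acl, pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    pkt = parse_debug_line(SAMPLE_DEBUG)
    print("debug says '%s'; ACL model says %s" % (pkt["verdict"], evaluate(ACL_101, pkt)))
    for name, verdict in classify_hub_packets().items():
        print("%-7s %s" % (name, verdict))
```

Run stand-alone, it shows a bare GRE packet (proto 47) from vpn-gw1 falling through to the implicit deny while ESP, UDP/500 and UDP/4500 from the same host are permitted, which is consistent with the `access denied, proto=47` line in the post. To test a different ACL or placeholder values, change HQ_PUBLIC_SUBNET and VPN_GW1 or replace the ACL text.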

0 answers