ASA tunnel establishes but does not pass traffic

network-engineering cisco firewall network-security tunnel
2021-07-07 14:45:02

I have two offices (Victoria at IP 1.2.3.4 and Toronto at IP 5.6.7.8), each with pfSense running strongSwan, and each with an IKEv2 IPsec tunnel back to a Cisco ASA 5512 at IP 9.8.7.6. I recently updated the software on the ASA from 9.4.2(11) to 9.4.3(4) without any problems. Both tunnels came back up and ran normally for 1 day 17 hours, but then (with no configuration changes on either side) the Victoria tunnel stopped passing traffic.

The tunnel establishes without problems, but show ipsec sa tells me no traffic is passing through it. Bouncing the tunnel makes no difference.

ASA1# show ipsec sa peer 1.2.3.4
peer address: 1.2.3.4
    Crypto map tag: OUTSIDE_map, seq num: 1, local addr: 9.8.7.6

      access-list OUTSIDE_cryptomap_2 extended permit ip 192.168.242.0 255.255.255.0 192.168.244.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.244.0/255.255.255.0/0/0)
      current_peer: 1.2.3.4


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1428, #pkts decrypt: 1428, #pkts verify: 1428
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 9.8.7.6/500, remote crypto endpt.: 1.2.3.4/500
      path mtu 1500, ipsec overhead 55(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: CB3A6309
      current inbound spi : 5E3D8A13

    inbound esp sas:
      spi: 0x5E3D8A13 (1581091347)
         transform: esp-aes-gcm-256 esp-null-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 167936, crypto-map: OUTSIDE_map
         sa timing: remaining key lifetime (sec): 2676
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xCB3A6309 (3409601289)
         transform: esp-aes-gcm-256 esp-null-hmac no compression 
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 167936, crypto-map: OUTSIDE_map
         sa timing: remaining key lifetime (sec): 2676
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

A packet capture looking for dropped packets gave me this, but it doesn't tell me which rule is being applied.

939: 20:11:44.438591 0023.ab3f.8255 24e9.b315.cddf 0x0800 Length: 89
      192.168.244.114.51353 > 192.168.242.200.53:  [no cksum] udp 47 [tos 0x10]  (ttl 63, id 8826) Drop-reason: (acl-drop) Flow is denied by configured rule

Below is some of the relevant configuration; as far as I can tell, both offices are the same. If anyone has any suggestions about what might be going on here, I'd be very grateful!

ASA1# show running-config crypto map
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap_2
crypto map OUTSIDE_map 1 set pfs group14
crypto map OUTSIDE_map 1 set peer 1.2.3.4
crypto map OUTSIDE_map 1 set ikev2 ipsec-proposal AESGCM
crypto map OUTSIDE_map 1 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 1 set nat-t-disable
crypto map OUTSIDE_map 2 match address OUTSIDE_cryptomap_3
crypto map OUTSIDE_map 2 set pfs group14
crypto map OUTSIDE_map 2 set peer 5.6.7.8
crypto map OUTSIDE_map 2 set ikev2 ipsec-proposal AESGCM
crypto map OUTSIDE_map 2 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 2 set nat-t-disable
crypto map OUTSIDE_map interface OUTSIDE

ASA1# show running-config access-list OUTSIDE_cryptomap_2
access-list OUTSIDE_cryptomap_2 extended permit ip object NOC-network object Victoria-network

ASA1# show running-config access-list OUTSIDE_cryptomap_3
access-list OUTSIDE_cryptomap_3 extended permit ip object NOC-network object Toronto-network

ASA1# show running-config nat
nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Victoria-network Victoria-network no-proxy-arp route-lookup
nat (INSIDE,OUTSIDE) source static NOC-network NOC-network destination static Toronto-network Toronto-network no-proxy-arp route-lookup

ASA1# show running-config tunnel-group 
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy GroupPolicy_Victoria
tunnel-group 1.2.3.4 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 general-attributes
 default-group-policy GroupPolicy_Toronto
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 15 retry 2
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

ASA1# show running-config crypto ikev2
crypto ikev2 policy 2
 encryption aes-gcm-256
 integrity null
 group 21 24
 prf sha512
 lifetime seconds 28800
crypto ikev2 policy 3
 encryption aes-256
 integrity sha512
 group 21 24
 prf sha512
 lifetime seconds 28800
crypto ikev2 enable OUTSIDE

ASA1# show running-config crypto ipsec
crypto ipsec ikev2 ipsec-proposal AES256-SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512
crypto ipsec ikev2 ipsec-proposal AESGCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity sha-512
crypto ipsec ikev2 sa-strength-enforcement
crypto ipsec security-association pmtu-aging infinite

ASA1# show running-config all sysopt
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp OUTSIDE
no sysopt noproxyarp INSIDE
no sysopt noproxyarp DMZ1
no sysopt noproxyarp management

1 Answer

Your scenario looks very similar to having a stale SPI on your ASA that "wins" over the valid active SPI. The bad news is that if this is the case... you can only correct it by rebooting the ASA itself.

You can try running packet tracer to simulate the traffic and check whether you see the "VPN encrypt phase" in the output. If you do, but the traffic fails to encrypt, it may be matching the inactive stale SPI.

You can also use show asp table classify crypto and look for matches in the crypto domain. You don't want to see multiple entries with the same cs_id. Look at this example (notice how their networks are exactly the same, but they have different cs_id values, and only one has hits?):

in  id=0x7fff370d6450, priority=70, domain=ipsec-tunnel-flow, deny=false
    hits=17302, user_data=0x8e0d6a4, **cs_id=0x7fff36c15af0**, reverse, flags=0x0, protocol=0
    src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
    dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

in  id=0x7fff3d48dda0, priority=70, domain=ipsec-tunnel-flow, deny=false
    hits=0, user_data=0xaaf9b0c, **cs_id=0x7fff38d9d080**, reverse, flags=0x0, protocol=0
    src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
    dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

The example above is something I took directly from troubleshooting exactly the same problem you describe, and in that case a reboot corrected the issue. I also ran into a problem where the same firewall stopped passing traffic on an active tunnel, with only a few hosts encapsulating and decapsulating. Bouncing the tunnel resolved that one.

These problems only started after upgrading their VPNs to IKEv2. I suspect that if you are rekeying the tunnels frequently on IKEv2, you are quite likely to run into SPI issues. You might want to try increasing the lifetime of the phase 2 tunnel, since you currently have it set to 3600 (my client was hitting the default data lifetime of the phase 2 tunnel every 4 minutes and rekeying, so I set the data lifetime to unlimited).
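The two checks the answer describes (duplicate classifier entries for the same networks with different cs_id values, and a tunnel whose counters show decaps but no encaps) are easy to miss by eye on a busy ASA. The following Python script is an added example, not code from the question, the answer, or Cisco: it parses pasted `show asp table classify crypto` and `show ipsec sa` output and reports both symptoms. The function names (`parse_asp_crypto`, `find_duplicate_cs_ids`, `sa_counters`, `classify_sa`) are hypothetical helpers; the sample text is reproduced inline from the output shown in this thread so the script runs offline.

```python
"""Flag the two IPsec symptoms discussed in this thread from pasted ASA output.

Added example (not the ASA's own tooling): groups `show asp table classify
crypto` entries by (domain, input_ifc, src, dst) and reports groups carrying
more than one distinct cs_id, then checks `show ipsec sa` counters for a
one-way tunnel (decaps > 0 while encaps == 0, as in the question).
"""
import re
from collections import defaultdict

# Sample text reproduced from the answer's `show asp table classify crypto` excerpt
# (the bold markers around cs_id have been removed so it parses as plain output).
ASP_SAMPLE = """\
in  id=0x7fff370d6450, priority=70, domain=ipsec-tunnel-flow, deny=false
    hits=17302, user_data=0x8e0d6a4, cs_id=0x7fff36c15af0, reverse, flags=0x0, protocol=0
    src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
    dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any

in  id=0x7fff3d48dda0, priority=70, domain=ipsec-tunnel-flow, deny=false
    hits=0, user_data=0xaaf9b0c, cs_id=0x7fff38d9d080, reverse, flags=0x0, protocol=0
    src ip/id=10.202.140.0, mask=255.255.255.0, port=0, tag=0
    dst ip/id=10.202.126.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
    input_ifc=outside, output_ifc=any
"""

# Sample counters reproduced from the question's `show ipsec sa` output.
IPSEC_SA_SAMPLE = """\
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 1428, #pkts decrypt: 1428, #pkts verify: 1428
"""

# One classifier entry spans five lines; capture the fields we compare on.
ENTRY_RE = re.compile(
    r"^(?P<dir>in|out)\s+id=(?P<id>0x[0-9a-f]+).*?domain=(?P<domain>[\w-]+).*?\n"
    r"\s+hits=(?P<hits>\d+).*?cs_id=(?P<cs_id>0x[0-9a-f]+).*?\n"
    r"\s+src ip/id=(?P<src>[\d.]+), mask=(?P<smask>[\d.]+).*?\n"
    r"\s+dst ip/id=(?P<dst>[\d.]+), mask=(?P<dmask>[\d.]+).*?\n"
    r"\s+input_ifc=(?P<in_ifc>\w+)",
    re.MULTILINE,
)


def parse_asp_crypto(text):
    """Return one dict per classifier entry found in the pasted output."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        d = m.groupdict()
        d["hits"] = int(d["hits"])
        entries.append(d)
    return entries


def find_duplicate_cs_ids(entries):
    """Map (domain, input_ifc, src/mask, dst/mask) -> [(cs_id, hits), ...]
    for every group of entries that carries more than one distinct cs_id.
    The entry with hits=0 is the likely stale one per the answer."""
    groups = defaultdict(list)
    for e in entries:
        key = (e["domain"], e["in_ifc"],
               f"{e['src']}/{e['smask']}", f"{e['dst']}/{e['dmask']}")
        groups[key].append((e["cs_id"], e["hits"]))
    return {k: v for k, v in groups.items() if len({cs for cs, _ in v}) > 1}


def sa_counters(text):
    """Pull the encaps/decaps packet counters out of `show ipsec sa` output."""
    return {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", text)}


def classify_sa(counters):
    """Describe the traffic direction a child SA is actually carrying."""
    enc, dec = counters.get("encaps", 0), counters.get("decaps", 0)
    if enc == 0 and dec > 0:
        return "one-way: receiving but not encrypting (check classifier / stale SPI)"
    if enc > 0 and dec == 0:
        return "one-way: encrypting but nothing decapsulated (check the peer side)"
    if enc == 0 and dec == 0:
        return "idle: no traffic in either direction"
    return "bidirectional"


if __name__ == "__main__":
    for key, members in find_duplicate_cs_ids(parse_asp_crypto(ASP_SAMPLE)).items():
        print("duplicate classifier entries for", key)
        for cs_id, hits in members:
            print(f"  cs_id={cs_id} hits={hits}{'  <- no hits, likely stale' if hits == 0 else ''}")
    print("ipsec sa:", classify_sa(sa_counters(IPSEC_SA_SAMPLE)))
```

Paste the real output into the two sample strings (or read them from files) and run the script; a group listed by `find_duplicate_cs_ids` with one member at zero hits is the pattern the answer attributes to a stale SPI, and a `one-way: receiving but not encrypting` result matches the counters in the question.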