L2L VPN issue between Pix 506e and ASA5520

networking cisco vpn l2vpn
2021-08-03 21:45:23

I have a site-to-site VPN tunnel between a Pix 506e running 6.3(3) and an ASA 5510 running 9.0(3)6. I control both ends of the configuration.

This tunnel worked fine before we did a firmware update on the ASA, which was originally running 8.4(2). I have 3 tunnels terminating on our ASA, and the ones whose peer IPs are Pix 506e devices have problems; I don't know why. I will focus on one tunnel in particular, hoping someone can help me fix it, and I can then try to apply the fix to the other two.

The symptoms are as follows:

The tunnel comes up through Phase 1 and Phase 2. Everything works normally for a while, and then the tunnel drops. I see this over and over in the ASA's log:

Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel

If I go into the ASA and remove the crypto map, then re-add it, the tunnel comes back up and stays up again for a variable amount of time. When I say variable, I mean it can stay up for as long as half a day or as short as 15 minutes.

During the outage, if I run show isakmp sa on the pix I get the following

pix# show isakmp sa

Total     : 6
Embryonic : 0
        dst               src        state     pending     created
   2.2.2.2   1.1.1.1    QM_IDLE         0         115
   2.2.2.2   1.1.1.1    QM_IDLE         0         254
   2.2.2.2   1.1.1.1    QM_IDLE         0         123
   2.2.2.2   1.1.1.1    QM_IDLE         0         108
   2.2.2.2   1.1.1.1    QM_IDLE         0         224
   2.2.2.2   1.1.1.1    QM_IDLE         0         129

Running the same cmd on the ASA gives me

IKE Peer: 2.2.2.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

If I want the tunnel back up immediately, I can remove the crypto map from the ASA and re-add it, and everything works again for a while. What should I check?

Is there some difference between the isakmp configuration on the pix and ikev1 on the ASA that I should now be aware of? When the ASA was on 8.4(2) everything worked, and this only happens on my tunnels that terminate on PIX 506e devices running 6.3(3). That is the one clue I know of; I just don't understand what I should be looking at to figure out how to fix it.

PRODUCTION-NET in this sample configuration would be 192.168.11.0/24

ASA 5520

object-group network POGO
 network-object host 172.232.x.x

access-list POGO extended permit ip object PRODUCTION-NET object-group POGO 

nat (inside,outside) source static PRODUCTION-NET PRODUCTION-NET destination static POGO POGO

crypto map vpn-tunnel 320 match address POGO
crypto map vpn-tunnel 320 set peer 2.2.2.2
crypto map vpn-tunnel 320 set ikev1 transform-set ESP-AES-128-MD5

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
 default-group-policy VPN-TUNNEL-POLICY
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
 isakmp keepalive threshold 30 retry 10

Pix 506e

object-group network POGO_VPN 
  network-object host 172.232.x.x

access-list DSW permit ip object-group POGO_VPN 192.168.11.0 255.255.255.0

crypto ipsec transform-set AES128 esp-aes esp-md5-hmac 
crypto map pcmap 320 ipsec-isakmp
crypto map pcmap 320 match address POGO
crypto map pcmap 320 set peer 1.1.1.1
crypto map pcmap 320 set transform-set AES128
crypto map pcmap client configuration address initiate
crypto map pcmap client configuration address respond
crypto map pcmap interface outside
isakmp enable outside
isakmp key ******** address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode 
isakmp identity address
isakmp keepalive 30 10
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption aes
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

With debug crypto isakmp on, I see the following happen on the ASA side when the outage occurs. On the remote pix side, it shows no logs at all

ASA isakmp debug

    Jun 18 12:31:23 [IKEv1]IP = 2.2.2.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 2.2.2.2  local Proxy Address 192.168.11.0, remote Proxy Address 172.233.240.226,  Crypto map (vpn-tunnel)
    Jun 18 12:31:23 [IKEv1 DEBUG]IP = 2.2.2.2, constructing ISAKMP SA payload
    Jun 18 12:31:23 [IKEv1 DEBUG]IP = 2.2.2.2, constructing NAT-Traversal VID ver 02 payload
    Jun 18 12:31:23 [IKEv1 DEBUG]IP = 2.2.2.2, constructing NAT-Traversal VID ver 03 payload
    Jun 18 12:31:23 [IKEv1 DEBUG]IP = 2.2.2.2, constructing NAT-Traversal VID ver RFC payload
    Jun 18 12:31:23 [IKEv1 DEBUG]IP = 2.2.2.2, constructing Fragmentation VID + extended capabilities payload
    Jun 18 12:31:23 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 672
    Jun 18 12:31:30 [IKEv1]IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 18 12:31:30 [IKEv1]IP = 2.2.2.2, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Jun 18 12:31:31 [IKEv1]IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 672
    Jun 18 12:31:39 [IKEv1]IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 672
    Jun 18 12:31:47 [IKEv1]IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 672
    Jun 18 12:31:55 [IKEv1 DEBUG]IP = 2.2.2.2, IKE MM Initiator FSM error history (struct &0x74d097c8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
    Jun 18 12:31:55 [IKEv1 DEBUG]IP = 2.2.2.2, IKE SA MM:e7fa4a37 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
    Jun 18 12:31:55 [IKEv1 DEBUG]IP = 2.2.2.2, sending delete/delete with reason message

debug isakmp on the PIX

PEER_REAPER_TIMERshow isakmp sa         
Total     : 2
Embryonic : 0
        dst               src        state     pending     created
   2.2.2.2   1.1.1.1    QM_IDLE         0           6
   2.2.2.2   1.1.1.1    QM_IDLE         0         117
dswpix(config)# 
PEER_REAPER_TIMER
PEER_REAPER_TIMER
REAPER_TIMER
ISADB: reaper checking SA 0x10232bc, conn_id = 0
ISADB: reaper checking SA 0xfe9a44, conn_id = 0
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
REAPER_TIMER
ISADB: reaper checking SA 0x10232bc, conn_id = 0
ISADB: reaper checking SA 0xfe9a44, conn_id = 0
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
PEER_REAPER_TIMER
REAPER_TIMER
ISADB: reaper checking SA 0x10232bc, conn_id = 0
ISADB: reaper checking SA 0xfe9a44, conn_id = 0debug crypto ipsec 200 
0 answers
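The two outputs in the question are one-sided: the ASA resends its first main-mode message (msgid=0, SA + VENDOR payloads) three times, errors out in MM_WAIT_MSG2 and tears the IKE SA down, while the PIX still lists six QM_IDLE SAs for the same dst/src pair with different created times. Since the poster has three such tunnels, a check that parses both sides and flags that pattern per peer is a practical first step. The script below is an added example written for this page; it is not from the poster and not a Cisco tool. It assumes the post's placeholder addresses (2.2.2.2 for the PIX, 1.1.1.1 for the ASA), and its sample input is copied from the question's own show isakmp sa table and a trimmed part of the ASA debug.

```python
import re
from collections import Counter

# Sample input copied from the post above: the PIX "show isakmp sa" table and a
# trimmed copy of the ASA "debug crypto isakmp" excerpt. 2.2.2.2 / 1.1.1.1 are
# the post's placeholder outside addresses (PIX / ASA).
PIX_SHOW_ISAKMP_SA = """\
Total     : 6
Embryonic : 0
        dst               src        state     pending     created
   2.2.2.2   1.1.1.1    QM_IDLE         0         115
   2.2.2.2   1.1.1.1    QM_IDLE         0         254
   2.2.2.2   1.1.1.1    QM_IDLE         0         123
   2.2.2.2   1.1.1.1    QM_IDLE         0         108
   2.2.2.2   1.1.1.1    QM_IDLE         0         224
   2.2.2.2   1.1.1.1    QM_IDLE         0         129
"""

ASA_IKEV1_DEBUG = """\
Jun 18 12:31:23 [IKEv1]IP = 2.2.2.2, IKE Initiator: New Phase 1, Intf inside, IKE Peer 2.2.2.2  local Proxy Address 192.168.11.0, remote Proxy Address 172.233.240.226,  Crypto map (vpn-tunnel)
Jun 18 12:31:23 [IKEv1]IP = 2.2.2.2, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 672
Jun 18 12:31:31 [IKEv1]IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 672
Jun 18 12:31:39 [IKEv1]IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 672
Jun 18 12:31:47 [IKEv1]IP = 2.2.2.2, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 672
Jun 18 12:31:55 [IKEv1 DEBUG]IP = 2.2.2.2, IKE MM Initiator FSM error history (struct &0x74d097c8)  <state>, <event>:  MM_DONE, EV_ERROR-->MM_WAIT_MSG2, EV_RETRY-->MM_WAIT_MSG2, EV_TIMEOUT-->MM_WAIT_MSG2, NullEvent-->MM_SND_MSG1, EV_SND_MSG-->MM_SND_MSG1, EV_START_TMR-->MM_SND_MSG1, EV_RESEND_MSG-->MM_WAIT_MSG2, EV_RETRY
Jun 18 12:31:55 [IKEv1 DEBUG]IP = 2.2.2.2, IKE SA MM:e7fa4a37 terminating:  flags 0x01000022, refcnt 0, tuncnt 0
"""

# One data row of the PIX table: dst src state pending created. The header and
# the Total/Embryonic lines do not have two trailing numeric fields, so they
# fail to match and are skipped.
SA_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")
# Peer address in an ASA IKEv1 debug line, e.g. "[IKEv1 DEBUG]IP = 2.2.2.2,"
PEER_RE = re.compile(r"\[IKEv1(?: DEBUG)?\]IP = (\S+),")


def parse_pix_isakmp_sa(text):
    """Parse PIX 6.x 'show isakmp sa' output into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            dst, src, state, pending, created = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "pending": int(pending), "created": int(created)})
    return rows


def phase1_sa_counts(rows, state="QM_IDLE"):
    """Number of Phase 1 SAs per (dst, src) pair in the given state. One
    established ISAKMP SA per pair is normal; several means old SAs were kept."""
    return Counter((r["dst"], r["src"]) for r in rows if r["state"] == state)


def asa_main_mode_status(log):
    """Per peer in an ASA IKEv1 debug: how often the first main-mode message
    (msgid=0) was resent, whether the initiator FSM errored in MM_WAIT_MSG2,
    and whether the IKE SA was then terminated."""
    status = {}
    for line in log.splitlines():
        pm = PEER_RE.search(line)
        if not pm:
            continue
        e = status.setdefault(pm.group(1), {"mm1_resends": 0,
                                            "waiting_for_msg2": False,
                                            "sa_terminated": False})
        if "IKE_DECODE RESENDING Message (msgid=0)" in line:
            e["mm1_resends"] += 1
        if "FSM error history" in line and "MM_WAIT_MSG2" in line:
            e["waiting_for_msg2"] = True
        if "IKE SA MM:" in line and "terminating" in line:
            e["sa_terminated"] = True
    return status


def diagnose(pix_sa_text, asa_debug_text, pix_addr, asa_addr):
    """Combine both sides for one tunnel. 'one_sided_phase1_failure' is set
    when the ASA gives up in MM_WAIT_MSG2 after resending MM1 while the PIX
    still holds more than one established SA for the same pair."""
    counts = phase1_sa_counts(parse_pix_isakmp_sa(pix_sa_text))
    asa = asa_main_mode_status(asa_debug_text).get(pix_addr, {})
    finding = {
        "pix_sas_for_pair": counts.get((pix_addr, asa_addr), 0),
        "asa_mm1_resends": asa.get("mm1_resends", 0),
        "asa_waiting_for_msg2": asa.get("waiting_for_msg2", False),
        "asa_sa_terminated": asa.get("sa_terminated", False),
    }
    finding["one_sided_phase1_failure"] = (
        finding["pix_sas_for_pair"] > 1
        and finding["asa_mm1_resends"] > 0
        and finding["asa_waiting_for_msg2"])
    return finding


if __name__ == "__main__":
    for k, v in diagnose(PIX_SHOW_ISAKMP_SA, ASA_IKEV1_DEBUG,
                         "2.2.2.2", "1.1.1.1").items():
        print(f"{k}: {v}")
```

Feed it the show isakmp sa output collected from each PIX during an outage together with the ASA debug for that peer, and it tells you which of the three tunnels show the same pattern as the one in the question. It does not tell you why the PIX keeps the old SAs; that still has to come from comparing the isakmp settings on both ends.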