I have an IPsec site-to-site VPN set up and working, but once the connection has been established for over an hour I run into a problem. After an hour, ASDM still thinks the VPN is connected and the connection duration keeps increasing, but as soon as the UI tries to send data down it, the tunnel is torn down and re-created along with the first packet sent from our firewall to the client machine on our network. I've turned on logging, and the following two lines look the most interesting:
Session Disconnected. ... Reason: crypto map policy not found
... Connection terminated for peer 213.123.59.222. Reason: Peer Terminate Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
213.123.59.222 is their external IP for the Check Point box, 78.129.136.64 is the machine on our local network that sends the data, and 171.28.18.50 is the machine on their network that I'm trying to send data to.
My timeout configuration is as follows:
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 180
 vpn-tunnel-protocol IPSec svc
I'd like to understand whether the problem is in the configuration on our side (ASA 5505) or on the customer's firewall (Check Point). Is there anything else I can check on my side before I get in touch with them?
Update: when I run show configuration, my access lists and crypto map are as follows (apologies if there are missing lines and odd names like 'bob'; I'm a bit out of my depth and found setting up the VPN to be somewhat trial and error!):
access-list basic extended permit tcp any any eq 3389
access-list basic extended permit tcp any any eq ssh
access-list basic extended permit tcp any any eq www
access-list basic extended permit tcp any any eq https
access-list basic remark MySQL
access-list basic extended permit tcp any any eq 3306
access-list allow extended permit ip any any
access-list NoNAT extended permit ip 78.129.136.64 255.255.255.240 10.199.2.0 255.255.255.0
access-list SiteAtoSiteB extended permit ip 78.129.136.64 255.255.255.240 10.199.2.0 255.255.255.0
access-list SiteAtoSiteB extended permit tcp 78.129.136.64 255.255.255.240 host 171.28.18.50 eq telnet
access-list bob standard permit host 171.28.18.50
...
crypto map SiteToSiteVPN 10 match address SiteAtoSiteB
crypto map SiteToSiteVPN 10 set pfs
crypto map SiteToSiteVPN 10 set peer 213.123.59.222
crypto map SiteToSiteVPN 10 set transform-set SiteAToSiteBtransform
crypto map SiteToSiteVPN 10 set security-association lifetime seconds 28800
crypto map SiteToSiteVPN 10 set security-association lifetime kilobytes 4608000
crypto map SiteToSiteVPN interface Outside
Sorry, I think I misunderstood Shane's comment; perhaps this information was in the error statement. The log entries generated when the first piece of data is sent after the hour are:
Teardown local-host Outside:171.28.18.50 duration 1:59:35
Teardown TCP connection 27792859 for Outside:171.28.18.50/23 to Inside:78.129.136.66/48572 duration 1:59:35 bytes 86765 Tunnel has been torn down
Ignoring msg to mark SA with dsID 72404992 dead because SA deleted
Group = 213.123.59.222, Username = 213.123.59.222, IP = 213.123.59.222, Session disconnected. Session Type: IPsec, Duration: 1h:59m:53s, Bytes xmt: 45646, Bytes rcv: 53194, Reason: crypto map policy not found
Pitcher: received key delete msg, spi 0xf025f6b
Pitcher: received key delete msg, spi 0x7447991f
Pitcher: received key delete msg, spi 0x7447991f
IP = 213.123.59.222, IKE_DECODE SENDING Message (msgid=27f78398) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Group = 213.123.59.222, IP = 213.123.59.222, constructing qm hash payload
Group = 213.123.59.222, IP = 213.123.59.222, constructing IKE delete payload
Group = 213.123.59.222, IP = 213.123.59.222, constructing blank hash payload
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0F025F6B) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7447991F) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
Group = 213.123.59.222, IP = 213.123.59.222, sending delete/delete with reason message
Group = 213.123.59.222, IP = 213.123.59.222, IKE SA MM:a6daae8d terminating: flags 0x01000002, refcnt 0, tuncnt 0
Group = 213.123.59.222, IP = 213.123.59.222, IKE SA MM:a6daae8d rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Group = 213.123.59.222, IP = 213.123.59.222, IKE Deleting SA: Remote Proxy 171.28.18.50, Local Proxy 78.129.136.64
Group = 213.123.59.222, IP = 213.123.59.222, Active unit receives a delete event for remote peer 213.123.59.222.
Group = 213.123.59.222, IP = 213.123.59.222, Connection terminated for peer 213.123.59.222. Reason: Peer Terminate Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
Group = 213.123.59.222, IP = 213.123.59.222, processing delete
Group = 213.123.59.222, IP = 213.123.59.222, processing hash payload
IP = 213.123.59.222, IKE_DECODE RECEIVED Message (msgid=b3da5da4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Built inbound UDP connection 27794863 for Outside:213.123.59.222/500 (213.123.59.222/500) to identity:87.117.211.90/500 (87.117.211.90/500)
Built local-host Outside:213.123.59.222
This is a common problem with Cisco + CP VPNs. Check the SA lifetime expiry settings on both sides; I believe Check Point uses 28800 seconds and Cisco 86400 (or the other way round).
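The answer above boils down to two checks: read the SA lifetimes actually configured on the ASA, and see whether the tunnel is dying at a lifetime boundary or well before it. The script below is an added example (not code from the question's author, Cisco or Check Point) that parses the crypto map lines and the "Session disconnected" / "Connection terminated" syslog messages posted in the question, converts the session duration to seconds, and reports which lifetime units differ from the peer. The PEER_LIFETIMES values stand in for whatever the Check Point administrator reports; they are assumed placeholders, not taken from the page.

```python
import re

# Constructed sample input: the crypto map lines and two syslog messages copied from the
# question above, so the parsers run offline against exactly the posted text.
ASA_CONFIG = """\
crypto map SiteToSiteVPN 10 match address SiteAtoSiteB
crypto map SiteToSiteVPN 10 set pfs
crypto map SiteToSiteVPN 10 set peer 213.123.59.222
crypto map SiteToSiteVPN 10 set transform-set SiteAToSiteBtransform
crypto map SiteToSiteVPN 10 set security-association lifetime seconds 28800
crypto map SiteToSiteVPN 10 set security-association lifetime kilobytes 4608000
"""

ASA_LOG = """\
Group = 213.123.59.222, Username = 213.123.59.222, IP = 213.123.59.222, Session disconnected. Session Type: IPsec, Duration: 1h:59m:53s, Bytes xmt: 45646, Bytes rcv: 53194, Reason: crypto map policy not found
Group = 213.123.59.222, IP = 213.123.59.222, Connection terminated for peer 213.123.59.222. Reason: Peer Terminate Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
"""

# Assumed placeholder for the Check Point side: replace with the values the peer admin reports.
PEER_LIFETIMES = {"seconds": 86400, "kilobytes": 4608000}

LIFETIME_RE = re.compile(
    r"^crypto map (?P<map>\S+) (?P<seq>\d+) set security-association lifetime "
    r"(?P<unit>seconds|kilobytes) (?P<value>\d+)$"
)
DISCONNECT_RE = re.compile(
    r"Session disconnected\..*?Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s.*?Reason: (?P<reason>.+)$",
    re.IGNORECASE,
)
TERMINATE_RE = re.compile(r"Connection terminated for peer (?P<peer>\S+)\. Reason: (?P<reason>.+)$")


def parse_sa_lifetimes(config_text):
    """Map (crypto map name, sequence) -> {'seconds': N, 'kilobytes': N} from the running config."""
    lifetimes = {}
    for line in config_text.splitlines():
        m = LIFETIME_RE.match(line.strip())
        if m:
            key = (m["map"], int(m["seq"]))
            lifetimes.setdefault(key, {})[m["unit"]] = int(m["value"])
    return lifetimes


def parse_session_events(log_text):
    """Extract (kind, duration_seconds, reason) from 'Session disconnected' and
    'Connection terminated' messages; duration is None where the message carries none."""
    events = []
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            events.append(("disconnect", secs, m["reason"].strip()))
            continue
        m = TERMINATE_RE.search(line)
        if m:
            events.append(("terminate", None, m["reason"].strip()))
    return events


def lifetime_mismatches(local, peer):
    """Return the lifetime units (seconds/kilobytes) on which the two peers disagree."""
    return sorted(unit for unit in set(local) | set(peer) if local.get(unit) != peer.get(unit))


def near_lifetime(duration_seconds, lifetime_seconds, tolerance=120):
    """True when a session lasted about as long as a time-based lifetime, i.e. it ended
    at a rekey boundary rather than for a reason unrelated to SA expiry."""
    return abs(duration_seconds - lifetime_seconds) <= tolerance


if __name__ == "__main__":
    local = parse_sa_lifetimes(ASA_CONFIG)[("SiteToSiteVPN", 10)]
    print("ASA lifetimes:", local)
    print("units differing from peer:", lifetime_mismatches(local, PEER_LIFETIMES))
    for kind, secs, reason in parse_session_events(ASA_LOG):
        hint = ""
        if secs is not None:
            hint = " (at local SA lifetime)" if near_lifetime(secs, local["seconds"]) else " (well before local SA lifetime)"
        print(f"{kind}: {secs}s{hint} reason={reason!r}")
```

Run as a script it prints the ASA's 28800-second / 4608000-kilobyte lifetimes, flags "seconds" as differing from the placeholder peer value, and shows that the posted session lasted 7193 seconds, far short of the 28800-second IPsec SA lifetime, which is the kind of comparison worth having in hand before comparing settings with the Check Point side.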