I have three sites: Toronto (1.1.1.1), Mississauga (2.2.2.2) and San Francisco (3.3.3.3). All three sites have an ASA 5520. Every site is connected to each of the other two by a site-to-site VPN link.
My problem is that the tunnel between Toronto and San Francisco is very unstable; it drops every 40 to 60 minutes. The tunnel between Toronto and Mississauga (same configuration) has no problems.
I have also noticed that my pings fail but the ASA thinks the tunnel is still up.
Here is the tunnel configuration.
Toronto (1.1.1.1)

    crypto map Outside_map 1 match address Outside_cryptomap
    crypto map Outside_map 1 set peer 3.3.3.3
    crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
    crypto map Outside_map 1 set ikev2 ipsec-proposal AES256

    group-policy GroupPolicy_3.3.3.3 internal
    group-policy GroupPolicy_3.3.3.3 attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 ikev2

    tunnel-group 3.3.3.3 type ipsec-l2l
    tunnel-group 3.3.3.3 general-attributes
     default-group-policy GroupPolicy_3.3.3.3
    tunnel-group 3.3.3.3 ipsec-attributes
     ikev1 pre-shared-key *****
     isakmp keepalive disable
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****

San Francisco (3.3.3.3)

    crypto map Outside_map0 2 match address Outside_cryptomap_1
    crypto map Outside_map0 2 set peer 1.1.1.1
    crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
    crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256

    group-policy GroupPolicy_1.1.1.1 internal
    group-policy GroupPolicy_1.1.1.1 attributes
     vpn-idle-timeout none
     vpn-tunnel-protocol ikev1 ikev2

    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
     default-group-policy GroupPolicy_1.1.1.1
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key *****
     isakmp keepalive disable
     ikev2 remote-authentication pre-shared-key *****
     ikev2 local-authentication pre-shared-key *****
I'm at a loss. Any ideas?
Update:
    # show crypto isakmp sa

    IKEv1 SAs:

       Active SA: 2
        Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 2

    1   IKE Peer: 3.3.3.3
        Type    : L2L             Role    : initiator
        Rekey   : no              State   : MM_ACTIVE
    2   IKE Peer: 2.2.2.2
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

    There are no IKEv2 SAs

    # show crypto ipsec sa
    interface: Outside
        Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

          access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
          current_peer: 2.2.2.2

          #pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
          #pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: EFADD3D6
          current inbound spi : 756AB014

        inbound esp sas:
          spi: 0x756AB014 (1969926164)
             transform: esp-aes-256 esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 1015808, crypto-map: External_map
             sa timing: remaining key lifetime (kB/sec): (4372005/17024)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xEFADD3D6 (4021146582)
             transform: esp-aes-256 esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 1015808, crypto-map: External_map
             sa timing: remaining key lifetime (kB/sec): (4369303/17024)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

        Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

          access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0
          local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
          current_peer: 2.2.2.2

          #pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
          #pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: D2002A5B
          current inbound spi : 2E1F7B20

        inbound esp sas:
          spi: 0x2E1F7B20 (773815072)
             transform: esp-aes-256 esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 1015808, crypto-map: External_map
             sa timing: remaining key lifetime (kB/sec): (3224936/17000)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0xD2002A5B (3523226203)
             transform: esp-aes-256 esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 1015808, crypto-map: External_map
             sa timing: remaining key lifetime (kB/sec): (2120164/17000)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

        Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

          access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0
          local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
          current_peer: 2.2.2.2

          #pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
          #pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 45B5CECD
          current inbound spi : 862EB1DB

        inbound esp sas:
          spi: 0x862EB1DB (2251207131)
             transform: esp-aes-256 esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 1015808, crypto-map: External_map
             sa timing: remaining key lifetime (kB/sec): (4318958/16999)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x45B5CECD (1169542861)
             transform: esp-aes-256 esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 1015808, crypto-map: External_map
             sa timing: remaining key lifetime (kB/sec): (4360717/16999)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

        Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1

          access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0
          local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
          remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
          current_peer: 3.3.3.3

          #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
          #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
          path mtu 1500, ipsec overhead 74, media mtu 1500
          current outbound spi: 6B0981E6
          current inbound spi : 2F85EB3C

        inbound esp sas:
          spi: 0x2F85EB3C (797305660)
             transform: esp-aes-256 esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 1245184, crypto-map: External_map
             sa timing: remaining key lifetime (kB/sec): (3944948/12647)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x6B0981E6 (1795785190)
             transform: esp-aes-256 esp-md5-hmac no compression
             in use settings ={L2L, Tunnel, PFS Group 2, }
             slot: 0, conn_id: 1245184, crypto-map: External_map
             sa timing: remaining key lifetime (kB/sec): (364451/12647)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001
I think this may be the keepalive being disabled; if there is no traffic, or the traffic is routed another way, it can cause the tunnel to drop due to inactivity. Try tearing down the tunnel on the target (clear isakmp sa $PEERIP) and then run debugging on the source to see whether it tries to re-establish the connection. http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#crypto_isakmp
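As an added example that is not part of the question or the answer above: a small Python helper that parses the `show crypto ipsec sa` output posted in the update and runs the two checks a practitioner reaches for when a tunnel "shows MM_ACTIVE but drops pings". It reports, per ESP SA, whether the volume (kB) or the time (sec) lifetime will be exhausted first, and it compares the SPIs seen on both ends of the tunnel. The Toronto-side input is the 3.3.3.3 entry from the posted output; the San Francisco-side input is constructed to show what a stale SA looks like (not something the poster observed), and the ASA default lifetimes of 28800 s / 4608000 kB are assumptions.

```python
"""Triage helper for Cisco ASA `show crypto ipsec sa` output.

Added example for this thread, not code from the original post or from Cisco.
Assumptions: ASA default IPsec SA lifetimes (28800 s / 4608000 kB) and the
San Francisco-side sample below, which is constructed for illustration.
"""
import re

# Toronto's view of the San Francisco tunnel, values copied from the output in
# the update (reflowed, non-essential lines dropped).
TORONTO_SF_SA = """
Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1
  local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
  current_peer: 3.3.3.3
  #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
  #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
  current outbound spi: 6B0981E6
  current inbound spi : 2F85EB3C
inbound esp sas:
  spi: 0x2F85EB3C (797305660)
     sa timing: remaining key lifetime (kB/sec): (3944948/12647)
outbound esp sas:
  spi: 0x6B0981E6 (1795785190)
     sa timing: remaining key lifetime (kB/sec): (364451/12647)
"""

# CONSTRUCTED: what the San Francisco ASA might show for the same tunnel if it
# kept a stale outbound SA after a rekey. Its inbound SPI matches Toronto's
# outbound SPI, but its outbound SPI (0C0FFEE1) is not what Toronto expects.
SF_TORONTO_SA_CONSTRUCTED = """
Crypto map tag: Outside_map0, seq num: 2, local addr: 3.3.3.3
  current_peer: 1.1.1.1
  #pkts encaps: 1756137, #pkts encrypt: 1756137, #pkts digest: 1756137
  #pkts decaps: 3444336, #pkts decrypt: 3444336, #pkts verify: 3444336
  current outbound spi: 0C0FFEE1
  current inbound spi : 6B0981E6
inbound esp sas:
  spi: 0x6B0981E6 (1795785190)
     sa timing: remaining key lifetime (kB/sec): (364451/12647)
outbound esp sas:
  spi: 0x0C0FFEE1 (202374881)
     sa timing: remaining key lifetime (kB/sec): (4500000/12647)
"""

SA_DEFAULT_KB = 4608000   # ASA default IPsec SA volume lifetime (assumed)
SA_DEFAULT_SEC = 28800    # ASA default IPsec SA time lifetime (assumed)

_SPI = re.compile(r"spi:\s*0x([0-9A-Fa-f]+)")
_LIFE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")


def _direction(chunk):
    """Extract SPI and remaining (kB, sec) from one 'esp sas:' section."""
    spi, life = _SPI.search(chunk), _LIFE.search(chunk)
    if not spi or not life:
        return None
    return {"spi": spi.group(1).upper(),
            "kb_left": int(life.group(1)), "sec_left": int(life.group(2))}


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag:' entry in the show output."""
    entries = []
    for block in re.split(r"(?=Crypto map tag:)", text):
        if "current_peer" not in block:
            continue
        before, _, outbound = block.partition("outbound esp sas:")
        inbound = before.split("inbound esp sas:")[-1]
        entries.append({
            "peer": re.search(r"current_peer:\s*(\S+)", block).group(1),
            "encaps": int(re.search(r"#pkts encaps:\s*(\d+)", block).group(1)),
            "decaps": int(re.search(r"#pkts decaps:\s*(\d+)", block).group(1)),
            "inbound": _direction(inbound),
            "outbound": _direction(outbound),
        })
    return entries


def rekey_trigger(sa, default_kb=SA_DEFAULT_KB, default_sec=SA_DEFAULT_SEC):
    """Which lifetime an SA exhausts first: the volume ('kb') or the time
    ('sec') counter. Both count down from the configured lifetime, so the one
    with the smaller remaining fraction fires first at the current rates."""
    kb_frac = sa["kb_left"] / default_kb
    sec_frac = sa["sec_left"] / default_sec
    return "kb" if kb_frac < sec_frac else "sec"


def check_spi_pairing(local, remote):
    """An ESP SA pair is healthy only if my outbound SPI is the peer's inbound
    SPI and vice versa. A mismatch means one side encrypts to an SA the other
    side no longer has: ISAKMP still shows MM_ACTIVE, but traffic is dropped."""
    problems = []
    if local["outbound"]["spi"] != remote["inbound"]["spi"]:
        problems.append("local outbound SPI %s != remote inbound SPI %s"
                        % (local["outbound"]["spi"], remote["inbound"]["spi"]))
    if local["inbound"]["spi"] != remote["outbound"]["spi"]:
        problems.append("local inbound SPI %s != remote outbound SPI %s"
                        % (local["inbound"]["spi"], remote["outbound"]["spi"]))
    return problems


if __name__ == "__main__":
    tor = parse_ipsec_sa(TORONTO_SF_SA)[0]
    sf = parse_ipsec_sa(SF_TORONTO_SA_CONSTRUCTED)[0]
    print("Toronto->SF outbound SA rekeys first on:", rekey_trigger(tor["outbound"]))
    print("Toronto<-SF inbound  SA rekeys first on:", rekey_trigger(tor["inbound"]))
    for p in check_spi_pairing(tor, sf):
        print("STALE SA:", p)
```

On the posted Toronto output the outbound SA toward 3.3.3.3 has 364451 kB of volume lifetime left against 12647 s of time, while its inbound partner still has 3944948 kB, so the outbound SA will rekey on volume well before its time limit and independently of the inbound one. The thread does not establish that this rekey is what drops the tunnel, but it is the asymmetry to watch, and it is the one tunnel in the output where the two directions differ that much. To run the SPI check for real, capture `show crypto ipsec sa peer 3.3.3.3` on Toronto and `show crypto ipsec sa peer 1.1.1.1` on San Francisco at the moment pings fail, and feed both captures to `parse_ipsec_sa`. The keepalive the answer refers to is IKEv1 DPD on the ASA, enabled per tunnel-group with `isakmp keepalive threshold 10 retry 2` under `tunnel-group 3.3.3.3 ipsec-attributes` in place of `isakmp keepalive disable`; it only helps if both peers run it, and it is also worth confirming that `crypto ipsec security-association lifetime seconds` and `kilobytes` match on both ASAs so the two ends do not disagree about when to rekey.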