我们有两个站点在两个防火墙之间运行ASA 5520。 最近我们遇到了负载下VPN失败的问题。 日志说在计算DH校验和方面有问题。 似乎没有什么办法来纠正这个问题,甚至拆除和完全重buildVPN也没有什么区别。 但是,如果两个防火墙重新启动,VPN立即回来! 思科规格说,VPN的最大容量为225Mbps,日志表明stream量已经达到了220Mbps的峰值,所以非常好。 我们已经在采取措施将stream量从vpn上移开,但仍然想要理解为什么问题首先发生。 有没有其他人看到这个问题?
日志:
这是日志条目(IP的obsfucated)。 最后几行然后开始重复
Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-5-750002: Local:xxx.xxx.xxx.125:500 Remote:xxx.xxx.xxx.126:500 Username:Unknown Received a IKE_INIT_SA request Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-4-750003: Local:xxx.xxx.xxx.125:500 Remote:xxx.xxx.xxx.126:500 Username:Unknown Negotiation aborted due to ERROR: Failed to compute the DH value Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = Man-Ext_map. Map Sequence Number = 1. Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-4-752011: IKEv1 Doesn't have a transform set specified Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2. Map Tag = Man-Ext_map. Map Sequence Number = 1. Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-4-752011: IKEv1 Doesn't have a transform set specified Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-5-750001: Local:xxx.xxx.xxx.125:500 Remote:xxx.xxx.xxx.126:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: xxx.xxx.xxx.241-xxx.xxx.xxx.241 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: xxx.xxx.xxx.11-xxx.xxx.xxx.11 Protocol: 0 Port Range: 0-65535 Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel. Map Tag = Man-Ext_map. Map Sequence Number = 1. Jul 2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA. All configured IKE versions failed to establish the tunnel. Map Tag= Man-Ext_map. Map Sequence Number = 1.