We have 2 sites connected together by a VPN tunnel (Fortigate 60C devices). At each site I have an ESXi server and several virtual machines. Normally, everything works.
Site 1 (S1): subnet 192.168.254.0/24, machines A1 and A2 on ESXi1
Site 2 (S2): subnet 192.168.253.0/24, machines B1 and B2 on ESXi2
All pings between these machines work normally through the VPN tunnel.
Suddenly, S1-A1 can no longer ping S2-B1, but S2-B1 still pings S1-A1.
All pings (using IP addresses) on all machines (VMs and ESXi) work, except S1-A1 → S2-B1.
The traceroute results are:
S1-A1 → S2-B1 → via the Internet (?????)
S1-A1 → S2-B2 → via the VPN tunnel
S2-B2 → S1-A1 → via the VPN tunnel
S1-A1 → S2-ESXi2 → via the VPN tunnel
Machine A1 is Windows 2003 R2 SP2. It has 5 IP addresses bound to the NIC. I tried disabling and re-enabling the NIC, but network management stopped responding. Only a reboot solved the problem.
route print does not change. The gateway is the same, and there is no specific route to B2.
arp -a shows nothing related to 192.168.253.0/24.
I don't understand why S1-A1 -> S2-ESXi2 works but not S1-A1 -> S2-B1, since B2 (192.168.253.18) runs on ESXi2 (192.168.253.23).
Registry entries for the network interface:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0E114693-5FC8-4AA4-AB98-14CE43E24DE5}]
"UseZeroBroadcast"=dword:00000000
"EnableDeadGWDetect"=dword:00000001
"EnableDHCP"=dword:00000000
"IPAddress"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,32,00,35,00,\
  34,00,2e,00,31,00,35,00,00,00,31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,\
  00,32,00,35,00,34,00,2e,00,31,00,32,00,00,00,31,00,39,00,32,00,2e,00,31,00,\
  36,00,38,00,2e,00,32,00,35,00,34,00,2e,00,31,00,33,00,00,00,31,00,39,00,32,\
  00,2e,00,31,00,36,00,38,00,2e,00,32,00,35,00,34,00,2e,00,31,00,35,00,31,00,\
  00,00,31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,32,00,35,00,34,00,2e,\
  00,34,00,30,00,00,00,00,00
which is 192.168.254.15 192.168.254.12 192.168.254.13 192.168.254.151 192.168.254.40
"SubnetMask"=hex(7):32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,32,00,35,\
  00,35,00,2e,00,30,00,00,00,32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,\
  32,00,35,00,35,00,2e,00,30,00,00,00,32,00,35,00,35,00,2e,00,32,00,35,00,35,\
  00,2e,00,32,00,35,00,35,00,2e,00,30,00,00,00,32,00,35,00,35,00,2e,00,32,00,\
  35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,30,00,00,00,32,00,35,00,35,00,2e,\
  00,32,00,35,00,35,00,2e,00,32,00,35,00,35,00,2e,00,30,00,00,00,00,00
which is 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0 255.255.255.0
"DefaultGateway"=hex(7):31,00,39,00,32,00,2e,00,31,00,36,00,38,00,2e,00,32,00,\
  35,00,34,00,2e,00,32,00,35,00,34,00,00,00,00,00
which is 192.168.254.254
"DefaultGatewayMetric"=hex(7):30,00,00,00,00,00
"NameServer"="192.168.254.254"
"Domain"=""
"RegistrationEnabled"=dword:00000001
"RegisterAdapterName"=dword:00000000
"TCPAllowedPorts"=hex(7):30,00,00,00,00,00
"UDPAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIPAllowedProtocols"=hex(7):30,00,00,00,00,00
"NTEContextList"=hex(7):00,00
"DhcpClassIdBin"=hex:
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000e10
"LeaseObtainedTime"=dword:51185713
"T1"=dword:51185e1b
"T2"=dword:51186361
"LeaseTerminatesTime"=dword:51186523
"IPAutoconfigurationAddress"="0.0.0.0"
"IPAutoconfigurationMask"="255.255.0.0"
"IPAutoconfigurationSeed"=dword:00000000
"AddressType"=dword:00000000
Since only A1 needed to be rebooted, I ruled out the Fortigates as part of the problem.
2013-09-19: It happened again. It seems to happen every time the VPN between the FortiGates drops.
HOCHELAGA_2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 64.15.130.49, wan1
C       10.10.10.0/24 is directly connected, dmz
C       10.100.254.1/32 is directly connected, fat
C       10.100.254.2/32 is directly connected, fat
C       64.15.130.48/28 is directly connected, wan1
                        is directly connected, wan1
                        is directly connected, wan1
                        is directly connected, wan1
                        is directly connected, wan1
                        is directly connected, wan1
S       192.168.200.0/24 [10/0] via 10.100.254.2, fat
C       192.168.250.0/24 is directly connected, internal
S       192.168.252.0/24 [10/0] is directly connected, hoch st-bruno
S       192.168.253.0/24 [10/0] is directly connected, HOCH-KAN
C       192.168.254.0/24 is directly connected, internal
                         is directly connected, internal
                         is directly connected, internal

HOCHELAGA_2 # diagnose ip route list
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.100.254.2/32 pref=10.100.254.1 gwy=0.0.0.0 dev=11(fat)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.48/28 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.64/26 pref=169.254.0.66 gwy=0.0.0.0 dev=16(havdlink1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.200.0/24 pref=0.0.0.0 gwy=10.100.254.2 dev=11(fat)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.250.0/24 pref=192.168.250.254 gwy=0.0.0.0 dev=5(internal)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/24 pref=10.10.10.1 gwy=0.0.0.0 dev=4(dmz)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.252.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=9(hoch st-bruno)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->192.168.253.0/24 pref=0.0.0.0 gwy=0.0.0.0 dev=10(HOCH-KAN)
tab=254 vf=0 scope=253 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.254.0/24 pref=192.168.254.254 gwy=0.0.0.0 dev=5(internal)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=64.15.130.49 dev=3(wan1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.63/32 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.255.255.255/32 pref=127.0.0.1 gwy=0.0.0.0 dev=7(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.1/32 pref=10.10.10.1 gwy=0.0.0.0 dev=4(dmz)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.0/32 pref=10.10.10.1 gwy=0.0.0.0 dev=4(dmz)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.100.254.1/32 pref=10.100.254.1 gwy=0.0.0.0 dev=11(fat)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.59/32 pref=64.15.130.59 gwy=0.0.0.0 dev=2(wan2)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.254.2/32 pref=192.168.254.254 gwy=0.0.0.0 dev=5(internal)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.58/32 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.66/32 pref=169.254.0.66 gwy=0.0.0.0 dev=16(havdlink1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.250.0/32 pref=192.168.250.254 gwy=0.0.0.0 dev=5(internal)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.254.1/32 pref=192.168.254.254 gwy=0.0.0.0 dev=5(internal)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.57/32 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.254.0/32 pref=192.168.254.254 gwy=0.0.0.0 dev=5(internal)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.56/32 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.64/32 pref=169.254.0.66 gwy=0.0.0.0 dev=16(havdlink1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.54/32 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->169.254.0.127/32 pref=169.254.0.66 gwy=0.0.0.0 dev=16(havdlink1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.53/32 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.52/32 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.10.10.255/32 pref=10.10.10.1 gwy=0.0.0.0 dev=4(dmz)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/32 pref=127.0.0.1 gwy=0.0.0.0 dev=7(root)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.254.254/32 pref=192.168.254.254 gwy=0.0.0.0 dev=5(internal)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.250.255/32 pref=192.168.250.254 gwy=0.0.0.0 dev=5(internal)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.1/32 pref=127.0.0.1 gwy=0.0.0.0 dev=7(root)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->64.15.130.48/32 pref=64.15.130.56 gwy=0.0.0.0 dev=3(wan1)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.250.254/32 pref=192.168.250.254 gwy=0.0.0.0 dev=5(internal)
tab=255 vf=0 scope=253 type=3 proto=2 prio=0 0.0.0.0/0.0.0.0/0->192.168.254.255/32 pref=192.168.254.254 gwy=0.0.0.0 dev=5(internal)
tab=255 vf=0 scope=254 type=2 proto=2 prio=0 0.0.0.0/0.0.0.0/0->127.0.0.0/8 pref=127.0.0.1 gwy=0.0.0.0 dev=7(root)
Ping succeeds on this server:
diagnose sniffer packet any "host 192.168.253.23" 4
23.232067 internal in 192.168.254.15 -> 192.168.253.23: icmp: echo request
23.232329 HOCH-KAN out 192.168.254.15 -> 192.168.253.23: icmp: echo request
23.248800 HOCH-KAN in 192.168.253.23 -> 192.168.254.15: icmp: echo reply
23.248932 internal out 192.168.253.23 -> 192.168.254.15: icmp: echo reply
Ping fails on this server:
diagnose sniffer packet any "host 192.168.253.18" 4
8.212249 internal in 192.168.254.15 -> 192.168.253.18: icmp: echo request
8.212479 wan1 out 64.15.130.56 -> 192.168.253.18: icmp: echo request
10.508155 internal in 192.168.254.15.1113 -> 192.168.253.18.139: syn 1271941747
10.508436 wan1 out 64.15.130.56.42334 -> 192.168.253.18.139: syn 1271941747
11.706287 internal in 192.168.254.15.1112 -> 192.168.253.18.445: syn 341420858
11.706540 wan1 out 64.15.130.56.42332 -> 192.168.253.18.445: syn 341420858
Why do two servers on the same network take different routes? I don't use any RIP, OSPF or BGP routing. There are no policy routes. Just static routes between the VPNs. Nothing shows a dynamic route for 192.168.253.23, yet the Fortigate decides to route it to the wan1 interface.
Is there anything I can check the next time it happens?
Thanks in advance.
Sorry if this is not completely clear, French is my mother tongue.
S.
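The sniffer output above already contains the evidence of what went wrong: an echo request to a tunnel-protected subnet entering on internal and leaving on wan1 with a public source address. The script below is an added example (not part of the question or of FortiOS) that turns that check into something you can run over a saved `diagnose sniffer packet ... 4` capture the next time it happens. The sample lines are constructed from the capture in the question; the mapping of protected subnets to tunnel interfaces (HOCH-KAN, hoch st-bruno) is taken from the routing table above and is an assumption about this setup.

```python
import ipaddress
import re

# Constructed sample input, modelled on the verbosity-4 sniffer lines in the
# question: "<timestamp> <interface> <in|out> <src[.port]> -> <dst[.port]>: <info>".
FAILING_CAPTURE = """\
8.212249 internal in 192.168.254.15 -> 192.168.253.18: icmp: echo request
8.212479 wan1 out 64.15.130.56 -> 192.168.253.18: icmp: echo request
10.508155 internal in 192.168.254.15.1113 -> 192.168.253.18.139: syn 1271941747
10.508436 wan1 out 64.15.130.56.42334 -> 192.168.253.18.139: syn 1271941747
"""

WORKING_CAPTURE = """\
23.232067 internal in 192.168.254.15 -> 192.168.253.23: icmp: echo request
23.232329 HOCH-KAN out 192.168.254.15 -> 192.168.253.23: icmp: echo request
23.248800 HOCH-KAN in 192.168.253.23 -> 192.168.254.15: icmp: echo reply
23.248932 internal out 192.168.253.23 -> 192.168.254.15: icmp: echo reply
"""

# Remote subnets that must only leave through their tunnel interface.
# Assumption: taken from the static routes in the question's routing table.
PROTECTED = {
    ipaddress.ip_network("192.168.253.0/24"): "HOCH-KAN",
    ipaddress.ip_network("192.168.252.0/24"): "hoch st-bruno",
}

# Interface names may contain spaces ("hoch st-bruno"), so the interface group
# is matched lazily up to the in/out direction keyword.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>.+?)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:\s*(?P<info>.*)$"
)


def parse_line(line):
    """Parse one sniffer line into a dict, or return None for non-packet lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pkt = m.groupdict()
    pkt["src"] = ipaddress.ip_address(pkt["src"])
    pkt["dst"] = ipaddress.ip_address(pkt["dst"])
    return pkt


def expected_tunnel(addr):
    """Name of the tunnel interface a packet to addr must use, or None."""
    for net, iface in PROTECTED.items():
        if addr in net:
            return iface
    return None


def find_leaks(capture_text):
    """One finding per egress packet whose destination belongs to a
    tunnel-protected subnet but which left on some other interface."""
    findings = []
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dir"] != "out":
            continue
        tunnel = expected_tunnel(pkt["dst"])
        if tunnel is None or pkt["iface"] == tunnel:
            continue
        findings.append({
            "ts": float(pkt["ts"]),
            "egress": pkt["iface"],
            "expected": tunnel,
            "dst": str(pkt["dst"]),
            "dport": pkt["dport"],
            # A public source address means source NAT was applied as well:
            # the private-to-private flow went out to the Internet in the clear.
            "snat": not pkt["src"].is_private,
            "info": pkt["info"],
        })
    return findings


if __name__ == "__main__":
    for name, capture in (("working", WORKING_CAPTURE), ("failing", FAILING_CAPTURE)):
        leaks = find_leaks(capture)
        print(f"{name}: {len(leaks)} packet(s) left outside the tunnel")
        for f in leaks:
            port = f".{f['dport']}" if f["dport"] else ""
            print(f"  t={f['ts']} {f['dst']}{port} via {f['egress']} "
                  f"(expected {f['expected']}, snat={f['snat']}): {f['info']}")
```

Run it against a capture saved from the CLI to get a per-packet list of flows that escaped the tunnel; the `snat` flag is the detail worth watching, because it shows that private traffic was not merely misrouted but rewritten to the WAN address and sent onto the Internet.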
We finally found the cause. It is related to a Fortigate ICMP session timeout problem. When the VPN goes down, the ICMP session is marked to go directly through the interface instead of the VPN tunnel. But when the VPN comes back up, the sessions going through that path are not modified until their live time reaches zero. With a continuous ping, the live time never reaches zero.
Adding a "blackhole" route for the remote subnet at a lower priority prevents the packets from ending up in the default route (interface). Instead, they take the blackhole route and are dropped there. When the tunnel is UP, traffic resumes on the route with the higher priority.
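The mechanism described in this answer, as an added model written for this page (it is not FortiGate code and is a deliberate simplification of FortiOS): a routing table that picks the longest prefix, then the lowest distance, then the lowest priority value, in front of a session table that caches the egress decision and keeps a session alive while packets keep arriving. Assumptions, all taken from the answer rather than from Fortinet documentation: sessions on a tunnel that goes down are re-evaluated on their next packet, sessions elsewhere are left alone until they expire, and a packet that hits the blackhole creates no session. The addresses, interface names and the distance of 254 for the blackhole route are my choices for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    device: str          # egress interface name, or "blackhole"
    distance: int = 10   # FortiOS static routes default to 10; lower is preferred
    priority: int = 0    # tie-break between equal distances; lower is preferred
    up: bool = True      # False = interface down, route withdrawn from selection


class RoutingTable:
    def __init__(self, routes):
        self.routes = list(routes)

    def set_link(self, device, up):
        for r in self.routes:
            if r.device == device:
                r.up = up

    def lookup(self, dst):
        """Longest prefix wins, then lowest distance, then lowest priority."""
        dst = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if r.up and dst in r.prefix]
        if not candidates:
            return None
        return min(candidates,
                   key=lambda r: (-r.prefix.prefixlen, r.distance, r.priority))


class Firewall:
    """Stateful forwarder: the egress decision is made once per session and
    reused while the session is alive, as the answer describes for ICMP."""

    def __init__(self, table, session_ttl):
        self.table = table
        self.ttl = session_ttl
        self.sessions = {}   # (src, dst) -> [egress_device, expiry_time]

    def link_change(self, device, up):
        self.table.set_link(device, up)
        if not up:
            # Assumption from the answer: sessions on the failed link are
            # re-evaluated; sessions on other links are not touched.
            self.sessions = {k: v for k, v in self.sessions.items() if v[0] != device}

    def forward(self, now, src, dst):
        key = (src, dst)
        session = self.sessions.get(key)
        if session and session[1] > now:
            session[1] = now + self.ttl   # continuous ping: the session never ages out
            return session[0]
        route = self.table.lookup(dst)
        if route is None or route.device == "blackhole":
            return "drop"                 # assumption: blackholed packets create no session
        self.sessions[key] = [route.device, now + self.ttl]
        return route.device


def simulate(with_blackhole):
    """Ping 192.168.254.15 -> 192.168.253.18 every 10 s. The tunnel HOCH-KAN
    drops before the t=30 ping and is back before the t=60 ping. Returns the
    egress chosen for each of the nine pings."""
    routes = [
        Route(ipaddress.ip_network("0.0.0.0/0"), "wan1"),              # default route
        Route(ipaddress.ip_network("192.168.253.0/24"), "HOCH-KAN"),  # remote subnet via tunnel
    ]
    if with_blackhole:
        # Same prefix as the tunnel route, but a much worse distance: it only
        # wins once the tunnel route is withdrawn, and still beats the /0.
        routes.append(Route(ipaddress.ip_network("192.168.253.0/24"),
                            "blackhole", distance=254))
    fw = Firewall(RoutingTable(routes), session_ttl=60)
    trace = []
    for t in range(0, 90, 10):
        if t == 30:
            fw.link_change("HOCH-KAN", False)
        if t == 60:
            fw.link_change("HOCH-KAN", True)
        trace.append(fw.forward(t, "192.168.254.15", "192.168.253.18"))
    return trace


if __name__ == "__main__":
    print("without blackhole:", simulate(False))
    print("with blackhole:   ", simulate(True))
```

Without the blackhole route the ping session is re-homed to wan1 the moment the tunnel route disappears and stays there after the tunnel returns, which is the pinned-session behaviour the answer describes and the cleartext leak the sniffer showed. With it, the /24 blackhole is more specific than the default route, so the packets are dropped while the tunnel is down, no session is pinned, and the first ping after recovery takes the tunnel again. On a FortiGate the corresponding entry is a static route for the remote subnet under config router static with set blackhole enable and a distance higher than the tunnel route's (for example set distance 254 against the default 10); those are the FortiOS options I know for this, not values given in the answer.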