Saya memiliki tiga situs, Toronto (1.1.1.1), Mississauga (2.2.2.2) dan San Francisco (3.3.3.3). Ketiga situs memiliki ASA 5520. Semua situs terhubung bersama dengan dua tautan VPN situs-ke-situs antara satu sama lain lokasi.
Masalah saya adalah bahwa terowongan antara Toronto dan San Francisco sangat tidak stabil, turun setiap 40 menit hingga 60 menit. Terowongan antara Toronto dan Mississauga (yang dikonfigurasi dengan cara yang sama) baik-baik saja tanpa tetes.
Saya juga memperhatikan bahwa ping saya jatuh tetapi ASA berpikir bahwa terowongan masih menyala dan berjalan.
Ini adalah konfigurasi terowongan.
Toronto (1.1.1.1)
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 3.3.3.3
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
San Francisco (3.3.3.3)
crypto map Outside_map0 2 match address Outside_cryptomap_1
crypto map Outside_map0 2 set peer 1.1.1.1
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
Saya bingung. Ada ide?
Memperbarui:
# show crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
# show crypto ipsec sa
interface: Outside
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
current_peer: 74.200.4.148
#pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
#pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: EFADD3D6
current inbound spi : 756AB014
inbound esp sas:
spi: 0x756AB014 (1969926164)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4372005/17024)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEFADD3D6 (4021146582)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4369303/17024)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
#pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D2002A5B
current inbound spi : 2E1F7B20
inbound esp sas:
spi: 0x2E1F7B20 (773815072)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3224936/17000)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD2002A5B (3523226203)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (2120164/17000)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
#pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 45B5CECD
current inbound spi : 862EB1DB
inbound esp sas:
spi: 0x862EB1DB (2251207131)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4318958/16999)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x45B5CECD (1169542861)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4360717/16999)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1
access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
#pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6B0981E6
current inbound spi : 2F85EB3C
inbound esp sas:
spi: 0x2F85EB3C (797305660)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1245184, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3944948/12647)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x6B0981E6 (1795785190)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1245184, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (364451/12647)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Apakah Anda kehilangan ping melalui internet publik?
—
Jeremy
Tidak, publik baik dari kedua lokasi.
—
ScottAdair
Seperti apa outputnya
—
Shane Madden
show crypto isakmp sadan show crypto ipsec sabagaimana masalah itu terjadi? Saya kira Anda sedang membersihkan SA untuk memperbaikinya, benar? Ada alasan khusus mengapa Anda menonaktifkan deteksi rekan mati? Dan yang terakhir: versi kode apa ini?
Semua sistem menjalankan 8.4 (2) dan ASDM 6.4 (5). Output perintah di atas. Tunnel mengatakan bahwa sudah habis, tetapi tidak ada lalu lintas yang melewati. Tidak ada alasan khusus untuk menonaktifkan teman mati, hanya mencoba hal-hal sore ini.
—
ScottAdair
Menarik, ASA di SF mengira terowongan itu turun, tetapi ASA di TO menganggapnya sudah habis ..
—
ScottAdair