Cisco ASA dropping site-to-site VPN


9

I have three sites, Toronto (1.1.1.1), Mississauga (2.2.2.2) and San Francisco (3.3.3.3). All three sites have an ASA 5520. All sites are connected to each other with site-to-site VPN links, two per location.

My problem is that the tunnel between Toronto and San Francisco is very unstable, dropping every 40 to 60 minutes. The tunnel between Toronto and Mississauga (which is configured the same way) is fine, with no drops.

I have also noticed that my pings drop but the ASA thinks the tunnel is still up and running.

Here is the tunnel configuration.

Toronto (1.1.1.1)

crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 3.3.3.3 
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256

group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
 default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

San Francisco (3.3.3.3)

crypto map Outside_map0 2 match address Outside_cryptomap_1
crypto map Outside_map0 2 set peer 1.1.1.1 
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256

group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-idle-timeout none
 vpn-tunnel-protocol ikev1 ikev2

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

I'm stumped. Any ideas?

Update:

# show crypto isakmp sa

 IKEv1 SAs:

    Active SA: 2
     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
 Total IKE SA: 2

 1   IKE Peer: 3.3.3.3
     Type    : L2L             Role    : initiator 
     Rekey   : no              State   : MM_ACTIVE 
 2   IKE Peer: 2.2.2.2
     Type    : L2L             Role    : responder 
     Rekey   : no              State   : MM_ACTIVE 

 There are no IKEv2 SAs



 # show crypto ipsec sa
 interface: Outside
     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
       current_peer: 74.200.4.148

       #pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
       #pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: EFADD3D6
       current inbound spi : 756AB014

     inbound esp sas:
       spi: 0x756AB014 (1969926164)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4372005/17024)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0xEFADD3D6 (4021146582)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4369303/17024)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2

       #pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
       #pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: D2002A5B
       current inbound spi : 2E1F7B20

     inbound esp sas:
       spi: 0x2E1F7B20 (773815072)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (3224936/17000)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0xD2002A5B (3523226203)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (2120164/17000)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1

       access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2

       #pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
       #pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: 45B5CECD
       current inbound spi : 862EB1DB

     inbound esp sas:
       spi: 0x862EB1DB (2251207131)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4318958/16999)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0x45B5CECD (1169542861)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1015808, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (4360717/16999)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

     Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1

       access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0 
       local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
       remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
       current_peer: 3.3.3.3

       #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
       #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
       #pkts compressed: 0, #pkts decompressed: 0
       #pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
       #send errors: 0, #recv errors: 0

       local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
       path mtu 1500, ipsec overhead 74, media mtu 1500
       current outbound spi: 6B0981E6
       current inbound spi : 2F85EB3C

     inbound esp sas:
       spi: 0x2F85EB3C (797305660)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1245184, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (3944948/12647)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0xFFFFFFFF 0xFFFFFFFF
     outbound esp sas:
       spi: 0x6B0981E6 (1795785190)
          transform: esp-aes-256 esp-md5-hmac no compression 
          in use settings ={L2L, Tunnel, PFS Group 2, }
          slot: 0, conn_id: 1245184, crypto-map: External_map
          sa timing: remaining key lifetime (kB/sec): (364451/12647)
          IV size: 16 bytes
          replay detection support: Y
          Anti replay bitmap: 
           0x00000000 0x00000001

Are you losing pings across the public internet?
Jeremy

No, the public side is fine from both locations.
ScottAdair

2
What does the output of show crypto isakmp sa and show crypto ipsec sa look like while the problem is occurring? I assume you're clearing the SAs to fix it, correct? Any particular reason you've disabled dead peer detection? And lastly: what code version is this?
Shane Madden

All systems are running 8.4(2) and ASDM 6.4(5). Command output is above. The tunnel says it's up, but no traffic is passing through it. No particular reason for disabling dead peer detection, just trying things this afternoon.
ScottAdair

Interesting, the ASA in SF thinks the tunnel is down, but the ASA in TO thinks it's up.
ScottAdair
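The symptom above (the Toronto ASA reports the tunnel up while no traffic returns) shows up in the encaps/decaps counters of show crypto ipsec sa: outbound encaps keep climbing while inbound decaps stay flat. The following is an added example, not code from the original post or from any answer, that diffs two snapshots of that output per (peer, remote subnet) and flags one-way SAs; the snapshot text is constructed and trimmed to the lines the parser needs.

```python
import re

# Constructed sample (not from the original post): two trimmed "show crypto ipsec sa"
# snapshots from the Toronto ASA a few minutes apart; counter values are made up.
SNAPSHOT_T0 = """
       remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
       current_peer: 3.3.3.3
       #pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
       #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
       remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2
       #pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
       #pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
"""
SNAPSHOT_T1 = """
       remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
       current_peer: 3.3.3.3
       #pkts encaps: 3444512, #pkts encrypt: 3444512, #pkts digest: 3444512
       #pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
       remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
       current_peer: 2.2.2.2
       #pkts encaps: 18777400, #pkts encrypt: 18777583, #pkts digest: 18777583
       #pkts decaps: 23208800, #pkts decrypt: 23208800, #pkts verify: 23208800
"""

IDENT_RE = re.compile(r"remote ident .*?:\s*\((\S+?)/")   # remote subnet of the ACE
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

def parse_counters(output):
    """Map (peer, remote subnet) -> [encaps, decaps] from 'show crypto ipsec sa' text."""
    counters, ident, key = {}, None, None
    for line in output.splitlines():
        if m := IDENT_RE.search(line):
            ident = m.group(1)              # remote ident precedes current_peer in ASA output
        elif m := PEER_RE.search(line):
            key = (m.group(1), ident)       # one entry per ACE/peer pair, so same-peer SAs don't collide
            counters[key] = [0, 0]
        elif (m := ENCAPS_RE.search(line)) and key:
            counters[key][0] = int(m.group(1))
        elif (m := DECAPS_RE.search(line)) and key:
            counters[key][1] = int(m.group(1))
    return counters

def find_one_way_sas(before, after):
    """SAs that kept encrypting outbound while decaps stayed flat: the ASA believes the tunnel is up, nothing returns."""
    return [key for key, (enc1, dec1) in after.items()
            if key in before and enc1 > before[key][0] and dec1 == before[key][1]]
```

On the sample, only the 3.3.3.3 SA is flagged, which matches the SF ASA considering the tunnel down while TO still holds its SA; with DPD disabled, nothing on the TO side will tear that stale SA down.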

Answers:


Licensed under cc by-sa 3.0 with attribution required.