"IPSec channel keeps dropping"
Posted by rvv80 (ok) on 30-Jun-09, 21:44
Guys, Cisco experts, please help!
The IPSec channel between two Cisco routers (2800 and 800 series) drops periodically.
Here is the log with debugging enabled. All I understood is that phase one completes; what comes next?
BB.BB.BB.BB - IP address of the Cisco the logs are from (800 series)
AA.AA.AA.AA - IP address of the other Cisco (2800 series)


Tue Jun 30 17:15:47 2009: <191>86183: Jun 30 17:15:46: ISAKMP:(2107):purging node -1323484845
Tue Jun 30 17:15:56 2009: <191>86184: Jun 30 17:15:56: ISAKMP (0:2107): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 17:15:56 2009: <191>86185: Jun 30 17:15:56: ISAKMP: set new node 486939029 to QM_IDLE      
Tue Jun 30 17:15:56 2009: <191>86186: Jun 30 17:15:56: crypto_engine: Decrypt IKE packet
Tue Jun 30 17:15:56 2009: <191>86187: Jun 30 17:15:56: crypto_engine: Generate IKE hash
Tue Jun 30 17:15:56 2009: <191>86188: Jun 30 17:15:56: ISAKMP:(2107): processing HASH payload. message ID = 486939029
Tue Jun 30 17:15:56 2009: <191>86189: Jun 30 17:15:56: ISAKMP:(2107): processing NOTIFY DPD/R_U_THERE protocol 1
Tue Jun 30 17:15:56 2009: <191>86190:     spi 0, message ID = 486939029, sa = 84945450
Tue Jun 30 17:15:56 2009: <191>86191: Jun 30 17:15:56: ISAKMP:(2107):deleting node 486939029 error FALSE reason "Informational (in) state 1"
Tue Jun 30 17:15:56 2009: <191>86192: Jun 30 17:15:56: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Tue Jun 30 17:15:56 2009: <191>86193: Jun 30 17:15:56: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:15:56 2009: <191>86194:
Tue Jun 30 17:15:56 2009: <191>86195: Jun 30 17:15:56: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D657
Tue Jun 30 17:15:56 2009: <191>86196: Jun 30 17:15:56: ISAKMP: set new node -2099879768 to QM_IDLE      
Tue Jun 30 17:15:56 2009: <191>86197: Jun 30 17:15:56: crypto_engine: Generate IKE hash
Tue Jun 30 17:15:56 2009: <191>86198: Jun 30 17:15:56: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:15:56 2009: <191>86199:     spi 2213298328, message ID = -2099879768
Tue Jun 30 17:15:56 2009: <191>86200: Jun 30 17:15:56: ISAKMP:(2107): seq. no 0x4246D657
Tue Jun 30 17:15:56 2009: <191>86201: Jun 30 17:15:56: crypto_engine: Encrypt IKE packet
Tue Jun 30 17:15:56 2009: <191>86202: Jun 30 17:15:56: ISAKMP:(2107): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 17:15:57 2009: <191>86203: Jun 30 17:15:56: ISAKMP:(2107):purging node -2099879768
Tue Jun 30 17:15:57 2009: <191>86204: Jun 30 17:15:56: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Tue Jun 30 17:15:57 2009: <191>86205: Jun 30 17:15:56: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:15:57 2009: <191>86206:
Tue Jun 30 17:16:01 2009: <191>86207: Jun 30 17:16:00: ISAKMP:(2107):purging node 1466803960
Tue Jun 30 17:16:07 2009: <190>86208: Jun 30 17:16:06: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 2 packets
Tue Jun 30 17:16:07 2009: <190>86209: Jun 30 17:16:06: %SEC-6-IPACCESSLOGP: list FROMINSIDE denied udp 192.168.22.114(137) -> 192.168.22.255(137), 154 packets
Tue Jun 30 17:16:09 2009: <191>86210: Jun 30 17:16:09: ISAKMP (0:2107): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 17:16:09 2009: <191>86211: Jun 30 17:16:09: ISAKMP: set new node -1871571346 to QM_IDLE      
Tue Jun 30 17:16:09 2009: <191>86212: Jun 30 17:16:09: crypto_engine: Decrypt IKE packet
Tue Jun 30 17:16:09 2009: <191>86213: Jun 30 17:16:09: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:09 2009: <191>86214: Jun 30 17:16:09: ISAKMP:(2107): processing HASH payload. message ID = -1871571346
Tue Jun 30 17:16:09 2009: <191>86215: Jun 30 17:16:09: ISAKMP:(2107): processing NOTIFY DPD/R_U_THERE protocol 1
Tue Jun 30 17:16:09 2009: <191>86216:     spi 0, message ID = -1871571346, sa = 84945450
Tue Jun 30 17:16:09 2009: <191>86217: Jun 30 17:16:09: ISAKMP:(2107):deleting node -1871571346 error FALSE reason "Informational (in) state 1"
Tue Jun 30 17:16:09 2009: <191>86218: Jun 30 17:16:09: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Tue Jun 30 17:16:09 2009: <191>86219: Jun 30 17:16:09: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:09 2009: <191>86220:
Tue Jun 30 17:16:09 2009: <191>86221: Jun 30 17:16:09: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D658
Tue Jun 30 17:16:09 2009: <191>86222: Jun 30 17:16:09: ISAKMP: set new node 1124809414 to QM_IDLE      
Tue Jun 30 17:16:09 2009: <191>86223: Jun 30 17:16:09: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:09 2009: <191>86224: Jun 30 17:16:09: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:16:09 2009: <191>86225:     spi 2213298328, message ID = 1124809414
Tue Jun 30 17:16:09 2009: <191>86226: Jun 30 17:16:09: ISAKMP:(2107): seq. no 0x4246D658
Tue Jun 30 17:16:09 2009: <191>86227: Jun 30 17:16:09: crypto_engine: Encrypt IKE packet
Tue Jun 30 17:16:09 2009: <191>86228: Jun 30 17:16:09: ISAKMP:(2107): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 17:16:10 2009: <191>86229: Jun 30 17:16:09: ISAKMP:(2107):purging node 1124809414
Tue Jun 30 17:16:10 2009: <191>86230: Jun 30 17:16:09: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Tue Jun 30 17:16:10 2009: <191>86231: Jun 30 17:16:09: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:10 2009: <191>86232:
Tue Jun 30 17:16:13 2009: <191>86233: Jun 30 17:16:11: ISAKMP:(2107):purging node -822301660
Tue Jun 30 17:16:22 2009: <191>86234: Jun 30 17:16:22: ISAKMP (0:2107): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 17:16:22 2009: <191>86235: Jun 30 17:16:22: ISAKMP: set new node 1118288486 to QM_IDLE      
Tue Jun 30 17:16:22 2009: <191>86236: Jun 30 17:16:22: crypto_engine: Decrypt IKE packet
Tue Jun 30 17:16:22 2009: <191>86237: Jun 30 17:16:22: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:22 2009: <191>86238: Jun 30 17:16:22: ISAKMP:(2107): processing HASH payload. message ID = 1118288486
Tue Jun 30 17:16:22 2009: <191>86239: Jun 30 17:16:22: ISAKMP:(2107): processing NOTIFY DPD/R_U_THERE protocol 1
Tue Jun 30 17:16:22 2009: <191>86240:     spi 0, message ID = 1118288486, sa = 84945450
Tue Jun 30 17:16:22 2009: <191>86241: Jun 30 17:16:22: ISAKMP:(2107):deleting node 1118288486 error FALSE reason "Informational (in) state 1"
Tue Jun 30 17:16:22 2009: <191>86242: Jun 30 17:16:22: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Tue Jun 30 17:16:22 2009: <191>86243: Jun 30 17:16:22: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:22 2009: <191>86244:
Tue Jun 30 17:16:22 2009: <191>86245: Jun 30 17:16:22: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D659
Tue Jun 30 17:16:22 2009: <191>86246: Jun 30 17:16:22: ISAKMP: set new node -451916554 to QM_IDLE      
Tue Jun 30 17:16:22 2009: <191>86247: Jun 30 17:16:22: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:22 2009: <191>86248: Jun 30 17:16:22: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:16:22 2009: <191>86249:     spi 2213298328, message ID = -451916554
Tue Jun 30 17:16:22 2009: <191>86250: Jun 30 17:16:22: ISAKMP:(2107): seq. no 0x4246D659
Tue Jun 30 17:16:22 2009: <191>86251: Jun 30 17:16:22: crypto_engine: Encrypt IKE packet
Tue Jun 30 17:16:22 2009: <191>86252: Jun 30 17:16:22: ISAKMP:(2107): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 17:16:23 2009: <191>86253: Jun 30 17:16:22: ISAKMP:(2107):purging node -451916554
Tue Jun 30 17:16:23 2009: <191>86254: Jun 30 17:16:22: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Tue Jun 30 17:16:23 2009: <191>86255: Jun 30 17:16:22: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:23 2009: <191>86256:
Tue Jun 30 17:16:23 2009: <191>86257: Jun 30 17:16:22: ISAKMP:(2107):purging node -744339648
Tue Jun 30 17:16:33 2009: <191>86258: Jun 30 17:16:33: ISAKMP (0:2107): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 17:16:33 2009: <191>86259: Jun 30 17:16:33: ISAKMP: set new node 553106236 to QM_IDLE      
Tue Jun 30 17:16:33 2009: <191>86260: Jun 30 17:16:33: crypto_engine: Decrypt IKE packet
Tue Jun 30 17:16:33 2009: <191>86261: Jun 30 17:16:33: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:33 2009: <191>86262: Jun 30 17:16:33: ISAKMP:(2107): processing HASH payload. message ID = 553106236
Tue Jun 30 17:16:33 2009: <191>86263: Jun 30 17:16:33: ISAKMP:(2107): processing NOTIFY DPD/R_U_THERE protocol 1
Tue Jun 30 17:16:33 2009: <191>86264:     spi 0, message ID = 553106236, sa = 84945450
Tue Jun 30 17:16:33 2009: <191>86265: Jun 30 17:16:33: ISAKMP:(2107):deleting node 553106236 error FALSE reason "Informational (in) state 1"
Tue Jun 30 17:16:33 2009: <191>86266: Jun 30 17:16:33: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Tue Jun 30 17:16:33 2009: <191>86267: Jun 30 17:16:33: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:33 2009: <191>86268:
Tue Jun 30 17:16:33 2009: <191>86269: Jun 30 17:16:33: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D65A
Tue Jun 30 17:16:33 2009: <191>86270: Jun 30 17:16:33: ISAKMP: set new node 1662856346 to QM_IDLE      
Tue Jun 30 17:16:33 2009: <191>86271: Jun 30 17:16:33: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:33 2009: <191>86272: Jun 30 17:16:33: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:16:33 2009: <191>86273:     spi 2213298328, message ID = 1662856346
Tue Jun 30 17:16:33 2009: <191>86274: Jun 30 17:16:33: ISAKMP:(2107): seq. no 0x4246D65A
Tue Jun 30 17:16:33 2009: <191>86275: Jun 30 17:16:33: crypto_engine: Encrypt IKE packet
Tue Jun 30 17:16:33 2009: <191>86276: Jun 30 17:16:33: ISAKMP:(2107): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 17:16:34 2009: <191>86277: Jun 30 17:16:33: ISAKMP:(2107):purging node 1662856346
Tue Jun 30 17:16:34 2009: <191>86278: Jun 30 17:16:33: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Tue Jun 30 17:16:34 2009: <191>86279: Jun 30 17:16:33: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:34 2009: <191>86280:
Tue Jun 30 17:16:35 2009: <191>86281: Jun 30 17:16:34: ISAKMP:(2107):purging node -259752925
Tue Jun 30 17:16:45 2009: <191>86282: Jun 30 17:16:45: ISAKMP (0:2107): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 17:16:45 2009: <191>86283: Jun 30 17:16:45: ISAKMP: set new node -900271755 to QM_IDLE      
Tue Jun 30 17:16:45 2009: <191>86284: Jun 30 17:16:45: crypto_engine: Decrypt IKE packet
Tue Jun 30 17:16:45 2009: <191>86285: Jun 30 17:16:45: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:45 2009: <191>86286: Jun 30 17:16:45: ISAKMP:(2107): processing HASH payload. message ID = -900271755
Tue Jun 30 17:16:45 2009: <191>86287: Jun 30 17:16:45: ISAKMP:(2107): processing NOTIFY DPD/R_U_THERE protocol 1
Tue Jun 30 17:16:45 2009: <191>86288:     spi 0, message ID = -900271755, sa = 84945450
Tue Jun 30 17:16:45 2009: <191>86289: Jun 30 17:16:45: ISAKMP:(2107):deleting node -900271755 error FALSE reason "Informational (in) state 1"
Tue Jun 30 17:16:45 2009: <191>86290: Jun 30 17:16:45: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Tue Jun 30 17:16:45 2009: <191>86291: Jun 30 17:16:45: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:45 2009: <191>86292:
Tue Jun 30 17:16:45 2009: <191>86293: Jun 30 17:16:45: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D65B
Tue Jun 30 17:16:45 2009: <191>86294: Jun 30 17:16:45: ISAKMP: set new node -563160542 to QM_IDLE      
Tue Jun 30 17:16:45 2009: <191>86295: Jun 30 17:16:45: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:45 2009: <191>86296: Jun 30 17:16:45: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:16:45 2009: <191>86297:     spi 2213298328, message ID = -563160542
Tue Jun 30 17:16:45 2009: <191>86298: Jun 30 17:16:45: ISAKMP:(2107): seq. no 0x4246D65B
Tue Jun 30 17:16:45 2009: <191>86299: Jun 30 17:16:45: crypto_engine: Encrypt IKE packet
Tue Jun 30 17:16:45 2009: <191>86300: Jun 30 17:16:45: ISAKMP:(2107): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 17:16:46 2009: <191>86301: Jun 30 17:16:45: ISAKMP:(2107):purging node -563160542
Tue Jun 30 17:16:46 2009: <191>86302: Jun 30 17:16:45: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Tue Jun 30 17:16:46 2009: <191>86303: Jun 30 17:16:45: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:46 2009: <191>86304:
Tue Jun 30 17:16:47 2009: <191>86305: Jun 30 17:16:46: ISAKMP:(2107):purging node 486939029
Tue Jun 30 17:16:57 2009: <191>86306: Jun 30 17:16:57: ISAKMP (0:2107): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 17:16:57 2009: <191>86307: Jun 30 17:16:57: ISAKMP: set new node -384570285 to QM_IDLE      
Tue Jun 30 17:16:57 2009: <191>86308: Jun 30 17:16:57: crypto_engine: Decrypt IKE packet
Tue Jun 30 17:16:57 2009: <191>86309: Jun 30 17:16:57: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:57 2009: <191>86310: Jun 30 17:16:57: ISAKMP:(2107): processing HASH payload. message ID = -384570285
Tue Jun 30 17:16:57 2009: <191>86311: Jun 30 17:16:57: ISAKMP:(2107): processing NOTIFY DPD/R_U_THERE protocol 1
Tue Jun 30 17:16:57 2009: <191>86312:     spi 0, message ID = -384570285, sa = 84945450
Tue Jun 30 17:16:57 2009: <191>86313: Jun 30 17:16:57: ISAKMP:(2107):deleting node -384570285 error FALSE reason "Informational (in) state 1"
Tue Jun 30 17:16:57 2009: <191>86314: Jun 30 17:16:57: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Tue Jun 30 17:16:57 2009: <191>86315: Jun 30 17:16:57: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:57 2009: <191>86316:
Tue Jun 30 17:16:57 2009: <191>86317: Jun 30 17:16:57: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D65C
Tue Jun 30 17:16:57 2009: <191>86318: Jun 30 17:16:57: ISAKMP: set new node 1158874429 to QM_IDLE      
Tue Jun 30 17:16:57 2009: <191>86319: Jun 30 17:16:57: crypto_engine: Generate IKE hash
Tue Jun 30 17:16:57 2009: <191>86320: Jun 30 17:16:57: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:16:57 2009: <191>86321:     spi 2213298328, message ID = 1158874429
Tue Jun 30 17:16:57 2009: <191>86322: Jun 30 17:16:57: ISAKMP:(2107): seq. no 0x4246D65C
Tue Jun 30 17:16:57 2009: <191>86323: Jun 30 17:16:57: crypto_engine: Encrypt IKE packet
Tue Jun 30 17:16:57 2009: <191>86324: Jun 30 17:16:57: ISAKMP:(2107): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 17:16:58 2009: <191>86325: Jun 30 17:16:57: ISAKMP:(2107):purging node 1158874429
Tue Jun 30 17:16:58 2009: <191>86326: Jun 30 17:16:57: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Tue Jun 30 17:16:58 2009: <191>86327: Jun 30 17:16:57: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:16:58 2009: <191>86328:
Tue Jun 30 17:17:00 2009: <191>86329: Jun 30 17:16:59: ISAKMP:(2107):purging node -1871571346
Tue Jun 30 17:17:07 2009: <190>86330: Jun 30 17:17:06: %SEC-6-IPACCESSLOGP: list FROMINSIDE denied udp 192.168.22.104(137) -> 192.168.22.255(137), 3 packets
Tue Jun 30 17:17:09 2009: <191>86331: Jun 30 17:17:09: ISAKMP (0:2107): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 17:17:09 2009: <191>86332: Jun 30 17:17:09: ISAKMP: set new node 1371984385 to QM_IDLE      
Tue Jun 30 17:17:09 2009: <191>86333: Jun 30 17:17:09: crypto_engine: Decrypt IKE packet
Tue Jun 30 17:17:09 2009: <191>86334: Jun 30 17:17:09: crypto_engine: Generate IKE hash
Tue Jun 30 17:17:09 2009: <191>86335: Jun 30 17:17:09: ISAKMP:(2107): processing HASH payload. message ID = 1371984385
Tue Jun 30 17:17:09 2009: <191>86336: Jun 30 17:17:09: ISAKMP:(2107): processing NOTIFY DPD/R_U_THERE protocol 1
Tue Jun 30 17:17:09 2009: <191>86337:     spi 0, message ID = 1371984385, sa = 84945450
Tue Jun 30 17:17:09 2009: <191>86338: Jun 30 17:17:09: ISAKMP:(2107):deleting node 1371984385 error FALSE reason "Informational (in) state 1"
Tue Jun 30 17:17:09 2009: <191>86339: Jun 30 17:17:09: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Tue Jun 30 17:17:09 2009: <191>86340: Jun 30 17:17:09: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:17:09 2009: <191>86341:
Tue Jun 30 17:17:09 2009: <191>86342: Jun 30 17:17:09: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D65D
Tue Jun 30 17:17:09 2009: <191>86343: Jun 30 17:17:09: ISAKMP: set new node -504146568 to QM_IDLE      
Tue Jun 30 17:17:09 2009: <191>86344: Jun 30 17:17:09: crypto_engine: Generate IKE hash
Tue Jun 30 17:17:09 2009: <191>86345: Jun 30 17:17:09: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:17:09 2009: <191>86346:     spi 2213298328, message ID = -504146568
Tue Jun 30 17:17:09 2009: <191>86347: Jun 30 17:17:09: ISAKMP:(2107): seq. no 0x4246D65D
Tue Jun 30 17:17:09 2009: <191>86348: Jun 30 17:17:09: crypto_engine: Encrypt IKE packet
Tue Jun 30 17:17:09 2009: <191>86349: Jun 30 17:17:09: ISAKMP:(2107): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 17:17:10 2009: <191>86350: Jun 30 17:17:09: ISAKMP:(2107):purging node -504146568
Tue Jun 30 17:17:10 2009: <191>86351: Jun 30 17:17:09: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Tue Jun 30 17:17:10 2009: <191>86352: Jun 30 17:17:09: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:17:10 2009: <191>86353:
Tue Jun 30 17:17:13 2009: <191>86354: Jun 30 17:17:12: ISAKMP:(2107):purging node 1118288486
Tue Jun 30 17:17:23 2009: <191>86355: Jun 30 17:17:23: ISAKMP (0:2107): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 17:17:23 2009: <191>86356: Jun 30 17:17:23: ISAKMP: set new node 2012346208 to QM_IDLE      
Tue Jun 30 17:17:23 2009: <191>86357: Jun 30 17:17:23: crypto_engine: Decrypt IKE packet
Tue Jun 30 17:17:23 2009: <191>86358: Jun 30 17:17:23: crypto_engine: Generate IKE hash
Tue Jun 30 17:17:23 2009: <191>86359: Jun 30 17:17:23: ISAKMP:(2107): processing HASH payload. message ID = 2012346208
Tue Jun 30 17:17:23 2009: <191>86360: Jun 30 17:17:23: ISAKMP:(2107): processing NOTIFY DPD/R_U_THERE protocol 1
Tue Jun 30 17:17:23 2009: <191>86361:     spi 0, message ID = 2012346208, sa = 84945450
Tue Jun 30 17:17:23 2009: <191>86362: Jun 30 17:17:23: ISAKMP:(2107):deleting node 2012346208 error FALSE reason "Informational (in) state 1"
Tue Jun 30 17:17:23 2009: <191>86363: Jun 30 17:17:23: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Tue Jun 30 17:17:23 2009: <191>86364: Jun 30 17:17:23: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:17:23 2009: <191>86365:
Tue Jun 30 17:17:23 2009: <191>86366: Jun 30 17:17:23: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D65E
Tue Jun 30 17:17:23 2009: <191>86367: Jun 30 17:17:23: ISAKMP: set new node -358622422 to QM_IDLE      
Tue Jun 30 17:17:23 2009: <191>86368: Jun 30 17:17:23: crypto_engine: Generate IKE hash
Tue Jun 30 17:17:23 2009: <191>86369: Jun 30 17:17:23: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:17:23 2009: <191>86370:     spi 2213298328, message ID = -358622422
Tue Jun 30 17:17:23 2009: <191>86371: Jun 30 17:17:23: ISAKMP:(2107): seq. no 0x4246D65E
Tue Jun 30 17:17:23 2009: <191>86372: Jun 30 17:17:23: crypto_engine: Encrypt IKE packet
Tue Jun 30 17:17:23 2009: <191>86373: Jun 30 17:17:23: ISAKMP:(2107): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 17:17:23 2009: <191>86374: Jun 30 17:17:23: ISAKMP:(2107):purging node -358622422
Tue Jun 30 17:17:23 2009: <191>86375: Jun 30 17:17:23: ISAKMP:(2107):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Tue Jun 30 17:17:23 2009: <191>86376: Jun 30 17:17:23: ISAKMP:(2107):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 17:17:23 2009: <191>86377:
Tue Jun 30 17:17:23 2009: <191>86378: Jun 30 17:17:23: ISAKMP:(2107):purging node 553106236



1. "IPSec channel keeps dropping"
Posted by ilya (ok) on 01-Jul-09, 09:02
>Guys, Cisco experts, please help!
>The IPSec channel between two Cisco routers (2800 and 800 series) drops periodically.
>Here is the log with debugging enabled. All I understood is that phase one completes;
>what comes next?
>BB.BB.BB.BB - IP address of the Cisco the logs are from (800 series)
>AA.AA.AA.AA - IP address of the other Cisco (2800 series)
>
>

Judging by the log, this is the DPD protocol at work, and it is behaving normally.
1. Show the configs from both sides.
2. After a drop, how long does the channel take to recover? What helps bring the channel back up?
3. Have you tried monitoring the reachability of the Cisco 800's external interface from the 2800? That is, are you 100% sure the fault is not the provider's?
4. Look at the debug output of the IPsec tunnel establishment.

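One way to check the reading given in the reply above (that the log shows routine DPD traffic) is to pair every R_U_THERE probe with its R_U_THERE_ACK and look at sequence numbers and spacing. This is an added example, not part of the original thread; the 30-second gap threshold and the last sample line are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Syslog prefix as in the posted log: "Tue Jun 30 17:15:56 2009: <191>86195: <IOS message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): <\d+>\d+: ?(?P<body>.*)$")
PROBE_RE = re.compile(
    r"ISAKMP:\((?P<sa>\d+)\):DPD/R_U_THERE received from peer "
    r"(?P<peer>[^,\s]+), sequence (?P<seq>0x[0-9A-Fa-f]+)")
ACK_RE = re.compile(r"ISAKMP:\((?P<sa>\d+)\):Sending NOTIFY DPD/R_U_THERE_ACK")
SEQ_RE = re.compile(r"ISAKMP:\((?P<sa>\d+)\): seq\. no (?P<seq>0x[0-9A-Fa-f]+)")

# Two exchanges copied from the log posted in this thread.
PAGE_EXCERPT = """\
Tue Jun 30 17:15:56 2009: <191>86195: Jun 30 17:15:56: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D657
Tue Jun 30 17:15:56 2009: <191>86198: Jun 30 17:15:56: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:15:56 2009: <191>86199:     spi 2213298328, message ID = -2099879768
Tue Jun 30 17:15:56 2009: <191>86200: Jun 30 17:15:56: ISAKMP:(2107): seq. no 0x4246D657
Tue Jun 30 17:16:09 2009: <191>86221: Jun 30 17:16:09: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D658
Tue Jun 30 17:16:09 2009: <191>86224: Jun 30 17:16:09: ISAKMP:(2107):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Tue Jun 30 17:16:09 2009: <191>86225:     spi 2213298328, message ID = 1124809414
Tue Jun 30 17:16:09 2009: <191>86226: Jun 30 17:16:09: ISAKMP:(2107): seq. no 0x4246D658
"""
# Constructed line (NOT from the thread): a late probe with skipped sequence
# numbers and no ACK logged, to show what a non-routine exchange looks like.
CONSTRUCTED_TAIL = """\
Tue Jun 30 17:17:40 2009: <191>90001: Jun 30 17:17:40: ISAKMP:(2107):DPD/R_U_THERE received from peer AA.AA.AA.AA, sequence 0x4246D65B
"""
SAMPLE_LOG = PAGE_EXCERPT + CONSTRUCTED_TAIL


def parse_dpd(log_text):
    """Return one record per received R_U_THERE, marked acked when the
    router logged an R_U_THERE_ACK carrying the same sequence number."""
    probes = []
    awaiting_seq = set()  # SA ids that logged "Sending ... ACK" and still owe a "seq. no" line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        when = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        body = m["body"]
        if (p := PROBE_RE.search(body)):
            probes.append({"sa": p["sa"], "peer": p["peer"],
                           "seq": int(p["seq"], 16), "time": when, "acked": False})
        elif (a := ACK_RE.search(body)):
            awaiting_seq.add(a["sa"])
        elif (s := SEQ_RE.search(body)) and s["sa"] in awaiting_seq:
            awaiting_seq.discard(s["sa"])
            seq = int(s["seq"], 16)
            # Mark the most recent probe on this SA that carries the same sequence.
            for probe in reversed(probes):
                if probe["sa"] == s["sa"] and probe["seq"] == seq:
                    probe["acked"] = True
                    break
    return probes


def audit_dpd(probes, max_gap_s=30):
    """Flag probes that were never acknowledged, sequence numbers that do not
    advance by one, and gaps between probes longer than max_gap_s (assumed value)."""
    findings = []
    last_by_sa = {}
    for p in probes:
        if not p["acked"]:
            findings.append(("unanswered", p["sa"], hex(p["seq"])))
        prev = last_by_sa.get(p["sa"])
        if prev is not None:
            if p["seq"] != (prev["seq"] + 1) & 0xFFFFFFFF:
                findings.append(("sequence_jump", p["sa"],
                                 f"{hex(prev['seq'])}->{hex(p['seq'])}"))
            gap = (p["time"] - prev["time"]).total_seconds()
            if gap > max_gap_s:
                findings.append(("probe_gap", p["sa"], gap))
        last_by_sa[p["sa"]] = p
    return findings


if __name__ == "__main__":
    for finding in audit_dpd(parse_dpd(SAMPLE_LOG)):
        print(finding)
```

Run over the exchanges copied from the thread alone, the audit returns no findings; only the constructed line triggers them.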

2. "IPSec channel keeps dropping"
Posted by rvv80 (ok) on 01-Jul-09, 10:20
Here is the IPSec establishment log from the Cisco 800:

Tue Jun 30 16:49:45 2009: <191>83933: Jun 30 16:49:44: crypto_engine: Generate public/private keypair
Tue Jun 30 16:53:35 2009: <191>83944: Jun 30 16:53:34: ISAKMP (0:2106): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>83945: Jun 30 16:53:34: ISAKMP: set new node 394346856 to QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>83946: Jun 30 16:53:34: crypto_engine: Decrypt IKE packet
Tue Jun 30 16:53:35 2009: <191>83947: Jun 30 16:53:34: crypto_engine: Generate IKE hash
Tue Jun 30 16:53:35 2009: <191>83948: Jun 30 16:53:34: ISAKMP:(2106): processing HASH payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83949: Jun 30 16:53:34: ISAKMP:(2106): processing SA payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83950: Jun 30 16:53:34: ISAKMP:(2106):Checking IPSec proposal 1
Tue Jun 30 16:53:35 2009: <191>83951: Jun 30 16:53:34: ISAKMP: transform 1, ESP_AES
Tue Jun 30 16:53:35 2009: <191>83952: Jun 30 16:53:34: ISAKMP:   attributes in transform:
Tue Jun 30 16:53:35 2009: <191>83953: Jun 30 16:53:34: ISAKMP:      encaps is 1 (Tunnel)
Tue Jun 30 16:53:35 2009: <191>83954: Jun 30 16:53:34: ISAKMP:      SA life type in seconds
Tue Jun 30 16:53:35 2009: <191>83955: Jun 30 16:53:34: ISAKMP:      SA life duration (VPI) of  0x0 0x1 0x51 0x80
Tue Jun 30 16:53:35 2009: <191>83956: Jun 30 16:53:34: ISAKMP:      SA life type in kilobytes
Tue Jun 30 16:53:35 2009: <191>83957: Jun 30 16:53:34: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
Tue Jun 30 16:53:35 2009: <191>83958: Jun 30 16:53:34: ISAKMP:      authenticator is HMAC-SHA
Tue Jun 30 16:53:35 2009: <191>83959: Jun 30 16:53:34: ISAKMP:      key length is 128
Tue Jun 30 16:53:35 2009: <191>83960: Jun 30 16:53:34: ISAKMP:      group is 2
Tue Jun 30 16:53:35 2009: <191>83961: Jun 30 16:53:34: CryptoEngine0: validate proposal
Tue Jun 30 16:53:35 2009: <191>83962: Jun 30 16:53:34: ISAKMP:(2106):atts are acceptable.
Tue Jun 30 16:53:35 2009: <191>83963: Jun 30 16:53:34: IPSEC(validate_proposal_request): proposal part #1
Tue Jun 30 16:53:35 2009: <191>83964: Jun 30 16:53:34: IPSEC(validate_proposal_request): proposal part #1,
Tue Jun 30 16:53:35 2009: <191>83965:   (key eng. msg.) INBOUND
Tue Jun 30 16:53:35 2009: <191>83966: local= BB.BB.BB.BB, remote= AA.AA.AA.AA,
Tue Jun 30 16:53:35 2009: <191>83967:     local_proxy= 192.168.22.0/255.255.255.0/0/0 (type=4),
Tue Jun 30 16:53:35 2009: <191>83968:     remote_proxy= 192.168.0.0/255.255.255.0/0/0 (type=4),
Tue Jun 30 16:53:35 2009: <191>83969:     protocol= ESP, transform= esp-aes esp-sha-hmac  (Tunnel),
Tue Jun 30 16:53:35 2009: <191>83970:     lifedur= 0s and 0kb,
Tue Jun 30 16:53:35 2009: <191>83971:     spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
Tue Jun 30 16:53:35 2009: <191>83972: Jun 30 16:53:34: Crypto mapdb : proxy_match
Tue Jun 30 16:53:35 2009: <191>83973:     src addr     : 192.168.22.0
Tue Jun 30 16:53:35 2009: <191>83974:     dst addr     : 192.168.0.0
Tue Jun 30 16:53:35 2009: <191>83975:     protocol     : 0
Tue Jun 30 16:53:35 2009: <191>83976:     src port     : 0
Tue Jun 30 16:53:35 2009: <191>83977:     dst port     : 0
Tue Jun 30 16:53:35 2009: <191>83978: Jun 30 16:53:34: ISAKMP:(2106): processing NONCE payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83979: Jun 30 16:53:34: ISAKMP:(2106): processing KE payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83980: Jun 30 16:53:34: crypto_engine: Create DH shared secret
Tue Jun 30 16:53:35 2009: <191>83981: Jun 30 16:53:34: crypto_engine: Modular Exponentiation
Tue Jun 30 16:53:35 2009: <191>83982: Jun 30 16:53:34: ISAKMP:(2106): processing ID payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83983: Jun 30 16:53:34: ISAKMP:(2106): processing ID payload. message ID = 394346856
Tue Jun 30 16:53:35 2009: <191>83984: Jun 30 16:53:34: ISAKMP:(2106):QM Responder gets spi
Tue Jun 30 16:53:35 2009: <191>83985: Jun 30 16:53:34: ISAKMP:(2106):Node 394346856, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Tue Jun 30 16:53:35 2009: <191>83986: Jun 30 16:53:34: ISAKMP:(2106):Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
Tue Jun 30 16:53:35 2009: <191>83987: Jun 30 16:53:34: crypto_engine: Generate IKE hash
Tue Jun 30 16:53:35 2009: <191>83988: Jun 30 16:53:34: crypto_engine: Generate IKE QM keys
Tue Jun 30 16:53:35 2009: <191>83989: Jun 30 16:53:34: crypto_engine: Create IPSec SA (by keys)
Tue Jun 30 16:53:35 2009: <191>83990: Jun 30 16:53:34: crypto_engine: Generate IKE QM keys
Tue Jun 30 16:53:35 2009: <191>83991: Jun 30 16:53:34: crypto_engine: Create IPSec SA (by keys)
Tue Jun 30 16:53:35 2009: <191>83992: Jun 30 16:53:34: crypto engine: deleting DH phase 2 SW:68
Tue Jun 30 16:53:35 2009: <191>83993: Jun 30 16:53:34: crypto_engine: Delete DH shared secret
Tue Jun 30 16:53:35 2009: <191>83994: Jun 30 16:53:34: crypto engine: deleting DH SW:66
Tue Jun 30 16:53:35 2009: <191>83995: Jun 30 16:53:34: ISAKMP:(2106): Creating IPSec SAs
Tue Jun 30 16:53:35 2009: <191>83996: Jun 30 16:53:34:         inbound SA from AA.AA.AA.AA to BB.BB.BB.BB (f/i)  0/ 0
Tue Jun 30 16:53:35 2009: <191>83997:         (proxy 192.168.0.0 to 192.168.22.0)
Tue Jun 30 16:53:35 2009: <191>83998: Jun 30 16:53:34:         has spi 0xF6CB4C26 and conn_id 0
Tue Jun 30 16:53:35 2009: <191>83999: Jun 30 16:53:34:         lifetime of 86400 seconds
Tue Jun 30 16:53:35 2009: <191>84000: Jun 30 16:53:34:         lifetime of 4608000 kilobytes
Tue Jun 30 16:53:35 2009: <191>84001: Jun 30 16:53:34:         outbound SA from BB.BB.BB.BB to AA.AA.AA.AA (f/i) 0/0
Tue Jun 30 16:53:35 2009: <191>84002:         (proxy 192.168.22.0 to 192.168.0.0)
Tue Jun 30 16:53:35 2009: <191>84003: Jun 30 16:53:34:         has spi  0x8D3CAECD and conn_id 0
Tue Jun 30 16:53:35 2009: <191>84004: Jun 30 16:53:34:         lifetime of 86400 seconds
Tue Jun 30 16:53:35 2009: <191>84005: Jun 30 16:53:34:         lifetime of 4608000 kilobytes
Tue Jun 30 16:53:35 2009: <191>84006: Jun 30 16:53:34: crypto_engine: Encrypt IKE packet
Tue Jun 30 16:53:35 2009: <191>84007: Jun 30 16:53:34: ISAKMP:(2106): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>84008: Jun 30 16:53:34: ISAKMP:(2106):Node 394346856, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
Tue Jun 30 16:53:35 2009: <191>84009: Jun 30 16:53:34: ISAKMP:(2106):Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
Tue Jun 30 16:53:35 2009: <191>84010: Jun 30 16:53:34: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Tue Jun 30 16:53:35 2009: <191>84011: Jun 30 16:53:34: Crypto mapdb : proxy_match
Tue Jun 30 16:53:35 2009: <191>84012:     src addr     : 192.168.22.0
Tue Jun 30 16:53:35 2009: <191>84013:     dst addr     : 192.168.0.0
Tue Jun 30 16:53:35 2009: <191>84014:     protocol     : 0
Tue Jun 30 16:53:35 2009: <191>84015:     src port     : 0
Tue Jun 30 16:53:35 2009: <191>84016:     dst port     : 0
Tue Jun 30 16:53:35 2009: <191>84017: Jun 30 16:53:34: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer AA.AA.AA.AA
Tue Jun 30 16:53:35 2009: <191>84018: Jun 30 16:53:34: IPSEC(create_sa): sa created,
Tue Jun 30 16:53:35 2009: <191>84019:   (sa) sa_dest= BB.BB.BB.BB, sa_proto= 50,
Tue Jun 30 16:53:35 2009: <191>84020:     sa_spi= 0xF6CB4C26(4140518438),
Tue Jun 30 16:53:35 2009: <191>84021:     sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 39
Tue Jun 30 16:53:35 2009: <191>84022: Jun 30 16:53:34: IPSEC(create_sa): sa created
Tue Jun 30 16:53:35 2009: <191>84023: ,
Tue Jun 30 16:53:35 2009: <191>84024:   (sa) sa_dest= AA.AA.AA.AA, sa_proto= 50,
Tue Jun 30 16:53:35 2009: <191>84025:     sa_spi= 0x8D3CAECD(2369564365),
Tue Jun 30 16:53:35 2009: <191>84026:     sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 40
Tue Jun 30 16:53:35 2009: <191>84027: Jun 30 16:53:34: IPSEC(early_age_out_sibling): sibling outbound SPI 2F491DAD expiring in 30 seconds
Tue Jun 30 16:53:35 2009: <191>84028: Jun 30 16:53:34: ISAKMP: set new node -677888029 to QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>84029: Jun 30 16:53:34: crypto_engine: Generate IKE hash
Tue Jun 30 16:53:35 2009: <191>84030: Jun 30 16:53:34: crypto_engine: Encrypt IKE packet
Tue Jun 30 16:53:35 2009: <191>84031: Jun 30 16:53:34: ISAKMP:(2106): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>84032: Jun 30 16:53:34: ISAKMP:(2106):purging node -677888029
Tue Jun 30 16:53:35 2009: <191>84033: Jun 30 16:53:34: ISAKMP:(2106):Input = IKE_MESG_FROM_IPSEC, IKE_PHASE2_DEL
Tue Jun 30 16:53:35 2009: <191>84034: Jun 30 16:53:34: ISAKMP:(2106):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Tue Jun 30 16:53:35 2009: <191>84035:
Tue Jun 30 16:53:35 2009: <191>84036: Jun 30 16:53:35: crypto_engine: Delete DH
Tue Jun 30 16:53:35 2009: <191>84037: Jun 30 16:53:35: ISAKMP (0:2106): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) QM_IDLE      
Tue Jun 30 16:53:35 2009: <191>84038: Jun 30 16:53:35: crypto_engine: Decrypt IKE packet
Tue Jun 30 16:53:35 2009: <191>84039: Jun 30 16:53:35: crypto_engine: Generate IKE hash
Tue Jun 30 16:53:35 2009: <191>84040: Jun 30 16:53:35: ISAKMP:(2106):deleting node 394346856 error FALSE reason "QM done (await)"
Tue Jun 30 16:53:35 2009: <191>84041: Jun 30 16:53:35: ISAKMP:(2106):Node 394346856, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Tue Jun 30 16:53:35 2009: <191>84042: Jun 30 16:53:35: ISAKMP:(2106):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE

Everything seems to be in order; judging by the log, phase two is established as well, but there is no channel...


3. "IPSec channel keeps dropping"
Posted by rvv80 (ok) on 01-Jul-09, 10:29
Further on in the logs there is this:

..........
Tue Jun 30 16:56:55 2009: <191>84239: Jun 30 16:56:55: ISAKMP:(0): no idb in request
Tue Jun 30 16:56:55 2009: <191>84240: Jun 30 16:56:55: ISAKMP:(0): SA request profile is (NULL)
Tue Jun 30 16:56:55 2009: <191>84241: Jun 30 16:56:55: ISAKMP: Found a peer struct for AA.AA.AA.AA, peer port 500
Tue Jun 30 16:56:55 2009: <191>84242: Jun 30 16:56:55: ISAKMP: Locking peer struct 0x841AE4AC, refcount 2 for isakmp_initiator
Tue Jun 30 16:56:55 2009: <191>84243: Jun 30 16:56:55: ISAKMP: local port 500, remote port 500
Tue Jun 30 16:56:55 2009: <191>84244: Jun 30 16:56:55: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 84945450
Tue Jun 30 16:56:55 2009: <191>84245: Jun 30 16:56:55: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Tue Jun 30 16:56:55 2009: <191>84246: Jun 30 16:56:55: ISAKMP:(0):found peer pre-shared key matching AA.AA.AA.AA
Tue Jun 30 16:56:55 2009: <191>84247: Jun 30 16:56:55: ISAKMP:(0): constructed NAT-T vendor-07 ID
Tue Jun 30 16:56:55 2009: <191>84248: Jun 30 16:56:55: ISAKMP:(0): constructed NAT-T vendor-03 ID
Tue Jun 30 16:56:55 2009: <191>84249: Jun 30 16:56:55: ISAKMP:(0): constructed NAT-T vendor-02 ID
Tue Jun 30 16:56:55 2009: <191>84250: Jun 30 16:56:55: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Tue Jun 30 16:56:55 2009: <191>84251: Jun 30 16:56:55: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Tue Jun 30 16:56:55 2009: <191>84252:
Tue Jun 30 16:56:55 2009: <191>84253: Jun 30 16:56:55: ISAKMP:(0): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (I) MM_NO_STATE
Tue Jun 30 16:56:55 2009: <191>84254: Jun 30 16:56:55: ISAKMP:(2106):deleting SA reason "No reason" state (I) QM_IDLE       (peer AA.AA.AA.AA)
Tue Jun 30 16:56:55 2009: <191>84255: Jun 30 16:56:55: ISAKMP: Unlocking peer struct 0x841AE4AC for isadb_mark_sa_deleted(), count 1
Tue Jun 30 16:56:55 2009: <191>84256: Jun 30 16:56:55: ISAKMP:(2106):deleting node 653500214 error FALSE reason "IKE deleted"
Tue Jun 30 16:56:55 2009: <191>84257: Jun 30 16:56:55: ISAKMP:(2106):deleting node 1687837244 error FALSE reason "IKE deleted"
Tue Jun 30 16:56:55 2009: <191>84258: Jun 30 16:56:55: ISAKMP:(2106):deleting node -2133408964 error FALSE reason "IKE deleted"
Tue Jun 30 16:56:55 2009: <191>84259: Jun 30 16:56:55: ISAKMP:(2106):deleting node -1738275505 error FALSE reason "IKE deleted"
Tue Jun 30 16:56:55 2009: <191>84260: Jun 30 16:56:55: crypto engine: deleting IKE SA SW:106
Tue Jun 30 16:56:55 2009: <191>84261: Jun 30 16:56:55: crypto_engine: Delete IKE SA
Tue Jun 30 16:56:55 2009: <191>84262: Jun 30 16:56:55: ISAKMP:(2106):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Tue Jun 30 16:56:55 2009: <191>84263: Jun 30 16:56:55: ISAKMP:(2106):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
Tue Jun 30 16:56:55 2009: <191>84264:
Tue Jun 30 16:56:55 2009: <191>84265: Jun 30 16:56:55: crypto engine: deleting DH SW:64
Tue Jun 30 16:56:55 2009: <191>84266: Jun 30 16:56:55: crypto_engine: Delete DH
Tue Jun 30 16:56:55 2009: <191>84267: Jun 30 16:56:55: crypto_engine: Create DH
Tue Jun 30 16:56:55 2009: <191>84268: Jun 30 16:56:55: crypto_engine: Modular Exponentiation
Tue Jun 30 16:56:55 2009: <191>84269: Jun 30 16:56:55: ISAKMP (0:2106): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) MM_NO_STATE
Tue Jun 30 16:56:55 2009: <191>84270: Jun 30 16:56:55: ISAKMP (0:0): received packet from AA.AA.AA.AA dport 500 sport 500 Global (I) MM_NO_STATE
Tue Jun 30 16:56:55 2009: <191>84271: Jun 30 16:56:55: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
............................

What the heck is this...?

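The sequence visible in the log above (a new Main Mode exchange is initiated, then the existing IKE SA in QM_IDLE is deleted) can be extracted from a long debug capture mechanically. The Python code below is an added example, not part of the original posts; the function names, the `window` parameter and the four-line sample are constructed here.

```python
import re

# Constructed sample: four lines in the format of the debug output quoted in this thread.
SAMPLE = """\
Tue Jun 30 16:53:35 2009: <191>84042: Jun 30 16:53:35: ISAKMP:(2106):Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
Tue Jun 30 16:56:55 2009: <191>84251: Jun 30 16:56:55: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1
Tue Jun 30 16:56:55 2009: <191>84254: Jun 30 16:56:55: ISAKMP:(2106):deleting SA reason "No reason" state (I) QM_IDLE       (peer AA.AA.AA.AA)
Tue Jun 30 16:56:55 2009: <191>84263: Jun 30 16:56:55: ISAKMP:(2106):Old State = IKE_DEST_SA  New State = IKE_DEST_SA
"""

# Syslog wrapper used in the thread: "<pri>seq: Mon DD HH:MM:SS: message"
LINE = re.compile(r"<\d+>(\d+): (\w{3} +\d+ \d\d:\d\d:\d\d): (.*)$")
STATE = re.compile(r"ISAKMP:\((\d+)\):\s*Old State = (\S+)\s+New State = (\S+)")
DELETE = re.compile(r'ISAKMP:\((\d+)\):\s*deleting SA reason "([^"]*)" '
                    r"state \(([IR])\) (\S+)\s+\(peer ([^)\s]+)\)")

def parse(text):
    """Return real state changes and IKE SA deletions, in log order."""
    events = []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue  # e.g. "<191>84035:" or "spi 0, ..." lines without a timestamp
        seq, ts, msg = int(m.group(1)), m.group(2), m.group(3)
        s, d = STATE.search(msg), DELETE.search(msg)
        if s and s.group(2) != s.group(3):  # drop no-op transitions (DPD handling)
            events.append({"kind": "state", "seq": seq, "ts": ts, "sa": int(s.group(1)),
                           "old": s.group(2), "new": s.group(3)})
        elif d:
            events.append({"kind": "delete", "seq": seq, "ts": ts, "sa": int(d.group(1)),
                           "reason": d.group(2), "role": d.group(3),
                           "state": d.group(4), "peer": d.group(5)})
    return events

def established_sa_deletions(events, window=50):
    """Deletions of an IKE SA that was in QM_IDLE, each paired with the sequence
    number of a Main Mode initiation logged at most `window` records earlier."""
    findings, last_init = [], None
    for e in events:
        if e["kind"] == "state" and (e["old"], e["new"]) == ("IKE_READY", "IKE_I_MM1"):
            last_init = e["seq"]
        elif e["kind"] == "delete" and e["state"] == "QM_IDLE":
            near = last_init is not None and e["seq"] - last_init <= window
            findings.append({**e, "init_seq": last_init if near else None})
    return findings

if __name__ == "__main__":
    for f in established_sa_deletions(parse(SAMPLE)):
        print(f["ts"], "SA", f["sa"], "peer", f["peer"], repr(f["reason"]), "init", f["init_seq"])
```

Run over the full capture from each router, the output gives the timestamps at which an established IKE SA was torn down, which can then be lined up against the other side's log.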

4. "IPSec tunnel keeps dropping"
Posted by rvv80 (ok) on 01-Jul-09, 10:37
The configs on the Ciscos are as follows:

=================================================
Cisco 800 config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 10800
crypto isakmp key PRESHARED_KEY address AA.AA.AA.AA no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 periodic
!
!
crypto ipsec transform-set CENTR esp-aes esp-sha-hmac
!
crypto map CENTR 10 ipsec-isakmp
set peer AA.AA.AA.AA
set security-association lifetime seconds 86400
set transform-set CENTR
set pfs group2
match address IPSec

interface FastEthernet4
ip address BB.BB.BB.BB 255.255.255.240
ip access-group FROMOUTSIDE in
ip nat outside
ip inspect FROMINSIDE out
no ip virtual-reassembly
duplex auto
speed auto
crypto map CENTR

============================================================================

Cisco 2800 config:

crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 10800
crypto isakmp key PRESHARED_KEY address BB.BB.BB.BB no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 120 periodic
!
!
crypto ipsec transform-set BRANCH esp-aes esp-sha-hmac
!
crypto map BRANCH 10 ipsec-isakmp
set peer BB.BB.BB.BB
set security-association lifetime seconds 86400
set transform-set BRANCH
set pfs group2
match address IPSec

interface FastEthernet0/1
ip address AA.AA.AA.AA 255.255.255.128
ip access-group FROMOUTSIDE in
ip inspect FW out
ip ips IDS in
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
crypto map BRANCH


5. "IPSec tunnel keeps dropping"
Posted by rvv80 (ok) on 01-Jul-09, 10:44
After the connection drops, the IPSec tunnel comes back up after the Cisco is rebooted. The provider is Corbina, which, to put it mildly, provides a not very stable link (the Cisco 800 is at the warehouse, and the Internet there is a radio relay link). While the IPSec tunnel is down, the warehouse has Internet access (users browse web pages), and the external interface can be pinged from the office. Clearly link stability matters less for HTTP, but still...

6. "IPSec tunnel keeps dropping"
Posted by ilya (ok) on 06-Jul-09, 08:13
>After the connection drops, the IPSec tunnel comes back up after the Cisco is rebooted. The provider is Corbina,
>which, to put it mildly, provides a not very stable link (the Cisco 800 is at
>the warehouse, and the Internet there is a radio relay link). While the IPSec tunnel is down, the
>warehouse has Internet access (users browse web pages), and the external interface can be pinged from
>the office. Clearly link stability matters less for HTTP, but
>still...

Is this the only tunnel, or are there other similar 800-series Ciscos? This relates to the question of the IOS version: did you change it or not, did it help or not?

If you manually reset the tunnel on both sides after it has dropped (clear crypto...  ), does connectivity come back?

And I would try a minimal config (without pfs, without spi-recovery, maybe I would also remove IPS and Inspect from the interface)

And look once more at the ipsec debug without ike on both sides, and vice versa.


7. "IPSec tunnel keeps dropping"
Posted by serg_b on 08-Jul-09, 10:57
The 800 series does not get along very well with AES encryption; it is better to use 3des.
And instead of rebooting the Cisco, try clearing the crypto session and then running a ping from one router to the other.
clear crypto session
ping BB.BB.BB.BB source AA.AA.AA.AA

8. "IPSec tunnel keeps dropping"
Posted by rvv80 (ok) on 17-Jul-09, 11:37
>The 800 series does not get along very well with AES encryption; it is better to use 3des.
>
>And instead of rebooting the Cisco, try clearing the crypto session and then running a ping from
>one router to the other.
>clear crypto session
>ping BB.BB.BB.BB source AA.AA.AA.AA

Thanks a lot for the advice. I'll try it now; I had been thinking about changing the encryption type myself, but only because the working IPsec configs on the Internet all use 3des. And since the 800 has had trouble with AES, now I will definitely try it.


9. "IPSec tunnel keeps dropping"
Posted by rvv80 (ok) on 17-Jul-09, 12:24
>[overquoting removed]
>of IOS: did you change it or not, did it help or not?
>
>If you manually reset the tunnel on both sides after it has dropped
>(clear crypto...  ), does connectivity come back?
>
>And I would try a minimal config (without pfs, without spi-recovery, maybe
>I would also remove IPS and Inspect from the interface)
>
>And look once more at the ipsec debug without ike on both sides,
>and vice versa.

There is one tunnel; the firmware was changed before my time. Both Ciscos run the same firmware, Version 12.4(6)T
Only the ROM differs: System Bootstrap, Version 12.3(8r)YI2 on the Cisco 800, Version 12.4(1r) [hqluong 1r] on the Cisco 2800

I did clear crypto isakmp and it did not help; next time I will try clear crypto session.
Without spi-recovery the tunnel went down much more often. I can try removing IPS, but without Inspect I would have to increase the number of permit rules in the firewall's inbound access list... I would rather not; can this really affect stability? Or is the 800 so weak that Inspect can load it heavily?
I will definitely try disabling PFS, to heck with security...
One question has come up, though: which SA should have the longer lifetime, IKE or IPSEC? How do you usually configure it?
By the way, here are the log fragments from both routers that keep repeating from the moment the IPSec tunnel dropped (I have not changed anything in the config yet; it happened after 2 weeks of continuous operation):

CISCO 2800 (office)

Thu Jul 16 22:37:04 2009: <191>300372: Jul 16 22:37:04: ISAKMP: DPD received KMI message.
Thu Jul 16 22:37:04 2009: <191>300373: Jul 16 22:37:04: ISAKMP: set new node -1148139301 to QM_IDLE      
Thu Jul 16 22:37:04 2009: <191>300374: Jul 16 22:37:04: crypto_engine: Generate IKE hash
Thu Jul 16 22:37:04 2009: <191>300375: Jul 16 22:37:04: ISAKMP:(0):Sending NOTIFY DPD/R_U_THERE protocol 1
Thu Jul 16 22:37:04 2009: <191>300376:     spi 1156021184, message ID = -1148139301
Thu Jul 16 22:37:04 2009: <191>300377: Jul 16 22:37:04: ISAKMP:(0): seq. no 0x39034512
Thu Jul 16 22:37:04 2009: <191>300378: Jul 16 22:37:04: crypto_engine: Encrypt IKE packet
Thu Jul 16 22:37:04 2009: <191>300379: Jul 16 22:37:04: ISAKMP:(0): sending packet to AA.AA.AA.AA my_port 500 peer_port 500 (R) QM_IDLE      
Thu Jul 16 22:37:04 2009: <191>300380: Jul 16 22:37:04: ISAKMP:(0):purging node -1148139301
Thu Jul 16 22:37:04 2009: <191>300381: Jul 16 22:37:04: ISAKMP (0:0): received packet from AA.AA.AA.AA dport 500 sport 500 Global (R) QM_IDLE      
Thu Jul 16 22:37:04 2009: <191>300382: Jul 16 22:37:04: ISAKMP: set new node 990883089 to QM_IDLE      
Thu Jul 16 22:37:04 2009: <191>300383: Jul 16 22:37:04: crypto_engine: Decrypt IKE packet
Thu Jul 16 22:37:04 2009: <191>300384: Jul 16 22:37:04: crypto_engine: Generate IKE hash
Thu Jul 16 22:37:04 2009: <191>300385: Jul 16 22:37:04: ISAKMP:(0): processing HASH payload. message ID = 990883089
Thu Jul 16 22:37:04 2009: <191>300386: Jul 16 22:37:04: ISAKMP:(0): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
Thu Jul 16 22:37:04 2009: <191>300387:     spi 0, message ID = 990883089, sa = 44C3022C
Thu Jul 16 22:37:04 2009: <191>300388: Jul 16 22:37:04: ISAKMP:(0): DPD/R_U_THERE_ACK received from peer AA.AA.AA.AA, sequence 0x39034512
Thu Jul 16 22:37:04 2009: <191>300389: Jul 16 22:37:04: ISAKMP:(0):deleting node 990883089 error FALSE reason "Informational (in) state 1"
Thu Jul 16 22:37:04 2009: <191>300390: Jul 16 22:37:04: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Thu Jul 16 22:37:05 2009: <191>300391: Jul 16 22:37:04: ISAKMP:(0):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Thu Jul 16 22:37:05 2009: <191>300392:
Thu Jul 16 22:37:28 2009: <191>300397: Jul 16 22:37:26: ISAKMP:(0):purging node -1200801116


====================================================================================================================================================================
CISCO 800 (warehouse)


Thu Jul 16 22:37:04 2009: <191>65962: Jul 16 22:37:04: ISAKMP (0:2132): received packet from BB.BB.BB.BB dport 500 sport 500 Global (I) QM_IDLE      
Thu Jul 16 22:37:04 2009: <191>65963: Jul 16 22:37:04: ISAKMP: set new node -1148139301 to QM_IDLE      
Thu Jul 16 22:37:04 2009: <191>65964: Jul 16 22:37:04: crypto_engine: Decrypt IKE packet
Thu Jul 16 22:37:04 2009: <191>65965: Jul 16 22:37:04: crypto_engine: Generate IKE hash
Thu Jul 16 22:37:04 2009: <191>65966: Jul 16 22:37:04: ISAKMP:(2132): processing HASH payload. message ID = -1148139301
Thu Jul 16 22:37:04 2009: <191>65967: Jul 16 22:37:04: ISAKMP:(2132): processing NOTIFY DPD/R_U_THERE protocol 1
Thu Jul 16 22:37:04 2009: <191>65968:     spi 0, message ID = -1148139301, sa = 83D51578
Thu Jul 16 22:37:04 2009: <191>65969: Jul 16 22:37:04: ISAKMP:(2132):deleting node -1148139301 error FALSE reason "Informational (in) state 1"
Thu Jul 16 22:37:04 2009: <191>65970: Jul 16 22:37:04: ISAKMP:(2132):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Thu Jul 16 22:37:04 2009: <191>65971: Jul 16 22:37:04: ISAKMP:(2132):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Thu Jul 16 22:37:04 2009: <191>65972:
Thu Jul 16 22:37:04 2009: <191>65973: Jul 16 22:37:04: ISAKMP:(2132):DPD/R_U_THERE received from peer BB.BB.BB.BB, sequence 0x39034512
Thu Jul 16 22:37:04 2009: <191>65974: Jul 16 22:37:04: ISAKMP: set new node 990883089 to QM_IDLE      
Thu Jul 16 22:37:04 2009: <191>65975: Jul 16 22:37:04: crypto_engine: Generate IKE hash
Thu Jul 16 22:37:04 2009: <191>65976: Jul 16 22:37:04: ISAKMP:(2132):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Thu Jul 16 22:37:04 2009: <191>65977:     spi 2214845672, message ID = 990883089
Thu Jul 16 22:37:04 2009: <191>65978: Jul 16 22:37:04: ISAKMP:(2132): seq. no 0x39034512
Thu Jul 16 22:37:04 2009: <191>65979: Jul 16 22:37:04: crypto_engine: Encrypt IKE packet
Thu Jul 16 22:37:04 2009: <191>65980: Jul 16 22:37:04: ISAKMP:(2132): sending packet to BB.BB.BB.BB my_port 500 peer_port 500 (I) QM_IDLE      
Thu Jul 16 22:37:05 2009: <191>65981: Jul 16 22:37:04: ISAKMP:(2132):purging node 990883089
Thu Jul 16 22:37:05 2009: <191>65982: Jul 16 22:37:04: ISAKMP:(2132):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Thu Jul 16 22:37:05 2009: <191>65983: Jul 16 22:37:04: ISAKMP:(2132):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Thu Jul 16 22:37:05 2009: <191>65984:
Thu Jul 16 22:37:27 2009: <191>65988: Jul 16 22:37:26: ISAKMP:(2132):purging node -1367888443
