取消
显示结果 
搜索替代 
您的意思是: 
cancel
6827
查看次数
2
有帮助
2
回复

2921 中国电信拨号不成功

luosw0001
Level 1
Level 1
路由器2921已经有一个专线,现在想加多一条中国电信的光纤,我找一之前的试过的模板,但是不行。
GigabitEthernet0/1连专线,GigabitEthernet0/1接内网,GigabitEthernet0/2接中国电信
配置如下:
Current configuration : 14247 bytes
!
! Last configuration change at 23:31:58 beijing Mon Aug 8 2016 by huitone
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname UC-ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local group radius
aaa authentication login noauth line none
aaa authentication login easyvpn local
aaa authentication ppp VPDN_AUTH local
aaa authorization network groupauthor local group radius
aaa authorization network easyvpn local
!
!
!
!
!
aaa session-id common
clock timezone beijing 8 0
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.0.240 192.168.0.254
ip dhcp excluded-address 192.168.0.89
ip dhcp excluded-address 192.168.0.92
ip dhcp excluded-address 192.168.0.200 192.168.0.220
!
ip dhcp pool a
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 172.16.0.99 221.5.88.88
option 43 hex f104.ac10.010f
!
!
!
ip flow-cache timeout active 10
ip domain name uc.com
ip name-server 172.16.0.99
ip name-server 114.114.114.114
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
!
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-1647751106
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1647751106
revocation-check none
rsakeypair TP-self-signed-1647751106
!
!
crypto pki certificate chain TP-self-signed-1647751106
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363437 37353131 3036301E 170D3136 30343036 31343238
32345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36343737
35313130 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B634 376BE021 88334ED3 A51641B6 9E67D159 CE62A474 2E8200C3 A72CD863
385B950A 4215FB07 352402BD 965BC2CA D7A0F5F0 9C9D55AF C0D7EE15 60560D1C
1E3506F3 D9641117 B312F5D5 21AB03EE 48942421 4CEB85DD 42A74A21 2DDD211A
E405CF86 89A586BF C780DA8D ED1EAC37 104B639D 67CFB131 F333E0DF 68F9CC23
08830203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14A02750 AEB1E08C B16C9F99 F983294B DFD3EEE9 A3301D06
03551D0E 04160414 A02750AE B1E08CB1 6C9F99F9 83294BDF D3EEE9A3 300D0609
2A864886 F70D0101 05050003 81810033 4C7B4278 2E583E87 8A498767 1EAE382B
B289DBDF 19BDFCF7 B475AF18 4F8BD80E D279F25A 16B1DDB2 E4A57746 9F66A395
288EAB34 441BFAA3 8C832BF2 D6FF6334 D1DAD8E9 62CBF246 C6A77AB1 BE4144F5
B7A73787 C0740ADD 4850FC4E E6A3A190 0383D81A 4002918F 51D1ED82 2520E93B
BDFF038D 71C59350 BFA14279 F1C65A
quit
voice-card 0
!
!
voice call send-alert
voice rtp send-recv
!
voice service voip
no ip address trusted authenticate
allow-connections h323 to h323
allow-connections h323 to sip
allow-connections sip to h323
allow-connections sip to sip
no supplementary-service sip handle-replaces
redirect ip2ip
fax protocol t38 version 0 ls-redundancy 0 hs-redundancy 0 fallback none
modem passthrough nse codec g711alaw
h323
call preserve
sip
registrar server expires max 600 min 60
redirect contact order best-match
!
!
!
!
!
!
!
!
!
application
service aa flash0:/aa/its-CISCO.2.0.2.0.tcl
paramspace english language en
paramspace english index 0
param operator 8012
paramspace english location flash0:/aa/
paramspace english prefix en
param aa-pilot 9999
param welcome-prompt en_welcome.au
!
!
license udi pid CISCO2921/K9 sn FGL201510ZS
hw-module pvdm 0/0
!
!
!
!
redundancy
!
!
!
!
!
ip ssh version 2
!
class-map match-all office
match access-group name office
class-map match-all server
class-map match-all server_out
match access-group 103
class-map match-all server_in
match access-group 133
class-map match-all 3M_OUT
match access-group name office
class-map match-all 3M
match access-group 3
!
policy-map 3M
class 3M
police 4000000 conform-action transmit exceed-action drop
policy-map server_out
class server_out
police rate 2620000
conform-action transmit
exceed-action drop
violate-action drop
policy-map 3M_out
class 3M_OUT
police 40000000 conform-action transmit exceed-action drop
policy-map office
class office
police rate 5240000
conform-action transmit
exceed-action drop
violate-action drop
policy-map server_in
class server_in
police rate 2620000
conform-action transmit
exceed-action drop
violate-action drop
!
!
crypto keyring abc
pre-shared-key address 0.0.0.0 0.0.0.0 key
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group myezvpn
dns 114.114.114.114
domain cisco
pool ezvpn_ip
acl 110
save-password
max-logins 5
netmask 255.255.255.0
!
crypto isakmp client configuration group hcvpn
dns 114.114.114.114
domain cisco
pool HC_VPN_POOL
acl HC_VPN_ACL
save-password
max-logins 5
netmask 255.255.255.0
!
crypto isakmp client configuration group hcvpn0
pool HC_VPN_POOL
acl HC_VPN_ACL
save-password
crypto isakmp profile ppp
keyring abc
match identity address 0.0.0.0
crypto isakmp profile IsaProfile
match identity group hcvpn0
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
virtual-template 10
crypto isakmp profile VPNclient
description VPN clients profile
match identity group myezvpn
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set ccie esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile IPSecProfile
set transform-set ccie
set isakmp-profile IsaProfile
!
!
!
crypto dynamic-map dymap 20
set transform-set ccie
set isakmp-profile ppp
reverse-route
!
crypto dynamic-map ezvpn_dymap 10
set transform-set ccie
set isakmp-profile VPNclient
reverse-route
!
!
crypto map mymap 10 ipsec-isakmp dynamic ezvpn_dymap
crypto map mymap 20 ipsec-isakmp dynamic dymap
!
!
!
!
!
interface Loopback8
ip address 10.100.100.1 255.255.255.252
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip nat outside
no ip virtual-reassembly in
ip policy route-map HC_VPN_RM
duplex auto
speed auto
crypto map mymap
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
service-policy input server_in
!
interface GigabitEthernet0/2
no ip address
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer1
ip address negotiated
ip mtu 1492
encapsulation ppp
dialer pool 1
dialer-group 1
ppp lcp predictive
ppp authentication chap pap callin
ppp chap hostname 02008540566@163.gd
ppp chap password 0 EATBVKID
ppp pap sent-username 02008540566@163.gd password 0 EATBVKID
ppp ipcp address accept
no cdp enable
!
ip local pool ezvpn_ip 10.100.100.100 10.100.100.200
ip local pool HC_VPN_POOL 10.100.100.208 10.100.100.215
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 172.16.1.10 9991
!
ip nat inside source list nat interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.179 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.0.181 80 interface GigabitEthernet0/0 81
ip nat inside source static tcp 192.168.0.180 80 interface GigabitEthernet0/0 82
ip route 0.0.0.0 0.0.0.0 157.122.53.225
ip route 10.200.200.0 255.255.255.0 192.168.0.253
ip route 172.16.0.0 255.255.252.0 192.168.0.253
ip route 172.16.4.0 255.255.255.0 192.168.0.253
!
ip access-list extended HC_VPN_ACL
permit ip 172.16.0.0 0.0.3.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 112.96.0.0 0.0.255.255 any
permit ip 120.80.48.0 0.0.0.255 any
ip access-list extended HC_VPN_RM_ACL
permit ip 10.100.100.208 0.0.0.7 any
ip access-list extended nat
deny ip 10.200.200.0 0.0.0.255 10.100.100.0 0.0.0.255
deny ip any 10.0.8.0 0.0.0.255
deny ip host 192.168.0.133 any
deny ip 172.16.0.0 0.0.3.255 10.100.100.0 0.0.0.255
deny ip 192.168.0.0 0.0.0.255 10.100.100.0 0.0.0.255
permit ip 10.200.200.0 0.0.0.255 any
permit ip 172.16.0.0 0.0.3.255 any
permit ip 192.168.0.0 0.0.0.255 any
permit ip 10.100.100.208 0.0.0.7 any
ip access-list extended office
permit ip any any
deny ip any any
!
logging history critical
logging trap debugging
logging host 192.168.0.17
dialer-list 1 protocol ip permit
arp 192.168.0.89 bcae.c543.fa68 ARPA
arp 192.168.0.92 4437.e69d.5066 ARPA
!
route-map HC_VPN_RM permit 10
match ip address HC_VPN_RM_ACL
set ip next-hop 10.100.100.2
!
!
snmp-server group cisco v3 auth
snmp-server group cisco v3 priv
snmp-server community cisco RW
no snmp-server enable traps entity-sensor threshold
access-list 1 permit any
access-list 3 permit 192.168.0.133
access-list 23 permit 10.10.10.0 0.0.0.127
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 permit ip any host 192.168.0.133
access-list 103 deny ip any any
access-list 110 permit ip 172.16.0.0 0.0.3.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 10.200.200.0 0.0.0.255 any
access-list 111 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 deny ip any any fragments
access-list 120 permit ip any any
access-list 133 permit ip host 192.168.0.133 any
!
!
!
control-plane
!
!
voice-port 0/0/0
supervisory disconnect dualtone mid-call
cptone CN
timeouts call-disconnect 1
timeouts wait-release 1
caller-id enable
!
voice-port 0/0/1
supervisory disconnect dualtone mid-call
cptone CN
timeouts call-disconnect 1
timeouts wait-release 1
caller-id enable
!
!
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
dial-peer voice 1 pots
preference 1
service aa
destination-pattern 9T
incoming called-number .
port 0/0/0
!
dial-peer voice 2 pots
preference 2
service aa
destination-pattern 9T
incoming called-number .
port 0/0/1
!
dial-peer voice 7 voip
preference 1
destination-pattern 8...
session protocol sipv2
session target ipv4:172.16.0.100
dtmf-relay rtp-nte
fax rate disable
no vad
!
dial-peer voice 8 voip
preference 2
destination-pattern 8...
session protocol sipv2
session target ipv4:172.16.0.101
dtmf-relay rtp-nte
fax rate disable
no vad
!
dial-peer voice 9 voip
preference 3
destination-pattern 8...
session protocol sipv2
session target ipv4:172.16.0.102
dtmf-relay rtp-nte
fax rate disable
no vad
!
dial-peer voice 100 voip
service aa
destination-pattern 9999
session target ipv4:192.168.0.1
incoming called-number 9999
dtmf-relay rtp-nte
codec g711ulaw
no vad
!
dial-peer voice 20 voip
destination-pattern 7...
session protocol sipv2
session target ipv4:10.200.200.100
dtmf-relay rtp-nte
fax rate disable
no vad
!
!
!
!
gatekeeper
shutdown
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username privilege 15 secret 0
no username cisco
Replace and with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
exec-timeout 5 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
transport input all
line vty 5 15
privilege level 15
transport input all
line vty 16 1114
transport input all
!
scheduler allocate 20000 1000
ntp master 1
ntp server 3.asia.pool.ntp.org
ntp server 1.asia.pool.ntp.org minpoll 10
ntp server 2.asia.pool.ntp.org
ntp server 0.asia.pool.ntp.org
!
end
端口信息
UC-ROUTER#show interfaces gigabitEthernet 0/2
GigabitEthernet0/2 is up, line protocol is up
Hardware is CN Gigabit Ethernet, address is 003a.7d1a.7d92 (bia 003a.7d1a.7d92)
MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
Keepalive set (10 sec)
Full Duplex, 100Mbps, media type is RJ45
output flow-control is XON, input flow-control is XON
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:03, output 00:00:06, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
533 packets input, 50102 bytes, 0 no buffer
Received 533 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog, 0 multicast, 0 pause input
351 packets output, 21145 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
533 unknown protocol drops
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier, 0 pause output
0 output buffer failures, 0 output buffers swapped out
UC-ROUTER#show interfaces DIaler 1
Dialer1 is up, line protocol is up (spoofing)
Hardware is Unknown
Internet address will be negotiated using IPCP
MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation PPP, LCP Closed, loopback not set
Keepalive set (10 sec)
DTR is pulsed for 1 seconds on reset
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:46:28
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 packets output, 0 bytes
debug信息
UC-ROUTER#SHOw DEBUgging
PPP:
PPP authentication debugging is on
PPP authorization debugging is on
PPP protocol errors debugging is on
PPP protocol negotiation debugging is on
PPP packet display debugging is on
PPP Negotiation Elogs debugging is on
PPP Keepalive Elogs debugging is on
PPP Detailed Elogs debugging is on
PPPoE:
PPPoE protocol events debugging is on
PPPoE data packets debugging is on
PPPoE control packets debugging is on
PPPoE protocol errors debugging is on
PPPoE elog debugging is on
debug输出只有以下内容
Aug 8 15:50:26.730: padi timer expired
Aug 8 15:50:26.730: Sending PADI: Interface = GigabitEthernet0/2
Aug 8 15:50:26.730: pppoe_send_padi:
contiguous pak, size 60
FF FF FF FF FF FF 00 3A 7D 1A 7D 92 88 63 11 09
00 00 00 10 01 01 00 00 01 03 00 08 48 00 00 01
00 00 26 29 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
日志信息
*Aug 8 14:59:06.623: %PA-3-PA_INIT_FAILED: Performance Agent failed to initialize (Missing Data License)
*Aug 8 14:59:11.539: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Aug 8 14:59:11.539: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
*Aug 8 14:59:11.539: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
*Aug 8 14:59:14.543: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
*Aug 8 14:59:55.779: %LINK-3-UPDOWN: Interface Virtual-Access1, changed state to up
Aug 8 15:00:14.991: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:00:20.999: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/0, changed state to up
Aug 8 15:00:21.263: %LINK-3-UPDOWN: Interface Foreign Exchange Office 0/0/1, changed state to up
Aug 8 15:05:32.075: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:06:57.230: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:07:57.878: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:08:57.878: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:09:58.856: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:10:58.903: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:12:00.937: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:13:08.863: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:14:08.866: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:15:08.868: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:16:09.178: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:17:09.417: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:18:09.951: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:19:13.953: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:20:14.240: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:21:15.126: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:22:15.165: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:23:17.884: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:24:17.887: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:25:17.886: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:26:17.902: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0x77451321(2001015585), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:27:18.333: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:28:18.800: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:29:21.220: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:29:27.664: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to down
Aug 8 15:29:41.564: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
Aug 8 15:30:21.340: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:31:21.495: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:31:57.819: %LINK-3-UPDOWN: Interface Dialer1, changed state to up
Aug 8 15:32:21.975: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:33:22.218: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:34:22.758: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:35:28.069: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:36:30.013: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:37:31.664: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:38:32.195: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:39:32.419: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:40:33.914: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:41:37.789: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:42:39.741: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
Aug 8 15:43:18.864: %CRYPTO-4-IKMP_NO_SA: IKE message from 115.200.229.162 has no SA and is not an initialization offer
Aug 8 15:43:41.512: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=157.122.53.228, prot=50, spi=0xB493DCC2(3029589186), srcaddr=115.200.229.162, input interface=GigabitEthernet0/0
show tech信息见附件
感谢你的帮助:):):)
1 个已接受解答

已接受的解答

YilinChen
Spotlight
Spotlight
关键点:
1. interface Dialer1 接口下没有ip nat outside;
2. 看配置 gi0/0 接专线,也是有做NAT的,所以如果要实现多接口NAT,全局模式下的ip nat inisde soure 命令必须基于route-map 的nat配置方式才能实现;

在原帖中查看解决方案

2 条回复2

YilinChen
Spotlight
Spotlight
关键点:
1. interface Dialer1 接口下没有ip nat outside;
2. 看配置 gi0/0 接专线,也是有做NAT的,所以如果要实现多接口NAT,全局模式下的ip nat inisde soure 命令必须基于route-map 的nat配置方式才能实现;

Yanli Sun
Community Manager
Community Manager
45金钱,楼主好大手笔,帮你置顶高亮 :)
入门指南

使用上面的搜索栏输入关键字、短语或问题,搜索问题的答案。

我们希望您在这里的旅程尽可能顺利,因此这里有一些链接可以帮助您快速熟悉思科社区:









快捷链接