Cisco ASA with dual egress links running VPNs: intermittent VPN drops

fishlonely
Level 1
Two egress links, China Telecom and China Unicom, each carrying a different VPN.
From time to time both the Unicom and the Telecom VPN drop, and then recover automatically on their own.
Configuration as follows:
sh run
: Saved
:
: Serial Number: JAD2237050X
: Hardware: ASA5508, 8192 MB RAM, CPU Atom C2000 series 2000 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
hostname ciscoasa
enable password $sha512$5000$eTDOJHs10fEJaARtWTTZWg==$/cYRVCW9XPSn07qcNv0f6A== pbkdf2
names
!
interface GigabitEthernet1/1
nameif outside_dx
security-level 0
ip address *.*.*.230 255.255.255.252
!
interface GigabitEthernet1/2
nameif outside_lt
security-level 0
ip address *.*.*.198 255.255.255.252
!
interface GigabitEthernet1/3
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone CST 8
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any_dx
subnet 0.0.0.0 0.0.0.0
object network obj_any_lt
subnet 0.0.0.0 0.0.0.0
object service t8082
service tcp destination eq 8082
object service t5588
service tcp destination eq 5588
object service t11521
service tcp destination eq 11521
object service t11522
service tcp destination eq 11522
object service t11523
service tcp destination eq 11523
object service t11524
service tcp destination eq 11524
object service t6547
service tcp destination eq 6547
object service t3399
service tcp destination eq 3399
object service t1234
service tcp destination eq 1234
object service t8081
service tcp destination eq 8081
object service t8099
service tcp destination eq 8099
object service t8088
service tcp destination eq 8088
object service t8055
service tcp destination eq 8055
object service t8072
service tcp destination eq 8072
object service t3355
service tcp destination eq 3355
object service t4434
service tcp destination eq 4434
object service t3388
service tcp destination eq 3388
object service w-t9088
service tcp destination eq 9088
object service w-t9099
service tcp destination eq 9099
object service w-t9055
service tcp destination eq 9055
object service w-t6666
service tcp destination eq 6666
object network obj-192.168.1.174
host 192.168.1.174
object network obj-192.168.1.175
host 192.168.1.175
object network obj-192.168.1.176
host 192.168.1.176
object network obj-192.168.1.213
host 192.168.1.213
object network obj-192.168.1.88
host 192.168.1.88
object network obj-outside-dx
host *.*.*.230
object network obj-outside-lt
host *.*.*.198
object service t80
service tcp destination eq www
object network obj-vpn192.168.96.0
subnet 192.168.96.0 255.255.240.0
object network obj-vpn192.168.48.0
subnet 192.168.48.0 255.255.240.0
object network obj-lan192.168.0.0
subnet 192.168.0.0 255.255.240.0
object network obj-vpn192.168.16.0
subnet 192.168.16.0 255.255.240.0
object service t5599
service tcp destination eq 5599
object network obj-192.168.8.88
host 192.168.8.88
access-list to-cyzyl extended permit ip 192.168.0.0 255.255.240.0 192.168.96.0 255.255.240.0
access-list to-vpn1 extended permit ip 192.168.0.0 255.255.240.0 192.168.16.0 255.255.240.0
pager lines 24
logging enable
logging monitor informational
logging buffered informational
logging trap informational
logging asdm informational
logging flash-bufferwrap
mtu outside_dx 1500
mtu outside_lt 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
object network obj_any
nat (any,outside_dx) dynamic interface
object network obj_any_dx
nat (inside,outside_dx) dynamic interface
object network obj_any_lt
nat (inside,outside_lt) dynamic interface
access-group out2in in interface outside_dx
access-group out2in in interface outside_lt
route outside_dx 0.0.0.0 0.0.0.0 58.56.131.229 1
route outside_lt 0.0.0.0 0.0.0.0 27.223.8.197 200
route outside_lt *.*.*238 255.255.255.255 27.223.8.197 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable 10448
http 192.168.1.0 255.255.255.0 outside_lt
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside_dx
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set my-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set my-set-1 esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map l2l 2 match address to-cyzyl
crypto map l2l 2 set peer *.*.*78
crypto map l2l 2 set ikev1 transform-set my-set
crypto map l2l interface outside_dx
crypto map lan2lan 3 match address to-vpn1
crypto map lan2lan 3 set peer *.*.*238
crypto map lan2lan 3 set ikev1 transform-set my-set-1
crypto map lan2lan interface outside_lt
crypto ca trustpool policy
crypto isakmp identity address
crypto isakmp disconnect-notify
crypto ikev1 enable outside_dx
crypto ikev1 enable outside_lt
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 28800
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside_dx
ssh 0.0.0.0 0.0.0.0 outside_lt
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd auto_config outside_dx
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port number-of-rate 3
threat-detection statistics protocol number-of-rate 3
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
port 10443
anyconnect enable
cache
disable
error-recovery disable
dynamic-access-policy-record DfltAccessPolicy
username test password $sha512$5000$oS4/YXQV4n7xcNHppky1Tw==$jrMD11XGlCu+HOzUdHfM5Q== pbkdf2
username ldskyway password $sha512$5000$/7iRHP1HVsjJAKYefWZYcg==$9sPSuyxLi3VQ8sE6qpnfCg== pbkdf2
tunnel-group *.*.*78 type ipsec-l2l
tunnel-group *.*.*78 ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group *.*.*238 type ipsec-l2l
tunnel-group *.*.*238 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
5 replies

bo chen
Spotlight
My company sees the same thing: usually the VPN reconnects within one minute of first coming up, and after that it basically does not drop again. We later contacted Cisco, who said jitter on the public-network circuit easily causes this.

fishlonely
Level 1
CSCO12178277 posted on 2018-11-10 22:55
My company sees the same thing: usually the VPN reconnects within one minute of first coming up, and after that it basically does not drop again. We later contacted Cisco, who said it was the public ...

In this case, the first time it was configured, the specific symptom was that the VPN tunnel still existed but the traffic passing through it dropped noticeably, and the networks at the two ends could not reach each other.
One question: is there any problem with IKEv1 being enabled on both egress interfaces at the same time?

Mansur
Spotlight
This post was last edited by maguanghua2013 on 2018-11-11 11:05
CSCO12178277 posted on 2018-11-10 22:55
My company sees the same thing: usually the VPN reconnects within one minute of first coming up, and after that it basically does not drop again. We later contacted Cisco, who said it was the public ...

My company's SSL VPN has shown this symptom too, but only on a small share of Win10 devices; most Win10, MacBook and phone clients were fine. I suggest upgrading the client to AnyConnect 4.5 or 4.6.
For L2L it is generally a public-network problem.

bo chen
Spotlight
maguanghua2013 posted on 2018-11-11 11:03
My company's SSL VPN has shown this symptom too, but only on a small share of Win10 devices; most Win10, MacBook and phone clients were fine, ...

Mine does this on both Win10 and Win7. Doesn't matter, I can live with it.

song zhang
Level 1
Run debug and look at the error reasons in phase 1 and phase 2.
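As an added example (not code from the thread or from Cisco), the kind of check that goes with the debug advice above and with the symptom the original poster describes: a Python script that pairs the ASA syslog messages for an IKE peer being torn down (713050) and a phase 2 SA completing (713120) per peer, measures each outage, and tells the "drops only within the first minute after establishment" pattern reported in this thread apart from recurring drops. The sample log lines, peer addresses and the year are constructed; the message IDs are real ASA IKEv1 messages.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in ASA syslog format: 713120 (PHASE 2 COMPLETED) and 713050
# (Connection terminated) are real ASA IKEv1 message IDs; peers, times and reasons are made up.
SAMPLE_LOG = """\
Nov 10 22:40:01 ciscoasa %ASA-5-713120: Group = 203.0.113.78, IP = 203.0.113.78, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Nov 10 22:40:31 ciscoasa %ASA-5-713050: Group = 203.0.113.78, IP = 203.0.113.78, Connection terminated for peer 203.0.113.78.  Reason: Peer Terminate  Remote Proxy 192.168.96.0, Local Proxy 192.168.0.0
Nov 10 22:40:45 ciscoasa %ASA-5-713120: Group = 203.0.113.78, IP = 203.0.113.78, PHASE 2 COMPLETED (msgid=0a1b2c3e)
Nov 10 22:41:02 ciscoasa %ASA-5-713120: Group = 198.51.100.238, IP = 198.51.100.238, PHASE 2 COMPLETED (msgid=1f2e3d4c)
Nov 11 03:15:10 ciscoasa %ASA-5-713050: Group = 198.51.100.238, IP = 198.51.100.238, Connection terminated for peer 198.51.100.238.  Reason: DPD failure
Nov 11 03:15:52 ciscoasa %ASA-5-713120: Group = 198.51.100.238, IP = 198.51.100.238, PHASE 2 COMPLETED (msgid=1f2e3d4d)
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ %ASA-\d-(?P<msgid>\d{6}): "
                     r"Group = \S+, IP = (?P<peer>[\d.]+), (?P<body>.*)$")
REASON_RE = re.compile(r"Reason: (?P<reason>.+?)(?:\s{2,}|$)")
MSG_KIND = {"713120": "up", "713050": "down"}   # phase 2 SA built / IKE peer torn down

def parse_events(text, year=2018):
    """(timestamp, peer, kind, reason) per matching line; the year is assumed (ASA syslog omits it by default)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["msgid"] in MSG_KIND:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
            r = REASON_RE.search(m["body"])
            events.append((ts, m["peer"], MSG_KIND[m["msgid"]], r["reason"] if r else ""))
    return events

def outages(events):
    """Pair each peer's 'down' with its next 'up'; after_first_up = seconds from the peer's first SA to the drop."""
    first_up, pending, result = {}, {}, defaultdict(list)
    for ts, peer, kind, reason in events:
        if kind == "down" and peer in first_up:       # a drop before any SA existed is not an outage
            pending.setdefault(peer, (ts, reason))     # keep the earliest 'down' of a run
        elif kind == "up":
            first_up.setdefault(peer, ts)
            if peer in pending:
                d_ts, d_reason = pending.pop(peer)
                result[peer].append({"down": d_ts, "up": ts, "secs": (ts - d_ts).total_seconds(),
                                     "reason": d_reason,
                                     "after_first_up": (d_ts - first_up[peer]).total_seconds()})
    return dict(result)

def classify(peer_outages, settle_secs=60):
    """'settle-only': every drop fell within settle_secs of first establishment; 'recurring': drops keep coming later."""
    if not peer_outages:
        return "stable"
    return "settle-only" if all(o["after_first_up"] <= settle_secs for o in peer_outages) else "recurring"
```

Run it against a real `logging buffered`/`logging trap` export: a peer that comes out "recurring" with "DPD failure" reasons points at path loss on that egress, while "settle-only" matches the behaviour the other posters describe as harmless.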