
ASA site-to-site VPN drops every few tens of minutes, help needed

hunterxlwh
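Level 1
The VPN drops every few tens of minutes and then reconnects on its own a few minutes later. I have looked into it for a long time and cannot find any configuration mistake. Can the cause be determined from the following DEBUG output: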
[IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, Sending keep-alive of type DPD R-U-THERE (seq number 0x5dad2b34)
Mar 27 17:35:41 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing blank hash payload
Mar 27 17:35:41 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing qm hash payload
Mar 27 17:35:41 [IKEv1]IP = 121.8.69.211, IKE_DECODE SENDING Message (msgid=7b3a21d1) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 27 17:35:51 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, Sending keep-alive of type DPD R-U-THERE (seq number 0x5dad2b35)
Mar 27 17:35:51 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing blank hash payload
Mar 27 17:35:51 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing qm hash payload
Mar 27 17:35:51 [IKEv1]IP = 121.8.69.211, IKE_DECODE SENDING Message (msgid=c5b52d74) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 27 17:36:01 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, Sending keep-alive of type DPD R-U-THERE (seq number 0x5dad2b36)
Mar 27 17:36:01 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing blank hash payload
Mar 27 17:36:01 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing qm hash payload
Mar 27 17:36:01 [IKEv1]IP = 121.8.69.211, IKE_DECODE SENDING Message (msgid=6e5da51f) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Mar 27 17:36:11 [IKEv1]Group = 121.8.69.211, IP = 121.8.69.211, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, IKE SA MM:6733ece9 rcv'd Terminate: state MM_ACTIVE flags 0x0021c042, refcnt 1, tuncnt 1
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, sending delete/delete with reason message
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing blank hash payload
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing IPSec delete payload
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing qm hash payload
Mar 27 17:36:11 [IKEv1]IP = 121.8.69.211, IKE_DECODE SENDING Message (msgid=b19cf09e) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, Active unit receives a delete event for remote peer 121.8.69.211.
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, IKE Deleting SA: Remote Proxy 10.1.1.0, Local Proxy 10.1.128.0
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, IKE SA MM:6733ece9 terminating: flags 0x0121c002, refcnt 0, tuncnt 0
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, sending delete/delete with reason message
IPSEC: Deleted outbound encrypt rule, SPI 0x8F461E8A
Rule ID: 0xcc7832a0
IPSEC: Deleted outbound permit rule, SPI 0x8F461E8A
Rule ID: 0xcc7a9770
IPSEC: Deleted outbound VPN context, SPI 0x8F461E8A
VPN handle: 0x02cbee2c
IPSEC: Deleted inbound decrypt rule, SPI 0x1579BD66
Rule ID: 0xcc916338
IPSEC: Deleted inbound permit rule, SPI 0x1579BD66
Rule ID: 0xcc743a90
IPSEC: Deleted inbound tunnel flow rule, SPI 0x1579BD66
Rule ID: 0xcb0148c8
IPSEC: Deleted inbound VPN context, SPI 0x1579BD66
VPN handle: 0x02cc57ec
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing blank hash payload
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing IKE delete payload
Mar 27 17:36:11 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, constructing qm hash payload
Mar 27 17:36:11 [IKEv1]IP = 121.8.69.211, IKE_DECODE SENDING Message (msgid=92a5c5b2) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Mar 27 17:36:11 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x1579bd66
Mar 27 17:36:11 [IKEv1 DEBUG]Pitcher: received key delete msg, spi 0x1579bd66
Mar 27 17:36:11 [IKEv1]Group = 121.8.69.211, IP = 121.8.69.211, Session is being torn down. Reason: Lost Service
Mar 27 17:36:11 [IKEv1]Ignoring msg to mark SA with dsID 6713344 dead because SA deleted
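
Added example, not part of the original post: a Python sketch that walks ASA IKEv1 debug lines like those above and reports each DPD-triggered teardown with the number of R-U-THERE probes that went unanswered before it. The sample input is an excerpt of the posted log plus one constructed ACK line; the `R-U-THERE-ACK` line wording and the function name `dpd_teardowns` are assumptions.

```python
import re

PROBE = re.compile(r"IP = ([\d.]+), Sending keep-alive of type DPD R-U-THERE \(seq number (0x[0-9a-f]+)\)")
# Assumed wording of the peer's reply; no ACK line appears in the posted log.
ACK = re.compile(r"IP = ([\d.]+), Received keep-alive of type DPD R-U-THERE-ACK")
LOST = re.compile(r"^(?:(\w{3} +\d+ [\d:]+) )?.*?IP = ([\d.]+), IKE lost contact with remote peer")

def dpd_teardowns(lines):
    """Return one record per DPD-triggered teardown found in the debug lines."""
    pending = {}  # peer IP -> seq numbers of probes sent since the last ACK
    events = []
    for line in lines:
        if m := PROBE.search(line):
            pending.setdefault(m.group(1), []).append(int(m.group(2), 16))
        elif m := ACK.search(line):
            pending.pop(m.group(1), None)  # peer answered: reset the counter
        elif m := LOST.search(line):
            seqs = pending.pop(m.group(2), [])
            events.append({
                "time": m.group(1),  # None when the line carries no timestamp
                "peer": m.group(2),
                "unanswered_probes": len(seqs),
                "first_seq": hex(seqs[0]) if seqs else None,
            })
    return events

# First line is constructed; the rest are copied from the posted debug output.
SAMPLE = """\
Mar 27 17:35:31 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x5dad2b33)
[IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, Sending keep-alive of type DPD R-U-THERE (seq number 0x5dad2b34)
Mar 27 17:35:51 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, Sending keep-alive of type DPD R-U-THERE (seq number 0x5dad2b35)
Mar 27 17:36:01 [IKEv1 DEBUG]Group = 121.8.69.211, IP = 121.8.69.211, Sending keep-alive of type DPD R-U-THERE (seq number 0x5dad2b36)
Mar 27 17:36:11 [IKEv1]Group = 121.8.69.211, IP = 121.8.69.211, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Mar 27 17:36:11 [IKEv1]Group = 121.8.69.211, IP = 121.8.69.211, Session is being torn down. Reason: Lost Service
""".splitlines()

if __name__ == "__main__":
    for event in dpd_teardowns(SAMPLE):
        print(event)
```

Running the same function over the debug output captured on the peer for the same time window shows whether the probes arrived there and whether replies were sent.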
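1 accepted solution

Accepted solution

jingjian
Spotlight
hunterxlwh wrote on 2017-3-28 13:11
What I just posted is the debug output from the Cisco ASA 5505; the peer is a Cisco ASA 5510. Is this the phase 1 policy:
In principle it connects, so the configuration ...

The debug shows IKEv1, while the 5510 side shows IKEv2. Can you post the configurations of both firewalls?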

4 replies

one-time
Level 13
Thank you for your question! Someone will be along to answer it shortly!

jingjian
Spotlight
The problem is in phase 1. What device is the peer? Also, please post the phase 1 policy.

hunterxlwh
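Level 1
arvinjing wrote on 2017-3-28 11:46
The problem is in phase 1. What device is the peer? Also, please post the phase 1 policy.

What I just posted is the debug output from the Cisco ASA 5505; the peer is a Cisco ASA 5510. Is this the phase 1 policy:
[image: 131032xah19q1kkkagarya.png]
In principle it connects, so the configuration should be fine, right? It just drops for a moment every so often.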