
IPSec does not work through the backup interface.

Network Engineering user
Asked on 2020-01-09 12:36:51
Answers 1 | Views 92 | Followers 0 | Votes 1

A Cisco ASA 5506-X is connected to two ISPs, a primary and a standby channel, on interfaces outside_1 and outside_2. IPSec works through outside_1, but not through outside_2 when outside_1 goes down. The Internet works at that point, which means the SLA is working correctly. I checked with packet tracer:

Packet tracer for tcp from 10.20.2.8:

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside_1) source static LAN LAN destination static MSKNET MSKNET
Additional Information:
NAT divert to egress interface outside_1
Untranslate 172.31.10.9/80 to 172.31.10.9/80

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside_1) source static LAN LAN destination static MSKNET MSKNET
Additional Information:
Static translate 10.20.2.8/80 to 10.20.2.8/80

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside_1
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

But:

S* 0.0.0.0 0.0.0.0 1/0 via,outside_2

IPSec traffic goes only through outside_1.

Configuration:

ASA Version 9.8(2)
!
interface GigabitEthernet1/1
 description PRIMARY_CHANNEL
 mac-address cccc.dddd.bbbb
 nameif outside_1
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/2
 description STANDBY_CHANNEL
 mac-address aaaa.4444.5555
 nameif outside_2
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 nameif inside
 security-level 100
 ip address 10.20.2.1 255.255.255.0
!
object network INTERNET-1
 subnet 10.20.2.0 255.255.255.0
 description PRIMARY_CHANNEL
object network INTERNET-2
 subnet 10.20.2.0 255.255.255.0
 description STANDBY_CHANNEL
object network LAN 
 subnet 10.20.2.0 255.255.255.0 
!
access-list moscow_ipsec extended permit ip object LAN object-group MSKNET
pager lines 24
logging asdm informational
mtu outside_1 1500
mtu outside_2 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside_1) source static LAN LAN destination static MSKNET MSKNET
nat (inside,outside_2) source static LAN LAN destination static MSKNET MSKNET
!
object network INTERNET-1
 nat (inside,outside_1) dynamic interface
object network INTERNET-2
 nat (inside,outside_2) dynamic interface
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
sla monitor 1
 type echo protocol ipIcmpEcho 11.22.33.44 interface outside_1
 num-packets 3
 timeout 500
 frequency 3
sla monitor schedule 1 life forever start-time now
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map MSK 10 match address moscow_ipsec
crypto map MSK 10 set pfs
crypto map MSK 10 set peer 11.22.33.44
crypto map MSK 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map MSK interface outside_1
crypto map MSK interface outside_2
crypto ca trustpool policy
crypto isakmp nat-traversal 10
crypto ikev1 enable outside_1
crypto ikev1 enable outside_2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 1 reachability
tunnel-group 11.22.33.44 type ipsec-l2l
tunnel-group 11.22.33.44 ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!

UPD: I removed the cable from outside_1 and IPSec came up:

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 11.22.33.44
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs 

But not for long:

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 11.22.33.44
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

There are no IKEv2 SAs

From the other side:

Session Type: LAN-to-LAN

Connection   : 99.99.99.99
Index        : 12009                  IP Addr      : 99.99.99.99
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 223                    Bytes Rx     : 0
Login Time   : 16:27:25 MSK Thu Jan 9 2020
Duration     : 0h:00m:20s 

UPD2: I rebooted the firewall with the outside_1 link down, and IPSec came up.

Session Type: LAN-to-LAN

Connection   : 99.99.99.99
Index        : 12014                  IP Addr      : 99.99.99.99
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 20065                  Bytes Rx     : 12338
Login Time   : 16:43:55 MSK Thu Jan 9 2020
Duration     : 0h:06m:05s

1 Answer

Network Engineering user

Accepted answer

Posted on 2020-01-09 16:09:42

Your earlier auto NAT is forcing the traffic to outside_1. Try changing the two nat (inside,outside_#) statements into a single nat (inside,any) rule.

(I have a similar setup that deliberately drives SMTP traffic to a specific interface, and address.)

Votes 2
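The change the accepted answer suggests, written out as an added example (not the poster's or the answerer's own configuration). The object names LAN and MSKNET, the host 10.20.2.8, the MSKNET address 172.31.10.9 and the interface names are the ones that appear in the question; the source port in the final check is an arbitrary constructed value.

```cisco
! --- Before: one identity twice-NAT rule per outside interface -----------
! Manual (twice) NAT is evaluated before auto NAT and before the route
! lookup. Because each rule names a destination (MSKNET), a match pins the
! egress interface to the one written in the rule ("NAT divert to egress
! interface outside_1" in the packet-tracer above), so the flow ignores the
! default route via outside_2 and is handed to the crypto map on an
! interface that is down, which is where "VPN encrypt ... DROP" comes from.
nat (inside,outside_1) source static LAN LAN destination static MSKNET MSKNET
nat (inside,outside_2) source static LAN LAN destination static MSKNET MSKNET
!
! --- After: one rule that does not name an egress interface --------------
! With "any" as the mapped interface the identity translation still applies,
! but the egress interface is now chosen by the routing table, so the VPN
! flow leaves on whichever outside interface currently holds the default
! route (outside_2 once outside_1 is down, as the route in the question shows).
no nat (inside,outside_1) source static LAN LAN destination static MSKNET MSKNET
no nat (inside,outside_2) source static LAN LAN destination static MSKNET MSKNET
nat (inside,any) source static LAN LAN destination static MSKNET MSKNET
!
! The per-interface Internet PAT rules on INTERNET-1 / INTERNET-2 are left
! as they are: they carry no destination, so for them the route lookup
! happens first and the rule for the chosen egress interface is selected.
!
! Translations built under the old rules are not rewritten in place; clear
! them once so the next packet re-evaluates NAT:
clear xlate
!
! Check from the ASA with outside_1 down. 1025 is an arbitrary source port
! chosen for this test; 172.31.10.9 is the MSKNET host from the packet-tracer
! in the question.
packet-tracer input inside tcp 10.20.2.8 1025 172.31.10.9 80
```

In the packet-tracer result, the items to confirm are that the NAT phase no longer diverts to outside_1, that the output-interface matches the interface holding the default route, and that the VPN encrypt phase reports ALLOW.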
The original page content is provided by Network Engineering. Translation support by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://networkengineering.stackexchange.com/questions/64445
