I have set up and am running an IPsec site-to-site VPN, but once the connection has been up for more than an hour a problem appears. After an hour ASDM still thinks the VPN is connected and the connection duration keeps increasing, but as soon as we try to send data down it, the tunnel is torn down and recreated at the same moment the first packet is sent from our firewall to the client machine on their network. I have turned on logging and the following two lines look the most interesting:
Session Disconnected. ... Reason: crypto map policy not found
...
Connection terminated for peer 213.123.59.222. Reason: Peer Terminate Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
213.123.59.222 is the external IP of the Check Point box, 78.129.136.64 is the machine on our local network that is sending the data, and 171.28.18.50 is the machine on their network that I am trying to send data to.
My timeout configuration is as follows:
timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 180
vpn-tunnel-protocol IPSec svc
I would like to find out whether the problem is with our configuration (ASA5505) or with the customer's firewall (Checkpoint). Is there anything else I can check on my side before contacting them?
Update: when I run show configuration, my access lists and crypto map are as follows (sorry if there are missing lines and funny names like 'bob'; I am a bit out of my depth and have found setting up the VPN to be somewhat trial and error!):
access-list basic extended permit tcp any any eq 3389
access-list basic extended permit tcp any any eq ssh
access-list basic extended permit tcp any any eq www
access-list basic extended permit tcp any any eq https
access-list basic remark MySQL
access-list basic extended permit tcp any any eq 3306
access-list allow extended permit ip any any
access-list NoNAT extended permit ip 78.129.136.64 255.255.255.240 10.199.2.0 255.255.255.0
access-list SiteAtoSiteB extended permit ip 78.129.136.64 255.255.255.240 10.199.2.0 255.255.255.0
access-list SiteAtoSiteB extended permit tcp 78.129.136.64 255.255.255.240 host 171.28.18.50 eq telnet
access-list bob standard permit host 171.28.18.50
...
crypto map SiteToSiteVPN 10 match address SiteAtoSiteB
crypto map SiteToSiteVPN 10 set pfs
crypto map SiteToSiteVPN 10 set peer 213.123.59.222
crypto map SiteToSiteVPN 10 set transform-set SiteAToSiteBtransform
crypto map SiteToSiteVPN 10 set security-association lifetime seconds 28800
crypto map SiteToSiteVPN 10 set security-association lifetime kilobytes 4608000
crypto map SiteToSiteVPN interface Outside
Sorry, I think I misunderstood Shane's comment; maybe that information is in the error statement. The log statements generated when sending the first data after the hour are:
Teardown local-host Outside:171.28.18.50 duration 1:59:35
Teardown TCP connection 27792859 for Outside:171.28.18.50/23 to Inside:78.129.136.66/48572 duration 1:59:35 bytes 86765 Tunnel has been torn down
Ignoring msg to mark SA with dsID 72404992 dead because SA deleted
Group = 213.123.59.222, Username = 213.123.59.222, IP = 213.123.59.222, Session disconnected. Session Type: IPsec, Duration: 1h:59m:53s, Bytes xmt: 45646, Bytes rcv: 53194, Reason: crypto map policy not found
Pitcher: received key delete msg, spi 0xf025f6b
Pitcher: received key delete msg, spi 0x7447991f
Pitcher: received key delete msg, spi 0x7447991f
IP = 213.123.59.222, IKE_DECODE SENDING Message (msgid=27f78398) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Group = 213.123.59.222, IP = 213.123.59.222, constructing qm hash payload
Group = 213.123.59.222, IP = 213.123.59.222, constructing IKE delete payload
Group = 213.123.59.222, IP = 213.123.59.222, constructing blank hash payload
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0F025F6B) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7447991F) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
Group = 213.123.59.222, IP = 213.123.59.222, sending delete/delete with reason message
Group = 213.123.59.222, IP = 213.123.59.222, IKE SA MM:a6daae8d terminating: flags 0x01000002, refcnt 0, tuncnt 0
Group = 213.123.59.222, IP = 213.123.59.222, IKE SA MM:a6daae8d rcv'd Terminate: state MM_ACTIVE flags 0x00000042, refcnt 1, tuncnt 0
Group = 213.123.59.222, IP = 213.123.59.222, IKE Deleting SA: Remote Proxy 171.28.18.50, Local Proxy 78.129.136.64
Group = 213.123.59.222, IP = 213.123.59.222, Active unit receives a delete event for remote peer 213.123.59.222.
Group = 213.123.59.222, IP = 213.123.59.222, Connection terminated for peer 213.123.59.222. Reason: Peer Terminate Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
Group = 213.123.59.222, IP = 213.123.59.222, processing delete
Group = 213.123.59.222, IP = 213.123.59.222, processing hash payload
IP = 213.123.59.222, IKE_DECODE RECEIVED Message (msgid=b3da5da4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Built inbound UDP connection 27794863 for Outside:213.123.59.222/500 (213.123.59.222/500) to identity:87.117.211.90/500 (87.117.211.90/500)
Built local-host Outside:213.123.59.222
Answer 1
This is a common problem with Cisco + CP VPNs. Check the SA lifetime settings on both sides; I believe Check Point's SA lifetime is 28800 seconds while Cisco's is 86400 seconds (or vice versa).
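The check the answer recommends, done against the material already in the question, as an added example that is not part of the original post or answer. It pulls the local Phase 2 lifetime out of the crypto map, pulls the session duration and disconnect reason out of the ASA syslog excerpt, notes whether the ASA received an IKE DELETE from the peer (meaning the far side initiated the teardown), and compares the observed duration against a list of common lifetimes. The candidate lifetime list, the 120-second tolerance, and the idea that the lifetime the duration lands just under is the likely one on the terminating side are assumptions of this example, not facts stated on the page; the log and config excerpts are constructed from the lines shown in the question.

```python
import re

# Constructed excerpt of the ASA syslog quoted in the question (only the
# lines this check needs; the page shows more surrounding messages).
SAMPLE_LOG = """\
Teardown TCP connection 27792859 for Outside:171.28.18.50/23 to Inside:78.129.136.66/48572 duration 1:59:35 bytes 86765 Tunnel has been torn down
Group = 213.123.59.222, Username = 213.123.59.222, IP = 213.123.59.222, Session disconnected. Session Type: IPsec, Duration: 1h:59m:53s, Bytes xmt: 45646, Bytes rcv: 53194, Reason: crypto map policy not found
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0F025F6B) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
IP = 213.123.59.222, IKE_DECODE RECEIVED Message (msgid=b3da5da4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
"""

# Constructed excerpt of the crypto map from the question's show configuration.
SAMPLE_CRYPTO_MAP = """\
crypto map SiteToSiteVPN 10 set peer 213.123.59.222
crypto map SiteToSiteVPN 10 set security-association lifetime seconds 28800
crypto map SiteToSiteVPN 10 set security-association lifetime kilobytes 4608000
"""

SESSION_RE = re.compile(
    r"Session disconnected\..*?Duration: (\d+)h:(\d+)m:(\d+)s.*?Reason: (.+)$"
)
LIFETIME_RE = re.compile(
    r"crypto map \S+ \d+ set security-association lifetime seconds (\d+)"
)

# Assumption of this example: common Phase 2 lifetimes seen on firewalls.
CANDIDATE_LIFETIMES = (3600, 7200, 28800, 86400)


def parse_disconnects(log):
    """Return [(duration_seconds, reason)] for each IPsec session-disconnect line."""
    found = []
    for line in log.splitlines():
        m = SESSION_RE.search(line)
        if m:
            h, mi, s, reason = m.groups()
            found.append((int(h) * 3600 + int(mi) * 60 + int(s), reason.strip()))
    return found


def local_lifetime_seconds(config):
    """Phase 2 lifetime (seconds) configured in the ASA crypto map, or None."""
    m = LIFETIME_RE.search(config)
    return int(m.group(1)) if m else None


def received_delete(log):
    """True if the ASA logged an IKE DELETE payload arriving from the peer."""
    return any(
        "IKE_DECODE RECEIVED" in line and "DELETE" in line
        for line in log.splitlines()
    )


def infer_lifetime(duration, tolerance=120):
    """Candidate lifetime the session ended just short of, or None.

    Assumption: an SA that dies within `tolerance` seconds before a round
    lifetime value was most likely torn down by a lifetime expiry/rekey.
    """
    for lifetime in CANDIDATE_LIFETIMES:
        if lifetime - tolerance <= duration <= lifetime:
            return lifetime
    return None


def analyse(log, config):
    """Correlate each disconnect with the local lifetime and the peer's DELETE."""
    local = local_lifetime_seconds(config)
    peer_initiated = received_delete(log)
    findings = []
    for duration, reason in parse_disconnects(log):
        inferred = infer_lifetime(duration)
        findings.append({
            "duration": duration,
            "reason": reason,
            "local_lifetime": local,
            "inferred_lifetime": inferred,
            "peer_initiated": peer_initiated,
            # Mismatch: the tunnel died near a lifetime that is not ours.
            "mismatch": inferred is not None and inferred != local,
        })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, SAMPLE_CRYPTO_MAP):
        print(f)
```

On the question's own excerpt this reports a session that lasted 7193 seconds, ended with "crypto map policy not found", was preceded by an IKE DELETE received from 213.123.59.222, and falls just under 7200 seconds while the ASA crypto map says 28800. That is the shape of evidence to bring to the Check Point administrator: the far side is ending the SA on a schedule that does not match the local lifetime.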