ASA IPSec tunnel is up, but errors are being logged?

I am getting the following errors on the ASA:

Jan 24 2012 17:15:13 ASA1 : %ASA-7-714003: IP = 1.2.3.4, IKE Responder starting QM: msg id = 5293ff7c
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713236: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=5293ff7c) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing hash payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing SA payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing nonce payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ke payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, processing ISA_KE for PFS in phase 2
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-714011: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received 1.2.3.444
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713025: Group = 1.2.3.4, IP = 1.2.3.4, Received remote Proxy Host data in ID Payload:  Address 1.2.3.444, Protocol 0, Port 0
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-714011: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received 5.6.7.8
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713024: Group = 1.2.3.4, IP = 1.2.3.4, Received local Proxy Host data in ID Payload:  Address 5.6.7.8, Protocol 0, Port 0
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713221: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, checking map = outside_map, seq = 10...
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713222: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:1.2.3.444 dst:5.6.7.8
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713066: Group = 1.2.3.4, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: outside_dyn_map
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing IPSec SA payload
Jan 24 2012 17:15:13 ASA1 : %ASA-5-713904: Group = 1.2.3.4, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, sending notify message
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing blank hash payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, constructing ipsec notify payload for msg id 5293ff7c
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing qm hash payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713236: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=c34f6ff7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 24 2012 17:15:13 ASA1 : %ASA-3-713902: Group = 1.2.3.4, IP = 1.2.3.4, QM FSM error (P2 struct &0xca9c89b0, mess id 0x5293ff7c)!
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715065: Group = 1.2.3.4, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0xca9c89b0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, sending delete/delete with reason message
Jan 24 2012 17:15:13 ASA1 : %ASA-3-713902: Group = 1.2.3.4, IP = 1.2.3.4, Removing peer from correlator table failed, no match!

I only have access to this end, not to the local LAN IP the tunnel terminates on.

When talking to the operator at the remote end, he could reach the local LAN IP through the tunnel, so it is working, but I still see errors in the log, specifically "All IPSec SA proposals found unacceptable!".

From show isakmp sa detail the peer is active, and with show ipsec sa detail I can see the packet counters for encapsulated and decapsulated packets going up.

What is going on? Should I be worried about the log?

Answer 1

I know what the problem is. I think I just needed another pair of eyes to point it out, so thank you.

Jan 24 2012 17:15:13 ASA1 : %ASA-7-713222: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:1.2.3.444 dst:5.6.7.8
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713066: Group = 1.2.3.4, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: outside_dyn_map

These lines say it all. outside_map defines the remote endpoint's peer IP, but it should be their proxy IP.

Thanks for the push ;)
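An added example (my own code, not from the question or the answer) that applies the answer's diagnosis to the raw syslog: it groups the Phase 2 messages by peer, records any static crypto map entry whose ACL failed to match the proxy IDs (713222), the map the peer was matched to instead (713066) and the proposal rejection (713904), so a reviewer can spot a tunnel that is up only because it fell through to the dynamic map while the intended static entry never matched. The message ids and sample lines are taken from the log above; the regular expressions are my assumptions about that message format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: three of the ASA debug lines quoted in the question, in log order
# (the 1.2.3.444 address is reproduced exactly as the page prints it).
SAMPLE_LOG = """\
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713222: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:1.2.3.444 dst:5.6.7.8
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713066: Group = 1.2.3.4, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: outside_dyn_map
Jan 24 2012 17:15:13 ASA1 : %ASA-5-713904: Group = 1.2.3.4, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
"""

# Assumed ASA syslog header layout: message id, optional Group, peer IP, free text.
MSG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}): (?:Group = \S+, )?IP = (?P<peer>\S+), (?P<text>.*)")
# 713222: a static crypto map entry was checked but its ACL did not cover the proxy IDs.
MISMATCH_RE = re.compile(r"map = (?P<map>\S+), seq = (?P<seq>\d+), ACL does not match proxy IDs src:(?P<src>\S+) dst:(?P<dst>\S+)")
# 713066: the map the peer was finally matched to (the dynamic map in the question).
FALLBACK_RE = re.compile(r"configured for crypto map: (?P<map>\S+)")

@dataclass
class PeerState:
    mismatches: List[Tuple[str, int, str, str]] = field(default_factory=list)  # (map, seq, src, dst)
    fallback_map: Optional[str] = None
    unacceptable: bool = False  # saw 713904 "All IPSec SA proposals found unacceptable!"

def analyze(log_text: str) -> Dict[str, PeerState]:
    """Group Phase 2 messages by peer IP: static-map ACL misses, final map, proposal rejection."""
    peers: Dict[str, PeerState] = {}
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        st = peers.setdefault(m["peer"], PeerState())
        if m["id"] == "713222" and (mm := MISMATCH_RE.search(m["text"])):
            st.mismatches.append((mm["map"], int(mm["seq"]), mm["src"], mm["dst"]))
        elif m["id"] == "713066" and (fm := FALLBACK_RE.search(m["text"])):
            st.fallback_map = fm["map"]
        elif m["id"] == "713904":
            st.unacceptable = True
    return peers

def findings(peers: Dict[str, PeerState]) -> List[str]:
    """One line per static map entry whose ACL should be compared with the proxy IDs the peer sent."""
    out = []
    for peer, st in peers.items():
        for map_name, seq, src, dst in st.mismatches:
            tail = f"; peer fell through to {st.fallback_map}" if st.fallback_map else ""
            tail += "; proposals then rejected (713904)" if st.unacceptable else ""
            out.append(f"peer {peer}: {map_name} seq {seq} ACL does not cover proxy IDs {src} -> {dst}{tail}")
    return out
```

Run it over the full debug output rather than this excerpt; each reported line names the crypto map entry and sequence number whose ACL needs to be compared with the proxy IDs the peer actually sent.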
