I have three sites: Toronto (1.1.1.1), Mississauga (2.2.2.2) and San Francisco (3.3.3.3). Each site has an ASA 5520. All of the sites are connected to each other through two site-to-site VPN links.
My problem is that the tunnel between Toronto and San Francisco is very unstable; it drops every 40 to 60 minutes. The tunnel between Toronto and Mississauga (configured the same way) does not drop and is stable.
I have also noticed that my pings are lost while the ASA still considers the tunnel to be up.
Here is the tunnel configuration.
Toronto (1.1.1.1)
crypto map Outside_map 1 match address Outside_cryptomap
crypto map Outside_map 1 set peer 3.3.3.3
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map 1 set ikev2 ipsec-proposal AES256
group-policy GroupPolicy_3.3.3.3 internal
group-policy GroupPolicy_3.3.3.3 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 3.3.3.3 type ipsec-l2l
tunnel-group 3.3.3.3 general-attributes
default-group-policy GroupPolicy_3.3.3.3
tunnel-group 3.3.3.3 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
San Francisco (3.3.3.3)
crypto map Outside_map0 2 match address Outside_cryptomap_1
crypto map Outside_map0 2 set peer 1.1.1.1
crypto map Outside_map0 2 set ikev1 transform-set ESP-AES-256-MD5 ESP-AES-256-SHA
crypto map Outside_map0 2 set ikev2 ipsec-proposal AES256
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-idle-timeout none
vpn-tunnel-protocol ikev1 ikev2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
I am stumped. Any ideas?
Update:
# show crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 3.3.3.3
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
2 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
# show crypto ipsec sa
interface: Outside
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.99.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.99.0.0/255.255.255.0/0/0)
current_peer: 74.200.4.148
#pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
#pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 30948, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: EFADD3D6
current inbound spi : 756AB014
inbound esp sas:
spi: 0x756AB014 (1969926164)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4372005/17024)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xEFADD3D6 (4021146582)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4369303/17024)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.100.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.100.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 18777146, #pkts encrypt: 18777329, #pkts digest: 18777329
#pkts decaps: 23208489, #pkts decrypt: 23208489, #pkts verify: 23208489
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 18777328, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 1, #pre-frag failures: 0, #fragments created: 2
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: D2002A5B
current inbound spi : 2E1F7B20
inbound esp sas:
spi: 0x2E1F7B20 (773815072)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3224936/17000)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xD2002A5B (3523226203)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (2120164/17000)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
access-list Outside_cryptomap_1 extended permit ip 10.0.0.0 255.255.0.0 10.110.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.110.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1289226, #pkts encrypt: 1289226, #pkts digest: 1289226
#pkts decaps: 1594987, #pkts decrypt: 1594987, #pkts verify: 1594987
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1289226, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 27
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 45B5CECD
current inbound spi : 862EB1DB
inbound esp sas:
spi: 0x862EB1DB (2251207131)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4318958/16999)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x45B5CECD (1169542861)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1015808, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (4360717/16999)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1
access-list Outside_cryptomap extended permit ip 10.0.0.0 255.255.0.0 10.10.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
current_peer: 3.3.3.3
#pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
#pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3444336, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 3.3.3.3/0
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6B0981E6
current inbound spi : 2F85EB3C
inbound esp sas:
spi: 0x2F85EB3C (797305660)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1245184, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (3944948/12647)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x6B0981E6 (1795785190)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 1245184, crypto-map: External_map
sa timing: remaining key lifetime (kB/sec): (364451/12647)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
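As an added illustration, not part of the original question or answer: a small Python parser for ASA "show crypto ipsec sa" output in the layout quoted above. It pulls each crypto-map entry's peer, encaps/decaps counters and remaining key lifetimes, then flags an ESP SA that is missing or close to rekeying and a tunnel that encrypts but never decrypts. The sample output is a constructed excerpt mirroring the question's 3.3.3.3 and 2.2.2.2 entries, and the warning thresholds are assumptions.

```python
import re

# Constructed excerpt in the layout of the ASA "show crypto ipsec sa" output quoted above (only the lines the parser reads are kept).
SAMPLE = """\
Crypto map tag: External_map, seq num: 1, local addr: 1.1.1.1
current_peer: 3.3.3.3
#pkts encaps: 3444336, #pkts encrypt: 3444336, #pkts digest: 3444336
#pkts decaps: 1756137, #pkts decrypt: 1756137, #pkts verify: 1756137
inbound esp sas:
sa timing: remaining key lifetime (kB/sec): (3944948/12647)
outbound esp sas:
sa timing: remaining key lifetime (kB/sec): (364451/12647)
Crypto map tag: External_map, seq num: 3, local addr: 1.1.1.1
current_peer: 2.2.2.2
#pkts encaps: 30948, #pkts encrypt: 30948, #pkts digest: 30948
#pkts decaps: 28516, #pkts decrypt: 28516, #pkts verify: 28516
inbound esp sas:
sa timing: remaining key lifetime (kB/sec): (4372005/17024)
outbound esp sas:
sa timing: remaining key lifetime (kB/sec): (4369303/17024)
"""

def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry: peer, encaps/decaps counters, per-direction SA lifetime."""
    entries = []
    for block in re.split(r"^Crypto map tag:", text, flags=re.M)[1:]:
        e = {"peer": re.search(r"current_peer: (\S+)", block).group(1)}
        for name, count in re.findall(r"#pkts (encaps|decaps): (\d+)", block):
            e[name] = int(count)
        # Text before "outbound esp sas:" describes the inbound SA, the rest the outbound SA.
        inb, _, outb = block.partition("outbound esp sas:")
        for d, part in (("inbound", inb), ("outbound", outb)):
            m = re.search(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)", part)
            e[d] = {"kb": int(m.group(1)), "sec": int(m.group(2))} if m else None
        entries.append(e)
    return entries

def check_entry(e, min_sec=600, min_kb=500000):
    """List warnings: SA missing or about to rekey (thresholds are assumptions), or one-way traffic."""
    warnings = []
    for d in ("inbound", "outbound"):
        sa = e[d]
        if sa is None:
            warnings.append(f"{d}: no ESP SA present")
        elif sa["sec"] < min_sec or sa["kb"] < min_kb:
            warnings.append(f"{d}: rekey imminent ({sa['kb']} kB / {sa['sec']} s left)")
    if e.get("encaps", 0) and not e.get("decaps", 0):
        warnings.append("encrypting but nothing decrypted: peer traffic is not arriving")
    return warnings
```

Run over the question's full output it singles out the 3.3.3.3 outbound SA, whose remaining volume (364451 kB) is far below that of every other SA listed, which is the kind of per-peer difference worth correlating with the times the tunnel drops.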
Answer 1
I think it may be because keepalive is disabled; if there is no traffic, or traffic is being routed the other way, that can cause the tunnel to drop due to inactivity. Try tearing down the tunnel on the target (clear isakmp sa $PEERIP), then run debugs on the source and see whether it is trying to re-establish. http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#crypto_isakmp