Cisco ASA 5520 fails under load

We have two sites running ASA 5520s with a VPN between the two firewalls. Recently we have run into a problem with the VPN failing under load. The logs indicate a problem computing the DH checksum. There seems to be no way to correct it; even tearing down and completely rebuilding the VPN does not help. But if we reboot both firewalls, the VPN comes straight back up! Cisco's specifications put the VPN's maximum throughput at 225Mbps, and the logs show traffic peaked at 220Mbps, so it was almost at the maximum. We have already taken steps to move traffic off the VPN, but we would still like to understand why the problem occurred. Has anyone else seen this?

Logs:
Here are the log entries (IPs obfuscated). The last few lines start repeating.

Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-5-750002: Local:xxx.xxx.xxx.125:500 Remote:xxx.xxx.xxx.126:500 Username:Unknown Received a IKE_INIT_SA request
Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-4-750003: Local:xxx.xxx.xxx.125:500 Remote:xxx.xxx.xxx.126:500 Username:Unknown Negotiation aborted due to ERROR: Failed to compute the DH value
Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = Man-Ext_map.  Map Sequence Number = 1.
Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-5-752003: Tunnel Manager dispatching a KEY_ACQUIRE message to IKEv2.  Map Tag = Man-Ext_map.  Map Sequence Number = 1.
Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-4-752011: IKEv1 Doesn't have a transform set specified
Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-5-750001: Local:xxx.xxx.xxx.125:500 Remote:xxx.xxx.xxx.126:500 Username:Unknown Received request to establish an IPsec tunnel; local traffic selector = Address Range: xxx.xxx.xxx.241-xxx.xxx.xxx.241 Protocol: 0 Port Range: 0-65535; remote traffic selector = Address Range: xxx.xxx.xxx.11-xxx.xxx.xxx.11 Protocol: 0 Port Range: 0-65535
Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-4-752012: IKEv2 was unsuccessful at setting up a tunnel.  Map Tag = Man-Ext_map.  Map Sequence Number = 1.
Jul  2 07:58:17 firewallJul 02 2012 07:58:17: %ASA-3-752015: Tunnel Manager has failed to establish an L2L SA.  All configured IKE versions failed to establish the tunnel. Map Tag= Man-Ext_map.  Map Sequence Number = 1.
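As an added illustration of a defender's log check (not part of the original post): a small Python parser for ASA syslog lines like the ones above that flags a peer whose IKEv2 negotiations keep aborting with the DH error, separating the repeating stuck state described in the post from a single transient failure. The message IDs are the ones in the post; the sample log is constructed from its lines, with a second copy 30 seconds later to mimic the repetition.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Timestamp, severity, six-digit message ID and free text of an ASA syslog line.
ASA_RE = re.compile(r"(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-(\d)-(\d{6}): (.*)")
PEER_RE = re.compile(r"Local:(\S+) Remote:(\S+)")
DH_FAILURE_ID = "750003"  # "Negotiation aborted due to ERROR: Failed to compute the DH value"
L2L_FAILED_ID = "752015"  # "Tunnel Manager has failed to establish an L2L SA"

def parse_asa_line(line):
    """Return (timestamp, severity, msg_id, text, (local, remote)) or None."""
    m = ASA_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
    p = PEER_RE.search(m.group(4))
    return ts, int(m.group(2)), m.group(3), m.group(4), (p.group(1), p.group(2)) if p else None

def detect_dh_failure_loop(lines, min_failures=2, window=timedelta(minutes=5)):
    """Return ({peer: densest count of DH aborts within `window`}, total L2L failures).
    A peer is listed only if it hit `min_failures` DH aborts inside one window."""
    failures, l2l_failures = defaultdict(list), 0
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed is None:
            continue
        ts, _sev, msg_id, text, peer = parsed
        if msg_id == DH_FAILURE_ID and "DH" in text and peer:
            failures[peer].append(ts)
        elif msg_id == L2L_FAILED_ID:
            l2l_failures += 1
    alerts = {}
    for peer, stamps in failures.items():
        stamps.sort()
        best = start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_failures:
            alerts[peer] = best
    return alerts, l2l_failures

# Constructed sample modelled on the post's log (IPs obfuscated as in the post):
# the same three-message cycle at 07:58:17 and again 30 seconds later.
_PFX = "Jul  2 07:58:%s firewallJul 02 2012 07:58:%s: %%ASA-"
_PEER = "Local:xxx.xxx.xxx.125:500 Remote:xxx.xxx.xxx.126:500 Username:Unknown "
SAMPLE_LOG = [line for s in ("17", "47") for line in (
    _PFX % (s, s) + "5-750002: " + _PEER + "Received a IKE_INIT_SA request",
    _PFX % (s, s) + "4-750003: " + _PEER + "Negotiation aborted due to ERROR: Failed to compute the DH value",
    _PFX % (s, s) + "3-752015: Tunnel Manager has failed to establish an L2L SA.  Map Tag= Man-Ext_map.",
)]
```

Feeding the full syslog file to `detect_dh_failure_loop` yields the peers that are in the stuck state; a single DH abort for a peer is left alone.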
