我在场景中遇到了路由故障转移的奇怪问题:我正在尝试通过 ospf 或 bgp 进行此故障转移,在这两种情况下,隧道都会发生相同的奇怪行为:对于 192.7.0.0 TUN,提供到 R1 的默认路由 - 主站点(我们需要所有流量)。
172.16.0.1(10.3.3.1) 10.3.3.0/30 172.16.0.2(10.3.3.2)
+-------------------------------->TUN0<--------------------------------------------+
| |
| +--------+ |
| | |EXTIP1 |
| +------------+ VPN1 +--------->IPSEC<------------+ |
| | | | | |
| v +--------+ | |
++------+ | |
| | |--------+ +--------++
LAN +--->| R1 | + | | |
192.0.0.0/24 | EXTIP3| VPN7 +------->| R7 <--+LAN
++------+ + | | |192.7.0.0/24
| ^ |--------+ +--------++
| | | |
| | | |
| | | |
| | +--------+ | |
| | | | | |
| +------------+ VPN2 |EXTIP2 | |
| | +------------->IPSEC<--------+ |
| +--------+ |
| |
| |
| PREFFERED PATCH |
+------------------------------------>TUN1<----------------------------------------+
172.16.0.3(10.3.3.5) 10.3.3.4/30 172.16.0.4(10.3.3.6)
初始启动时一切正常,当主链路 TUN1 发生故障时,会发生故障转移,几秒钟(ospf)或几分钟(bgp)后,链路收敛,网络流量通过 TUN0 正常。但是当 TUN1 恢复时,流量混乱,路由器将根据配置更改路径(TUN1 始终是提供的路径),但网络流量不通。我可以用小数据包 ping 192.7.0.0 <-> 192.0.0.0,但例如 VNC、HTTP 或其他应用程序不再起作用。我发现当 TUN1 恢复时,我将通过命令手动重置隧道链接:
sudo ip link set tun0 down
sudo ip link set tun1 down
sudo ip link set tun1 up
few seconds pause
sudo ip link set tun0 up
一切都恢复正常所以我的问题是:
这是关于故障转移实现的错误想法吗?
这是一个错误吗?
这是一个功能吗?
谢谢你的回答
R1 R7 上的 Vyatta 6.4 8.04 VPN[1|2|7] 上的 Vyatta 6.4 5.31
更新:我已从 192.0.0.0 在 TUN0 上运行了 mroute
mturoute.exe 192.7.0.162
* ICMP Fragmentation is not permitted. *
* Speed optimization is enabled. *
* Maximum payload is 10000 bytes. *
- ICMP payload of 1472 bytes is too big.
+ ICMP payload of 92 bytes succeeded.
+ ICMP payload of 782 bytes succeeded.
+ ICMP payload of 1127 bytes succeeded.
+ ICMP payload of 1299 bytes succeeded.
- ICMP payload of 1385 bytes is too big.
+ ICMP payload of 1342 bytes succeeded.
- ICMP payload of 1363 bytes is too big.
+ ICMP payload of 1352 bytes succeeded.
+ ICMP payload of 1357 bytes succeeded.
- ICMP payload of 1360 bytes is too big.
+ ICMP payload of 1358 bytes succeeded.
- ICMP payload of 1359 bytes is too big.
Path MTU: 1386 bytes.
故障转移后,TUN0->TUN1 也从 192.0.0.0
mturoute.exe 192.7.0.162
* ICMP Fragmentation is not permitted. *
* Speed optimization is enabled. *
* Maximum payload is 10000 bytes. *
- ICMP payload of 1472 bytes is too big.
+ ICMP payload of 92 bytes succeeded.
...- ICMP payload of 782 bytes failed. (IP_REQ_TIMED_OUT)
+ ICMP payload of 437 bytes succeeded.
.- ICMP payload of 609 bytes failed. (IP_REQ_TIMED_OUT)
.- ICMP payload of 523 bytes failed. (IP_REQ_TIMED_OUT)
+ ICMP payload of 480 bytes succeeded.
.- ICMP payload of 501 bytes failed. (IP_REQ_TIMED_OUT)
+ ICMP payload of 490 bytes succeeded.
+ ICMP payload of 495 bytes succeeded.
.- ICMP payload of 498 bytes failed. (IP_REQ_TIMED_OUT)
+ ICMP payload of 496 bytes succeeded.
.- ICMP payload of 497 bytes failed. (IP_REQ_TIMED_OUT)
Path MTU: 524 bytes.
我不明白为什么。
更新#2
EXTIP1、EXTIP2、EXTIP3 为 40Mbit F/O EXTIP2 和 EXTIP3 来自同一 ISP
答案1
这似乎与 pmtud 有关,在 R7 上禁用 pmtud(net.ipv4.ip_no_pmtu_disc=1)后,它似乎可以正常工作。这是关于隧道崩溃的帖子http://utcc.utoronto.ca/~cks/space/blog/linux/IPSecPacketDropProblemII
有用的 ip 命令:
ip route show table cache