Tôi đã cấu hình một trang web từ xa có hai địa chỉ IP cho các đồng nghiệp VPN của trung tâm dữ liệu - một chính (1.1.1.1), một bản sao lưu (2.2.2.2). Khi ngang hàng chính không thành công, trang web từ xa sẽ phát hiện lỗi bằng DPD (sau khoảng 15 giây). Nó rơi nước mắt, sau đó tiến hành thử kết nối lại với đồng nghiệp chính! Sau khoảng 30 giây không có phản hồi, cuối cùng nó cũng thử ngang hàng dự phòng và kết nối ngay lập tức. Có ai khác nhìn thấy điều này không, và có cách nào để tránh sự chờ đợi 30 giây không cần thiết này không?!
(Phiên bản mã là 8.2 (5), cấu hình bên dưới)
TÌM HIỂU TRANG WEB CHÁY:
crypto ipsec transform-set L2L-VPN-TRANSFORM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy L2L-VPN-POLICY
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *****
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 general-attributes
default-group-policy L2L-VPN-POLICY
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
!
crypto map OUTSIDE-MAP 1 match address ATOS-DC-ENCRYPTION-DOMAIN
crypto map OUTSIDE-MAP 1 set pfs
crypto map OUTSIDE-MAP 1 set peer 1.1.1.1 2.2.2.2
crypto map OUTSIDE-MAP 1 set transform-set L2L-VPN-TRANSFORM
crypto map OUTSIDE-MAP 1 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE-MAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
DC FIREWALLS (CẢ HAI CÙNG):
crypto ipsec transform-set L2L-VPN-TRANSFORM esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
!
tunnel-group DefaultL2LGroup general-attributes
default-group-policy L2L-VPN-POLICY
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *****
!
crypto dynamic-map REMOTE-DYNMAP 1 set pfs
crypto dynamic-map REMOTE-DYNMAP 1 set transform-set L2L-VPN-TRANSFORM
crypto dynamic-map REMOTE-DYNMAP 1 set security-association lifetime seconds 3600
crypto dynamic-map REMOTE-DYNMAP 1 set security-association lifetime kilobytes 4608000
crypto dynamic-map REMOTE-DYNMAP 1 set reverse-route
crypto map OUTSIDE-MAP 1 ipsec-isakmp dynamic REMOTE-DYNMAP
crypto map OUTSIDE-MAP interface OUTSIDE
crypto isakmp enable OUTSIDE
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Nhật ký cho thấy sự thất bại và sự chậm trễ:
Jun 18 2013 00:52:46: %ASA-5-111008: User 'enable_15' executed the 'clear logging buffer' command.
Jun 18 2013 00:54:37: %ASA-3-713123: Group = 1.1.1.1, IP = 1.1.1.1, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Jun 18 2013 00:54:37: %ASA-5-713259: Group = 1.1.1.1, IP = 1.1.1.1, Session is being torn down. Reason: Lost Service
Jun 18 2013 00:54:37: %ASA-4-113019: Group = 1.1.1.1, Username = 1.1.1.1, IP = 1.1.1.1, Session disconnected. Session Type: IPsec, Duration: 0h:03m:00s, Bytes xmt: 480192, Bytes rcv: 478992, Reason: Lost Service
Jun 18 2013 00:54:37: %ASA-5-713041: IP = 1.1.1.1, IKE Initiator: New Phase 1, Intf OUTSIDE, IKE Peer 1.1.1.1 local Proxy Address 10.233.224.4, remote Proxy Address 1.1.1.1, Crypto map (OUTSIDE-MAP)
Jun 18 2013 00:54:39: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:41: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:43: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:45: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:47: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:48: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:49: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:51: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:53: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:55: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:57: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:54:59: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:55:01: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:55:03: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:55:05: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:55:07: %ASA-3-713042: IKE Initiator unable to find policy: Intf INSIDE-TRANSIT, Src: 10.60.1.1, Dst: 10.250.1.1
Jun 18 2013 00:55:09: %ASA-5-713041: IP = 2.2.2.2, IKE Initiator: New Phase 1, Intf OUTSIDE, IKE Peer 2.2.2.2 local Proxy Address 10.233.224.4, remote Proxy Address 2.2.2.2, Crypto map (OUTSIDE-MAP)
Jun 18 2013 00:55:09: %ASA-5-713119: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 1 COMPLETED
Jun 18 2013 00:55:09: %ASA-5-713049: Group = 2.2.2.2, IP = 2.2.2.2, Security negotiation complete for LAN-to-LAN Group (2.2.2.2) Initiator, Inbound SPI = 0xd21ad657, Outbound SPI = 0xd7d9c25a
Jun 18 2013 00:55:09: %ASA-5-713120: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 2 COMPLETED (msgid=1949f878)
Jun 18 2013 00:55:09: %ASA-5-713041: Group = 2.2.2.2, IP = 2.2.2.2, IKE Initiator: New Phase 2, Intf INSIDE-TRANSIT, IKE Peer 2.2.2.2 local Proxy Address 10.60.0.0, remote Proxy Address 10.0.0.0, Crypto map (OUTSIDE-MAP)
Jun 18 2013 00:55:09: %ASA-5-713049: Group = 2.2.2.2, IP = 2.2.2.2, Security negotiation complete for LAN-to-LAN Group (2.2.2.2) Initiator, Inbound SPI = 0xd4218cd3, Outbound SPI = 0xf9a8108b
Jun 18 2013 00:55:09: %ASA-5-713120: Group = 2.2.2.2, IP = 2.2.2.2, PHASE 2 COMPLETED (msgid=c0a82858)