ROS Soft Router Forum ROSABC.com: Network Solutions and Network Engineering Exchange

A Strange Failure on a Huawei Quidway Router: Lessons Learned

2014-6-17 11:26 | Posted by: admin | Views: 599 | Comments: 0


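I recently ran into a strange failure while working with Huawei's Quidway series routers, and I want to share what led up to it and how it ended.

Here is the situation: Beijing and Shanghai were connected by an IPSec VPN built between routers. Beijing had just brought up a new China Telecom line, and to make Shanghai-to-Beijing traffic faster, higher, stronger, we decided to terminate the VPN on Beijing's Telecom link, so I changed the IP addresses on both ends.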

#
ike peer peer
 pre-shared-key ****
 remote-address 219.143.x.x
 local-address 116.228.x.x
#

#
ike peer peer
 pre-shared-key ****
 remote-address 116.228.x.x
 local-address 219.143.x.x
#

After making the changes, I ran:

reset ipsec sa

reset ike sa

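Then I sat back and waited for the connection to come up: 1 minute... 2 minutes... 5 minutes... fuck.... Evidently it could not be established, so I checked the session state.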

<Quidway>dis ike sa
    Total IKE phase-1 SAs:  0
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
             38    219.143.x.x    RD|ST         2     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

<MSR5040>dis ike sa
    total phase-1 SAs:  0
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
     28599         116.228.x.x        RD            2     IPSEC

     28598         <unnamed>     RD            1     IPSEC

  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

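The IKE SA had actually failed to establish. I checked the configuration and everything looked normal. Very strange. With no other option, I turned on debugging.

-----------Beijing router--------------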

<MSR5040>terminal debugging
Info: Current terminal debugging is on.

<MSR5040>terminal monitor
Info: Current terminal monitor is on.

<MSR5040>debugging ike all

<MSR5040>
*Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG: message send:
*Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG:   ICOOKIE: 0xf348aed30c37f270
*Oct 16 15:43:11:409 2012 MSR5040 IKE/7/DEBUG:   RCOOKIE: 0x0000000000000000
*Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG:   NEXT_PAYLOAD: SA
*Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG:   VERSION: 16
*Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG:   EXCH_TYPE: ID_PROT
*Oct 16 15:43:11:410 2012 MSR5040 IKE/7/DEBUG:   FLAGS: [ ]
*Oct 16 15:43:11:411 2012 MSR5040 IKE/7/DEBUG:   MESSAGE_ID: 0x00000000
*Oct 16 15:43:11:411 2012 MSR5040 IKE/7/DEBUG:   LENGTH: 124
<MSR5040>

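The request message is correct and an SA has already been created, so the problem is probably not on the Beijing router. Next, the Shanghai router.

-----------Shanghai router--------------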

<Quidway>terminal debugging
Info: Current terminal debugging is on.

<Quidway>terminal monitor
Info: Current terminal monitor is on.

<Quidway>debugging ike all

<Quidway>
*0.24561482 Quidway IKE/7/DEBUG:add transport: adding 8408fac4
*0.24561483 Quidway IKE/7/DEBUG:transport reference: transport 8408fac4 now has 1references
*0.24561485 Quidway IKE/7/DEBUG:message alloc: allocated 84087264
*0.24561486 Quidway IKE/7/DEBUG:message_recv: message 84087264
*0.24561488 Quidway IKE/7/DEBUG:  ICOOKIE: 0xf348aed30c37f270
*0.24561489 Quidway IKE/7/DEBUG:  RCOOKIE: 0x0000000000000000
*0.24561491 Quidway IKE/7/DEBUG:  NEXT_PAYLOAD: SA
*0.24561492 Quidway IKE/7/DEBUG:  VERSION: 16
*0.24561493 Quidway IKE/7/DEBUG:  EXCH_TYPE: ID_PROT
*0.24561494 Quidway IKE/7/DEBUG:  FLAGS: [ ]
*0.24561497 Quidway IKE/7/DEBUG:  MESSAGE_ID: 0x00000000
*0.24561498 Quidway IKE/7/DEBUG:  LENGTH: 124


*0.24561500 Quidway IKE/7/DEBUG:message dump: iovec 0:
*0.24561501 Quidway IKE/7/DEBUG:f348aed3 0c37f270 00000000 00000000 01100200 00000000 0000007c 0d000038
*0.24561503 Quidway IKE/7/DEBUG:00000001 00000001 0000002c 01010001 00000024 00010000 80010001 80020002
*0.24561505 Quidway IKE/7/DEBUG:80030001 80040001 800b0001 000c0004 00015180 0d000014 90cb8091 3ebb696e
*0.24561507 Quidway IKE/7/DEBUG:086381b5 ec427b1f 00000014 4485152d 18b6bbcd 0be8a846 9579ddcc
*0.24561509 Quidway IKE/7/DEBUG:exchange lookup from cookie: icookie f348aed30c37f270
*0.24561511 Quidway IKE/7/DEBUG:message parse payloads: payload SA
*0.24561512 Quidway IKE/7/DEBUG:message parse payloads: payload VENDOR
*0.24561517 Quidway IKE/7/DEBUG:message parse payloads: payload VENDOR
*0.24561518 Quidway IKE/7/DEBUG:validate payload SA of message 84087264
*0.24561520 Quidway IKE/7/DEBUG:  DOI: 1
*0.24561521 Quidway IKE/7/DEBUG:exchange_setup_p1: no ike peer configuration found for peer "111.207.x.x,116.228.x.x"
*0.24561524 Quidway IKE/7/DEBUG:message free: freeing 84087264
*0.24561525 Quidway IKE/7/DEBUG:release transport: transport 8408fac4 had 1references
*0.24561527 Quidway IKE/7/DEBUG:release transport:: freeing 8408fac4
*0.24561528 Quidway IKE/7/DEBUG:transport reference: transport 840889c4 now has 2references
*0.24561530 Quidway IKE/7/DEBUG:transport reference: transport 84088564 now has 2references
*0.24561532 Quidway IKE/7/DEBUG:transport reference: transport 84088424 now has 2references
*0.24561537 Quidway IKE/7/DEBUG:release transport: transport 840889c4 had 2references
*0.24561539 Quidway IKE/7/DEBUG:release transport: transport 84088564 had 2references
*0.24561541 Quidway IKE/7/DEBUG:release transport: transport 84088424 had 2references

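The problem surfaces: the IP address in the message highlighted in red in the original post (the "exchange_setup_p1: no ike peer configuration found for peer" line) is wrong. It is the IP address from before the change! The peer's IP address has already been changed, yet the router is still using the pre-change IP address to establish the connection. What a rip-off... This should be where the problem lies. I applied the configuration again, still with no effect, so as a last resort I rebooted the Shanghai router, and the problem was solved.

This problem tells us that even on a router, configuration changes do not always take effect immediately. When troubleshooting, doubt everything, and never fall into the mistaken belief that past experience is enough!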
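Added example (not part of the original post): a Python script that decodes the ISAKMP header from the hex dump in the Shanghai debug output, so it can be checked against the logged fields, and flags any "no ike peer configuration found" line whose remote address differs from the configured remote-address. It assumes the quoted pair in that message is ordered "remote,local"; the function and constant names are hypothetical.

```python
import re
import struct

# ISAKMP header (first 28 bytes) from the "message dump" in the Shanghai debug output.
DUMP = "f348aed3 0c37f270 00000000 00000000 01100200 00000000 0000007c"

# Line taken from the page's Shanghai debug output (addresses are masked on the page).
LOG = ['*0.24561521 Quidway IKE/7/DEBUG:exchange_setup_p1: no ike peer '
       'configuration found for peer "111.207.x.x,116.228.x.x"']

# ISAKMP exchange and payload type numbers (RFC 2408), named as the debug log prints them.
EXCH_TYPES = {1: "BASE", 2: "ID_PROT", 3: "AUTH_ONLY", 4: "AGGRESSIVE", 5: "INFO"}
PAYLOADS = {0: "NONE", 1: "SA", 13: "VENDOR"}
PEER_RE = re.compile(r'no ike peer configuration found for peer "([^,"]+),([^"]+)"')


def parse_isakmp_header(dump):
    """Decode the fixed 28-byte ISAKMP header (RFC 2408, section 3.1)."""
    raw = bytes.fromhex(dump.replace(" ", ""))
    if len(raw) < 28:
        raise ValueError("ISAKMP header needs 28 bytes")
    icookie, rcookie, nxt, ver, exch, flags, msg_id, length = struct.unpack(
        ">8s8sBBBBII", raw[:28])
    return {
        "icookie": icookie.hex(), "rcookie": rcookie.hex(),
        "next_payload": PAYLOADS.get(nxt, nxt),
        "version": ver,  # 0x10 = major 1, minor 0; the router logs it as 16
        "exch_type": EXCH_TYPES.get(exch, exch),
        "flags": flags, "message_id": msg_id, "length": length,
    }


def unmatched_peers(log_lines, configured_remote):
    """List (remote, local, mismatch) for every rejected phase-1 request.

    Assumption: the quoted pair is "remote,local". mismatch is True when the
    remote the router looked up is not the configured remote-address.
    """
    hits = []
    for line in log_lines:
        m = PEER_RE.search(line)
        if m:
            remote, local = m.group(1), m.group(2)
            hits.append((remote, local, remote != configured_remote))
    return hits


if __name__ == "__main__":
    print(parse_isakmp_header(DUMP))
    print(unmatched_peers(LOG, "219.143.x.x"))
```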
