Site-to-site VPN monitor status shows "up" on the active firewall but "down" on the passive firewall
Created On 04/06/22 02:55 AM - Last Modified 01/03/25 14:08 PM
Symptom
- The site-to-site VPN monitor status shows "up" on the active firewall but "down" on the passive firewall.
- For example, in the output below, tunnel IDs 7 and 8 show a monitor state of "down" on the passive firewall.
- VPN flow output on the active firewall:
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active up 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active up 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
- VPN flow output on the passive firewall:
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active down 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active down 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
Environment
- Palo Alto Networks firewall
- Supported PAN-OS
- IPSec VPN
Cause
- The VPN tunnel monitor was not refreshed on the passive firewall, so it remained stuck at its last recorded state, "down".
- The SPI mismatch between the active and passive firewalls is shown below.
- IPSec SA status on the active firewall:
>show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec)
-------------- ---- ------------ --------------- --------- ------- -------- ------------ ----------------
1 1 10.18.199.14 VPN-FWSING01(FWSING01) ESP/A256/SHA256 D956EA0F F954FBDB 3600/Unlimited 3454
2 2 10.18.199.22 VPN-FWSING02(FWSING02) ESP/A256/SHA256 E75AB051 C75863BB 3600/Unlimited 3429
4 4 10.24.133.4 VPN-FWGERL(FWGERL00A11401-FWGERL0A0E0701) ESP/A256/SHA256 A4289A3C 9C4D6B34 3600/Unlimited 3513
3 5 10.50.182.206 VPN-FWCEFI(FWCEFI00AP3201-FWCEFI00AP1001) ESP/A256/SHA256 EDFA3DB9 ACB90772 3600/Unlimited 3006
5 6 10.24.136.4 VPN-FWBORD(FWBORD0A1S6101-FWBORD0A1S0401) ESP/A256/SHA256 A98B6650 EE1CCC94 3600/Unlimited 3470
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 3171
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 96BDC835 DB437AAC 3600/Unlimited 1044
- IPSec SA status on the passive firewall:
>show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec)
-------------- ---- ------------ --------------- --------- ------- -------- ------------ ----------------
1 1 10.18.199.14 VPN-FWSING01(FWSING01) ESP/A256/SHA256 D956EA0F F954FBDB 3600/Unlimited 2185
2 2 10.18.199.22 VPN-FWSING02(FWSING02) ESP/A256/SHA256 E75AB051 C75863BB 3600/Unlimited 2160
4 4 10.24.133.4 VPN-FWGERL(FWGERL00A11401-FWGERL0A0E0701) ESP/A256/SHA256 A4289A3C 9C4D6B34 3600/Unlimited 2244
3 5 10.50.182.206 VPN-FWCEFI(FWCEFI00AP3201-FWCEFI00AP1001) ESP/A256/SHA256 EDFA3DB9 ACB90772 3600/Unlimited 1737
5 6 10.24.136.4 VPN-FWBORD(FWBORD0A1S6101-FWBORD0A1S0401) ESP/A256/SHA256 A98B6650 EE1CCC94 3600/Unlimited 2201
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 1902
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 EADEC3AA 89679FFD 3600/Unlimited 2815
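An added example (not code from the KB article) that parses the two listings above from both HA peers and flags the symptom described here: a monitor that is "up" on the active peer but "down" on the passive peer, and an IPSec SA whose SPIs differ between peers. The sample rows are constructed from the page's own output (a subset of tunnels).

```python
# Added example (not the KB article's own code): parse the two PAN-OS listings
# from both HA peers and flag the symptom the article describes.
# Sample rows are constructed from the page's output (a subset of tunnels).
ACTIVE_FLOW = """\
7 VPN-FWBAST active up 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active up 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
"""
PASSIVE_FLOW = ACTIVE_FLOW.replace("active up", "active down")
ACTIVE_SA = """\
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 3171
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 96BDC835 DB437AAC 3600/Unlimited 1044
"""
PASSIVE_SA = """\
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 1902
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 EADEC3AA 89679FFD 3600/Unlimited 2815
"""

def parse_vpn_flow(text):
    """'show vpn flow' rows -> {tunnel_name: (state, monitor)}."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[0].isdigit():  # skips headers and totals
            rows[parts[1]] = (parts[2], parts[3])
    return rows

def parse_ipsec_sa(text):
    """'show vpn ipsec-sa' rows -> {tunnel_name: (spi_in, spi_out)}."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 9 and parts[0].isdigit():
            name = parts[3].split("(")[0]  # 'VPN-FWBAST(gw)' -> 'VPN-FWBAST'
            rows[name] = (parts[5], parts[6])
    return rows

def find_mismatches(active_flow, passive_flow, active_sa, passive_sa):
    """Return {tunnel: [reasons]} where the HA peers disagree. A tunnel that is
    down on both peers is a real outage, not a stale monitor, and is not flagged."""
    problems = {}
    for name, (_state, mon_active) in active_flow.items():
        if mon_active == "up" and passive_flow.get(name, ("", ""))[1] != "up":
            problems.setdefault(name, []).append("monitor stale on passive")
    for name, spis in active_sa.items():
        if name in passive_sa and passive_sa[name] != spis:
            problems.setdefault(name, []).append("SPI mismatch (SA not synced)")
    return problems
```

Feed the script the full `show vpn flow` and `show vpn ipsec-sa` output captured from each peer; tunnel 9 above stays unflagged because it is down on both firewalls.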
Resolution
- On the active firewall, manually synchronize the runtime session state to the passive peer using the following CLI command:
- > request high-availability sync-to-remote runtime-stats
- The VPN monitor status is then synchronized and shows "up" on the secondary firewall.
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active up 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active up 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8