站点到站点VPN监视器状态在主动防火墙上为“启动”,在被动防火墙上为“关闭”
2813
Created On 04/06/22 02:55 AM - Last Modified 01/03/25 14:07 PM
Symptom
- 站点到站点VPN监视器状态在主动防火墙上为“启动”,但在被动防火墙上显示“关闭”。
- 例如,在此输出中,我们可以看到隧道ID 7 和 8 在被动防火墙上处于“关闭”状态
- 活动防火墙上的VPN流输出:
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active up 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active up 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
- 被动防火墙上的VPN流输出:
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active down 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active down 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
Environment
- Palo Alto 防火墙
- 支持的 PAN OS
- IP安全VPN
Cause
- VPN 隧道监视器未在被动防火墙上刷新,并停留在最后的状态“关闭”。
- 主动防火墙与被动防火墙之间的 SPI 不匹配如下所示。
- 活动防火墙上的IPSec SA状态:
>show vpn ipsec-sa GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec) -------------- ---- ------------ --------------- --------- ------- -------- ------------ ---------------- 1 1 10.18.199.14 VPN-FWSING01(FWSING01) ESP/A256/SHA256 D956EA0F F954FBDB 3600/Unlimited 3454 2 2 10.18.199.22 VPN-FWSING02(FWSING02) ESP/A256/SHA256 E75AB051 C75863BB 3600/Unlimited 3429 4 4 10.24.133.4 VPN-FWGERL(FWGERL00A11401-FWGERL0A0E0701) ESP/A256/SHA256 A4289A3C 9C4D6B34 3600/Unlimited 3513 3 5 10.50.182.206 VPN-FWCEFI(FWCEFI00AP3201-FWCEFI00AP1001) ESP/A256/SHA256 EDFA3DB9 ACB90772 3600/Unlimited 3006 5 6 10.24.136.4 VPN-FWBORD(FWBORD0A1S6101-FWBORD0A1S0401) ESP/A256/SHA256 A98B6650 EE1CCC94 3600/Unlimited 3470 6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 3171 7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 96BDC835 DB437AAC 3600/Unlimited 1044
- 被动防火墙上的IPSec SA状态:
>show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec)
-------------- ---- ------------ --------------- --------- ------- -------- ------------ ----------------
1 1 10.18.199.14 VPN-FWSING01(FWSING01) ESP/A256/SHA256 D956EA0F F954FBDB 3600/Unlimited 2185
2 2 10.18.199.22 VPN-FWSING02(FWSING02) ESP/A256/SHA256 E75AB051 C75863BB 3600/Unlimited 2160
4 4 10.24.133.4 VPN-FWGERL(FWGERL00A11401-FWGERL0A0E0701) ESP/A256/SHA256 A4289A3C 9C4D6B34 3600/Unlimited 2244
3 5 10.50.182.206 VPN-FWCEFI(FWCEFI00AP3201-FWCEFI00AP1001) ESP/A256/SHA256 EDFA3DB9 ACB90772 3600/Unlimited 1737
5 6 10.24.136.4 VPN-FWBORD(FWBORD0A1S6101-FWBORD0A1S0401) ESP/A256/SHA256 A98B6650 EE1CCC94 3600/Unlimited 2201
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 1902
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 EADEC3AA 89679FFD 3600/Unlimited 2815
Resolution
- 在活动防火墙上使用以下CLI 命令手动同步防火墙之间的运行时会话状态。
- >>请求高可用性同步到远程运行时统计
- VPN监视器状态将同步,并且它将在辅助防火墙上“启动”。
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active up 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active up 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8