Standard VPN tunnel flapping due to multiple IKE sessions
Created On 01/31/23 05:12 AM - Last Modified 05/22/25 21:54 PM
Symptom
A Standard VPN (third-party VPN) tunnel flaps continuously.
- Every time an IKE rekey takes place, a multiple_ike_session event is generated, which causes the Standard VPN to flap.
- The alarm shows the extended state "multiple_ike_session" with the reason "down".
- When you run the following commands from the CLI, you will see the logs below:
debug logs dump tunnelmgr
debug logs dump tunnelmgr | grep "yyyy-mm-dd"
2023-01-27T14:01:54.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.72.156, remote_ip:4.53.41.66, state:down}
2023-01-27T14:02:33.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.72.156, remote_ip:4.53.41.66, state:down}
2023-01-27T14:03:09.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.7
- When you run the following commands from the CLI, you will see "Extended State : multiple_ike_session":
dump servicelink summary all
dump interface status <interface>
dump servicelink summary slname=<name of the tunnel>
Example:
FLS-USA90062-01# dump servicelink summary all
-------------- SERVICE LINKS ----------------------------------
Total : 1
TotalUP : 1
TotalDown : 0
---------------------------------------------------------------
SlDev SlName Status ExtState ParentDev LocalIP Peer Type IpsecProfile
---------------------------------------------------------------
sl1 FLS_VPN_Tunnel up tunnel_up eth2 64.129.72.156 4.53.41.66 IPsec FLS_IPSEC_Profile_USA90062
FLS-USA90062-01# dump interface status FLS_VPN_Tunnel
Interface : FLS_VPN_Tunnel
Device : sl1
ID : 1669909635099013945
State : down
Last Change : 2023-01-27 15:36:54.887 (13.128s ago)
Address : 10.255.255.10/30
Route : 0.0.0.0/0 via 10.255.255.10 metric 0
Extended State : multiple_ike_session
Remote IP : 4.53.41.66
Local IP : 64.129.72.156
DPDK Controlled : false
FLS-USA90062-01# dump servicelink status slname=FLS_VPN_Tunnel
ServiceLink : sl1
Interface : FLS_VPN_Tunnel
Description :
ID : 1674835650155005745
Type : service_link (ipsec)
Admin State : up
Alarms : enabled
NetworkContextID :
IpfixCollectorContextID :
IpfixFilterContextID :
Scope : local
Directed Broadcast : false
MTU : 1400
IP : static
Address : 10.255.255.10/30
Parent Interface : internet 1
Parent Device : eth2
Peer : 4.53.41.66
Service Endpoint : FLS_FW
IPSec Profile : FLS_IPSEC_Profile_USA90062
Authentication Type : psk
Local ID Type : local_ip
Key Exchange : ikev2
IKE Reauth : no
IKE Lifetime : 4 hours
IKE Remote Port : 500
IKE DH Group/Encryption/Hash : ecp256/aes128/sha256
ESP Lifetime : 1 hours
ESP Encapsulation : Auto
ESP DH Group/Encryption/Hash : ecp256/aes128/sha256
DPD Enabled : yes
DPD Delay : 1
DPD Timeout : 5
Authentication Override
Authentication Type : psk
Local ID Type : local_ip
Device : sl1
State : up
Last Change : 2023-01-27 17:27:02.967 (83h41m37s ago)
Address : 10.255.255.10/30
Route : 0.0.0.0/0 via 10.255.255.10 metric 0
Extended State : multiple_ike_session
IPSec Algo : AES_CBC_128_HMAC_SHA2_256_128
Ike Algo : AES_CBC_128HMAC_SHA2_256_128
Remote IP : 4.53.41.66
Local IP : 64.129.72.156
IkeLastRekeyed : 2023-01-31 04:39:26.589020385 +0000 UTC
IkeNextRekey : 2023-01-31 08:37:00.589021465 +0000 UTC
IPsecLastRekeyed: 2023-01-31 04:36:07.897312962 +0000 UTC
IPsecNextRekey : 2023-01-31 05:29:44.897314592 +0000 UTC
DPDK Controlled : false
Peer configured on interface
Ipv4Addr: 4.53.41.66
---------------------------------------------------------------
Liveliness probe status
---------------------------------------------------------------
liveliness probe not present
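As an added example (not part of this article or of the Prisma SD-WAN software), the following Python script parses tunnelmgr SetServiceLinkStatus lines in the format shown above and flags a service link whose extended state repeatedly reports multiple_ike_session with state down inside a short window, which is the flapping pattern this article describes. The sample log lines are constructed from the article's values; the regular expression and the threshold of three events within five minutes are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed pattern for a tunnelmgr SetServiceLinkStatus line as shown in the article.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ tunnelmgr \d+ tunnelmgr SetServiceLinkStatus "
    r"sl:(?P<sl>\w+), state:\{extended_state:(?P<ext>\w+), "
    r"local_ip:(?P<lip>[\d.]+), remote_ip:(?P<rip>[\d.]+), state:(?P<state>\w+)\}$"
)

# Constructed sample: the three lines from the article plus an unrelated line
# and a healthy tunnel_up transition that must be ignored by the detector.
SAMPLE_LOG = """\
2023-01-27T14:01:54.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.72.156, remote_ip:4.53.41.66, state:down}
2023-01-27T14:02:10.100 inf tunnelmgr 4430 tunnelmgr some other message
2023-01-27T14:02:33.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.72.156, remote_ip:4.53.41.66, state:down}
2023-01-27T14:02:40.000 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:tunnel_up, local_ip:64.129.72.156, remote_ip:4.53.41.66, state:up}
2023-01-27T14:03:09.872 inf tunnelmgr 4430 tunnelmgr SetServiceLinkStatus sl:sl1, state:{extended_state:multiple_ike_session, local_ip:64.129.72.156, remote_ip:4.53.41.66, state:down}
"""


def parse_line(line):
    """Return the fields of a SetServiceLinkStatus line as a dict, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%S.%f")
    return fields


def find_flapping(lines, min_events=3, window=timedelta(minutes=5)):
    """Map each service link that reported multiple_ike_session/down at least
    min_events times within one window to its total count of such events."""
    downs = {}
    for line in lines:
        ev = parse_line(line)
        if ev and ev["ext"] == "multiple_ike_session" and ev["state"] == "down":
            downs.setdefault(ev["sl"], []).append(ev["ts"])
    flapping = {}
    for sl, stamps in downs.items():
        stamps.sort()
        # Slide over the sorted timestamps; any min_events consecutive ones
        # that fit inside the window mark the link as flapping.
        for i in range(len(stamps) - min_events + 1):
            if stamps[i + min_events - 1] - stamps[i] <= window:
                flapping[sl] = len(stamps)
                break
    return flapping


if __name__ == "__main__":
    print(find_flapping(SAMPLE_LOG.splitlines()))
```

A link reported here at every IKE rekey is the symptom to correlate with the IkeLastRekeyed timestamp in dump servicelink status output before checking which side initiates.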
Environment
Prisma SD-WAN / CloudGenix
Cause
Both ends of the VPN tunnel are in active (initiator) mode; the customer has enabled active mode on their side of the tunnel.
Resolution
When building the IPSec tunnel, passive mode must be enabled on the other end of the tunnel (the customer side). That endpoint should act only as the passive side/responder. Change the mode on the customer (that is, vendor) side from active to passive so that the tunnel comes up.