Hi all, maybe someone has run into this.
The situation is as follows: there is a 2821 terminating around 100 site-to-site IPsec tunnels.
Everything is built on crypto maps. Everything has been working fine for months now, but... at some point all the tunnels go down at the same time.

The tunnel-related config on the 2821:
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 5 periodic
crypto isakmp nat keepalive 10
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac
crypto map Inet 1 ipsec-isakmp
description ---
set peer A.A.A.A
set transform-set 3DES_MD5
match address 124
reverse-route static
interface GigabitEthernet0/1
description --- Internet ---
ip address B.B.B.B
standby version 2
standby 2 ip C.C.C.C
standby 2 priority 200
standby 2 preempt
standby 2 name Internet
duplex auto
speed auto
crypto map Inet redundancy Internet
......
access-list 124 permit ip 192.168.0.0 0.0.255.255 192.168.15.200 0.0.0.3

On the other side there is an 871 with an analogous config.
So, after a tunnel goes down, traffic between the external interfaces passes and IPsec phase 1 and phase 2 complete, but the payload traffic gets dropped for some reason. By experiment I found that this is cured by changing the encryption from 3DES_MD5 to 3DES_SHA. As soon as I change the encryption method on both sides, everything comes up immediately.
I've been racking my brains over what's wrong....

debug crypto isa from the 870 box:
*May 27 12:44:11: ISAKMP:(0): SA request profile is (NULL)
*May 27 12:44:11: ISAKMP: Found a peer struct for C.C.C.C, peer port 500
*May 27 12:44:11: ISAKMP: Locking peer struct 0x83F14820, refcount 3 for isakmp_initiator
*May 27 12:44:11: ISAKMP: local port 500, remote port 500
*May 27 12:44:11: ISAKMP: set new node 0 to QM_IDLE
*May 27 12:44:11: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8571A10C
*May 27 12:44:11: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C
*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 27 12:44:11: ISAKMP:(0): beginning Main Mode exchange
*May 27 12:44:11: ISAKMP:(0): sending packet to C.C.C.C my_port 500 peer_port 500 (I) MM_NO_STATE
*May 27 12:44:11: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP (0): received packet from C.C.C.C dport 500 sport 500 Global (R) MM_SA_SETUP
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
*May 27 12:44:11: ISAKMP:(0): processing KE payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C
*May 27 12:44:11: ISAKMP:(2010): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2010): vendor ID is DPD
*May 27 12:44:11: ISAKMP:(2010): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2010): speaking to another IOS box!
*May 27 12:44:11: ISAKMP:(2010): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2010): vendor ID seems Unity/DPD but major 204 mismatch
*May 27 12:44:11: ISAKMP:(2010): vendor ID is XAUTH
*May 27 12:44:11: ISAKMP:received payload type 20
*May 27 12:44:11: ISAKMP (2010): His hash no match - this node outside NAT
*May 27 12:44:11: ISAKMP:received payload type 20
*May 27 12:44:11: ISAKMP (2010): No NAT Found for self or peer
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM3 New State = IKE_R_MM3
*May 27 12:44:11: ISAKMP (0): received packet from C.C.C.C dport 500 sport 500 Global (I) MM_NO_STATE
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*May 27 12:44:11: ISAKMP:(2010): sending packet to C.C.C.C my_port 500 peer_port 500 (R) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2010):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM3 New State = IKE_R_MM4
*May 27 12:44:11: ISAKMP:(0): processing SA payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0): processing vendor id payload
*May 27 12:44:11: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*May 27 12:44:11: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C
*May 27 12:44:11: ISAKMP:(0): local preshared key found
*May 27 12:44:11: ISAKMP : Scanning profiles for xauth ...
*May 27 12:44:11: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*May 27 12:44:11: ISAKMP: encryption AES-CBC
*May 27 12:44:11: ISAKMP: keylength of 256
*May 27 12:44:11: ISAKMP: hash SHA
*May 27 12:44:11: ISAKMP: default group 2
*May 27 12:44:11: ISAKMP: auth pre-share
*May 27 12:44:11: ISAKMP: life type in seconds
*May 27 12:44:11: ISAKMP: life duration (basic) of 36000
*May 27 12:44:11: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 27 12:44:11: ISAKMP:(0):Acceptable atts:actual life: 0
*May 27 12:44:11: ISAKMP:(0):Acceptable atts:life: 0
*May 27 12:44:11: ISAKMP:(0):Basic life_in_seconds:36000
*May 27 12:44:11: ISAKMP:(0):Returning Actual lifetime: 36000
*May 27 12:44:11: ISAKMP:(0)::Started lifetime timer: 36000.
*May 27 12:44:11: ISAKMP:(0): processing vendor id payload
*May 27 12:44:11: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*May 27 12:44:11: ISAKMP (0): vendor ID is NAT-T RFC 3947
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*May 27 12:44:11: ISAKMP:(0): sending packet to C.C.C.C my_port 500 peer_port 500 (I) MM_SA_SETUP
*May 27 12:44:11: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*May 27 12:44:11: ISAKMP (2010): received packet from C.C.C.C dport 500 sport 500 Global (R) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM4 New State = IKE_R_MM5
*May 27 12:44:11: ISAKMP:(2010): processing ID payload. message ID = 0
*May 27 12:44:11: ISAKMP (2010): ID payload
next-payload : 8
type : 1
address : C.C.C.C
protocol : 17
port : 500
length : 12
*May 27 12:44:11: ISAKMP:(0):: peer matches *none* of the profiles
*May 27 12:44:11: ISAKMP:(2010): processing HASH payload. message ID = 0
*May 27 12:44:11: ISAKMP:received payload type 17
*May 27 12:44:11: ISAKMP:(2010):SA authentication status:
authenticated
*May 27 12:44:11: ISAKMP:(2010):SA has been authenticated with C.C.C.C
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM5 New State = IKE_R_MM5
*May 27 12:44:11: ISAKMP:(2010):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 27 12:44:11: ISAKMP (2010): ID payload
next-payload : 8
type : 1
address : A.A.A.A
protocol : 17
port : 500
length : 12
*May 27 12:44:11: ISAKMP:(2010):Total payload length: 12
*May 27 12:44:11: ISAKMP:(2010): sending packet to C.C.C.C my_port 500 peer_port 500 (R) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2010):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 27 12:44:11: ISAKMP (0): received packet from C.C.C.C dport 500 sport 500 Global (I) MM_SA_SETUP
*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*May 27 12:44:11: ISAKMP:(0): processing KE payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0): processing NONCE payload. message ID = 0
*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C
*May 27 12:44:11: ISAKMP:(2011): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2011): vendor ID is Unity
*May 27 12:44:11: ISAKMP:(2011): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2011): vendor ID is DPD
*May 27 12:44:11: ISAKMP:(2011): processing vendor id payload
*May 27 12:44:11: ISAKMP:(2011): speaking to another IOS box!
*May 27 12:44:11: ISAKMP:received payload type 20
*May 27 12:44:11: ISAKMP (2011): His hash no match - this node outside NAT
*May 27 12:44:11: ISAKMP:received payload type 20
*May 27 12:44:11: ISAKMP (2011): No NAT Found for self or peer
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM4 New State = IKE_I_MM4
*May 27 12:44:11: ISAKMP (2010): received packet from C.C.C.C dport 500 sport 500 Global (R) QM_IDLE
*May 27 12:44:11: ISAKMP: set new node -818656473 to QM_IDLE
*May 27 12:44:11: ISAKMP:(2010): processing HASH payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010): processing SA payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010):Checking IPSec proposal 1
*May 27 12:44:11: ISAKMP: transform 1, ESP_AES
*May 27 12:44:11: ISAKMP: attributes in transform:
*May 27 12:44:11: ISAKMP: encaps is 1 (Tunnel)
*May 27 12:44:11: ISAKMP: SA life type in seconds
*May 27 12:44:11: ISAKMP: SA life duration (basic) of 3600
*May 27 12:44:11: ISAKMP: SA life type in kilobytes
*May 27 12:44:11: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
*May 27 12:44:11: ISAKMP: authenticator is HMAC-MD5
*May 27 12:44:11: ISAKMP: key length is 256
*May 27 12:44:11: ISAKMP:(2010):atts are acceptable.
*May 27 12:44:11: ISAKMP:(2010): processing NONCE payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010): processing ID payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010): processing ID payload. message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010):QM Responder gets spi
*May 27 12:44:11: ISAKMP:(2010):Node -818656473, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
*May 27 12:44:11: ISAKMP:(2010): Creating IPSec SAs
*May 27 12:44:11: inbound SA from C.C.C.C to A.A.A.A (f/i) 0/ 0
(proxy 192.168.0.0 to 192.168.36.200)
*May 27 12:44:11: has spi 0xAC5F0D53 and conn_id 0
*May 27 12:44:11: lifetime of 3600 seconds
*May 27 12:44:11: lifetime of 4608000 kilobytes
*May 27 12:44:11: outbound SA from A.A.A.A to C.C.C.C (f/i) 0/0
(proxy 192.168.36.200 to 192.168.0.0)
*May 27 12:44:11: has spi 0x7522BDAB and conn_id 0
*May 27 12:44:11: lifetime of 3600 seconds
*May 27 12:44:11: lifetime of 4608000 kilobytes
*May 27 12:44:11: ISAKMP:(2010): sending packet to C.C.C.C my_port 500 peer_port 500 (R) QM_IDLE
*May 27 12:44:11: ISAKMP:(2010):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2010):Node -818656473, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_R_QM2
*May 27 12:44:11: ISAKMP:(2011):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*May 27 12:44:11: ISAKMP (2011): ID payload
next-payload : 8
type : 1
address : A.A.A.A
protocol : 17
port : 500
length : 12
*May 27 12:44:11: ISAKMP:(2011):Total payload length: 12
*May 27 12:44:11: ISAKMP:(2011): sending packet to C.C.C.C my_port 500 peer_port 500 (I) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2011):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM4 New State = IKE_I_MM5
*May 27 12:44:11: ISAKMP (2010): received packet from C.C.C.C dport 500 sport 500 Global (R) QM_IDLE
*May 27 12:44:11: ISAKMP: set new node -884856606 to QM_IDLE
*May 27 12:44:11: ISAKMP:(2010): processing HASH payload. message ID = -884856606
*May 27 12:44:11: ISAKMP:(2010): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2891910483, message ID = -884856606, sa = 8570CDF4
*May 27 12:44:11: ISAKMP:(2010): deleting spi 2891910483 message ID = -818656473
*May 27 12:44:11: ISAKMP:(2010):deleting node -818656473 error TRUE reason "Delete Larval"
*May 27 12:44:11: ISAKMP:(2010):peer does not do paranoid keepalives.
*May 27 12:44:11: ISAKMP:(2010):deleting node -884856606 error FALSE reason "Informational (in) state 1"
*May 27 12:44:11: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 27 12:44:11: ISAKMP:(2010):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 27 12:44:11: ISAKMP (2011): received packet from C.C.C.C dport 500 sport 500 Global (I) MM_KEY_EXCH
*May 27 12:44:11: ISAKMP:(2011): processing ID payload. message ID = 0
*May 27 12:44:11: ISAKMP (2011): ID payload
next-payload : 8
type : 1
address : C.C.C.C
protocol : 17
port : 500
length : 12
*May 27 12:44:11: ISAKMP:(0):: peer matches *none* of the profiles
*May 27 12:44:11: ISAKMP:(2011): processing HASH payload. message ID = 0
*May 27 12:44:11: ISAKMP:(2011):SA authentication status:
authenticated
*May 27 12:44:11: ISAKMP:(2011):SA has been authenticated with C.C.C.C
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM5 New State = IKE_I_MM6
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM6 New State = IKE_I_MM6
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*May 27 12:44:11: ISAKMP:(2011):beginning Quick Mode exchange, M-ID of -2029979089
*May 27 12:44:11: ISAKMP:(2011):QM Initiator gets spi
*May 27 12:44:11: ISAKMP:(2011): sending packet to C.C.C.C my_port 500 peer_port 500 (I) QM_IDLE
*May 27 12:44:11: ISAKMP:(2011):Sending an IKE IPv4 Packet.
*May 27 12:44:11: ISAKMP:(2011):Node -2029979089, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*May 27 12:44:11: ISAKMP (2011): received packet from C.C.C.C dport 500 sport 500 Global (I) QM_IDLE
*May 27 12:44:11: ISAKMP: set new node -1489836278 to QM_IDLE
*May 27 12:44:11: ISAKMP:(2011): processing HASH payload. message ID = -1489836278
*May 27 12:44:11: ISAKMP:(2011): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2448897278, message ID = -1489836278, sa = 8571A10C
*May 27 12:44:11: ISAKMP:(2011): deleting spi 2448897278 message ID = -2029979089
*May 27 12:44:11: ISAKMP:(2011):deleting node -2029979089 error TRUE reason "Delete Larval"
*May 27 12:44:11: ISAKMP:(2011):deleting node -1489836278 error FALSE reason "Informational (in) state 1"
*May 27 12:44:11: ISAKMP:(2011):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*May 27 12:44:11: ISAKMP:(2011):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
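An added diagnostic helper, written for this page and not part of the original post or the poster's routers. It exists because the interesting part of a `debug crypto isakmp` capture like the one above is easy to miss by eye: the responder prints the peer's Quick Mode proposal (here `ESP_AES`, key length 256, `HMAC-MD5`), says `atts are acceptable`, and only afterwards receives `NOTIFY PROPOSAL_NOT_CHOSEN` from the peer. The script parses those lines, spells the peer's offer in IOS `transform-set` vocabulary, and checks it against the transform-set lines quoted from the 2821 config (which contain only two 3DES sets). Assumptions: the line formats are taken from the debug output above; the regular expressions, the mapping from debug names to IOS keywords (`ESP_AES` with key length 256 written as `esp-aes 256`, `HMAC-SHA` as `esp-sha-hmac`), and the `Proposal` / `diagnose` names are mine; the sample debug excerpt is constructed and its SPI, node and `sa` values carry no meaning.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt shaped like IOS "debug crypto isakmp" output, modelled on the
# Quick Mode fragment in the post; SPI, node and sa values are sample values only.
SAMPLE_DEBUG = """\
*May 27 12:44:11: ISAKMP:(2010):Checking IPSec proposal 1
*May 27 12:44:11: ISAKMP: transform 1, ESP_AES
*May 27 12:44:11: ISAKMP: encaps is 1 (Tunnel)
*May 27 12:44:11: ISAKMP: authenticator is HMAC-MD5
*May 27 12:44:11: ISAKMP: key length is 256
*May 27 12:44:11: ISAKMP:(2010):atts are acceptable.
*May 27 12:44:11: ISAKMP:(2010): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2891910483, message ID = -884856606, sa = 8570CDF4
"""
# The two transform-set lines quoted from the 2821 config in the post.
CONFIG_TRANSFORM_SETS = [
    "crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac",
    "crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac",
]

@dataclass
class Proposal:
    sa: str                           # ISAKMP SA number, e.g. "2010"
    number: int                       # "Checking IPSec proposal N"
    transform: Optional[str] = None   # "ESP_AES", "ESP_3DES", ...
    authenticator: Optional[str] = None  # "HMAC-MD5", "HMAC-SHA"
    key_length: Optional[int] = None  # AES only
    accepted: bool = False            # "atts are acceptable." seen locally
    peer_rejected: bool = False       # PROPOSAL_NOT_CHOSEN later received on this ISAKMP SA

PROPOSAL_RE = re.compile(r"ISAKMP:\((\d+)\):Checking IPSec proposal (\d+)")
TRANSFORM_RE = re.compile(r"ISAKMP:\s+transform \d+, (\S+)")
AUTH_RE = re.compile(r"ISAKMP:\s+authenticator is (\S+)")
KEYLEN_RE = re.compile(r"ISAKMP:\s+key length is (\d+)")
ACCEPT_RE = re.compile(r"ISAKMP:\((\d+)\):atts are acceptable")
NOT_CHOSEN_RE = re.compile(r"ISAKMP:\((\d+)\): processing NOTIFY PROPOSAL_NOT_CHOSEN")

def parse_isakmp_debug(text: str) -> list[Proposal]:
    """Collect phase 2 proposals; mark those whose ISAKMP SA later got PROPOSAL_NOT_CHOSEN."""
    proposals: list[Proposal] = []
    current: Optional[Proposal] = None
    for line in text.splitlines():
        if m := PROPOSAL_RE.search(line):
            current = Proposal(sa=m.group(1), number=int(m.group(2)))
            proposals.append(current)
        elif m := NOT_CHOSEN_RE.search(line):
            for p in proposals:       # the notify names the ISAKMP SA, not the proposal
                if p.sa == m.group(1):
                    p.peer_rejected = True
            current = None
        elif current is None:
            continue
        elif m := TRANSFORM_RE.search(line):
            current.transform = m.group(1)
        elif m := AUTH_RE.search(line):
            current.authenticator = m.group(1)
        elif m := KEYLEN_RE.search(line):
            current.key_length = int(m.group(1))
        elif (m := ACCEPT_RE.search(line)) and m.group(1) == current.sa:
            current.accepted = True
    return proposals

def proposal_as_ios(p: Proposal) -> tuple[str, str]:
    """Spell the proposal as an IOS transform-set would: (cipher keyword, auth keyword)."""
    ciphers = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
    auths = {"HMAC-MD5": "esp-md5-hmac", "HMAC-SHA": "esp-sha-hmac"}
    cipher = ciphers.get(p.transform or "", "?")
    if cipher == "esp-aes" and p.key_length not in (None, 128):
        cipher = f"esp-aes {p.key_length}"   # IOS writes AES-192/256 as "esp-aes 192|256"
    return cipher, auths.get(p.authenticator or "", "?")

def parse_transform_set(line: str) -> tuple[str, str, str]:
    """'crypto ipsec transform-set NAME esp-aes 256 esp-sha-hmac' -> (NAME, cipher, auth)."""
    tokens = line.split()
    name, rest = tokens[3], tokens[4:]
    cipher, auth, i = "", "", 0
    while i < len(rest):
        tok = rest[i]
        if tok == "esp-aes" and i + 1 < len(rest) and rest[i + 1].isdigit():
            tok = "esp-aes" if rest[i + 1] == "128" else f"esp-aes {rest[i + 1]}"
            i += 1                    # swallow the key-length token
        if tok.endswith("-hmac"):
            auth = tok
        else:
            cipher = tok
        i += 1
    return name, cipher, auth

def diagnose(debug_text: str, config_lines: list[str]) -> list[str]:
    """One finding per proposal: what the peer offered, and whether local config and peer agree."""
    findings = []
    for p in parse_isakmp_debug(debug_text):
        want = proposal_as_ios(p)
        matches = [n for n, c, a in map(parse_transform_set, config_lines) if (c, a) == want]
        status = "accepted locally" if p.accepted else "rejected locally"
        if p.peer_rejected:
            status += ", then PROPOSAL_NOT_CHOSEN from peer"
        where = ", ".join(matches) or "no configured transform-set"
        findings.append(f"SA {p.sa} proposal {p.number}: {want[0]} {want[1]}; {status}; matches {where}")
    return findings
```

Running `diagnose(SAMPLE_DEBUG, CONFIG_TRANSFORM_SETS)` reports the proposal as `esp-aes 256 esp-md5-hmac`, accepted locally and then rejected by the peer, matching none of the quoted transform-sets; feeding it the full capture from a router and its complete `show running-config | include transform-set` output is the intended use, since the `......` in the quoted config may hide further crypto map entries and transform-sets that would explain the offer.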