URL: https://www.opennet.me/cgi-bin/openforum/vsluhboard.cgi
Forum: vsluhforumID6
Thread number: 21361

Original message
"load-balancing on cisco-1811 and vpn"

Posted by ll75, 22-Jul-10 13:33
Load-balancing worked, but now it is impossible to connect from outside with the Cisco VPN client: packets go out sometimes through one interface, sometimes through the other ((
I tried this:

Code:
ip route 0.0.0.0 0.0.0.0 Dialer3 213.154.198.хх
ip route 0.0.0.0 0.0.0.0 Dialer11 213.154.198.хх

ip nat inside source route-map fixed-nat1 interface Dialer3 overload
ip nat inside source route-map fixed-nat2 interface Dialer11 overload

access-list 120 permit ip 192.168.1.0 0.0.0.255 any

route-map fixed-nat1 permit 10
match ip address 120
match interface Dialer3

route-map fixed-nat2 permit 10
match ip address 120
match interface Dialer11


from the router, pings no longer go alternately through Dialer3 and then Dialer11:
Code:
gateway#ping google.ru source Dialer 3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.87.103, timeout is 2 seconds:
Packet sent with a source address of 78.25.39.xx
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/64 ms
gateway#ping google.ru source Dialer 11

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.87.103, timeout is 2 seconds:
Packet sent with a source address of 213.154.207.yy
.....
Success rate is 0 percent (0/5)

yet for some reason, when trying to connect from outside with the Cisco VPN client, there are warnings in the logs:
Code:

113    08:18:52.765  07/22/10  Sev=Info/4   CM/0x63100002
Begin connection process

114    08:18:52.788  07/22/10  Sev=Info/4   CM/0x63100004
Establish secure connection

115    08:18:52.788  07/22/10  Sev=Info/4   CM/0x63100024
Attempt connection with server "213.154.198.хх"

116    08:18:52.802  07/22/10  Sev=Info/4   IKE/0x63000001
Starting IKE Phase 1 Negotiation

117    08:18:52.812  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK AG (SA, KE, NON, ID, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 213.154.198.хх

118    08:18:53.001  07/22/10  Sev=Info/4   IPSEC/0x63700008
IPSec driver successfully started

119    08:18:53.001  07/22/10  Sev=Info/4   IPSEC/0x63700014
Deleted all keys

120    08:18:58.070  07/22/10  Sev=Info/4   IKE/0x63000021
Retransmitting last packet!

121    08:18:58.070  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.154.198.78

122    08:19:03.140  07/22/10  Sev=Info/4   IKE/0x63000021
Retransmitting last packet!

123    08:19:03.141  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.154.198.хх

124    08:19:08.212  07/22/10  Sev=Info/4   IKE/0x63000021
Retransmitting last packet!

125    08:19:08.212  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 213.154.198.хх

126    08:19:13.281  07/22/10  Sev=Info/4   IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=804F41DDA07B581B R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

127    08:19:13.797  07/22/10  Sev=Info/4   IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=804F41DDA07B581B R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

128    08:19:13.797  07/22/10  Sev=Info/4   CM/0x63100014
Unable to establish Phase 1 SA with server "213.154.198.хх" because of "DEL_REASON_PEER_NOT_RESPONDING"

129    08:19:13.824  07/22/10  Sev=Info/4   IKE/0x63000001
IKE received signal to terminate VPN connection

130    08:19:14.831  07/22/10  Sev=Info/4   IPSEC/0x63700014
Deleted all keys

131    08:19:14.831  07/22/10  Sev=Info/4   IPSEC/0x63700014
Deleted all keys

132    08:19:14.831  07/22/10  Sev=Info/4   IPSEC/0x63700014
Deleted all keys

133    08:19:14.831  07/22/10  Sev=Info/4   IPSEC/0x6370000A
IPSec driver successfully stopped


when trying to connect to the other interface, it is the same:
Code:
162    08:21:03.843  07/22/10  Sev=Info/4   IKE/0x63000021
Retransmitting last packet!

163    08:21:03.843  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 78.25.39.yy

164    08:21:08.914  07/22/10  Sev=Info/4   IKE/0x63000021
Retransmitting last packet!

165    08:21:08.914  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 78.25.39.yy

166    08:21:08.915  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 78.25.39.52

167    08:21:13.984  07/22/10  Sev=Info/4   IKE/0x63000021
Retransmitting last packet!

168    08:21:13.984  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 78.25.39.yy

169    08:21:13.985  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 78.25.39.52

170    08:21:19.055  07/22/10  Sev=Info/4   IKE/0x6300002D
Phase-2 retransmission count exceeded: MsgID=2E13A004

171    08:21:19.056  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DEL) to 78.25.39.yy

172    08:21:19.056  07/22/10  Sev=Info/4   IKE/0x63000049
Discarding IPsec SA negotiation, MsgID=2E13A004

173    08:21:19.057  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 78.25.39.хх

174    08:21:24.126  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 78.25.39.хх

175    08:21:29.196  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 78.25.39.хх

176    08:21:34.271  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 78.25.39.хх

177    08:21:39.336  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 78.25.39.хх

178    08:21:44.422  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 78.25.39.хх

179    08:21:49.491  07/22/10  Sev=Info/4   IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=D1FCCA3888CAEEAC R_Cookie=B3D8C35FFE02DD53) reason = DEL_REASON_PEER_NOT_RESPONDING

180    08:21:49.492  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, DWR) to 78.25.39.хх

181    08:21:49.997  07/22/10  Sev=Info/4   IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=D1FCCA3888CAEEAC R_Cookie=B3D8C35FFE02DD53) reason = DEL_REASON_PEER_NOT_RESPONDING

182    08:21:49.998  07/22/10  Sev=Info/4   CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_PEER_NOT_RESPONDING".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

183    08:21:50.028  07/22/10  Sev=Info/4   IKE/0x63000001
IKE received signal to terminate VPN connection

184    08:21:50.505  07/22/10  Sev=Info/4   IPSEC/0x63700014
Deleted all keys

185    08:21:50.505  07/22/10  Sev=Info/4   IPSEC/0x63700014
Deleted all keys

186    08:21:50.506  07/22/10  Sev=Info/4   IPSEC/0x63700014
Deleted all keys

187    08:21:50.506  07/22/10  Sev=Info/4   IPSEC/0x6370000A
IPSec driver successfully stopped

even though one of them pings cleanly from outside with no loss. How can that be?
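
Added example (not part of the original post): a small parser for the client log format quoted above that tells apart the two failures shown, a Phase 1 attempt where the responder cookie stays all zeros and a Quick Mode exchange that stalls after the peer has answered. The function name `diagnose`, the stage labels and the sample addresses are assumptions made for this illustration, and the verdict reflects the client's view only.

```python
import re
from collections import Counter

# Constructed samples in the client log format quoted above (documentation-range addresses).
NO_REPLY = """\
121    08:18:58.070  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK AG (Retransmission) to 192.0.2.10

126    08:19:13.281  07/22/10  Sev=Info/4   IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=804F41DDA07B581B R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
PHASE2_LOST = """\
163    08:21:03.843  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK QM *(Retransmission) to 198.51.100.20

166    08:21:08.915  07/22/10  Sev=Info/4   IKE/0x63000013
SENDING >>> ISAKMP OAK INFO *(HASH, NOTIFY:DPD_REQUEST) to 198.51.100.20

179    08:21:49.491  07/22/10  Sev=Info/4   IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=D1FCCA3888CAEEAC R_Cookie=B3D8C35FFE02DD53) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

HEADER = re.compile(r"^\d+\s+[\d:.]+\s+\S+\s+Sev=\S+\s+(\w+)/0x[0-9A-Fa-f]+$")
SENT = re.compile(r"^SENDING >>> ISAKMP OAK (\w+) \*?\((.*)\) to \S+$")
R_COOKIE = re.compile(r"R_Cookie=([0-9A-Fa-f]{16})")

def diagnose(log):
    """Classify where the IKE negotiation stalled, from the client's side only."""
    retrans, dpd, cookies = Counter(), 0, set()
    for line in map(str.strip, log.splitlines()):
        if not line or HEADER.match(line):
            continue  # header lines carry only sequence, time and module
        m = SENT.match(line)
        if m:
            exchange, payloads = m.groups()
            if payloads == "Retransmission":
                retrans[exchange] += 1   # AG = Aggressive Mode, QM = Quick Mode
            dpd += "DPD_REQUEST" in payloads
        cookies.update(R_COOKIE.findall(line))
    if cookies and all(int(c, 16) == 0 for c in cookies):
        stage = "phase1_no_reply"      # responder cookie never set: no reply was seen
    elif cookies and retrans["QM"]:
        stage = "phase2_replies_lost"  # peer answered Phase 1, Quick Mode got no replies
    else:
        stage = "undetermined"
    return {"stage": stage, "retransmits": dict(retrans), "dpd_requests": dpd}

if __name__ == "__main__":
    print(diagnose(NO_REPLY), diagnose(PHASE2_LOST), sep="\n")
```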


Contents

Messages in this discussion
"load-balancing on cisco-1811 and vpn"
Posted by ll75, 22-Jul-10 13:34
I also noticed that for some reason some servers ping fine from both interfaces:

Code:
gateway#ping debian.org source Dialer 11

Translating "debian.org"...domain server (192.168.1.xx) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.31.0.51, timeout is 2 seconds:
Packet sent with a source address of 213.154.207.хх
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 148/148/148 ms
gateway#ping debian.org source Dialer 3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 128.31.0.51, timeout is 2 seconds:
Packet sent with a source address of 78.25.39.yy
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/152/152 ms