faq обучение настройка
Текущее время: Чт мар 28, 2024 11:53

Часовой пояс: UTC + 3 часа




Начать новую тему Ответить на тему  [ 1 сообщение ] 
Автор Сообщение
 Заголовок сообщения: DFL 860E IPSec падает при смене SA
СообщениеДобавлено: Чт ноя 09, 2017 14:50 
Не в сети

Зарегистрирован: Ср янв 01, 2014 22:56
Сообщений: 17
Коллеги, помогите найти и устранить причину падения канали IPsec между двумя идентичными DFL 860E (прошивка v11.10.01.06 for WW на обоих).
Первое ощущение при просмотре логов - не смогли договориться при смене устаревшего SA. Почему - для меня непонятно. Для сравнения приведу два куска логов из syslog. Syslog, к сожалению, размещен за одним из FW и второй FW при обрыве канала писать в него не может (позже переделаю).
Интернет на обоих площадках стабильный, оптика. Ситуация возникает спонтанно, может раз в месяц, может два-три раза в день, может пару месяцев не возникнуть.
ike -delete (в предыдущих прошивках killsa -all) на одном или на обоих FW решает проблему. Вчера сделать этого не смог, восстановилось само через 40 минут, что недопустимо долго.

Лог нормального обмена ключами:
Скрытый текст: показать
============================
Message : [2017-11-08 20:55:45] FW: IPSEC: prio=1 id=01800907 rev=3 event=ipsec_sa_created ipsec_if=ipsec_tunnel_tall-bel local_ip=2.2.2.2 remote_ip=1.1.1.1 cfgmode_ip= esp_spi_in=0x5ba80353 esp_spi_out=0xf4da843c ike_spi_i=0x58ca951fb96df896 ike_spi_r=0xa4bf43efbef42f5e esp_cipher=3des-cbc esp_cipher_keysize=192 esp_mac=hmac-sha1-96 esp_mac_keysize=160 life_seconds=3600 life_kilobytes=20480 dh_group=0 dh_bits=0 local_ts="172.16.20.0/24" remote_ts="172.16.10.0/24" imsi=""
Time : 08 Nov 2017, 20:55:44Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:55:43] FW: IPSEC: prio=1 id=01800907 rev=3 event=ipsec_sa_created ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 remote_ip=2.2.2.2 cfgmode_ip= esp_spi_in=0xf4da843c esp_spi_out=0x5ba80353 ike_spi_i=0x58ca951fb96df896 ike_spi_r=0xa4bf43efbef42f5e esp_cipher=3des-cbc esp_cipher_keysize=192 esp_mac=hmac-sha1-96 esp_mac_keysize=160 life_seconds=3240 life_kilobytes=18432 dh_group=0 dh_bits=0 local_ts="172.16.10.0/24" remote_ts="172.16.20.0/24" imsi=""
Time : 08 Nov 2017, 20:55:44Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:55:43] FW: IPSEC: prio=1 id=01800909 rev=2 event=ipsec_sa_deleted ipsec_if=ipsec_tunnel_bel-tall esp_spi_in=0xdec9d15d esp_spi_out=0x6ba31727
Time : 08 Nov 2017, 20:55:44Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:36:56] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_tall-bel local_ip=2.2.2.2 remote_ip=1.1.1.1 cfgmode_ip= esp_spi_in=0x1d5b3eec esp_spi_out=0x6e5e96c7 old_spi=0x0bdf0cb1 ike_spi_i=0x58ca951fb96df896 ike_spi_r=0xa4bf43efbef42f5e esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3600 life_kilobytes=20480 initiator=FALSE dh_group=0 dh_bits=0 local_ts="172.16.20.0/24" remote_ts="172.16.16.0/24" imsi=""
Time : 08 Nov 2017, 20:36:56Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:36:55] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 remote_ip=2.2.2.2 cfgmode_ip= esp_spi_in=0x6e5e96c7 esp_spi_out=0x1d5b3eec old_spi=0x3eee7e0f ike_spi_i=0x58ca951fb96df896 ike_spi_r=0xa4bf43efbef42f5e esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3240 life_kilobytes=18432 initiator=TRUE dh_group=0 dh_bits=0 local_ts="172.16.16.0/24" remote_ts="172.16.20.0/24" imsi=""
Time : 08 Nov 2017, 20:36:56Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:36:42] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_tall-bel local_ip=2.2.2.2 remote_ip=1.1.1.1 cfgmode_ip= esp_spi_in=0x78a2d574 esp_spi_out=0x23afbac6 old_spi=0x6180b31c ike_spi_i=0x58ca951fb96df896 ike_spi_r=0xa4bf43efbef42f5e esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3600 life_kilobytes=20480 initiator=FALSE dh_group=0 dh_bits=0 local_ts="172.16.20.0/24" remote_ts="172.16.12.64/26" imsi=""
Time : 08 Nov 2017, 20:36:42Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:36:41] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 remote_ip=2.2.2.2 cfgmode_ip= esp_spi_in=0x23afbac6 esp_spi_out=0x78a2d574 old_spi=0xe302fd9a ike_spi_i=0x58ca951fb96df896 ike_spi_r=0xa4bf43efbef42f5e esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3240 life_kilobytes=18432 initiator=TRUE dh_group=0 dh_bits=0 local_ts="172.16.12.64/26" remote_ts="172.16.20.0/24" imsi=""
Time : 08 Nov 2017, 20:36:42Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:36:41] FW: IPSEC: prio=1 id=01802023 rev=1 event=ike_sa_statistics done=151 success=101 failed=50
Time : 08 Nov 2017, 20:36:41Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:36:41] FW: IPSEC: prio=1 id=01800904 rev=3 event=ike_sa_created ipsec_if=ipsec_tunnel_tall-bel local_ip=2.2.2.2 local_port=500 remote_iface=wan1_if_2-2-2-2 remote_ip=1.1.1.1 remote_port=500 local_id=tall-bel remote_id=bel-tall local_ike_spi=0xa4bf43efbef42f5e remote_ike_spi=0x58ca951fb96df896 initiator=FALSE algorithms=3des-cbc/hmac-sha1-96/hmac-sha1/MODP_1024 mode=Main lifetime=28800 ikeversion=1 local_behind_nat=FALSE remote_behind_nat=FALSE initial_contact=FALSE
Time : 08 Nov 2017, 20:36:41Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:36:40] FW: IPSEC: prio=1 id=01802023 rev=1 event=ike_sa_statistics done=103 success=101 failed=2
Time : 08 Nov 2017, 20:36:41Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:36:40] FW: IPSEC: prio=1 id=01800904 rev=3 event=ike_sa_created ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 local_port=500 remote_iface=wan1_if_1-1-1-1 remote_ip=2.2.2.2 remote_port=500 local_id=bel-tall remote_id=tall-bel local_ike_spi=0x58ca951fb96df896 remote_ike_spi=0xa4bf43efbef42f5e initiator=TRUE algorithms=3des-cbc/hmac-sha1-96/hmac-sha1/MODP_1024 mode=Main lifetime=28800 ikeversion=1 local_behind_nat=FALSE remote_behind_nat=FALSE initial_contact=FALSE
Time : 08 Nov 2017, 20:36:41Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:28:57] FW: IPSEC: prio=1 id=01800906 rev=3 event=ike_sa_deleted ipsec_if=ipsec_tunnel_tall-bel local_ip=2.2.2.2 local_port=500 remote_iface=wan1_if_2-2-2-2 remote_ip=1.1.1.1 remote_port=500 local_id=tall-bel remote_id=bel-tall local_ike_spi=0x37b6dd364cfee279 remote_ike_spi=0x6448ef022e742730 peer_dead=FALSE
Time : 08 Nov 2017, 20:28:57Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:28:57] FW: IPSEC: prio=2 id=01800105 rev=1 event=ike_delete_notification local_ip=2.2.2.2 remote_ip=1.1.1.1 cookies=0x6448ef022e74273037b6dd364cfee279 reason="Received delete notification"
Time : 08 Nov 2017, 20:28:57Host : fw-tallSeverity : noticeFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:28:56] FW: IPSEC: prio=1 id=01800906 rev=3 event=ike_sa_deleted ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 local_port=500 remote_iface=wan1_if_1-1-1-1 remote_ip=2.2.2.2 remote_port=500 local_id=bel-tall remote_id=tall-bel local_ike_spi=0x6448ef022e742730 remote_ike_spi=0x37b6dd364cfee279 peer_dead=FALSE
Time : 08 Nov 2017, 20:28:57Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:20:49] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 remote_ip=2.2.2.2 cfgmode_ip= esp_spi_in=0xdec9d15d esp_spi_out=0x6ba31727 old_spi=0x48a4cc34 ike_spi_i=0x6448ef022e742730 ike_spi_r=0x37b6dd364cfee279 esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3600 life_kilobytes=20480 initiator=FALSE dh_group=0 dh_bits=0 local_ts="172.16.10.0/24" remote_ts="172.16.20.0/24" imsi=""
Time : 08 Nov 2017, 20:20:50Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-08 20:20:50] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_tall-bel local_ip=2.2.2.2 remote_ip=1.1.1.1 cfgmode_ip= esp_spi_in=0x6ba31727 esp_spi_out=0xdec9d15d old_spi=0xc0006920 ike_spi_i=0x6448ef022e742730 ike_spi_r=0x37b6dd364cfee279 esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3240 life_kilobytes=18432 initiator=TRUE dh_group=0 dh_bits=0 local_ts="172.16.20.0/24" remote_ts="172.16.10.0/24" imsi=""
Time : 08 Nov 2017, 20:20:50Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

============================


Лог через 8 часов (время жизни IKE) с обрывом:
Скрытый текст: показать
--------------------------------------
Message : [2017-11-09 05:01:13] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 remote_ip=2.2.2.2 cfgmode_ip= esp_spi_in=0xf1dbeb4c esp_spi_out=0xe10d30d2 old_spi=0x7173999b ike_spi_i=0x445efac0c2007b45 ike_spi_r=0x4a1a9b62f67a0a58 esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3240 life_kilobytes=18432 initiator=TRUE dh_group=0 dh_bits=0 local_ts="172.16.10.0/24" remote_ts="172.16.20.0/24" imsi=""
Time : 09 Nov 2017, 05:01:13Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-09 05:01:12] FW: IPSEC: prio=1 id=01800907 rev=3 event=ipsec_sa_created ipsec_if=ipsec_tunnel_tall-bel local_ip=2.2.2.2 remote_ip=1.1.1.1 cfgmode_ip= esp_spi_in=0xe10d30d2 esp_spi_out=0xf1dbeb4c ike_spi_i=0x445efac0c2007b45 ike_spi_r=0x4a1a9b62f67a0a58 esp_cipher=3des-cbc esp_cipher_keysize=192 esp_mac=hmac-sha1-96 esp_mac_keysize=160 life_seconds=3600 life_kilobytes=20480 dh_group=0 dh_bits=0 local_ts="172.16.20.0/24" remote_ts="172.16.10.0/24" imsi=""
Time : 09 Nov 2017, 05:01:12Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-09 04:44:52] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 remote_ip=2.2.2.2 cfgmode_ip= esp_spi_in=0x911e0fe0 esp_spi_out=0x19e327b1 old_spi=0xa9f3ac44 ike_spi_i=0x445efac0c2007b45 ike_spi_r=0x4a1a9b62f67a0a58 esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3240 life_kilobytes=18432 initiator=TRUE dh_group=0 dh_bits=0 local_ts="172.16.16.0/24" remote_ts="172.16.20.0/24" imsi=""
Time : 09 Nov 2017, 04:44:52Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-09 04:44:38] FW: IPSEC: prio=1 id=01800908 rev=3 event=ipsec_sa_rekeyed ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 remote_ip=2.2.2.2 cfgmode_ip= esp_spi_in=0xc8ee67f1 esp_spi_out=0xa10b6bcc old_spi=0xda2a4541 ike_spi_i=0x445efac0c2007b45 ike_spi_r=0x4a1a9b62f67a0a58 esp_cipher=3des-cbc esp_cipher_keysize=0 esp_mac=hmac-sha1-96 esp_mac_keysize=0 life_seconds=3240 life_kilobytes=18432 initiator=TRUE dh_group=0 dh_bits=0 local_ts="172.16.12.64/26" remote_ts="172.16.20.0/24" imsi=""
Time : 09 Nov 2017, 04:44:38Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-09 04:44:38] FW: IPSEC: prio=1 id=01802023 rev=1 event=ike_sa_statistics done=104 success=102 failed=2
Time : 09 Nov 2017, 04:44:37Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-09 04:44:38] FW: IPSEC: prio=1 id=01800904 rev=3 event=ike_sa_created ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 local_port=500 remote_iface=wan1_if_1-1-1-1 remote_ip=2.2.2.2 remote_port=500 local_id=bel-tall remote_id=tall-bel local_ike_spi=0x445efac0c2007b45 remote_ike_spi=0x4a1a9b62f67a0a58 initiator=TRUE algorithms=3des-cbc/hmac-sha1-96/hmac-sha1/MODP_1024 mode=Main lifetime=28800 ikeversion=1 local_behind_nat=FALSE remote_behind_nat=FALSE initial_contact=FALSE
Time : 09 Nov 2017, 04:44:37Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-09 04:36:41] FW: IPSEC: prio=1 id=01800906 rev=3 event=ike_sa_deleted ipsec_if=ipsec_tunnel_bel-tall local_ip=1.1.1.1 local_port=500 remote_iface=wan1_if_1-1-1-1 remote_ip=2.2.2.2 remote_port=500 local_id=bel-tall remote_id=tall-bel local_ike_spi=0x58ca951fb96df896 remote_ike_spi=0xa4bf43efbef42f5e peer_dead=FALSE
Time : 09 Nov 2017, 04:36:41Host : fw-belgorodSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-09 04:36:41] FW: IPSEC: prio=2 id=01800105 rev=1 event=ike_delete_notification local_ip=1.1.1.1 remote_ip=2.2.2.2 cookies=0x58ca951fb96df896a4bf43efbef42f5e reason="Received delete notification"
Time : 09 Nov 2017, 04:36:41Host : fw-belgorodSeverity : noticeFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

Message : [2017-11-09 04:36:41] FW: IPSEC: prio=1 id=01800906 rev=3 event=ike_sa_deleted ipsec_if=ipsec_tunnel_tall-bel local_ip=2.2.2.2 local_port=500 remote_iface=wan1_if_2-2-2-2 remote_ip=1.1.1.1 remote_port=500 local_id=tall-bel remote_id=bel-tall local_ike_spi=0xa4bf43efbef42f5e remote_ike_spi=0x58ca951fb96df896 peer_dead=FALSE
Time : 09 Nov 2017, 04:36:41Host : fw-tallSeverity : informationFacility : Local0Source : Local0Username : -Remote Host : -LogonId : -Audit Id : -Logon Type : -Target Domain : -Target User : -User Pid : -Target Group : -UserName : -Group Id : -LogType : Unix

--------------------------------------


Вернуться наверх
 Профиль  
 
Показать сообщения за:  Сортировать по:  
Начать новую тему Ответить на тему  [ 1 сообщение ] 

Часовой пояс: UTC + 3 часа


Кто сейчас на форуме

Сейчас этот форум просматривают: нет зарегистрированных пользователей и гости: 56


Вы не можете начинать темы
Вы не можете отвечать на сообщения
Вы не можете редактировать свои сообщения
Вы не можете удалять свои сообщения
Вы не можете добавлять вложения

Найти:
Перейти:  
cron
Создано на основе phpBB® Forum Software © phpBB Group
Русская поддержка phpBB