Resolving abnormal IPSEC VPN error messages in USG5500 firewall logs

Published: 2013-05-17
Problem description
     The customer reported that the USG5500 firewall was logging abnormal IPSEC error messages during operation, even though the device had no IPSEC VPN function configured at all.

Alarm information
The device error messages are as follows:

%2013-05-14 16:03:13 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 111.193.214.102, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:51 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 111.193.214.102, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:47 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 222.65.209.196, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:40 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 222.65.209.196, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:38 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 222.65.209.196, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:35 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 222.65.209.196, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:31 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 222.65.209.196, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:01:32 USG5500 %%01IKE/4/WAR


Handling process
Root cause
   Analysis of the error messages shows that a remote device has IPSEC VPN configured and is actively sending IPSEC VPN packets to the local device. The local device checks its own configuration, finds no IPSEC VPN configuration, and therefore logs a message indicating that no matching peer parameters were found.

 Although errors are logged, services are not affected. The remote side's unsolicited IPSEC VPN negotiation can be blocked by configuring interzone packet filtering.


[USG5500] policy interzone local untrust inbound
[USG5500-policy-interzone-local-untrust-inbound] policy 0
[USG5500-policy-interzone-local-untrust-inbound] policy service service-set ah
[USG5500-policy-interzone-local-untrust-inbound] policy service service-set esp
[USG5500-policy-interzone-local-untrust-inbound] action deny
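Before applying the deny policy, it helps to know which remote peers are generating the warnings and how often. The following parser is an added example, not part of the original KB article or any Huawei tool: it reads the USG5500 IKE phase-1 warning format shown above, skips lines that do not parse (such as the truncated last line in the excerpt), and tallies warnings per peer. The sample log is copied from the excerpt on this page; the threshold value is an assumption.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the IKE phase-1 warning exactly as the USG5500 prints it in the log above.
IKE_WARN_RE = re.compile(
    r"^%(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01IKE/4/WARNING\(l\): phase1: cannot find matching ike peer "
    r"configuration for peer (?P<peer>\d{1,3}(?:\.\d{1,3}){3}),"
)

# Sample lines copied from the log excerpt on this page (the last one is truncated there too).
SAMPLE_LOG = """\
%2013-05-14 16:03:13 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 111.193.214.102, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:51 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 111.193.214.102, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:47 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 222.65.209.196, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:02:31 USG5500 %%01IKE/4/WARNING(l): phase1: cannot find matching ike peer configuration for peer 222.65.209.196, please check "remote-address" and "exchange-mode" in ike peer configuration.
%2013-05-14 16:01:32 USG5500 %%01IKE/4/WAR
"""

def parse_ike_warnings(text):
    """Return (events, skipped): events are (timestamp, host, peer) tuples,
    skipped counts lines that did not match the format (e.g. truncated)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = IKE_WARN_RE.match(line)
        if m is None:
            skipped += 1
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("host"), m.group("peer")))
    return events, skipped

def peers_over_threshold(events, min_count=2):
    """Count warnings per remote peer; peers at or above min_count (assumed
    threshold) are the ones to verify against the interzone deny policy."""
    counts = Counter(peer for _, _, peer in events)
    return {peer: n for peer, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    ev, bad = parse_ike_warnings(SAMPLE_LOG)
    print(f"parsed {len(ev)} warnings, skipped {bad} unparsable line(s)")
    for peer, n in sorted(peers_over_threshold(ev).items()):
        print(f"{peer}: {n} unsolicited IKE phase-1 attempts")
```

Run the same parser over the device log after the policy is in place; the per-peer counts should stop growing if the filtering took effect.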

Recommendations and summary
