USG6600: resolving remote traffic failure caused by overlapping ACL subnets

Published: 2016-01-05  Views: 158  Downloads: 0
Problem description

Version

V100R001C20SPC600

The IPsec VPN is established normally, and the interesting traffic is 172.x.x.x ---- 172.35.253.254. A tracert to 172.35.253.254 run on the Huawei USG shows the traffic correctly forwarded over VPN interface 1/0/1. However, a tracert using source IP address 172.x.x.x goes out another interface, 1/0/2, so the 172 subnet's service traffic does not enter the VPN tunnel and forwarding is abnormal.

Alarm information
 None
Troubleshooting process

1. At the central site, check network reachability and the routing situation

 HRP_A<USG.A>ping -a 172.29.151.211 172.3
  PING 172.35.253.254: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 172.35.253.254 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
HRP_A<USG.A>disp ip routing-table  172.35.253.254
21:30:16  2015/12/14
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1

Destination/Mask    Proto  Pre  Cost     Flags NextHop         Interface

172.35.253.254/32  Static 1    0          RD  192.168.6.254   GigabitEthernet1/0/2

2. Examine the IPsec SAs: a large number of interesting-flow entries exist, which raises the initial suspicion of a tunnel conflict

HRP_A[USG.A]display ipsec sa remote 189.140.71.251
21:49:14  2015/12/14
===============================
Interface: GigabitEthernet1/0/2
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "back1"
  sequence number: 1
  mode: template
  vpn: public
  -----------------------------
    connection id: 1046315
    rule number: 4294967295
    encapsulation mode: tunnel
    holding time: 0d 3h 53m 48s
    tunnel local : 192.168.6.210    tunnel remote: 189.140.71.251
    flow      source: 172.0.0.0/255.0.0.0 0/0
    flow destination: 172.31.52.62/255.255.255.255 0/0

    [inbound ESP SAs]
      spi: 2841777789 (0xa962167d)
      vpn: public  said: 80  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (kilobytes/sec): 1843200/2167
      max received sequence-number: 1    
      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]
      spi: 3849703930 (0xe575d1fa)
      vpn: public  said: 7029  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (kilobytes/sec): 1843200/2167
      max sent sequence-number: 1
      udp encapsulation used for nat traversal: Y

  -----------------------------
  IPsec policy name: "back1"
  sequence number: 1
  mode: template
  vpn: public
  -----------------------------
    connection id: 1046316
    rule number: 4294967295
    encapsulation mode: tunnel
    holding time: 0d 3h 53m 49s
    tunnel local : 192.168.6.210    tunnel remote: 189.140.71.251
    flow      source: 172.0.0.0/255.0.0.0 0/0
    flow destination: 10.12.7.110/255.255.255.255 0/0
                                         
    [inbound ESP SAs]
      spi: 2164889605 (0x81099805)
      vpn: public  said: 6708  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (kilobytes/sec): 1843200/2167
      max received sequence-number: 1
      udp encapsulation used for nat traversal: Y

    [outbound ESP SAs]
      spi: 253927908 (0xf22a1e4)
      vpn: public  said: 6698  cpuid: 0x0000
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (kilobytes/sec): 1843200/2167
      max sent sequence-number: 1
      udp encapsulation used for nat traversal: Y

3. Query all interesting-traffic ACL configurations at the central node: many ACLs cover an overly broad subnet range, which causes the traffic conflict

    flow destination: 10.12.0.0/255.255.0.0 0/0
    flow destination: 172.0.0.0/255.0.0.0 0/0
    flow destination: 172.31.35.120/255.255.255.255 0/0
    flow destination: 172.29.0.0/255.255.0.0 0/0
    flow destination: 172.29.131.0/255.255.255.0 0/0
    flow destination: 10.12.0.0/255.255.0.0 0/0
    flow destination: 10.12.0.0/255.255.0.0 0/0
    flow destination: 172.31.31.0/255.255.255.0 0/0
    flow destination: 172.32.46.0/255.255.254.0 0/0
    flow destination: 172.33.61.192/255.255.255.192 0/0
    flow destination: 172.33.59.0/255.255.255.192 0/0
    flow destination: 172.35.0.104/255.255.255.252 0/0
    flow destination: 172.32.106.0/255.255.254.0 0/0
    flow destination: 172.29.17.0/255.255.255.0 0/0
    flow destination: 172.32.104.0/255.255.254.0 0/0
    flow destination: 172.30.97.0/255.255.255.0 0/0
    flow destination: 172.31.46.0/255.255.255.0 0/0
    flow destination: 10.12.0.0/255.255.0.0 0/0
    flow destination: 172.33.28.0/255.255.255.0 0/0
    flow destination: 172.34.0.216/255.255.255.248 0/0
    flow destination: 10.12.0.0/255.255.0.0 0/0



Root cause

The remote sites have unreasonable ACL configurations; once traffic enters the VPN tunnel, the overlapping selectors conflict and the traffic fails.

Example of the ACL configured at a customer's newly built site: 172.0.0.0 0.255.255.255 destination 172.0.0.0 0.255.255.255

Solution

Check the ACL configuration of every site and make the match as specific as possible; avoid configuring overly broad subnet masks, which cause traffic conflicts.
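As an added example (not part of the original case and not a Huawei tool), the following Python script parses the "flow destination" lines from `display ipsec sa` output and flags selectors that contain narrower selectors, any selector broader than /16 (such as the 172.0.0.0/8 entry in this case), and duplicated entries. The sample output is constructed from values shown in this case.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format printed by `display ipsec sa` on the USG:
# "address/netmask" followed by the port range "0/0".
SAMPLE_OUTPUT = """\
    flow destination: 10.12.0.0/255.255.0.0 0/0
    flow destination: 172.0.0.0/255.0.0.0 0/0
    flow destination: 172.31.35.120/255.255.255.255 0/0
    flow destination: 172.29.0.0/255.255.0.0 0/0
    flow destination: 172.29.131.0/255.255.255.0 0/0
    flow destination: 10.12.0.0/255.255.0.0 0/0
    flow destination: 172.35.0.104/255.255.255.252 0/0
"""

FLOW_RE = re.compile(r"flow destination:\s+(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)")


def parse_flow_destinations(text):
    """Return the IPv4 networks named in 'flow destination' lines (duplicates kept)."""
    return [
        ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        for m in FLOW_RE.finditer(text)
    ]


def find_shadowed(nets, max_prefix=16):
    """Return (overlaps, too_broad): pairs (broad, narrow) where a broad selector
    fully contains a narrower one, and selectors shorter than max_prefix bits."""
    uniq = sorted(set(nets), key=lambda n: (n.prefixlen, int(n.network_address)))
    overlaps = []
    for i, broad in enumerate(uniq):
        # Entries after index i have an equal or longer prefix, so only they can be inside broad.
        for narrow in uniq[i + 1:]:
            if narrow.subnet_of(broad):
                overlaps.append((str(broad), str(narrow)))
    too_broad = [str(n) for n in uniq if n.prefixlen < max_prefix]
    return overlaps, too_broad


def find_duplicates(nets):
    """Return {selector: count} for selectors that appear more than once."""
    counts = Counter(str(n) for n in nets)
    return {sel: c for sel, c in counts.items() if c > 1}


if __name__ == "__main__":
    nets = parse_flow_destinations(SAMPLE_OUTPUT)
    overlaps, too_broad = find_shadowed(nets)
    for broad, narrow in overlaps:
        print(f"{broad} contains {narrow}")
    print("too broad:", too_broad, "duplicates:", find_duplicates(nets))
```

Run it against the full `display ipsec sa` output of each site; every pair reported is a place where two tunnels compete for the same traffic.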


Suggestions and summary

In this kind of scenario with a very large number of VPN sites, use the central template approach wherever possible. Remote-site network planning must be standardized, site ACL subnets should be as specific as possible, and broad-range network planning that leads to service anomalies should be avoided.

END