AR Router Troubleshooting Guide

This document provides guidance on maintaining AR enterprise routers, covering common information-collection and fault-diagnosis commands, typical fault troubleshooting guidance, and troubleshooting procedures.

GRE over IPSec Fails

Common Causes

This fault is commonly caused by one of the following:

  • The link is faulty.
  • Data flows are not forwarded from a specified interface.
  • The GRE-encapsulated data flows (the GRE packets between the tunnel source and tunnel destination) do not match the ACL referenced by the IPSec policy.
  • The settings of IPSec proposals at both ends of the IPSec tunnel are different.
  • The settings of IPSec policies at both ends of the IPSec tunnel do not match. For example, the IPSec negotiation modes are different or the Perfect Forward Secrecy (PFS) settings are different.
  • The ACLs referenced by IPSec policies at both ends do not mirror each other.
  • The settings of IKE proposals at both ends of the IPSec tunnel are different.
  • The settings of IKE peers at both ends of the IPSec tunnel are incorrect. For example, IKE negotiation modes are different, IKE versions are incorrect, IP addresses of IKE peers do not match, or names of IKE peers do not match.

Troubleshooting Flowchart

Figure 25-5 shows the troubleshooting flowchart.

Figure 25-5  Troubleshooting flowchart for a GRE over IPSec failure
Figure 25-6  Troubleshooting flowchart for a failure to establish IPSec SAs by using GRE over IPSec
Figure 25-7  Troubleshooting flowchart for a failure to establish IKE SAs by using GRE over IPSec

Troubleshooting Procedure

NOTE:

Saving the results of each troubleshooting step is recommended. If troubleshooting fails to correct the fault, you will have a record of your actions to provide technical support personnel.

Procedure

  1. Check whether the IPSec SA and IKE SA are established successfully.

    Run the display ike sa command and read the Peer, Flag(s), and Phase fields. Phase shows the IKE version and the negotiation phase: phase 1 is the IKE SA and phase 2 is the IPSec SA. RD in Flag(s) means the SA is ready; NEG means it is still being negotiated. In the following output, the peer at 30.0.0.1 has established the IKE SA in phase 1 and the IPSec SA in phase 2 through IKE negotiation.

    <RouterA>display ike sa
          Conn-ID  Peer            VPN   Flag(s)                Phase
      ---------------------------------------------------------------
          397      30.0.0.1        0     RD                     v2:2
          367      30.0.0.1        0     RD                     v1:1
    
      Number of SA entries  : 2
                                      
      Number of SA entries of all cpu : 2 
                                                               
      Flag Description:           
      RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
      HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
      M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING   

    • If the IPSec SA and IKE SA are established successfully, go to step 2.
    • If the IPSec SA fails to be established but the IKE SA is established successfully, go to step 4.
    • If the IKE SA fails to be established, go to step 7.
  2. Check whether data flows protected by the IPSec tunnel can be forwarded by a specified interface.

    Ensure that outgoing data flows are sent by the interface to which the IPSec policy is applied.

    The operations are as follows:
    • Run the display ip routing-table command on both devices to view the routes to each other. Check whether the outbound interface in a route with a reachable next hop is the specified interface. If the outbound interface is not the specified interface, modify the routing configuration.
    • Run the display arp command on both devices to check whether the interface in the ARP entry matching the peer IP address is the specified interface. If not, run the reset arp command to delete the ARP entry from the ARP mapping table.

    If data flows protected by the IPSec tunnel are forwarded by a specified interface, go to step 3.

  3. Check whether data flows match the ACL.

    For GRE over IPSec, the flow that the IPSec policy evaluates is the GRE packet after encapsulation: protocol GRE, source address equal to the tunnel source, destination address equal to the tunnel destination. Check whether these flows, not the original inner traffic, match the ACL referenced by the IPSec policy.

    • If the data flows do not match the ACL, they cannot enter the IPSec tunnel and are forwarded directly, without protection. Modify the matching rule.
    • If the data flows match the ACL, go to step 10.
  4. Check whether the settings of IPSec proposals at both ends of the IPSec tunnel are the same.

    Run the display ipsec proposal command on both devices and compare the following fields of the proposal that each end's IPSec policy references. The proposal name itself is not negotiated and may differ; the settings below must match.

    • IPsec Proposal Name: Identify the proposal bound to the IPSec policy at each end. To change its settings, run the ipsec proposal command to enter it.
    • Encapsulation Mode: The encapsulation modes must be the same. If not, run the encapsulation-mode command to change them.
    • Transform: The security protocols (AH, ESP, or AH-ESP) must be the same. If not, run the transform command to change them.
    • AH Protocol: The authentication algorithms used by AH must be the same. If not, run the ah authentication-algorithm command to change them.
    • ESP Protocol: The authentication and encryption algorithms used by ESP must be the same at both ends. If not, run the esp authentication-algorithm command to change the authentication algorithm or the esp encryption-algorithm command to change the encryption algorithm.

    If the settings of the IPSec proposals are the same, go to step 5.

  5. Check whether the settings of IPSec policies at both ends of the IPSec tunnel match.

    Compare the following items on both devices:

    • IPSec negotiation mode: Run the display ipsec policy brief command and check the Mode field. If the negotiation modes at both ends differ, run the ipsec policy isakmp command to change them to be the same.
    • Diffie-Hellman (DH) group for PFS: If PFS is specified on one end, it must be specified on the other, and both must use the same DH group; otherwise the IPSec SA negotiation fails. Run the display ipsec policy command and check the Perfect Forward Secrecy field. If the DH groups differ, run the pfs command to change them to be the same.

    If the settings of IPSec policies at both ends of the IPSec tunnel match, go to step 6.

  6. Check whether the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other.

    NOTE:

    If an IPSec policy template is used, configuring an ACL is optional. If ACLs are configured, ensure that the ACLs at both ends mirror each other.

    You are advised not to configure ACLs if an IPSec policy template is used.

    Run the display acl command on both routers to check whether the protocol, source addresses, and destination addresses in the ACL rules at both ends mirror each other, that is, the source of one end is the destination of the other and vice versa.

    • If the ACLs referenced by IPSec policies at both ends of the IPSec tunnel do not mirror each other, modify the configuration.
    • If the ACLs referenced by IPSec policies at both ends of the IPSec tunnel mirror each other, go to step 2.
  7. Check whether the interfaces at both ends of the IPSec tunnel can ping each other.

    Run the undo ipsec policy command on the interfaces at both ends of the IPSec tunnel to remove the IPSec policies, then run the ping command between the two tunnel endpoint addresses. While the policies are removed, traffic between the endpoints is sent unprotected, so keep the test short and reapply the policies as soon as it is done.

    • If the ping operation fails, there is no reachable route to the peer. Check the routing tables at both ends according to The Ping Operation Fails.

    • If the ping operation succeeds, the routes at both ends of the IPSec tunnel are reachable. Reconfigure the IPSec policies on the interfaces at both ends, and go to step 8.

  8. Check whether the configurations of IKE peers are correct.

    Run the display ike peer command on both devices and compare the following fields.

    • Exchange mode: The IKEv1 phase 1 negotiation modes must be the same. If not, run the exchange-mode { main | aggressive } command to change them.
    • Negotiated IKE version: The IKE versions must be the same. If not, run the ike peer command to change the IKE version.
    • Peer ip address and Local ip address: The peer IP address configured on the local end must equal the local IP address of the remote end, and the local IP address of the local end must equal the peer IP address of the remote end. If they do not match, run the local-address command to change the local IP address of the IKE peer or the remote-address command to change the peer IP address.
    • remote-name: The remote name configured on the local end must equal the local name of the peer end. If not, run the remote-name command to change the name of the remote peer.
    NOTE:
    The name of the remote peer is used in the following scenarios:
    • IKEv1 and the aggressive mode are used, and the name is used for authentication.

    • IKEv2 is used and the remote IKE peer ID type is name.

    If the configurations of IKE peers are correct, go to step 9.

  9. Check whether the settings of IKE proposals at both ends of the IPSec tunnel are the same.

    Run the display ike proposal command on both devices to check whether the settings of IKE proposals at both ends of the IPSec tunnel are the same.

    • If the settings of IKE proposals at both ends of the IPSec tunnel are different, reconfigure IKE proposals.

    • If the settings of IKE proposals are the same, go to step 2.

    NOTE:
    If preshared key authentication is used, configure a preshared key for each peer. The preshared keys of peers that establish a connection must be the same. If not, run the pre-shared-key command to change the preshared key.

  10. Collect the following information and contact technical support personnel.

    • Results of the preceding troubleshooting procedure
    • Configuration files, log files, and alarm files of the device
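The branch decision in step 1 can be automated by parsing the display ike sa output. The following Python script is an added example, not part of this document or of the router software: it parses the step 1 output shown above (copied verbatim) plus a second, constructed output in which phase 1 is still negotiating, reports whether a READY IKE SA (phase 1) and IPSec SA (phase 2) exist for a given peer, and returns which branch of the procedure to take. The row format and flag names (RD, NEG) are taken from the page; the column regex is an assumption about how other rows of the same command are laid out.

```python
import re

# Output copied from step 1 of this page (display ike sa on RouterA).
SAMPLE_DISPLAY_IKE_SA = """\
<RouterA>display ike sa
      Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
      397      30.0.0.1        0     RD                     v2:2
      367      30.0.0.1        0     RD                     v1:1

  Number of SA entries  : 2
"""

# Constructed output (not from the page): phase 1 still negotiating, no phase 2 entry.
CONSTRUCTED_NEGOTIATING = """\
<RouterA>display ike sa
      Conn-ID  Peer            VPN   Flag(s)                Phase
  ---------------------------------------------------------------
      401      30.0.0.1        0     NEG                    v1:1

  Number of SA entries  : 1
"""

# One SA row: Conn-ID, Peer, VPN, one or more flags, then v<version>:<phase>.
# Assumed layout, based on the sample above.
SA_ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>\S+)\s+(?P<vpn>\S+)\s+"
    r"(?P<flags>\S.*?)\s+v(?P<ver>[12]):(?P<phase>[12])\s*$"
)


def parse_ike_sa(output):
    """Return one dict per SA row found in 'display ike sa' output."""
    rows = []
    for line in output.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue
        flags = re.split(r"[|\s]+", m.group("flags").strip())
        rows.append({
            "conn_id": int(m.group("conn")),
            "peer": m.group("peer"),
            "vpn": m.group("vpn"),
            "flags": flags,
            "ike_version": int(m.group("ver")),
            "phase": int(m.group("phase")),
            "ready": "RD" in flags,          # RD = READY per the flag legend
        })
    return rows


def sa_status(output, peer):
    """Whether a READY phase-1 (IKE) SA and phase-2 (IPSec) SA exist with the given peer."""
    rows = [r for r in parse_ike_sa(output) if r["peer"] == peer]
    return {
        "ike_sa": any(r["phase"] == 1 and r["ready"] for r in rows),
        "ipsec_sa": any(r["phase"] == 2 and r["ready"] for r in rows),
    }


def next_check(status):
    """Branch the procedure takes from step 1, as a label rather than a step number."""
    if status["ike_sa"] and status["ipsec_sa"]:
        return "forwarding"     # both SAs up: verify outbound interface and ACL match
    if status["ike_sa"]:
        return "ipsec-phase2"   # IKE SA up, IPSec SA missing: proposals, policy, ACL mirror
    return "ike-phase1"         # no IKE SA: reachability, IKE peer and IKE proposal


if __name__ == "__main__":
    status = sa_status(SAMPLE_DISPLAY_IKE_SA, "30.0.0.1")
    print(status, "->", next_check(status))
```

A row whose flag is NEG rather than RD is deliberately treated as absent: an SA that is still negotiating is the failure case the rest of the procedure diagnoses, not a success.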
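Steps 3 and 6 both come down to evaluating ACL rules: does the GRE packet between the tunnel endpoints match the ACL at all, and do the two ends' ACLs mirror each other? The following Python script is an added example, not part of this document or of the router software. It parses a subset of Huawei advanced ACL syntax (rule id, permit or deny, protocol, source and destination with wildcard mask or any), evaluates a flow against the rules in configuration order, and reports permit rules on either end that have no mirrored counterpart. The tunnel endpoints 1.1.1.1 and 2.2.2.2, the LAN prefixes, and the ACL texts are constructed for the example; the "inner only" ACL shows the common mistake of matching the LAN-to-LAN traffic instead of the encapsulated GRE packets, which leaves the GRE traffic outside the IPSec tunnel.

```python
import ipaddress
import re

GRE = 47
IP_PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47}  # None = any protocol

# Constructed tunnel endpoints (not from the page): tunnel source on RouterA, destination on RouterB.
TUNNEL_A, TUNNEL_B = "1.1.1.1", "2.2.2.2"

# Constructed ACL text. ACL_A is a correct rule for GRE over IPSec: it matches the GRE
# packets between the tunnel endpoints. ACL_B_MIRROR is its mirror on the peer router.
ACL_A = """\
acl number 3000
 rule 5 permit gre source 1.1.1.1 0 destination 2.2.2.2 0
"""
ACL_B_MIRROR = """\
acl number 3000
 rule 5 permit gre source 2.2.2.2 0 destination 1.1.1.1 0
"""
# Common mistake: matching the inner LAN-to-LAN traffic instead of the encapsulated GRE packets.
ACL_A_INNER_ONLY = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
"""

# Subset of the rule syntax: rule <id> permit|deny <proto> [source A W | source any] [destination A W | destination any]
RULE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)"
    r"(?:\s+source\s+(?:(?P<srcany>any)|(?P<src>\S+)\s+(?P<srcw>\S+)))?"
    r"(?:\s+destination\s+(?:(?P<dstany>any)|(?P<dst>\S+)\s+(?P<dstw>\S+)))?\s*$"
)


def _net(addr, wild, is_any):
    """(address, wildcard) as ints; a 1 bit in the wildcard means 'don't care', '0' means exact host."""
    if is_any or addr is None:
        return 0, 0xFFFFFFFF
    w = int(ipaddress.IPv4Address(wild)) if "." in wild else int(wild)
    return int(ipaddress.IPv4Address(addr)), w


def parse_acl(text):
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append({
                "id": int(m.group("id")),
                "action": m.group("action"),
                "proto": m.group("proto"),
                "src": _net(m.group("src"), m.group("srcw"), m.group("srcany")),
                "dst": _net(m.group("dst"), m.group("dstw"), m.group("dstany")),
            })
    return rules


def _in(addr, net):
    base, wild = net
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def flow_matches(rules, proto, src, dst):
    """First-match evaluation of a (protocol number, source, destination) flow; True if permitted.
    Assumes rules are evaluated in configuration order."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for r in rules:
        want = IP_PROTO.get(r["proto"])
        if want is not None and want != proto:
            continue
        if _in(s, r["src"]) and _in(d, r["dst"]):
            return r["action"] == "permit"
    return False


def acl_mirror_gaps(a_rules, b_rules):
    """Permit rules on each end with no mirror (source and destination swapped) on the other end.
    Returns (rule ids unmatched on A, rule ids unmatched on B); two empty lists mean the ACLs mirror."""
    def permits(rules):
        return {(r["proto"], r["src"], r["dst"]): r["id"] for r in rules if r["action"] == "permit"}
    a, b = permits(a_rules), permits(b_rules)
    return (sorted(i for (p, s, d), i in a.items() if (p, d, s) not in b),
            sorted(i for (p, s, d), i in b.items() if (p, d, s) not in a))


if __name__ == "__main__":
    a, inner = parse_acl(ACL_A), parse_acl(ACL_A_INNER_ONLY)
    print("GRE flow enters IPSec with ACL_A:", flow_matches(a, GRE, TUNNEL_A, TUNNEL_B))
    print("GRE flow enters IPSec with inner-only ACL:", flow_matches(inner, GRE, TUNNEL_A, TUNNEL_B))
    print("mirror gaps A vs B:", acl_mirror_gaps(a, parse_acl(ACL_B_MIRROR)))
```

With the inner-only ACL the LAN-to-LAN flow is permitted but the GRE flow is not, which is exactly the step 3 symptom: the SAs come up, yet the GRE packets leave the physical interface unencrypted.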
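Steps 4, 5, 8 and 9 are all pairwise comparisons of the two ends' settings, with one twist: some fields must be identical (proposals, negotiation mode, PFS group, pre-shared key) while others must cross over (my remote-address is their local-address, my remote-name is their local-name), and the names only matter in the IKEv1 aggressive-mode and IKEv2 name-ID cases noted in step 8. The following Python script is an added example, not part of this document or of the router software, that encodes those rules over settings as a maintainer would transcribe them from display ike peer, display ike proposal, display ipsec proposal and display ipsec policy. The addresses, names, algorithms and key are constructed values; the field names are this example's own, not the display command output names.

```python
import copy

# Constructed settings (not from the page) as transcribed from display ike peer, display ike
# proposal, display ipsec proposal and display ipsec policy, plus the configured pre-shared key.
ROUTER_A = {
    "ike_peer": {"version": "v1", "exchange_mode": "main", "local_address": "10.0.0.1",
                 "remote_address": "30.0.0.1", "local_name": "routerA", "remote_name": "routerB",
                 "remote_id_type": "ip", "pre_shared_key": "Huawei@123"},
    "ike_proposal": {"auth_method": "pre-share", "encryption": "aes-cbc-256",
                     "authentication": "sha2-256", "dh": "group14"},
    "ipsec_proposal": {"transform": "esp", "encapsulation_mode": "tunnel",
                       "esp_encryption": "aes-256", "esp_authentication": "sha2-256"},
    "ipsec_policy": {"mode": "isakmp", "pfs": "dh-group14"},
}

# RouterB mirrors RouterA: addresses and names swapped, everything else identical.
ROUTER_B = copy.deepcopy(ROUTER_A)
ROUTER_B["ike_peer"].update(local_address="30.0.0.1", remote_address="10.0.0.1",
                            local_name="routerB", remote_name="routerA")

# A broken peer: aggressive mode, PFS left off, and a mistyped remote name.
ROUTER_B_BAD = copy.deepcopy(ROUTER_B)
ROUTER_B_BAD["ike_peer"]["exchange_mode"] = "aggressive"
ROUTER_B_BAD["ike_peer"]["remote_name"] = "routerA-old"
ROUTER_B_BAD["ipsec_policy"]["pfs"] = None

# Fields that must be identical at both ends (steps 4, 5, 8 and 9 above).
SAME = {
    "ike_peer": ("version", "exchange_mode", "pre_shared_key"),
    "ike_proposal": ("auth_method", "encryption", "authentication", "dh"),
    "ipsec_proposal": ("transform", "encapsulation_mode", "ah_authentication",
                       "esp_encryption", "esp_authentication"),
    "ipsec_policy": ("mode", "pfs"),
}


def names_required(peer):
    """Peer names are only checked for IKEv1 aggressive mode or IKEv2 with a name-type remote ID."""
    return ((peer["version"] == "v1" and peer["exchange_mode"] == "aggressive")
            or (peer["version"] == "v2" and peer.get("remote_id_type") == "name"))


def find_mismatches(local, remote):
    """List every setting that would make negotiation fail; an empty list means the ends are consistent."""
    problems = []
    for section, fields in SAME.items():
        for f in fields:
            lv, rv = local[section].get(f), remote[section].get(f)
            if lv != rv:
                problems.append(f"{section}.{f}: local={lv!r} remote={rv!r}")
    lp, rp = local["ike_peer"], remote["ike_peer"]
    # Addresses cross over: my remote-address must be their local-address, and vice versa.
    if lp["remote_address"] != rp["local_address"]:
        problems.append(f"ike_peer.remote_address: local={lp['remote_address']!r} "
                        f"remote local_address={rp['local_address']!r}")
    if lp["local_address"] != rp["remote_address"]:
        problems.append(f"ike_peer.local_address: local={lp['local_address']!r} "
                        f"remote remote_address={rp['remote_address']!r}")
    # Names cross over the same way, but only when the name is actually used for identification.
    if names_required(lp) or names_required(rp):
        if lp["remote_name"] != rp["local_name"]:
            problems.append(f"ike_peer.remote_name: local={lp['remote_name']!r} "
                            f"remote local_name={rp['local_name']!r}")
        if rp["remote_name"] != lp["local_name"]:
            problems.append(f"ike_peer.remote_name: remote={rp['remote_name']!r} "
                            f"local local_name={lp['local_name']!r}")
    return problems


if __name__ == "__main__":
    print("A vs B:", find_mismatches(ROUTER_A, ROUTER_B))
    for p in find_mismatches(ROUTER_A, ROUTER_B_BAD):
        print("A vs B_BAD:", p)
```

Against the broken peer the check reports the exchange-mode mismatch, the missing PFS group and the wrong remote name in one pass, which is the order the procedure would otherwise reach them in over steps 5 and 8.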

Updated: 2019-05-10

Document ID: EDOC1000079719