Published: 2016-01-05 | Views: 700 | Downloads: 9 | Author: g00527371 | Document ID: EKB1000093906
Version
V100R001C20SPC600
Problem description
The IPsec VPN is established normally, and the interest flow is 172.x.x.x ---- 172.35.253.254. On the Huawei USG, a tracert to 172.35.253.254 is forwarded normally through VPN interface 1/0/1. But a tracert using source IP address 172.x.x.x goes out through another interface, 1/0/2, so traffic for the 172 network segment does not enter the VPN tunnel and forwarding fails.
Handling process
1. At the central site, check network connectivity and the routing situation
HRP_A<USG.A>ping -a 172.29.151.211 172.3
PING 172.35.253.254: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 172.35.253.254 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
HRP_A<USG.A>disp ip routing-table 172.35.253.254
21:30:16 2015/12/14
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
172.35.253.254/32 Static 1 0 RD 192.168.6.254 GigabitEthernet1/0/2
2. Check the IPsec SAs. A large number of interest-flow entries exist, so a tunnel conflict is initially suspected
HRP_A[USG.A]display ipsec sa remote 189.140.71.251
21:49:14 2015/12/14
===============================
Interface: GigabitEthernet1/0/2
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "back1"
sequence number: 1
mode: template
vpn: public
-----------------------------
connection id: 1046315
rule number: 4294967295
encapsulation mode: tunnel
holding time: 0d 3h 53m 48s
tunnel local : 192.168.6.210 tunnel remote: 189.140.71.251
flow source: 172.0.0.0/255.0.0.0 0/0
flow destination: 172.31.52.62/255.255.255.255 0/0
[inbound ESP SAs]
spi: 2841777789 (0xa962167d)
vpn: public said: 80 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (kilobytes/sec): 1843200/2167
max received sequence-number: 1
udp encapsulation used for nat traversal: Y
[outbound ESP SAs]
spi: 3849703930 (0xe575d1fa)
vpn: public said: 7029 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (kilobytes/sec): 1843200/2167
max sent sequence-number: 1
udp encapsulation used for nat traversal: Y
-----------------------------
IPsec policy name: "back1"
sequence number: 1
mode: template
vpn: public
-----------------------------
connection id: 1046316
rule number: 4294967295
encapsulation mode: tunnel
holding time: 0d 3h 53m 49s
tunnel local : 192.168.6.210 tunnel remote: 189.140.71.251
flow source: 172.0.0.0/255.0.0.0 0/0
flow destination: 10.12.7.110/255.255.255.255 0/0
[inbound ESP SAs]
spi: 2164889605 (0x81099805)
vpn: public said: 6708 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (kilobytes/sec): 1843200/2167
max received sequence-number: 1
udp encapsulation used for nat traversal: Y
[outbound ESP SAs]
spi: 253927908 (0xf22a1e4)
vpn: public said: 6698 cpuid: 0x0000
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining key duration (kilobytes/sec): 1843200/2167
max sent sequence-number: 1
udp encapsulation used for nat traversal: Y
3. Query all interest-flow ACL configurations on the central node. Many ACL network segments are configured with overly large ranges, which causes traffic conflicts
flow destination: 10.12.0.0/255.255.0.0 0/0
flow destination: 172.0.0.0/255.0.0.0 0/0
flow destination: 172.31.35.120/255.255.255.255 0/0
flow destination: 172.29.0.0/255.255.0.0 0/0
flow destination: 172.29.131.0/255.255.255.0 0/0
flow destination: 10.12.0.0/255.255.0.0 0/0
flow destination: 10.12.0.0/255.255.0.0 0/0
flow destination: 172.31.31.0/255.255.255.0 0/0
flow destination: 172.32.46.0/255.255.254.0 0/0
flow destination: 172.33.61.192/255.255.255.192 0/0
flow destination: 172.33.59.0/255.255.255.192 0/0
flow destination: 172.35.0.104/255.255.255.252 0/0
flow destination: 172.32.106.0/255.255.254.0 0/0
flow destination: 172.29.17.0/255.255.255.0 0/0
flow destination: 172.32.104.0/255.255.254.0 0/0
flow destination: 172.30.97.0/255.255.255.0 0/0
flow destination: 172.31.46.0/255.255.255.0 0/0
flow destination: 10.12.0.0/255.255.0.0 0/0
flow destination: 172.33.28.0/255.255.255.0 0/0
flow destination: 172.34.0.216/255.255.255.248 0/0
flow destination: 10.12.0.0/255.255.0.0 0/0
Root cause
The remote sites have unreasonable ACL configurations; once traffic enters the VPN tunnel it conflicts with other tunnels' interest flows, so the traffic fails.
Example of the customer's ACL configuration for a newly built site: 172.0.0.0 0.255.255.255 destination 172.0.0.0 0.255.255.255
Solution
Check the ACL configuration of all sites and match as precisely as possible; avoid configuring overly broad network segment masks that lead to traffic conflicts.
Summary
In a scenario like this, with a very large number of VPN sites, prefer the central policy-template approach, and make sure the remote sites' network planning is standardized: site ACL network segments should be as specific as possible, so that broad network planning does not cause service failures.
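As an added example (not part of the original case or of Huawei's own tooling), the following Python audit takes flow selectors in the address/netmask form printed by `display ipsec sa` and reports the conditions this case turned on: selectors that fully contain other selectors, the same selector bound more than once, selectors broader than a chosen minimum prefix length, and every selector a given destination would match. The selector list is a constructed sample adapted from the case, not the complete customer configuration.

```python
import ipaddress
from collections import Counter
from itertools import combinations

# Constructed sample in the "address/netmask" form printed by `display ipsec sa`.
# It mixes the /8 template selector from the case with a few narrower site selectors.
FLOW_DESTINATIONS = [
    "172.0.0.0/255.0.0.0",             # overly broad template selector
    "172.35.253.254/255.255.255.255",  # host whose traffic left via the wrong interface
    "172.29.0.0/255.255.0.0",
    "172.29.131.0/255.255.255.0",
    "10.12.0.0/255.255.0.0",
    "10.12.0.0/255.255.0.0",           # same selector configured twice
]

def parse_selector(text):
    """Parse 'a.b.c.d/m.m.m.m' into an IPv4Network; strict=False tolerates host bits."""
    return ipaddress.ip_network(text, strict=False)

def find_overlaps(selectors):
    """Return (broad, narrow) pairs where one distinct selector fully contains another."""
    nets = sorted(set(parse_selector(s) for s in selectors), key=lambda n: (n.prefixlen, n))
    found = []
    for a, b in combinations(nets, 2):  # a is never longer than b, so one check suffices
        if b.subnet_of(a):
            found.append((str(a), str(b)))
    return found

def duplicate_selectors(selectors):
    """Selectors that appear more than once (the same flow bound to several tunnels)."""
    counts = Counter(str(parse_selector(s)) for s in selectors)
    return sorted(n for n, c in counts.items() if c > 1)

def matching_selectors(selectors, host):
    """All selectors a packet to `host` matches, broadest first; more than one is a conflict."""
    ip = ipaddress.ip_address(host)
    hits = {n for n in map(parse_selector, selectors) if ip in n}
    return [str(n) for n in sorted(hits, key=lambda n: n.prefixlen)]

def too_broad(selectors, min_prefixlen=16):
    """Selectors wider than the shortest prefix you are willing to allow for one site."""
    return sorted({str(n) for n in map(parse_selector, selectors) if n.prefixlen < min_prefixlen})

if __name__ == "__main__":
    print("overlapping :", find_overlaps(FLOW_DESTINATIONS))
    print("duplicated  :", duplicate_selectors(FLOW_DESTINATIONS))
    print("too broad   :", too_broad(FLOW_DESTINATIONS))
    print("172.35.253.254 matches:", matching_selectors(FLOW_DESTINATIONS, "172.35.253.254"))
```

Run it against the selectors collected from every site's `display ipsec sa` output; any destination that matches more than one selector is a candidate for the mis-forwarding seen in this case.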