Cisco-Asa

ASA IPSec 隧道啟動,但記錄錯誤?

  • May 15, 2015

我在 ASA 上收到以下錯誤;

Jan 24 2012 17:15:13 ASA1 : %ASA-7-714003: IP = 1.2.3.4, IKE Responder starting QM: msg id = 5293ff7c
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713236: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=5293ff7c) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing hash payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing SA payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing nonce payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ke payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, processing ISA_KE for PFS in phase 2
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-714011: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received 1.2.3.444
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713025: Group = 1.2.3.4, IP = 1.2.3.4, Received remote Proxy Host data in ID Payload:  Address 1.2.3.444, Protocol 0, Port 0
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-714011: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received
5.6.7.8
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713024: Group = 1.2.3.4, IP = 1.2.3.4, Received local Proxy Host data in ID Payload:  Address 5.6.7.8, Protocol 0, Port 0
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713221: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, checking map = outside_map, seq = 10...
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713222: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:1.2.3.444 dst:5.6.7.8
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713066: Group = 1.2.3.4, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: outside_dyn_map
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing IPSec SA payload
Jan 24 2012 17:15:13 ASA1 : %ASA-5-713904: Group = 1.2.3.4, IP = 1.2.3.4, All IPSec SA proposals found unacceptable!
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, sending notify message
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing blank hash payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, constructing ipsec notify payload for msg id 5293ff7c
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing qm hash payload
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713236: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=c34f6ff7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jan 24 2012 17:15:13 ASA1 : %ASA-3-713902: Group = 1.2.3.4, IP = 1.2.3.4, QM FSM error (P2 struct &0xca9c89b0, mess id 0x5293ff7c)!
Jan 24 2012 17:15:13 ASA1 : %ASA-7-715065: Group = 1.2.3.4, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0xca9c89b0)  <state>, <event>:  QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, sending delete/delete with reason message
Jan 24 2012 17:15:13 ASA1 : %ASA-3-713902: Group = 1.2.3.4, IP = 1.2.3.4, Removing peer from correlator table failed, no match!

我只能訪問此端,我無權訪問它終止的本地 LAN IP。

與遠端終端操作員交談時,他可以通過隧道連接到本地 LAN IP,因此它可以正常工作,但我仍然在日誌中看到錯誤,特別是“所有 IPSec SA 提議均不可接受!”。

通過show isakmp sa detail對等體處於活動狀態,show ipsec sa detail我可以看到封裝和解封裝數據包的數據包計數器上升。

這是如何工作的?我應該擔心日誌嗎?

我看到問題就知道了。我想我需要另一雙眼睛向我指出這一點,所以謝謝。

Jan 24 2012 17:15:13 ASA1 : %ASA-7-713222: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:1.2.3.444 dst:5.6.7.8
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713066: Group = 1.2.3.4, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: outside_dyn_map

這些台詞說明了一切。outside_map 定義了遠端端點對等 IP,但它應該是它們的代理 IP。

感謝您的推動;)

引用自:https://serverfault.com/questions/353162