Cisco-Asa
ASA IPSec 隧道啟動,但記錄錯誤?
我在 ASA 上收到以下錯誤;
Jan 24 2012 17:15:13 ASA1 : %ASA-7-714003: IP = 1.2.3.4, IKE Responder starting QM: msg id = 5293ff7c Jan 24 2012 17:15:13 ASA1 : %ASA-7-713236: IP = 1.2.3.4, IKE_DECODE RECEIVED Message (msgid=5293ff7c) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NONE (0) total length : 292 Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing hash payload Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing SA payload Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing nonce payload Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ke payload Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, processing ISA_KE for PFS in phase 2 Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload Jan 24 2012 17:15:13 ASA1 : %ASA-7-714011: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received 1.2.3.444 Jan 24 2012 17:15:13 ASA1 : %ASA-7-713025: Group = 1.2.3.4, IP = 1.2.3.4, Received remote Proxy Host data in ID Payload: Address 1.2.3.444, Protocol 0, Port 0 Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing ID payload Jan 24 2012 17:15:13 ASA1 : %ASA-7-714011: Group = 1.2.3.4, IP = 1.2.3.4, ID_IPV4_ADDR ID received 5.6.7.8 Jan 24 2012 17:15:13 ASA1 : %ASA-7-713024: Group = 1.2.3.4, IP = 1.2.3.4, Received local Proxy Host data in ID Payload: Address 5.6.7.8, Protocol 0, Port 0 Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, QM IsRekeyed old sa not found by addr Jan 24 2012 17:15:13 ASA1 : %ASA-7-713221: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, checking map = outside_map, seq = 10... Jan 24 2012 17:15:13 ASA1 : %ASA-7-713222: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:1.2.3.444 dst:5.6.7.8 Jan 24 2012 17:15:13 ASA1 : %ASA-7-713066: Group = 1.2.3.4, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: outside_dyn_map Jan 24 2012 17:15:13 ASA1 : %ASA-7-715047: Group = 1.2.3.4, IP = 1.2.3.4, processing IPSec SA payload Jan 24 2012 17:15:13 ASA1 : %ASA-5-713904: Group = 1.2.3.4, IP = 1.2.3.4, All IPSec SA proposals found unacceptable! Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, sending notify message Jan 24 2012 17:15:13 ASA1 : %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing blank hash payload Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, constructing ipsec notify payload for msg id 5293ff7c Jan 24 2012 17:15:13 ASA1 : %ASA-7-715046: Group = 1.2.3.4, IP = 1.2.3.4, constructing qm hash payload Jan 24 2012 17:15:13 ASA1 : %ASA-7-713236: IP = 1.2.3.4, IKE_DECODE SENDING Message (msgid=c34f6ff7) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84 Jan 24 2012 17:15:13 ASA1 : %ASA-3-713902: Group = 1.2.3.4, IP = 1.2.3.4, QM FSM error (P2 struct &0xca9c89b0, mess id 0x5293ff7c)! Jan 24 2012 17:15:13 ASA1 : %ASA-7-715065: Group = 1.2.3.4, IP = 1.2.3.4, IKE QM Responder FSM error history (struct &0xca9c89b0) <state>, <event>: QM_DONE, EV_ERROR-->QM_BLD_MSG2, EV_NEGO_SA-->QM_BLD_MSG2, EV_IS_REKEY-->QM_BLD_MSG2, EV_CONFIRM_SA-->QM_BLD_MSG2, EV_PROC_MSG-->QM_BLD_MSG2, EV_HASH_OK-->QM_BLD_MSG2, NullEvent-->QM_BLD_MSG2, EV_COMP_HASH Jan 24 2012 17:15:13 ASA1 : %ASA-7-713906: Group = 1.2.3.4, IP = 1.2.3.4, sending delete/delete with reason message Jan 24 2012 17:15:13 ASA1 : %ASA-3-713902: Group = 1.2.3.4, IP = 1.2.3.4, Removing peer from correlator table failed, no match!
我只能訪問此端,我無權訪問它終止的本地 LAN IP。
與遠端終端操作員交談時,他可以通過隧道連接到本地 LAN IP,因此它可以正常工作,但我仍然在日誌中看到錯誤,特別是“所有 IPSec SA 提議均不可接受!”。
通過
show isakmp sa detail
對等體處於活動狀態,show ipsec sa detail
我可以看到封裝和解封裝數據包的數據包計數器上升。這是如何工作的?我應該擔心日誌嗎?
我看到問題就知道了。我想我需要另一雙眼睛向我指出這一點,所以謝謝。
Jan 24 2012 17:15:13 ASA1 : %ASA-7-713222: Group = 1.2.3.4, IP = 1.2.3.4, Static Crypto Map check, map = outside_map, seq = 10, ACL does not match proxy IDs src:1.2.3.444 dst:5.6.7.8 Jan 24 2012 17:15:13 ASA1 : %ASA-7-713066: Group = 1.2.3.4, IP = 1.2.3.4, IKE Remote Peer configured for crypto map: outside_dyn_map
這些台詞說明了一切。outside_map 定義了遠端端點對等 IP,但它應該是它們的代理 IP。
感謝您的推動;)