Vpn

VPN from ASA5505 to Checkpoint fails after an hour

  • July 14, 2011

I have an IPsec site-to-site VPN set up and working, but I run into problems once the connection has been established for more than an hour. After an hour, ASDM still thinks the VPN is connected and the connection duration keeps increasing, but as soon as the UI tries to send data down it, the tunnel is torn down and recreated along with the first packet of data sent from our firewall to the client machine on our network. I turned on logging, and the following two lines look the most interesting:

Session Disconnected. ... Reason: crypto map policy not found
...
Connection terminated for peer 213.123.59.222.  Reason: Peer Terminate  Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50

213.123.59.222 is the external IP they use for the Checkpoint box, 78.129.136.64 is the machine on our local network that is sending the data, and 171.28.18.50 is the machine on their network that I am trying to send data to.

My timeout configuration is as follows:

timeout conn 0:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
group-policy DfltGrpPolicy attributes
vpn-idle-timeout 180
vpn-tunnel-protocol IPSec svc 

I would like to understand whether the problem is with the configuration on our side (ASA5505) or on the customer's firewall (Checkpoint). Is there anything else I can check before getting in touch with them?

Update: when I do show configuration, my access lists and crypto maps look like this (sorry if there are missing lines and funny names like 'bob'; I'm a bit out of my depth and found setting up the VPN a bit trial and error!):

access-list basic extended permit tcp any any eq 3389 
access-list basic extended permit tcp any any eq ssh 
access-list basic extended permit tcp any any eq www 
access-list basic extended permit tcp any any eq https 
access-list basic remark MySQL
access-list basic extended permit tcp any any eq 3306 
access-list allow extended permit ip any any 
access-list NoNAT extended permit ip 78.129.136.64 255.255.255.240 10.199.2.0 255.255.255.0 
access-list SiteAtoSiteB extended permit ip 78.129.136.64 255.255.255.240 10.199.2.0     255.255.255.0 
access-list SiteAtoSiteB extended permit tcp 78.129.136.64 255.255.255.240 host 171.28.18.50 eq telnet 
access-list bob standard permit host 171.28.18.50 
...
crypto map SiteToSiteVPN 10 match address SiteAtoSiteB
crypto map SiteToSiteVPN 10 set pfs 
crypto map SiteToSiteVPN 10 set peer 213.123.59.222 
crypto map SiteToSiteVPN 10 set transform-set SiteAToSiteBtransform
crypto map SiteToSiteVPN 10 set security-association lifetime seconds 28800
crypto map SiteToSiteVPN 10 set security-association lifetime kilobytes 4608000
crypto map SiteToSiteVPN interface Outside

Sorry, I think I misunderstood Shane's comment; maybe this information is in the error statement. The logging statements generated when the first piece of data is sent after the hour are:

Teardown local-host Outside:171.28.18.50 duration 1:59:35
Teardown TCP connection 27792859 for Outside:171.28.18.50/23 to Inside:78.129.136.66/48572 duration 1:59:35 bytes 86765 Tunnel has been torn down
Ignoring msg to mark SA with dsID 72404992 dead because SA deleted
Group = 213.123.59.222, Username = 213.123.59.222, IP = 213.123.59.222, Session disconnected. Session Type: IPsec, Duration: 1h:59m:53s, Bytes xmt: 45646, Bytes rcv: 53194, Reason: crypto map policy not found
Pitcher: received key delete msg, spi 0xf025f6b
Pitcher: received key delete msg, spi 0x7447991f
Pitcher: received key delete msg, spi 0x7447991f
IP = 213.123.59.222, IKE_DECODE SENDING Message (msgid=27f78398) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Group = 213.123.59.222, IP = 213.123.59.222, constructing qm hash payload
Group = 213.123.59.222, IP = 213.123.59.222, constructing IKE delete payload
Group = 213.123.59.222, IP = 213.123.59.222, constructing blank hash payload
IPSEC: An outbound LAN-to-LAN SA (SPI= 0x0F025F6B) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
IPSEC: An inbound LAN-to-LAN SA (SPI= 0x7447991F) between 87.117.211.90 and 213.123.59.222 (user= 213.123.59.222) has been deleted.
Group = 213.123.59.222, IP = 213.123.59.222, sending delete/delete with reason message
Group = 213.123.59.222, IP = 213.123.59.222, IKE SA MM:a6daae8d terminating:  flags 0x01000002, refcnt 0, tuncnt 0
Group = 213.123.59.222, IP = 213.123.59.222, IKE SA MM:a6daae8d rcv'd Terminate: state MM_ACTIVE  flags 0x00000042, refcnt 1, tuncnt 0
Group = 213.123.59.222, IP = 213.123.59.222, IKE Deleting SA: Remote Proxy 171.28.18.50, Local Proxy 78.129.136.64
Group = 213.123.59.222, IP = 213.123.59.222, Active unit receives a delete event for remote peer 213.123.59.222.
Group = 213.123.59.222, IP = 213.123.59.222, Connection terminated for peer 213.123.59.222.  Reason: Peer Terminate  Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
Group = 213.123.59.222, IP = 213.123.59.222, processing delete
Group = 213.123.59.222, IP = 213.123.59.222, processing hash payload
IP = 213.123.59.222, IKE_DECODE RECEIVED Message (msgid=b3da5da4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
Built inbound UDP connection 27794863 for Outside:213.123.59.222/500 (213.123.59.222/500) to identity:87.117.211.90/500 (87.117.211.90/500)
Built local-host Outside:213.123.59.222

This is a common problem with Cisco + CP VPNs. Check the SA Life Expiry settings on both sides; I believe Check Point is 28800 seconds and Cisco is 86400 seconds (or the other way round).
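As an added example, not part of the question or the answer above, the Python script below pulls the two facts that matter for the lifetime check out of the ASA log lines quoted in the question: how long the tunnel lived before the teardown, and which side sent the IKE DELETE. It then compares the observed duration with a list of candidate SA lifetimes. It assumes the log excerpt is listed newest entry first, as it appears in the question; the candidate lifetime list is constructed for illustration (the 28800 s from the crypto map in the question, the 86400 s named in the answer, and two round values) and is not taken from either device's configuration.

```python
import re

# Constructed sample: a subset of the ASA log lines from the question, in the
# order the question shows them (newest entry first).
SAMPLE_LOG = """\
Group = 213.123.59.222, Username = 213.123.59.222, IP = 213.123.59.222, Session disconnected. Session Type: IPsec, Duration: 1h:59m:53s, Bytes xmt: 45646, Bytes rcv: 53194, Reason: crypto map policy not found
IP = 213.123.59.222, IKE_DECODE SENDING Message (msgid=27f78398) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Group = 213.123.59.222, IP = 213.123.59.222, Connection terminated for peer 213.123.59.222.  Reason: Peer Terminate  Remote Proxy 78.129.136.64, Local Proxy 171.28.18.50
Group = 213.123.59.222, IP = 213.123.59.222, processing delete
IP = 213.123.59.222, IKE_DECODE RECEIVED Message (msgid=b3da5da4) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
"""

# "Duration: 1h:59m:53s" as logged by the ASA session-disconnect message.
DURATION_RE = re.compile(r"Duration: (\d+)h:(\d+)m:(\d+)s")
# The reason text runs to end of line, or to the double space that precedes
# the "Remote Proxy ..." suffix on the "Connection terminated" line.
REASON_RE = re.compile(r"Reason: (.+?)(?:\s{2,}|$)")
# An IKE informational exchange carrying a DELETE payload, sent or received.
DELETE_RE = re.compile(r"IKE_DECODE (SENDING|RECEIVED) Message .*\+ DELETE \(12\)")

# Constructed candidate list: the 28800 s from the question's crypto map, the
# 86400 s the answer names, and two round values to test against.
CANDIDATE_LIFETIMES = [3600, 7200, 28800, 86400]


def parse_teardowns(log_text):
    """Collect every line that states a teardown reason, with the tunnel
    duration in seconds when the line carries one."""
    events = []
    for line in log_text.splitlines():
        reason = REASON_RE.search(line)
        if not reason:
            continue
        duration_s = None
        duration = DURATION_RE.search(line)
        if duration:
            h, m, s = (int(x) for x in duration.groups())
            duration_s = h * 3600 + m * 60 + s
        events.append({"duration_s": duration_s, "reason": reason.group(1).strip()})
    return events


def delete_initiator(log_text, newest_first=True):
    """Return 'peer' if the first IKE DELETE in chronological order was
    received from the remote side, 'local' if this ASA sent it, None if no
    DELETE message appears in the excerpt."""
    lines = log_text.splitlines()
    if newest_first:
        lines = list(reversed(lines))
    for line in lines:
        hit = DELETE_RE.search(line)
        if hit:
            return "peer" if hit.group(1) == "RECEIVED" else "local"
    return None


def nearest_lifetime(duration_s, candidates, tolerance_s=120):
    """Return the candidate lifetime closest to the observed duration, or None
    when none is within the tolerance (rekeys fire a little before expiry)."""
    best = min(candidates, key=lambda c: abs(c - duration_s))
    return best if abs(best - duration_s) <= tolerance_s else None


def diagnose(log_text):
    """Summarise the excerpt: stated reasons, who sent the DELETE, tunnel
    lifetime, and the candidate SA lifetime it lines up with, if any."""
    events = parse_teardowns(log_text)
    durations = [e["duration_s"] for e in events if e["duration_s"] is not None]
    report = {
        "reasons": sorted({e["reason"] for e in events}),
        "initiator": delete_initiator(log_text),
        "duration_s": durations[0] if durations else None,
        "matched_lifetime": None,
    }
    if durations:
        report["matched_lifetime"] = nearest_lifetime(durations[0], CANDIDATE_LIFETIMES)
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the quoted lines, the report shows the DELETE arriving from the peer before the ASA sends its own, a session duration of 7193 seconds, and no match with the 28800-second lifetime in the question's crypto map; a tunnel that always dies at about the same age is the signature of a timer, so the value to look for is whichever lifetime on either box sits near that duration.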

Quoted from: https://serverfault.com/questions/290017