
IKE negotiation cannot succeed after an IKE failure

Asked on 2024-11-27

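Problem description:

One branch site suddenly became unable to negotiate IKE with the headquarters site. The debug output on the branch side is as follows:

<H3C>debugging ike all
<H3C>*Nov 27 01:29:34:043 2024 H3C IKE/7/EVENT: Sent config set message.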
*Nov 27 01:29:34:420 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:34:420 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:34:420 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:34:420 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:34:420 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:36:106 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:36:106 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:36:106 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:36:106 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:36:106 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:36:324 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:36:324 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:36:324 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:36:324 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:36:324 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:36:353 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:36:353 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:36:353 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:36:353 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:36:353 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:36:621 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:36:621 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:36:621 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:36:621 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:36:621 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:37:353 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:37:353 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:37:353 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:37:353 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:37:353 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:38:110 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:38:110 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:38:110 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:38:111 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:38:111 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:38:187 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:38:187 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:38:187 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:38:188 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:38:188 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:38:213 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:38:213 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:38:213 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:38:213 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:38:213 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
%Nov 27 01:29:38:822 2024 H3C PING/6/PING_STATISTICS: Ping statistics for 172.20.232.1: 5 packet(s) transmitted, 0 packet(s) received, 100.0% packet loss.
*Nov 27 01:29:38:842 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:38:842 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:38:842 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:38:842 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:38:842 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Set IPsec SA state to IKE_P2_STATE_INIT.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: IKE SA not found. Initiate IKE SA negotiation.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Obtained profile bigoneIDC.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Initiator created an SA for peer 103.239.206.97, local port 500, remote port 500.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Set IKE SA state to IKE_P1_STATE_INIT.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:39:214 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Begin Aggressive mode exchange.
*Nov 27 01:29:39:214 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Found pre-shared key that matches address 103.239.206.97 in keychain 1.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  Encryption algorithm is AES-CBC.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  Key length is 256 bits.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  Hash algorithm is HMAC-SHA2_256.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  DH group 2.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  Authentication method is Pre-shared key.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  Lifetime type is in seconds.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  Life duration is 86400.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct transform payload for transform 1.
*Nov 27 01:29:39:214 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Constructed SA payload.
*Nov 27 01:29:39:239 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct KE payload.
*Nov 27 01:29:39:239 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct NONCE payload.
*Nov 27 01:29:39:239 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Local ID type: FQDN (2).
*Nov 27 01:29:39:239 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Local ID value: DG1215.
*Nov 27 01:29:39:239 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct ID payload.
*Nov 27 01:29:39:239 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct DPD vendor ID payload.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct NAT-T rfc3947 vendor ID payload.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct NAT-T draft3 vendor ID payload.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct NAT-T draft2 vendor ID payload.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct NAT-T draft1 vendor ID payload.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct XAUTH Cisco Unity 1.0 vendor ID payload.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Construct XAUTH draft6 vendor ID payload.
*Nov 27 01:29:39:240 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Sending packet to 103.239.206.97 remote port 500, local port 500.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  I-COOKIE: 1bff2de7d9bad717
  R-COOKIE: 0000000000000000
  next payload: SA
  version: ISAKMP Version 1.0
  exchange mode: Aggressive
  flags:
  message ID: 0
  length: 388
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Sending an IPv4 packet.
*Nov 27 01:29:39:240 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Sent data to socket successfully.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received message from ipsec, message type is 0.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: IKE thread 1099527456 processes a job.
*Nov 27 01:29:39:846 2024 H3C IKE/7/EVENT: Received SA acquire message from IPsec.
*Nov 27 01:29:39:847 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.

[H3C]dis ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    38              103.239.206.97        Unknown      IPsec

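I have checked the phase 1 and phase 2 configuration; the ACL interesting traffic and the IKE key are all correct. Phase 1 cannot negotiate and stays in the Unknown state.

Network topology and description:

Headquarters-side log information: after 21:00, when the branch side re-triggered negotiation, the headquarters side did not receive any log information either. Negotiation between the headquarters side and the other 100-plus branches is normal.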

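1 answer

From the debug output, when IKE negotiation was re-initiated, the 125.93.252.192 side sent the IKE negotiation packet but did not receive a reply from the peer 103.239.206.97. You can also run debug on the peer side to check.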

*Nov 27 01:29:39:240 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Sending packet to 103.239.206.97 remote port 500, local port 500.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  I-COOKIE: 1bff2de7d9bad717
  R-COOKIE: 0000000000000000
  next payload: SA
  version: ISAKMP Version 1.0
  exchange mode: Aggressive
  flags:
  message ID: 0
  length: 388
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Sending an IPv4 packet.
*Nov 27 01:29:39:240 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Sent data to socket successfully.
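
The reading given in the answer can be checked mechanically over a saved debug capture. The following is an added example, not part of the original post or answer and not H3C tooling: it flags peers whose last phase-1 state is IKE_P1_STATE_SEND1 while the R-COOKIE is still all zeros, and counts the phase-2 collision messages. The function names are hypothetical and the sample is an abridged copy of lines quoted on this page.

```python
import re
from collections import defaultdict

# Constructed sample: an abridged copy of the debug lines quoted on this page.
SAMPLE = """\
*Nov 27 01:29:38:842 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
*Nov 27 01:29:39:213 2024 H3C IKE/7/EVENT: IKE SA not found. Initiate IKE SA negotiation.
*Nov 27 01:29:39:240 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
IKE SA state changed from IKE_P1_STATE_INIT to IKE_P1_STATE_SEND1.
*Nov 27 01:29:39:240 2024 H3C IKE/7/PACKET: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
  I-COOKIE: 1bff2de7d9bad717
  R-COOKIE: 0000000000000000
*Nov 27 01:29:39:847 2024 H3C IKE/7/EVENT: vrf = 0, local = 125.93.252.192, remote = 103.239.206.97/500
Collision of phase 2 negotiation is found when acquired sa.
"""

HEADER = re.compile(r"^\*.*? IKE/7/(?:EVENT|PACKET): (.*)$")
PEER = re.compile(r"remote = ([\d.]+)/\d+")
STATE = re.compile(r"IKE SA state changed from (\S+) to (\S+?)\.")
R_COOKIE = re.compile(r"R-COOKIE: ([0-9a-f]{16})")

def summarize(text):
    """Return {peer: {p1_state, r_cookie, p2_collisions}} from IKE debug text."""
    peers = defaultdict(lambda: {"p1_state": None, "r_cookie": None, "p2_collisions": 0})
    current = None  # peer named by the most recent header line
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            peer = PEER.search(header.group(1))
            current = peer.group(1) if peer else None
            continue
        if current is None or not line.strip():
            continue  # continuation line without a peer context
        entry = peers[current]
        if (m := STATE.search(line)):
            entry["p1_state"] = m.group(2)       # keep only the latest state
        elif (m := R_COOKIE.search(line)):
            entry["r_cookie"] = m.group(1)
        elif "Collision of phase 2 negotiation" in line:
            entry["p2_collisions"] += 1
    return dict(peers)

def stalled_peers(text):
    """Peers stuck after the first phase-1 message: SEND1 and no responder cookie."""
    return sorted(p for p, e in summarize(text).items()
                  if e["p1_state"] == "IKE_P1_STATE_SEND1" and e["r_cookie"] in (None, "0" * 16))

print(stalled_peers(SAMPLE))
```

A peer reported here has sent its first Aggressive mode message and logged no later state change, so the next place to look is the path to the peer and the peer's own debug output, as the answer suggests.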
