AR device IPsec tunnel cannot come up normally

Created Oct 19, 2018 15:21:44. Latest reply Oct 31, 2018 09:25:27.

AR2240 V200R003C01SPC300

 

Topology: [image]

 

An IPSec Down fault occurred on the AR2240: the IPSec connection to the Cisco device at the xxx office failed. As a result, about 1000 xxx services were interrupted.

 

The network link is unreachable.

1. Remotely log in to the AR device and check the IPSec session. The SA negotiation fails. The device is configured with a tunnel peer address of 172.x.x.2.

2. According to the debug information, the AR continuously initiates IPSec negotiation with the peer device at 172.x.x.2 but never receives a response packet from the peer. The debugging information is as follows:

The AR sends a negotiation packet. [image]

The AR retransmits the negotiation packet. [image]

The AR retransmits the negotiation packet again. [image]

3. Initially, a link problem was suspected, so the AR device pinged the peer address as a test. The test results show that the link between the AR and that address is unreachable. Therefore, the first line and the customer are asked to solve the network link problem. The results of pinging 172.x.x.2 are as follows: [image]

 

Modify the tunnel configuration so that the tunnel connects successfully.

1. After the customer solves the network link problem, IPSec negotiation between the AR and the Cisco device still fails: [image]

2. The customer finally confirms that the Cisco device interface address has been changed to 192.168.104.10, not the 172.x.x.2 negotiation address currently configured on the AR. Cisco interface configuration information: [image]

 

3. After the peer address on the AR is changed to 192.168.104.10, the tunnel is successfully established. [image]

[image]

 

Customer service recovery

After the tunnel address is changed to 192.168.104.10, the IPSec negotiation succeeds. The customer's monitoring platform shows no tunnel alarm, and the ATM service is restored.

 

Root Cause:

The IP address of the IPSec service is interrupted, and the IPSec service is interrupted. After the IPSec configuration on the AR is modified, services are restored.

 

Solution :

After the IPSec tunnel is reconfigured, the IPSec tunnel is successfully restored.

Modify the IPSec tunnel configuration of the AR device: [image]

Modified AR device IPSec tunnel configuration: [image]

NOTE: When the IPSec link is faulty, check the IPSec tunnel configuration and the link state.

 


Finn92 Novice Created Oct 19, 2018 15:23:44 Helpful(1)

Hope all guys know about

IPSec Working Principles:

The security policy database (SPD) is the basis for establishing IPSec SAs; it defines the data flows to be protected by IPSec. The security association database (SAD) stores all attributes of the IPSec SAs.

This section describes IPSec working principles using point-to-point unidirectional data transmission (in tunnel mode) as an example.

 

This post was last edited by Finn92 at 2018-10-31 16:46.

w1 Moderator Created Oct 19, 2018 15:26:41 Helpful(1)

Very clear, very good. It is very useful for me. Troubleshooting of IPsec issues is normally very hard; this case is very clear and can guide us step by step. This is very important for troubleshooting. :)

faysalji Novice Created Oct 23, 2018 11:44:10 Helpful(1)

Thanks :)
littlestone Created Oct 24, 2018 09:01:53 Helpful(1)

Check the transmission distance of the optical module, and determine whether the optical fiber length is within the transmission distance range allowed by the optical module based on the optical fiber type. In the preceding command output, the transmission distance supported by OM1 optical fibers is 30 m. If the actual transmission distance exceeds 30 m, use an optical fiber with a longer transmission distance.
This post was last edited by littlestone at 2018-10-31 13:56.

GongXiaochuan Adept Created Oct 26, 2018 14:16:26 Helpful(0)

Very clear, very good. It is very useful for me. Troubleshooting of IPsec issues is normally very hard; this case is very clear and can guide us step by step. This is very important for troubleshooting.
This post was last edited by GongXiaochuan at 2018-10-30 13:57.

SupperRobin Novice Created Oct 26, 2018 14:18:19 Helpful(0)

The procedure and roadmap for configuring IPsec are similar:
• Configure interfaces.
• Configure security policies to allow specific subnets to communicate.
• Create a static route to the peer end.
• Configure the IPSec policy, including basic IPSec policy information, the data flow to be protected by IPSec, and proposal parameters for security association negotiation.
This post was last edited by SupperRobin at 2018-10-31 14:33.

Torrent Created Oct 26, 2018 14:19:13 Helpful(0)

The following should be noted! Hope everyone knows this.

The maximum length of a command (including a command in incomplete form) that can be entered is 512 characters. If a command is configured in incomplete form, the system saves it to the configuration file in its complete form, which may cause the command to exceed 512 characters. In this case, the command configured in incomplete form cannot be restored after the system restarts. Therefore, when you configure a command in incomplete form, pay attention to the length of the command.
This post was last edited by Torrent at 2018-10-31 14:48.

wanglei259 Created Oct 26, 2018 15:01:57 Helpful(0)

Thanks for your sharing, which is wonderful guidance. I am really interested in this article, which is useful for us, for improving product technology, and for becoming a professional engineer.
I hope that you can keep posting new knowledge and skills; I will always keep an eye on your sharing.

No.9527 Mentor Created Oct 27, 2018 16:34:19 Helpful(0)

Usually, for an IPsec problem, we just need to make sure the IKE/IPsec parameters match on both ends, and then it will be OK.

In addition, we need to consider whether there is any NAT device between them; if so, we need to configure NAT traversal.

This post was last edited by No.9527 at 2018-10-31 11:04.
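The root cause in the original post (the AR still pointing at 172.x.x.2 after the Cisco interface moved to 192.168.104.10) and No.9527's advice to check that IKE/IPsec parameters match on both ends can be captured as a pre-flight consistency check. The script below is an added example, not code from the thread or from Huawei; the AR's own address (10.0.0.1), the proposal values, the protected subnets and the whole Cisco-side record are constructed assumptions.

```python
# Added example (not from the original post): a pre-flight check of the IKE/IPsec
# parameters that must agree on both ends of a tunnel. All values below are constructed;
# only 172.x.x.2 and 192.168.104.10 come from the thread.
from dataclasses import dataclass, field


@dataclass
class IpsecEnd:
    name: str
    local_addr: str            # address this end negotiates from
    peer_addr: str             # address this end believes the peer uses
    ike: dict                  # IKE (phase 1) proposal
    ipsec: dict                # IPsec (phase 2) proposal
    flows: set = field(default_factory=set)   # (src_subnet, dst_subnet) pairs to protect
    nat_traversal: bool = False


def check_pair(a: IpsecEnd, b: IpsecEnd, nat_between: bool = False) -> list:
    """Return human-readable mismatches; an empty list means the two ends agree."""
    problems = []
    # 1. Each end's peer address must be the other end's local address
    #    (the stale peer address was the root cause in this thread).
    if a.peer_addr != b.local_addr:
        problems.append(f"{a.name} peer {a.peer_addr} != {b.name} local {b.local_addr}")
    if b.peer_addr != a.local_addr:
        problems.append(f"{b.name} peer {b.peer_addr} != {a.name} local {a.local_addr}")
    # 2. Phase 1 and phase 2 proposals must be identical on both ends.
    for phase, pa, pb in (("ike", a.ike, b.ike), ("ipsec", a.ipsec, b.ipsec)):
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{phase}.{key}: {a.name}={pa.get(key)} {b.name}={pb.get(key)}")
    # 3. Protected flows must mirror each other (source and destination swapped).
    mirrored = {(dst, src) for src, dst in b.flows}
    for src, dst in a.flows ^ mirrored:
        problems.append(f"flow {src}->{dst} is not mirrored on the other end")
    # 4. A NAT device in the path requires NAT traversal on both ends.
    if nat_between and not (a.nat_traversal and b.nat_traversal):
        problems.append("NAT device in path but NAT traversal not enabled on both ends")
    return problems


# Constructed records mirroring the thread: the AR still targets the old peer address.
AR = IpsecEnd("AR2240", "10.0.0.1", "172.x.x.2",
              {"version": 1, "enc": "aes-128", "auth": "sha1", "dh": 2},
              {"proto": "esp", "enc": "aes-128", "auth": "sha1"},
              {("192.168.1.0/24", "192.168.2.0/24")})
CISCO = IpsecEnd("Cisco", "192.168.104.10", "10.0.0.1",
                 {"version": 1, "enc": "aes-128", "auth": "sha1", "dh": 2},
                 {"proto": "esp", "enc": "aes-128", "auth": "sha1"},
                 {("192.168.2.0/24", "192.168.1.0/24")})

if __name__ == "__main__":
    for p in check_pair(AR, CISCO):
        print("MISMATCH:", p)
```

Running it reports only the peer-address mismatch; after the AR record is changed to peer 192.168.104.10 the list is empty, which is the state the thread reached before services recovered.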