AR device IPsec tunnel cannot come up normally

Latest reply: Oct 31, 2018 01:25:27

AR2240    V200R003C01SPC300

 

Topology:

[topology screenshot]

 

An IPSec Down fault occurred on the AR2240. The IPSec connection with the Cisco device at the xxx office failed. As a result, about 1000 xxx services were interrupted.

 

The network link is unreachable.

1. Remotely log in to the AR device and check the IPSec session: the SA negotiation fails. The device is configured with the tunnel peer address 172.x.x.2.

2. According to the debug analysis, the AR continuously initiates IPSec negotiation with the peer device at 172.x.x.2 but never receives a response packet from the peer. The debugging information is as follows:

The AR sends a negotiation packet.

[debug screenshot]

 

The AR retransmits the negotiation packet.

[debug screenshot]

 

The AR retransmits the negotiation packet again.

 

[debug screenshot]

3. Initially a link problem was suspected, so the AR device pinged the peer address for testing. The test results show that the link between the AR and that address is unreachable. Therefore, the first-line team and the customer were asked to solve the network link problem. The results of ping 172.x.x.2 are as follows:

 

 

[ping output screenshot]

 

Modify the tunnel configuration so that the connection succeeds.

1. After the customer solves the network link problem, IPSec negotiation between the AR and the Cisco device still fails:

 

[debug screenshot]

2. The customer finally confirms that the Cisco device interface address has been changed to 192.168.104.10, while the negotiation address currently configured on the AR is still 172.x.x.2. Cisco interface configuration information:

 

[Cisco interface configuration screenshot]

 

3. After the peer address on the AR is changed to 192.168.104.10, the tunnel is successfully established.

[screenshot]

 

[screenshot]

 

Customer business recovery

After the tunnel address is changed to 192.168.104.10, the IPSec negotiation succeeds. The customer's monitoring platform shows no tunnel alarm, and the ATM service is restored.

 

Root Cause:

The IP address used for the IPSec service changed, so the IPSec service was interrupted. After the IPSec configuration on the AR was modified, services were restored.

 

Solution:

After the IPSec tunnel is reconfigured, the IPSec tunnel is successfully restored.

Modify the IPSec tunnel configuration of the AR device:

[configuration screenshot]

Modified AR device IPSec tunnel configuration:

[configuration screenshot]

NOTE: The configuration of the IPSec tunnel link state is detected when the IPSec link is faulty.
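The diagnostic order used in the case above (retransmissions with no reply, then a ping to the peer, then a comparison of the configured peer address with the peer's actual interface address) written out as a small Python triage script. This is an added example, not part of the original post or any Huawei tool: the debug lines are constructed to resemble the send/retransmit sequence in the screenshots, 172.16.0.2 is a stand-in for the masked 172.x.x.2, and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed IKE debug excerpt (not real AR2240 output): the AR sends the first
# main-mode message to the configured peer and keeps retransmitting it; nothing
# ever comes back. 172.16.0.2 stands in for the masked 172.x.x.2 of the case.
DEBUG_NO_REPLY = """\
IKE: send MM1 to 172.16.0.2
IKE: retransmit MM1 to 172.16.0.2, retry 1
IKE: retransmit MM1 to 172.16.0.2, retry 2
IKE: retransmit MM1 to 172.16.0.2, retry 3
"""

# Constructed excerpt after the peer address was corrected: the peer answers.
DEBUG_WITH_REPLY = """\
IKE: send MM1 to 192.168.104.10
IKE: receive MM2 from 192.168.104.10
IKE: send MM3 to 192.168.104.10
"""

SEND_RE = re.compile(r"^IKE: (send|retransmit) \S+ to (\d+\.\d+\.\d+\.\d+)")
RECV_RE = re.compile(r"^IKE: receive \S+ from (\d+\.\d+\.\d+\.\d+)")


@dataclass
class DebugSummary:
    peer: Optional[str]   # address the AR is negotiating with
    sent: int             # fresh messages sent
    retransmits: int      # retransmissions of unanswered messages
    received: int         # messages received from the peer


def summarize_debug(text: str) -> DebugSummary:
    """Count sends, retransmits and replies in a debug excerpt."""
    peer, sent, retrans, recv = None, 0, 0, 0
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            peer = m.group(2)
            if m.group(1) == "send":
                sent += 1
            else:
                retrans += 1
        elif RECV_RE.match(line):
            recv += 1
    return DebugSummary(peer, sent, retrans, recv)


def triage(configured_peer: str, debug_text: str,
           peer_reachable: bool, peer_actual_address: str) -> str:
    """Return a finding code, checked in the order the case was worked."""
    s = summarize_debug(debug_text)
    if s.received > 0:
        # The peer answers, so transport is fine; anything still failing is in
        # the IKE/IPsec proposals, the pre-shared key or the protected flows.
        return "peer-responding"
    if not peer_reachable:
        # Step 3 of the case: retransmissions plus a failed ping = link problem.
        return "link-unreachable"
    if peer_actual_address != configured_peer:
        # The case's root cause: the peer's interface address had changed.
        return "peer-address-mismatch"
    # Reachable, right address, still silent: peer-side IKE config or filtering.
    return "peer-silent"


if __name__ == "__main__":
    print(triage("172.16.0.2", DEBUG_NO_REPLY, False, "172.16.0.2"))
    print(triage("172.16.0.2", DEBUG_NO_REPLY, True, "192.168.104.10"))
    print(triage("192.168.104.10", DEBUG_WITH_REPLY, True, "192.168.104.10"))
```

The three calls in the `__main__` block reproduce the three stages of the case: link unreachable, peer address mismatch, and a working negotiation once the AR's peer address was corrected. Reachability and the peer's actual address are passed in as values here because they come from a ping and from the customer's confirmation, not from the debug output.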

 


Created Oct 19, 2018 07:23:44 Helpful(1)

Hope all guys know about

IPSec Working Principles:

The security policy database (SPD) is the basis for the establishment of IPSec SAs and defines the data flows to be protected by IPSec. The security association database (SAD) stores all attributes of the IPSec SAs.

This section describes IPSec working principles using point-to-point unidirectional data transmission (in tunnel mode) as an example.

 

This post was last edited by Finn92 at 2018-10-31 08:46.
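A model of the SPD and SAD described in the reply above, as an added Python example that is not part of the post or of Huawei's documentation. It follows the RFC 4301 shape: an ordered SPD whose selectors pick the flows to protect, bypass or discard, and an SAD indexed by (SPI, destination, protocol); the sample entries, addresses and the "negotiate" result for a protected flow with no SA yet are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Selector:
    """Traffic selector: source and destination prefixes plus optional IP protocol."""
    src: str                       # CIDR
    dst: str                       # CIDR
    proto: Optional[int] = None    # None matches any IP protocol

    def matches(self, src_ip: str, dst_ip: str, proto: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.proto is None or self.proto == proto))


SaKey = Tuple[int, str, str]       # (SPI, outer destination, "esp"/"ah") indexes the SAD


@dataclass(frozen=True)
class SpdEntry:
    selector: Selector
    action: str                    # "protect", "bypass" or "discard"
    sa_key: Optional[SaKey] = None # which SA protects the flow, when action == "protect"


@dataclass(frozen=True)
class Sa:
    """One unidirectional SA and the attributes the SAD keeps for it (keys omitted)."""
    spi: int
    dst: str
    protocol: str
    mode: str                      # "tunnel" or "transport"
    encryption: str
    integrity: str
    remaining_bytes: int           # byte lifetime left before rekey


def outbound_lookup(spd: List[SpdEntry], sad: Dict[SaKey, Sa],
                    src_ip: str, dst_ip: str, proto: int):
    """First-match walk of the SPD, then SAD fetch for a protected flow.
    No SPD match means discard, as RFC 4301 requires."""
    for entry in spd:
        if entry.selector.matches(src_ip, dst_ip, proto):
            if entry.action != "protect":
                return entry.action, None
            sa = sad.get(entry.sa_key)
            if sa is None or sa.remaining_bytes <= 0:
                return "negotiate", None   # no usable SA yet: IKE must create one
            return "protect", sa
    return "discard", None


def inbound_lookup(sad: Dict[SaKey, Sa], spi: int, dst_ip: str, protocol: str) -> Optional[Sa]:
    """Inbound packets carry the SPI; with the outer destination and protocol it selects the SA."""
    return sad.get((spi, dst_ip, protocol))


# Constructed sample tables: outbound direction only, tunnel mode to peer 192.168.104.10.
SAMPLE_SPD = [
    SpdEntry(Selector("10.1.0.0/24", "10.2.0.0/24"), "protect", (0x1000, "192.168.104.10", "esp")),
    SpdEntry(Selector("10.1.0.0/24", "10.3.0.0/24"), "protect", (0x1001, "192.168.104.10", "esp")),
    SpdEntry(Selector("10.1.0.0/24", "10.1.0.0/24"), "bypass"),   # local traffic in the clear
]
SAMPLE_SAD = {
    # Only the first flow has a negotiated SA; the second will trigger negotiation.
    (0x1000, "192.168.104.10", "esp"): Sa(0x1000, "192.168.104.10", "esp",
                                          "tunnel", "aes128", "sha1", 1_000_000),
}

if __name__ == "__main__":
    print(outbound_lookup(SAMPLE_SPD, SAMPLE_SAD, "10.1.0.5", "10.2.0.9", 6))
    print(outbound_lookup(SAMPLE_SPD, SAMPLE_SAD, "10.1.0.5", "10.3.0.1", 6))
    print(outbound_lookup(SAMPLE_SPD, SAMPLE_SAD, "10.9.0.1", "10.2.0.9", 6))
```

The "negotiate" branch is the point where the case in this thread sits: the SPD already says the flow must be protected, but until IKE succeeds with the correct peer address no SA exists in the SAD, so the traffic is held or dropped and the service is interrupted.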

Created Oct 19, 2018 07:26:41 Helpful(1)

Very clear, very good. It is very useful for me. Troubleshooting of IPsec issues is normally very hard; this case is very clear and can guide us step by step. This is very important for troubleshooting. :)

Created Oct 23, 2018 03:44:10 Helpful(1)

Thanks :)

Created Oct 24, 2018 01:01:53 Helpful(1)

Check the transmission distance of the optical module, and determine whether the optical fiber length is within the allowed transmission distance range of the optical module based on the optical fiber type. In the preceding command output, the transmission distance supported by OM1 optical fibers is 30 m. If the actual transmission distance exceeds 30 m, use an optical fiber with a longer transmission distance.
This post was last edited by littlestone at 2018-10-31 05:56.

Created Oct 26, 2018 06:16:26 Helpful(0)

Very clear, very good. It is very useful for me. Troubleshooting of IPsec issues is normally very hard; this case is very clear and can guide us step by step. This is very important for troubleshooting.
This post was last edited by GongXiaochuan at 2018-10-30 05:57.

Created Oct 26, 2018 06:18:19 Helpful(0)

The procedure and roadmap for configuring IPsec are similar:
  • Configure interfaces.
  • Configure security policies to allow specific subnets to communicate.
  • Create a static route to the peer end.
  • Configure the IPSec policy, including basic IPSec policy information, the data flow to be protected by IPSec, and proposal parameters for security association negotiation.
This post was last edited by SupperRobin at 2018-10-31 06:33.

Created Oct 26, 2018 06:19:13 Helpful(0)

The following should be noted! Hope everyone knows this.

The maximum length of a command (including the incomplete command) to be entered is 512 characters. If a command in incomplete form is configured, the system saves the command to the configuration file in its complete form, which may cause the command to have more than 512 characters. In this case, the command in incomplete form cannot be restored after the system restarts. Therefore, when you configure a command in incomplete form, pay attention to the length of the command.
This post was last edited by Torrent at 2018-10-31 06:48.

Created Oct 26, 2018 07:01:57 Helpful(0)

Thanks for your sharing, which is wonderful guidance. I am really interested in this article, which is useful for us to improve product technology and become professional engineers.
I hope that you can keep posting new knowledge and skills; I will always keep an eye on your sharing.

Created Oct 27, 2018 08:34:19 Helpful(0)

Usually for IPsec problems, we just need to make sure the IKE/IPsec parameters match on both ends, and then it will be OK.

In addition, we need to consider whether there is any NAT device between them; if so, we need to configure NAT traversal.

This post was last edited by No.9527 at 2018-10-31 03:04.
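A Python check for the two points raised in the reply above and in SupperRobin's configuration roadmap: compare the IKE and IPsec proposal parameters on both ends field by field, and flag when a NAT sits between the peers so that NAT traversal has to be enabled. This is an added example, not code from the thread or from Huawei or Cisco; the vendor-name normalisation table, the sample proposals and the addresses are constructed, and the rule that lifetime differences are only a warning reflects IKEv1 peers generally settling on the shorter value rather than any one vendor's documented behaviour.

```python
import ipaddress
from dataclasses import dataclass, fields
from typing import Dict, List, Tuple

# Constructed normalisation table: the same algorithm is spelled differently on
# the two ends (Huawei-style on the left side of the case, Cisco-style on the
# other). Extend it from the two command references before relying on it.
CANON = {
    "aes-cbc-128": "aes128", "aes-128": "aes128", "aes 128": "aes128", "esp-aes": "aes128",
    "sha1": "sha1", "sha": "sha1", "esp-sha-hmac": "sha1",
    "pre-share": "psk", "pre-shared": "psk", "psk": "psk",
}


def canon(value):
    """Map a vendor spelling to a canonical name; non-strings pass through."""
    if isinstance(value, str):
        key = value.strip().lower()
        return CANON.get(key, key)
    return value


@dataclass(frozen=True)
class IkeProposal:
    auth_method: str
    encryption: str
    integrity: str
    dh_group: int
    lifetime_s: int


@dataclass(frozen=True)
class IpsecProposal:
    protocol: str     # "esp" or "ah"
    encryption: str
    integrity: str
    mode: str         # "tunnel" or "transport"
    pfs_group: int    # 0 = no PFS


def proposal_mismatches(local, remote, soft=("lifetime_s",)) -> Tuple[List[str], List[str]]:
    """Field-by-field comparison after normalisation. Fields listed in `soft`
    are reported as warnings; every other difference will fail negotiation."""
    hard, warn = [], []
    for f in fields(local):
        a, b = canon(getattr(local, f.name)), canon(getattr(remote, f.name))
        if a != b:
            (warn if f.name in soft else hard).append(f"{f.name}: local={a} remote={b}")
    return hard, warn


def nat_between(local_tunnel_addr: str, addr_seen_by_peer: str) -> bool:
    """If the peer sees our IKE packets arriving from a different source than
    our tunnel interface address, a NAT sits in the path: enable NAT traversal."""
    return ipaddress.ip_address(local_tunnel_addr) != ipaddress.ip_address(addr_seen_by_peer)


def review_pair(local_ike, remote_ike, local_ipsec, remote_ipsec,
                local_addr: str, addr_seen_by_peer: str) -> Dict[str, object]:
    ike_hard, ike_warn = proposal_mismatches(local_ike, remote_ike)
    ipsec_hard, _ = proposal_mismatches(local_ipsec, remote_ipsec, soft=())
    return {
        "ike_hard": ike_hard,
        "ike_warn": ike_warn,
        "ipsec_hard": ipsec_hard,
        "nat_traversal_required": nat_between(local_addr, addr_seen_by_peer),
        "expected_to_negotiate": not ike_hard and not ipsec_hard,
    }


# Constructed sample pair: identical intent, different spellings, one real mismatch (DH group).
AR_IKE = IkeProposal("pre-share", "aes-cbc-128", "sha1", 2, 86400)
CISCO_IKE = IkeProposal("pre-share", "aes 128", "sha", 14, 28800)
AR_IPSEC = IpsecProposal("esp", "aes-128", "sha1", "tunnel", 0)
CISCO_IPSEC = IpsecProposal("esp", "esp-aes", "esp-sha-hmac", "tunnel", 0)

if __name__ == "__main__":
    for k, v in review_pair(AR_IKE, CISCO_IKE, AR_IPSEC, CISCO_IPSEC,
                            "10.1.1.1", "203.0.113.5").items():
        print(f"{k}: {v}")
```

Normalising before comparing matters in practice: without it the encryption and integrity names in the sample would all show up as mismatches and bury the one difference (the DH group) that actually stops phase 1. The NAT check takes the source address the peer reports seeing because that is the only reliable indicator; whether either tunnel address is private says nothing by itself, as the 192.168.104.10 peer in this case shows.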
