Security and VPN: IPSec Negotiation/IKE Protocols

Configuring IPSec Redundancy over ISDN Using Dialer Watch

September 19, 2015 - Machine Translation




Introduction

This document provides a sample configuration for encrypting traffic from the network behind Router 1 to the network behind Router 2 (the Loopback 0 interfaces are used as the networks in this example). If the primary link (Ethernet) between Router 1 and Router 2 goes down, the IP Security (IPsec) traffic continues to flow through the secondary link (ISDN). There are several ways to achieve this goal; you can use Dialer Watch, backup interface, demand circuit, and floating static. This sample configuration demonstrates the dialer watch mechanism. For information on the other features, refer to Evaluating Backup Interfaces, Floating Static Routes, and Dialer Watch for DDR Backup.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2621 and 3640 Routers

  • Cisco IOS® Software Release 12.3(3)

The information in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command before you use it.

Conventions

For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Configure

In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the Command Lookup Tool (registered customers only).

Network Diagram

This document uses the network setup shown in this diagram:

[Figure: network diagram, ipsec_dialerwatch_01.gif]

Configurations

This document uses the configurations shown here:

Router 1 (2621)
r1#show running-config
Building configuration...
 
Current configuration : 2244 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
username r2 password 0 cisco

!--- This is the username for remote router (Router 2) 
!--- and shared secret. Shared secret (used for Challenge Handshake 
!--- Authentication Protocol [CHAP]) must be the same on both sides.

no aaa new-model
ip subnet-zero
ip tcp synwait-time 5
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 222.222.222.222
!
!
crypto ipsec transform-set abc esp-des esp-md5-hmac
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 222.222.222.222

!--- Peer address, Loopback 1 of Router 2

 set transform-set abc
 match address 101

!--- Networks to encrypt (Loopback 0 on both ends)

!
isdn switch-type basic-ts013
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0

!--- Network to encrypt

 ip address 11.11.11.11 255.255.255.0
!
interface Loopback1

!--- Used for peer address for IPSec

 ip address 111.111.111.111 255.255.255.0
!
interface FastEthernet0/0

!--- Primary link

 ip address 10.1.1.1 255.255.255.0
 no ip route-cache

!--- Enable process switching

 no ip mroute-cache
 duplex auto
 speed auto
 crypto map cisco

!--- Apply crypto map on primary interface

!
interface BRI0/0
 no ip address
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ts013
 no cdp enable
!
interface Dialer1

!--- Backup link

 ip address 20.1.1.1 255.255.255.0
 encapsulation ppp
 no ip route-cache

!--- Enable process switching

 ip ospf cost 9999

!--- Increase the cost so that when primary comes up again,
!--- Open Shortest Path First (OSPF) routes are
!--- preferred using the primary link (due to better cost).

 no ip mroute-cache
 dialer idle-timeout 180
 dialer pool 1
 dialer string 94134028
 dialer watch-group 1

!--- Enable dialer watch on this backup interface.
!--- Watch the route specified with the dialer watch-list 1 command.

 dialer-group 1

!--- Apply interesting traffic defined in dialer list 1.

 no peer neighbor-route
 ppp authentication chap
 crypto map cisco

!--- Apply crypto map on backup interface.

!
router ospf 1

!--- OSPF advertising Loopback 0, Loopback 1, 
!--- primary, and secondary links.

 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 11.11.11.0 0.0.0.255 area 0
 network 20.1.1.0 0.0.0.255 area 0
 network 111.111.111.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
access-list 101 permit ip host 11.11.11.11 host 22.22.22.22

!--- Access control list (ACL) 101 is the
!--- IPSec traffic used in match address.

access-list 110 deny   ip any any

!--- ACL 110 is for the dialer list to mark 
!--- all IP traffic uninteresting. The dialer watch will 
!--- trigger the ISDN backup when the route is lost.

dialer watch-list 1 ip 222.222.222.222 255.255.255.255

!--- This defines the route(s) to be watched.
!--- This exact route (including subnet mask) 
!--- must exist in the routing table.
!--- Use the dialer watch-group 1 command to apply this
!--- list to the backup interface.

dialer watch-list 1 delay route-check initial 10
dialer-list 1 protocol ip list 110

!--- Interesting traffic is defined by ACL 110.
!--- This is applied to Dialer1 using dialer group 1.

!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 escape-character 27
line aux 0
line vty 0 4
 login
!
end

Router 2 (3640)
r2#show running-config
Building configuration...
 
Current configuration : 2311 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
username r1 password 0 cisco

!--- This is the username for remote router (Router 1) 
!--- and shared secret. Shared secret (used for CHAP)
!--- must be the same on both sides.

no aaa new-model
ip subnet-zero
ip tcp synwait-time 5
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 111.111.111.111
!
!
crypto ipsec transform-set abc esp-des esp-md5-hmac
!
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 111.111.111.111

!--- Peer address, Loopback 1 of Router 1

 set transform-set abc
 match address 101

!--- Networks to encrypt (Loopback 0 on both ends)

!
isdn switch-type basic-ts013
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0
 ip address 22.22.22.22 255.255.255.0

!--- Network to encrypt

!
interface Loopback1
 ip address 222.222.222.222 255.255.255.0

!--- Used for peer address for IPSec.

!
interface BRI0/0
 no ip address
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ts013
!
interface Ethernet0/0

!--- Primary link

 ip address 10.1.1.2 255.255.255.0
 no ip route-cache

!--- Enable process switching.

 no ip mroute-cache
 half-duplex
 crypto map cisco

!--- Apply crypto map on primary interface.

!
interface Dialer1
 ip address 20.1.1.2 255.255.255.0
 encapsulation ppp
 no ip route-cache
 ip ospf cost 9999
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 600
 dialer remote-name r1

!--- Dialer for the BRI interface of the remote router 
!--- without a dial string.

 dialer-group 1

!--- Apply interesting traffic defined in dialer list 1.

 ppp authentication chap
 crypto map cisco

!--- Apply crypto map on backup interface.

!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 20.1.1.0 0.0.0.255 area 0
 network 22.22.22.0 0.0.0.255 area 0
 network 222.222.222.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip classless
!
!
access-list 101 permit ip host 22.22.22.22 host 11.11.11.11
access-list 110 deny   ospf any any

!--- Mark OSPF as uninteresting.
!--- This will not allow OSPF hellos 
!--- to try to bring the link up.

access-list 110 permit ip any any
dialer-list 1 protocol ip list 110

!--- Interesting traffic is defined by ACL 110.
!--- This is applied to Dialer1 using dialer group 1.

!
line con 0
 exec-timeout 0 0
 logging synchronous
 escape-character 27
line aux 0
line vty 0 4
 login
!
end
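
The configurations above only keep IPsec working across a failover if the route in dialer watch-list is the exact host route of the IPsec peer and the crypto map is also applied on the backup interface. The Python check below is an added example, not part of the original Cisco document: it verifies both conditions on a constructed excerpt of the Router 1 configuration and flags the lab-grade crypto choices visible in it (DES, MD5, and the CHAP secret reused as the ISAKMP pre-shared key). The finding IDs and function names are made up for this example, and it assumes the classic IOS ISAKMP defaults (DES, DH group 1) when a policy leaves them unset.

```python
import re

# Constructed excerpt: the Router 1 lines from the configuration above that the checks read.
R1_CONFIG = """\
username r2 password 0 cisco
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 222.222.222.222
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map cisco 10 ipsec-isakmp
 set peer 222.222.222.222
 set transform-set abc
 match address 101
interface FastEthernet0/0
 crypto map cisco
interface Dialer1
 dialer watch-group 1
 dialer-group 1
 crypto map cisco
dialer watch-list 1 ip 222.222.222.222 255.255.255.255
"""

def sections(text):
    """Return [(top_level_command, [sub_commands])]; '!' lines and blanks are skipped."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] != " ":
            out.append((raw.rstrip(), []))
        elif out:
            out[-1][1].append(raw.strip())
    return out

def audit(text):
    """Return sorted finding IDs (hypothetical names) for one router configuration."""
    secs, found = sections(text), set()
    tops = [top for top, _ in secs]
    peers = {s.split()[2] for _, sub in secs for s in sub if s.startswith("set peer ")}
    watched = {}  # watch-list number -> {(address, mask)}
    for top in tops:
        m = re.match(r"dialer watch-list (\d+) ip (\S+) (\S+)$", top)
        if m:
            watched.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
    for top, sub in secs:
        groups = [s.split()[2] for s in sub if s.startswith("dialer watch-group ")]
        if top.startswith("interface ") and groups:
            # The watched route must be the exact host route of every IPsec peer.
            routes = watched.get(groups[0], set())
            if any((p, "255.255.255.255") not in routes for p in peers):
                found.add("peer-not-watched")
            # Without the crypto map on the backup interface, traffic matching the
            # crypto ACL leaves over ISDN unencrypted after failover.
            if not any(s.startswith("crypto map ") for s in sub):
                found.add("backup-no-crypto-map")
        if top.startswith("crypto isakmp policy "):
            enc = [s for s in sub if s.startswith("encr")]
            grp = [s for s in sub if s.startswith("group ")]
            # Assumption: classic IOS defaults (DES, DH group 1) apply when unset.
            if not enc or enc[0].split()[1] == "des":
                found.add("ike-des")
            if not grp or grp[0] == "group 1":
                found.add("ike-dh-group1")
            if "hash md5" in sub:
                found.add("ike-md5")
        if top.startswith("crypto ipsec transform-set "):
            algos = top.split()[4:]
            if "esp-des" in algos:
                found.add("esp-des")
            if "esp-md5-hmac" in algos:
                found.add("esp-md5")
    # The page uses the same string for the CHAP secret and the ISAKMP pre-shared key.
    chap = {t.split()[-1] for t in tops if re.match(r"username \S+ password ", t)}
    psk = {t.split()[3] for t in tops if t.startswith("crypto isakmp key ")}
    if chap & psk:
        found.add("psk-equals-chap-secret")
    return sorted(found)

if __name__ == "__main__":
    print(audit(R1_CONFIG))
```

Router 2 has no dialer watch-group, so the two failover checks are skipped for it and only the crypto findings apply.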

Verify

This section provides information you can use to confirm that your configuration works properly.

Sample Command Output

The Output Interpreter Tool (registered customers only) supports certain show commands, which allows you to view an analysis of show command output.

  • Router 1 (2621) routing table — primary link up

    r1#show ip route
     
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, 
           L2 - IS-IS level-2, ia - IS-IS inter area, 
           * - candidate default, U - per-user static route,
           o - ODR, P - periodic downloaded static route
     
    Gateway of last resort is not set
     
         222.222.222.0/32 is subnetted, 1 subnets
    O       222.222.222.222 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0
          20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/32 is subnetted, 1 subnets
    O       22.22.22.22 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0
         111.0.0.0/24 is subnetted, 1 subnets
    C       111.111.111.0 is directly connected, Loopback1
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, FastEthernet0/0
         11.0.0.0/24 is subnetted, 1 subnets
    C       11.11.11.0 is directly connected, Loopback0
  • Router 2 (3640) routing table — primary link up

    r2#show ip route
     
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, 
           L2 - IS-IS level-2, ia - IS-IS inter area, 
           * - candidate default, U - per-user static route,
           o - ODR, P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
    C    222.222.222.0/24 is directly connected, Loopback1
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/24 is subnetted, 1 subnets
    C       22.22.22.0 is directly connected, Loopback0
         111.0.0.0/32 is subnetted, 1 subnets
    O       111.111.111.111 [110/11] via 10.1.1.1, 00:06:22, Ethernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, Ethernet0/0
         11.0.0.0/32 is subnetted, 1 subnets
    O       11.11.11.11 [110/11] via 10.1.1.1, 00:06:23, Ethernet0/0
    
  • Router 1 (2621) OSPF neighbor — primary link up

    r1#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address    Interface
    222.222.222.222   1   FULL/DR    00:00:33    10.1.1.2   FastEthernet0/0
    
  • Router 2 (3640) OSPF neighbor — primary link up

    r2#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address    Interface
    111.111.111.111   1   FULL/BDR   00:00:31    10.1.1.1   Ethernet0/0
    
  • Router 1 (2621) routing table — primary link down

    r1#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, 
           ia - IS-IS inter area, * - candidate default, 
           U - per-user static route, o - ODR,
           P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
         222.222.222.0/32 is subnetted, 1 subnets
    O       222.222.222.222 [110/10000] via 20.1.1.2, 00:00:09, Dialer1
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, BRI0/0
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/32 is subnetted, 1 subnets
    O       22.22.22.22 [110/10000] via 20.1.1.2, 00:00:09, Dialer1
         111.0.0.0/24 is subnetted, 1 subnets
    C       111.111.111.0 is directly connected, Loopback1
         10.0.0.0/24 is subnetted, 1 subnets
    O       10.1.1.0 [110/10009] via 20.1.1.2, 00:00:09, Dialer1
         11.0.0.0/24 is subnetted, 1 subnets
    C       11.11.11.0 is directly connected, Loopback0
  • Router 2 (3640) routing table — primary link down

    r2#show ip route
     
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, 
           ia - IS-IS inter area, * - candidate default, 
           U - per-user static route, o - ODR,
           P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
    C    222.222.222.0/24 is directly connected, Loopback1
         20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       20.1.1.0/24 is directly connected, Dialer1
    C       20.1.1.1/32 is directly connected, Dialer1
         22.0.0.0/24 is subnetted, 1 subnets
    C       22.22.22.0 is directly connected, Loopback0
         111.0.0.0/32 is subnetted, 1 subnets
    O       111.111.111.111 [110/10000] via 20.1.1.1, 00:00:07, Dialer1
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, Ethernet0/0
         11.0.0.0/32 is subnetted, 1 subnets
    O       11.11.11.11 [110/10000] via 20.1.1.1, 00:00:08, Dialer1
    
  • Router 1 (2621) OSPF neighbor — primary link down

    r1#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address     Interface
    222.222.222.222   0   FULL/  -   00:00:32    20.1.1.2    Dialer1
    
  • Router 2 (3640) OSPF neighbor — primary link down

    r2#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address     Interface
    111.111.111.111   0   FULL/  -   00:00:31    20.1.1.1    Dialer1
    

The debug dialer output and the several show command outputs shown here show the primary link as failed, and Dialer Watch recognizes the lost route. The router then initiates the backup link and OSPF converges across the secondary link. Every time the idle timeout expires, the router checks whether the primary link is down. If the primary link is found to be up, Dialer Watch disconnects the backup link after the disable timer expires and tears down the call, and OSPF converges over the primary link as usual.

These are the debug and show command outputs from Router 1 (2621) when the primary link goes down and is brought up again.

r1#show debug
Dial on demand:
  Dial on demand events debugging is on

r1#
03:00:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, 
   changed state to down

!--- Primary link was brought down manually when you disable the switch ports.

03:00:21: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
   from FULL to DOWN, Neighbor Down: Interface down or detached

!--- Primary link goes down.
!--- OSPF loses neighbor adjacency.

r1#

!--- Dialer watch kicks in.

03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: BR0/0 DDR: rotor dialout [best] 
   least recent failure is also most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best] also has most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best]
03:00:21: DDR:    dialing secondary by dialer string 94134028 on Di1
03:00:21: BR0/0 DDR: Attempting to dial 94134028
03:00:21: DDR: Dialer Watch: watch-group = 1
r1#
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 82 changed to up
03:00:94489280514: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
03:00:94489280516: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:00:94489280512: BR0/0:1: interface must be fifo queue, force fifo
03:00:94489280512: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
r1#
03:00:22: BR0/0:1 DDR: Remote name for r2
03:00:22: BR0/0:1 DDR: dialer protocol up
03:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, 
   changed state to up
r1#
03:00:28: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 94134028 r2

!--- Backup link is now connected to Router 2.

r1#
03:00:31: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1 
   from LOADING to FULL, Loading Done

!--- OSPF converges over the backup link.

r1#
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String   Successes   Failures   Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss

!--- Dial reason is the lost route.

Interface bound to profile Di1
Time until disconnect 154 secs

!--- Idle timeout is ticking.

Current call connected 00:00:25
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String      Successes   Failures    Last DNIS   Last status
94134028                45         24    00:00:27       successful   Default
r1#show isdn active
-----------------------------------------------------------------------------
                                ISDN ACTIVE CALLS
-----------------------------------------------------------------------------
Call    Calling     Called     Remote  Seconds Seconds Seconds Charges
Type    Number      Number     Name    Used    Left    Idle    Units/Currency
-----------------------------------------------------------------------------
Out   ---N/A---   94134028         r2       37     142      37      0        
-----------------------------------------------------------------------------
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String      Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 47 secs

!--- Idle timeout is ticking.

Current call connected 00:02:12
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:02:14    successful   Default
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String      Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 0 secs

!--- Idle timeout is ticking.

Current call connected 00:02:59
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:03:05    successful   Default
r1#
03:03:22: BR0/0:1 DDR: idle timeout

!--- Idle timed out.
!--- Dialer watch checks lost routes again and
!--- resets the idle time since primary is not up yet.

03:03:22: DDR: Dialer Watch: watch-group = 1
03:03:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:03:22: DDR:    primary DOWN

!--- Primary link is still down.

r1#
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String    Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 154 secs

!--- Idle timeout was reset by dialer watch.

Current call connected 00:03:25
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:03:28    successful   Default
r1#
03:04:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
   changed state to up

!--- Primary link was brought up manually when the switch ports are enabled.

r1#
r1#
03:05:50: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
   from LOADING to FULL, Loading Done
r1#
r1#show ip ospf neigh
 
Neighbor ID     Pri   State      Dead Time   Address     Interface
222.222.222.222   0   FULL/  -   00:00:02    20.1.1.2    Dialer1

!--- OSPF over secondary link is still up because
!--- the call is not terminated yet, waiting for idle timeout.

222.222.222.222   1   FULL/DR    00:00:38    10.1.1.2    FastEthernet0/0

!--- OSPF now starts to converge over the primary link.

r1#
r1#show ip route 222.222.222.222

!--- The watched route is now learned through the primary link.
!--- Check the cost.

Routing entry for 222.222.222.222/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 10.1.1.2 on FastEthernet0/0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 10.1.1.2, from 222.222.222.222, 00:00:16 ago, via FastEthernet0/0
      Route metric is 2, traffic share count is
r1#
03:06:22: BR0/0:1 DDR: idle timeout

!--- Idle timed out.
!--- Dialer watch checks lost routes. Since primary is up,
!--- it tears down the call.

03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR:    primary UP
03:06:22: BR0/0:1 DDR: disconnecting call
03:06:22: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR:    primary UP
03:06:22: %ISDN-6-DISCONNECT: Interface BRI0/0:1  
   disconnected from 94134028 r2,
   call lasted 360 seconds
03:06:96677768412: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
03:06:94489281195: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
r1#
03:06:94489280544: %DIALER-6-UNBIND: Interface BR0/0:1 
   unbound from profile Di1
03:06:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,
   changed state to down
r1#
03:06:37: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, 
   TEI 82 changed to down
r1#
03:07:01: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1 
   from FULL to DOWN, Neighbor Down: Dead timer expired

!--- OSPF neighbor is down because the secondary link is down.
!--- Dead timer has expired.

r1#
r1#show ip ospf neigh
 
Neighbor ID     Pri   State       Dead Time   Address     Interface
222.222.222.222   1   FULL/DR     00:00:38    10.1.1.2    FastEthernet0/0

!--- OSPF neighbor is through the primary link only.

r1#u all
All possible debugging has been turned off
r1#
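
The failover and failback sequence in the output above can be timed directly from the debug lines. This Python parser is an added example, not part of the original Cisco document: it joins wrapped messages, tolerates the overflowed uptime stamps seen above, and reports how long the watched peer route was absent and how long the ISDN call stayed up after OSPF reconverged on the primary link. The sample log is a constructed subset of the page's output, and the function and key names are made up here.

```python
import re

# Constructed sample: a subset of the Router 1 debug lines shown above, keeping wrapped
# messages and one stamp whose seconds field overflowed (03:00:94489280514).
R1_DEBUG = """\
03:00:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
   changed state to down
03:00:21: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
03:00:21: BR0/0 DDR: Attempting to dial 94134028
03:00:94489280514: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
03:00:31: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1
   from LOADING to FULL, Loading Done
03:03:22: BR0/0:1 DDR: idle timeout
03:04:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
   changed state to up
03:05:50: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
   from LOADING to FULL, Loading Done
03:06:22: BR0/0:1 DDR: idle timeout
03:06:22: BR0/0:1 DDR: disconnecting call
"""

STAMP = re.compile(r"^(\d+):(\d+):(\d+): (.*)$")

def messages(text):
    """Return [[uptime_seconds, message]]; indented lines are joined to the previous message."""
    out = []
    for raw in text.splitlines():
        m = STAMP.match(raw)
        if m:
            h, mi, s = (int(g) for g in m.groups()[:3])
            if s < 60:
                t = h * 3600 + mi * 60 + s
            else:
                # An out-of-range seconds field cannot be trusted: reuse the last good time.
                t = out[-1][0] if out else h * 3600 + mi * 60
            out.append([t, m.group(4).strip()])
        elif raw.startswith(" ") and out:
            out[-1][1] += " " + raw.strip()
    return out

def failover_report(text, primary="FastEthernet0/0", backup="Dialer1"):
    """Time the failover and failback seen by one router (interface names are parameters)."""
    pats = {
        "primary_down": rf"Interface {re.escape(primary)}, changed state to down",
        "backup_full": rf"ADJCHG: .* on {re.escape(backup)} from LOADING to FULL",
        "primary_full": rf"ADJCHG: .* on {re.escape(primary)} from LOADING to FULL",
        "hangup": r"DDR: disconnecting call",
    }
    first, idle_checks = {}, 0
    for t, msg in messages(text):
        if msg.endswith("DDR: idle timeout"):
            idle_checks += 1  # each expiry is a point where Dialer Watch re-checks the route
        for name, pat in pats.items():
            if name not in first and re.search(pat, msg):
                first[name] = t

    def gap(start, end):
        # None means the log never showed the event, e.g. the backup never converged.
        return first[end] - first[start] if start in first and end in first else None

    return {
        "route_gap_s": gap("primary_down", "backup_full"),   # peer route absent
        "backup_hold_s": gap("primary_full", "hangup"),      # ISDN kept up after failback
        "idle_checks": idle_checks,
    }

if __name__ == "__main__":
    print(failover_report(R1_DEBUG))
```

A `route_gap_s` of `None` on a real capture means OSPF never reached FULL over the backup interface, which is the case to alert on because the IPsec peer address stayed unreachable.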

Troubleshooting

This section provides information you can use to troubleshoot your configuration. For information on how to troubleshoot general problems with ISDN Layers 1, 2, and 3, refer to Using the show isdn status Command for BRI Troubleshooting.

Troubleshooting Commands

The Output Interpreter Tool (registered customers only) supports certain show commands, which allows you to view an analysis of show command output.

Note: Before you issue debug commands, refer to Important Information on Debug Commands.

These debug commands can be run on both IPsec peers.

  • debug crypto isakmp — Displays errors during Phase 1.

  • debug crypto ipsec — Displays errors during Phase 2.

  • debug crypto engine — Displays information from the crypto engine.

These show commands can be run on both IPsec peers.

  • show crypto isakmp sa — Displays all current Internet Key Exchange (IKE) security associations (SAs) at a peer.

  • show crypto ipsec sa — Displays the settings used by current [IPSec] SAs.

  • show crypto engine connections active — Displays current connections and information about encrypted and decrypted packets.

These clear commands can be used to clear SAs.

  • clear crypto isakmp — Clears the Phase 1 security associations.

  • clear crypto sa — Clears the Phase 2 security associations.

Document ID: 23100