Security and VPN: IPSec Negotiation/IKE Protocols

Configuring IPSec Redundancy over ISDN Using Dialer Watch

October 27, 2016 (machine translation of the English version dated August 22, 2015; a human-translated version is dated December 26, 2003)


Introduction

This document describes a sample configuration for encrypting traffic from the network behind Router 1 to the network behind Router 2 (in this example, Loopback 0 is used as the network). If the primary link (Ethernet) between Router 1 and Router 2 goes down, IP Security (IPSec) traffic continues to flow over the secondary link (ISDN). There are several ways to achieve this goal: dialer watch, backup interfaces, demand circuits, and floating static routes can all be used. This sample configuration describes the dialer watch mechanism. For details on the other features, refer to Comparison of Backup Interfaces, Floating Static Routes, and Dialer Watch for DDR Backup.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2621 and 3640 routers

  • Cisco IOS(R) Software Release 12.3(3)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command before you use it.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents the information needed to configure the features described in this document.

Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this document.

Network Diagram

This document uses the network setup shown in this diagram.

[Network diagram: /image/gif/paws/23100/ipsec_dialerwatch_01.gif]

Configurations

This document uses these configurations:

Router 1 (2621)
r1#show running-config
Building configuration...
 
Current configuration : 2244 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
username r2 password 0 cisco

!--- This is the username for remote router (Router 2) 
!--- and shared secret. Shared secret (used for Challenge Handshake 
!--- Authentication Protocol [CHAP]) must be the same on both sides.

no aaa new-model
ip subnet-zero
ip tcp synwait-time 5
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 222.222.222.222
!
!
crypto ipsec transform-set abc esp-des esp-md5-hmac
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 222.222.222.222

!--- Peer address, Loopback 1 of Router 2

 set transform-set abc
 match address 101

!--- Networks to encrypt (Loopback 0 on both ends)

!
isdn switch-type basic-ts013
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0

!--- Network to encrypt

 ip address 11.11.11.11 255.255.255.0
!
interface Loopback1

!--- Used for peer address for IPSec

 ip address 111.111.111.111 255.255.255.0
!
interface FastEthernet0/0

!--- Primary link

 ip address 10.1.1.1 255.255.255.0
 no ip route-cache

!--- Enable process switching

 no ip mroute-cache
 duplex auto
 speed auto
 crypto map cisco

!--- Apply crypto map on primary interface

!
interface BRI0/0
 no ip address
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ts013
 no cdp enable
!
interface Dialer1

!--- Backup link

 ip address 20.1.1.1 255.255.255.0
 encapsulation ppp
 no ip route-cache

!--- Enable process switching

 ip ospf cost 9999

!--- Increase the cost so that when primary comes up again,
!--- Open Shortest Path First (OSPF) routes are
!--- preferred using the primary link (due to better cost).

 no ip mroute-cache
 dialer idle-timeout 180
 dialer pool 1
 dialer string 94134028
 dialer watch-group 1

!--- Enable dialer watch on this backup interface.
!--- Watch the route specified with the dialer watch-list 1 command.

 dialer-group 1

!--- Apply interesting traffic defined in dialer list 1.

 no peer neighbor-route
 ppp authentication chap
 crypto map cisco

!--- Apply crypto map on backup interface.

!
router ospf 1

!--- OSPF advertising Loopback 0, Loopback 1, 
!--- primary, and secondary links.

 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 11.11.11.0 0.0.0.255 area 0
 network 20.1.1.0 0.0.0.255 area 0
 network 111.111.111.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
access-list 101 permit ip host 11.11.11.11 host 22.22.22.22

!--- Access control list (ACL) 101 is the
!--- IPSec traffic used in match address.

access-list 110 deny   ip any any

!--- ACL 110 is for the dialer list to mark 
!--- all IP traffic uninteresting. The dialer watch will 
!--- trigger the ISDN backup when the route is lost.

dialer watch-list 1 ip 222.222.222.222 255.255.255.255

!--- This defines the route(s) to be watched.
!--- This exact route (including subnet mask) 
!--- must exist in the routing table.
!--- Use the dialer watch-group 1 command to apply this
!--- list to the backup interface.

dialer watch-list 1 delay route-check initial 10
dialer-list 1 protocol ip list 110

!--- Interesting traffic is defined by ACL 110.
!--- This is applied to Dialer1 using dialer group 1.

!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 escape-character 27
line aux 0
line vty 0 4
 login
!
end

Router 2 (3640)
r2#show running-config
Building configuration...
 
Current configuration : 2311 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
username r1 password 0 cisco

!--- This is the username for remote router (Router 1) 
!--- and shared secret. Shared secret (used for CHAP)
!--- must be the same on both sides.

no aaa new-model
ip subnet-zero
ip tcp synwait-time 5
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 111.111.111.111
!
!
crypto ipsec transform-set abc esp-des esp-md5-hmac
!
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 111.111.111.111

!--- Peer address, Loopback 1 of Router 1

 set transform-set abc
 match address 101

!--- Networks to encrypt (Loopback 0 on both ends)

!
isdn switch-type basic-ts013
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0
 ip address 22.22.22.22 255.255.255.0

!--- Network to encrypt

!
interface Loopback1
 ip address 222.222.222.222 255.255.255.0

!--- Used for peer address for IPSec.

!
interface BRI0/0
 no ip address
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ts013
!
interface Ethernet0/0

!--- Primary link

 ip address 10.1.1.2 255.255.255.0
 no ip route-cache

!--- Enable process switching.

 no ip mroute-cache
 half-duplex
 crypto map cisco

!--- Apply crypto map on primary interface.

!
interface Dialer1
 ip address 20.1.1.2 255.255.255.0
 encapsulation ppp
 no ip route-cache
 ip ospf cost 9999
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 600
 dialer remote-name r1

!--- Dialer for the BRI interface of the remote router 
!--- without a dial string.

 dialer-group 1

!--- Apply interesting traffic defined in dialer list 1.

 ppp authentication chap
 crypto map cisco

!--- Apply crypto map on backup interface.

!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 20.1.1.0 0.0.0.255 area 0
 network 22.22.22.0 0.0.0.255 area 0
 network 222.222.222.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip classless
!
!
access-list 101 permit ip host 22.22.22.22 host 11.11.11.11
access-list 110 deny   ospf any any

!--- Mark OSPF as uninteresting.
!--- This will not allow OSPF hellos 
!--- to try to bring the link up.

access-list 110 permit ip any any
dialer-list 1 protocol ip list 110

!--- Interesting traffic is defined by ACL 110.
!--- This is applied to Dialer1 using dialer group 1.

!
line con 0
 exec-timeout 0 0
 logging synchronous
 escape-character 27
line aux 0
line vty 0 4
 login
!
end
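The script below is an added example, not code from Cisco's document or from IOS. It cross-checks the two running-configs above for the pairings this design depends on: each router's ISAKMP key address and crypto map peer must equal the other router's Loopback 1 address (the crypto map local-address), the crypto map must be applied to both the primary and the backup interface, ACL 101 must be mirrored, and on Router 1 the dialer watch-list entry must be a host route (255.255.255.255) for the IPSec peer address with a dialer watch-group referencing it on the backup interface. It also flags esp-des and esp-md5-hmac in the transform set as legacy algorithms, a point a reviewer would raise on this configuration today. The embedded configs are excerpts of the page's own r1 and r2 configurations; the function names and the check rules are this example's own.

```python
# Excerpt of Router 1's running-config from this document (relevant lines only).
R1_CONFIG = """\
crypto isakmp key cisco address 222.222.222.222
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 222.222.222.222
 set transform-set abc
 match address 101
interface Loopback1
 ip address 111.111.111.111 255.255.255.0
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map cisco
interface Dialer1
 ip address 20.1.1.1 255.255.255.0
 dialer watch-group 1
 crypto map cisco
access-list 101 permit ip host 11.11.11.11 host 22.22.22.22
dialer watch-list 1 ip 222.222.222.222 255.255.255.255
"""

# Excerpt of Router 2's running-config from this document (relevant lines only).
R2_CONFIG = """\
crypto isakmp key cisco address 111.111.111.111
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 111.111.111.111
 set transform-set abc
 match address 101
interface Loopback1
 ip address 222.222.222.222 255.255.255.0
interface Ethernet0/0
 ip address 10.1.1.2 255.255.255.0
 crypto map cisco
interface Dialer1
 ip address 20.1.1.2 255.255.255.0
 crypto map cisco
access-list 101 permit ip host 22.22.22.22 host 11.11.11.11
"""

# Single DES and HMAC-MD5 are legacy algorithms: reported as warnings, not failures.
LEGACY_ALGOS = {"esp-des", "esp-md5-hmac"}


def parse_config(text):
    """Pull out the statements the pairing checks need (example parser, not IOS code)."""
    cfg = {"interfaces": {}, "acl101": None, "watch": None, "transform": []}
    current = None  # interface block being read, if any
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" "):
            body = line.strip()
            if body.startswith("set peer "):          # inside the crypto map entry
                cfg["peer"] = body.split()[2]
            elif current is not None:                 # inside an interface block
                if body.startswith("ip address "):
                    current["ip"] = body.split()[2]
                elif body.startswith("crypto map "):
                    current["crypto_map"] = body.split()[2]
                elif body.startswith("dialer watch-group "):
                    current["watch_group"] = int(body.split()[2])
            continue
        current = None
        parts = line.split()
        if parts[0] == "interface":
            current = cfg["interfaces"].setdefault(parts[1], {})
        elif line.startswith("crypto isakmp key "):
            cfg["isakmp_peer"] = parts[-1]
        elif line.startswith("crypto ipsec transform-set "):
            cfg["transform"] = parts[4:]              # algorithms follow the set name
        elif parts[:2] == ["crypto", "map"] and "local-address" in parts:
            cfg["local_address_if"] = parts[-1]
        elif line.startswith("access-list 101 permit ip host "):
            cfg["acl101"] = (parts[5], parts[7])      # (source host, destination host)
        elif line.startswith("dialer watch-list ") and parts[3] == "ip":
            cfg["watch"] = (parts[4], parts[5])       # (watched address, mask)
    return cfg


def check_pair(watcher, peer):
    """Return (errors, warnings); `watcher` runs dialer watch (Router 1), `peer` is Router 2."""
    errors, warnings = [], []
    for me, other, name in ((watcher, peer, "watcher"), (peer, watcher, "peer")):
        local_ip = me["interfaces"][me["local_address_if"]]["ip"]
        if other.get("isakmp_peer") != local_ip:
            errors.append(f"{name}: other side's isakmp key address is not {local_ip}")
        if other.get("peer") != local_ip:
            errors.append(f"{name}: other side's crypto map peer is not {local_ip}")
        crypto_ifs = sorted(n for n, i in me["interfaces"].items() if i.get("crypto_map"))
        if len(crypto_ifs) < 2:
            errors.append(f"{name}: crypto map must be on primary and backup interfaces, found {crypto_ifs}")
        warnings.extend(f"{name}: legacy algorithm {a} in transform set"
                        for a in me["transform"] if a in LEGACY_ALGOS)
    if None in (watcher["acl101"], peer["acl101"]) or \
            watcher["acl101"] != tuple(reversed(peer["acl101"])):
        errors.append("ACL 101 is not mirrored between the peers")
    if watcher["watch"] is None:
        errors.append("watcher: no dialer watch-list ip entry")
    else:
        addr, mask = watcher["watch"]
        if addr != watcher.get("peer"):
            errors.append("watcher: watched route is not the IPSec peer address")
        if mask != "255.255.255.255":
            errors.append("watcher: watch-list mask must match the route in the routing table (/32 here)")
        if not any(i.get("watch_group") for i in watcher["interfaces"].values()):
            errors.append("watcher: dialer watch-group is not applied to any interface")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_pair(parse_config(R1_CONFIG), parse_config(R2_CONFIG))
    print("errors:", errs or "none")
    print("warnings:", *warns, sep="\n  ")
```

Run against the two excerpts, the checker reports no errors and four warnings (esp-des and esp-md5-hmac on each router). Removing `crypto map cisco` from Router 1's Dialer1 produces the error that the map is missing from the backup interface, which is exactly the misconfiguration that would leave backup traffic unencrypted once dialer watch brings the ISDN link up.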

Verify

This section provides information you can use to confirm that your configuration works properly.

Sample show Command Output

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

  • Routing table on Router 1 (2621): primary link up

    r1#show ip route
     
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, 
           L2 - IS-IS level-2, ia - IS-IS inter area, 
           * - candidate default, U - per-user static route,
           o - ODR, P - periodic downloaded static route
     
    Gateway of last resort is not set
     
         222.222.222.0/32 is subnetted, 1 subnets
    O       222.222.222.222 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0
          20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/32 is subnetted, 1 subnets
    O       22.22.22.22 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0
         111.0.0.0/24 is subnetted, 1 subnets
    C       111.111.111.0 is directly connected, Loopback1
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, FastEthernet0/0
         11.0.0.0/24 is subnetted, 1 subnets
    C       11.11.11.0 is directly connected, Loopback0
  • Routing table on Router 2 (3640): primary link up

    r2#show ip route
     
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, 
           L2 - IS-IS level-2, ia - IS-IS inter area, 
           * - candidate default, U - per-user static route,
           o - ODR, P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
    C    222.222.222.0/24 is directly connected, Loopback1
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/24 is subnetted, 1 subnets
    C       22.22.22.0 is directly connected, Loopback0
         111.0.0.0/32 is subnetted, 1 subnets
    O       111.111.111.111 [110/11] via 10.1.1.1, 00:06:22, Ethernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, Ethernet0/0
         11.0.0.0/32 is subnetted, 1 subnets
    O       11.11.11.11 [110/11] via 10.1.1.1, 00:06:23, Ethernet0/0
    
  • OSPF neighbors on Router 1 (2621): primary link up

    r1#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address    Interface
    222.222.222.222   1   FULL/DR    00:00:33    10.1.1.2   FastEthernet0/0
    
  • OSPF neighbors on Router 2 (3640): primary link up

    r2#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address    Interface
    111.111.111.111   1   FULL/BDR   00:00:31    10.1.1.1   Ethernet0/0
    
  • Routing table on Router 1 (2621): primary link down

    r1#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, 
           ia - IS-IS inter area, * - candidate default, 
           U - per-user static route, o - ODR,
           P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
         222.222.222.0/32 is subnetted, 1 subnets
    O       222.222.222.222 [110/10000] via 20.1.1.2, 00:00:09, Dialer1
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, BRI0/0
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/32 is subnetted, 1 subnets
    O       22.22.22.22 [110/10000] via 20.1.1.2, 00:00:09, Dialer1
         111.0.0.0/24 is subnetted, 1 subnets
    C       111.111.111.0 is directly connected, Loopback1
         10.0.0.0/24 is subnetted, 1 subnets
    O       10.1.1.0 [110/10009] via 20.1.1.2, 00:00:09, Dialer1
         11.0.0.0/24 is subnetted, 1 subnets
    C       11.11.11.0 is directly connected, Loopback0
  • Routing table on Router 2 (3640): primary link down

    r2#show ip route
     
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, 
           ia - IS-IS inter area, * - candidate default, 
           U - per-user static route, o - ODR,
           P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
    C    222.222.222.0/24 is directly connected, Loopback1
         20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       20.1.1.0/24 is directly connected, Dialer1
    C       20.1.1.1/32 is directly connected, Dialer1
         22.0.0.0/24 is subnetted, 1 subnets
    C       22.22.22.0 is directly connected, Loopback0
         111.0.0.0/32 is subnetted, 1 subnets
    O       111.111.111.111 [110/10000] via 20.1.1.1, 00:00:07, Dialer1
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, Ethernet0/0
         11.0.0.0/32 is subnetted, 1 subnets
    O       11.11.11.11 [110/10000] via 20.1.1.1, 00:00:08, Dialer1
    
  • OSPF neighbors on Router 1 (2621): primary link down

    r1#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address     Interface
    222.222.222.222   0   FULL/  -   00:00:32    20.1.1.2    Dialer1
    
  • OSPF neighbors on Router 2 (3640): primary link down

    r2#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address     Interface
    111.111.111.111   0   FULL/  -   00:00:31    20.1.1.1    Dialer1
    

The debug dialer output and the several show command outputs below show the primary link failing and dialer watch recognizing the lost route. The router then brings up the backup link and OSPF converges over the secondary link. Each time the idle timeout expires, the router checks whether the primary link is still down. Once the primary link is found to be up, the disable timer expires, the call is disconnected, dialer watch takes down the backup link, and OSPF converges back over the primary link as usual.

The debug and show command output below is from Router 1 (2621) as the primary link goes down and then comes back up.

r1#show debug
Dial on demand:
  Dial on demand events debugging is on

r1#
03:00:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, 
   changed state to down

!--- Primary link was brought down manually by disabling the switch ports.

03:00:21: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
   from FULL to DOWN, Neighbor Down: Interface down or detached

!--- Primary link goes down.
!--- OSPF loses neighbor adjacency.

r1#

!--- Dialer watch kicks in.

03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: BR0/0 DDR: rotor dialout [best] 
   least recent failure is also most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best] also has most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best]
03:00:21: DDR:    dialing secondary by dialer string 94134028 on Di1
03:00:21: BR0/0 DDR: Attempting to dial 94134028
03:00:21: DDR: Dialer Watch: watch-group = 1
r1#
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 82 changed to up
03:00:94489280514: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
03:00:94489280516: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:00:94489280512: BR0/0:1: interface must be fifo queue, force fifo
03:00:94489280512: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
r1#
03:00:22: BR0/0:1 DDR: Remote name for r2
03:00:22: BR0/0:1 DDR: dialer protocol up
03:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, 
   changed state to up
r1#
03:00:28: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 94134028 r2

!--- Backup link is now connected to Router 2.

r1#
03:00:31: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1 
   from LOADING to FULL, Loading Done

!--- OSPF converges over the backup link.

r1#
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String   Successes   Failures   Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss

!--- Dial reason is the lost route.

Interface bound to profile Di1
Time until disconnect 154 secs

!--- Idle timeout is ticking.

Current call connected 00:00:25
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String      Successes   Failures    Last DNIS   Last status
94134028                45         24    00:00:27       successful   Default
r1#show isdn active
-----------------------------------------------------------------------------
                                ISDN ACTIVE CALLS
-----------------------------------------------------------------------------
Call    Calling     Called     Remote  Seconds Seconds Seconds Charges
Type    Number      Number     Name    Used    Left    Idle    Units/Currency
-----------------------------------------------------------------------------
Out   ---N/A---   94134028         r2       37     142      37      0        
-----------------------------------------------------------------------------
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String      Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 47 secs

!--- Idle timeout is ticking.

Current call connected 00:02:12
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:02:14    successful   Default
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String      Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 0 secs

!--- Idle timeout is ticking.

Current call connected 00:02:59
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:03:05    successful   Default
r1#
03:03:22: BR0/0:1 DDR: idle timeout

!--- Idle timed out.
!--- Dialer watch checks lost routes
!--- again and resets the idle timer, since the primary is not up yet.

03:03:22: DDR: Dialer Watch: watch-group = 1
03:03:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:03:22: DDR:    primary DOWN

!--- Primary link is still down.

r1#
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String    Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 154 secs

!--- Idle timeout was reset by dialer watch.

Current call connected 00:03:25
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:03:28    successful   Default
r1#
03:04:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
   changed state to up

!--- Primary link was brought up manually by enabling the switch ports.

r1#
r1#
03:05:50: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
   from LOADING to FULL, Loading Done
r1#
r1#show ip ospf neigh
 
Neighbor ID     Pri   State      Dead Time   Address     Interface
222.222.222.222   0   FULL/  -   00:00:02    20.1.1.2    Dialer1

!--- OSPF over secondary link is still up because
!--- the call is not terminated yet, waiting for idle timeout.

222.222.222.222   1   FULL/DR    00:00:38    10.1.1.2    FastEthernet0/0

!--- OSPF now starts to converge over the primary link.

r1#
r1#show ip route 222.222.222.222

!--- The watched route is now learned through the primary link.
!--- Check the cost.

Routing entry for 222.222.222.222/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 10.1.1.2 on FastEthernet0/0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 10.1.1.2, from 222.222.222.222, 00:00:16 ago, via FastEthernet0/0
      Route metric is 2, traffic share count is
r1#
03:06:22: BR0/0:1 DDR: idle timeout

!--- Idle timed out.
!--- Dialer watch checks lost routes. Since primary is up,
!--- it tears down the call.

03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR:    primary UP
03:06:22: BR0/0:1 DDR: disconnecting call
03:06:22: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR:    primary UP
03:06:22: %ISDN-6-DISCONNECT: Interface BRI0/0:1  
   disconnected from 94134028 r2,
   call lasted 360 seconds
03:06:96677768412: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
03:06:94489281195: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
r1#
03:06:94489280544: %DIALER-6-UNBIND: Interface BR0/0:1 
   unbound from profile Di1
03:06:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,
   changed state to down
r1#
03:06:37: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, 
   TEI 82 changed to down
r1#
03:07:01: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1 
   from FULL to DOWN, Neighbor Down: Dead timer expired

!--- OSPF neighbor is down because the secondary link is down.
!--- Dead timer has expired.

r1#
r1#show ip ospf neigh
 
Neighbor ID     Pri   State       Dead Time   Address     Interface
222.222.222.222   1   FULL/DR     00:00:38    10.1.1.2    FastEthernet0/0

!--- OSPF neighbor is through the primary link only.

r1#u all
All possible debugging has been turned off
r1#
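The functions below are an added example, not code from Cisco's document, and turn the verification outputs above into checks that can be scripted. `find_route()` reads `show ip route` output and confirms that the watched prefix exists with exactly the mask given in the dialer watch-list (the condition dialer watch itself applies; a /24 entry would not satisfy a /32 watch, and the IOS output carries the mask on the "is subnetted" parent line rather than on the route line). `dialer_watch_timeline()` and `summarize()` read the `debug dialer` output for the dial reason, the number of idle-timeout re-checks, whether the primary was seen UP before the call was torn down, and the reported call duration. The sample inputs are lines taken from the routing tables and the debug output on this page, re-joined where the page wraps them; the function and event names are this example's own.

```python
import re

# Lines from Router 1's "show ip route" output on this page, primary link up.
ROUTE_PRIMARY_UP = """\
     222.222.222.0/32 is subnetted, 1 subnets
O       222.222.222.222 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0
     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Dialer1
"""
# Same router with the primary link down: the watched host route now points at Dialer1.
ROUTE_PRIMARY_DOWN = """\
     222.222.222.0/32 is subnetted, 1 subnets
O       222.222.222.222 [110/10000] via 20.1.1.2, 00:00:09, Dialer1
     111.0.0.0/24 is subnetted, 1 subnets
C       111.111.111.0 is directly connected, Loopback1
"""
# debug dialer lines from this page, re-joined where the page wraps them.
DEBUG_LOG = """\
03:00:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
03:00:21: BR0/0 DDR: Attempting to dial 94134028
03:00:28: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 94134028 r2
03:03:22: BR0/0:1 DDR: idle timeout
03:03:22: DDR:    primary DOWN
03:04:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
03:06:22: BR0/0:1 DDR: idle timeout
03:06:22: DDR:    primary UP
03:06:22: BR0/0:1 DDR: disconnecting call
03:06:22: %ISDN-6-DISCONNECT: Interface BRI0/0:1 disconnected from 94134028 r2, call lasted 360 seconds
"""

SUBNETTED = re.compile(r"^\s+\S+/(\d+) is (?:variably )?subnetted")
ROUTE = re.compile(r"^(\w)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+(?:\[(\d+)/(\d+)\]\s+)?.*,\s*(\S+)$")


def find_route(show_ip_route, prefix, masklen):
    """Return {code, interface, metric} for the exact prefix/masklen, or None if that
    route (address AND mask) is absent, which is what dialer watch treats as a lost route."""
    parent_len = None  # mask announced by the enclosing "x/NN is subnetted" line
    for line in show_ip_route.splitlines():
        m = SUBNETTED.match(line)
        if m:
            parent_len = int(m.group(1))
            continue
        m = ROUTE.match(line)
        if not m:
            continue
        code, addr, own_len, _ad, metric, iface = m.groups()
        length = int(own_len) if own_len else parent_len
        if addr == prefix and length == masklen:
            return {"code": code, "interface": iface, "metric": int(metric) if metric else None}
    return None


TIMESTAMP = re.compile(r"^(\d\d:\d\d:\d\d): (.*)$")
EVENT_PATTERNS = [
    ("watched_route_lost", re.compile(r"Dial Reason: Primary of group (\d+) DOWN")),
    ("backup_dialing", re.compile(r"Attempting to dial (\S+)")),
    ("backup_connected", re.compile(r"%ISDN-6-CONNECT: .* connected to (\S+) (\S+)")),
    ("idle_timeout_check", re.compile(r"DDR: idle timeout")),
    ("primary_state", re.compile(r"DDR:\s+primary (UP|DOWN)")),
    ("backup_disconnected", re.compile(r"%ISDN-6-DISCONNECT: .* call lasted (\d+) seconds")),
]


def dialer_watch_timeline(log):
    """Reduce debug dialer output to (timestamp, event name, captured fields) tuples."""
    events = []
    for line in log.splitlines():
        m = TIMESTAMP.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        for name, pattern in EVENT_PATTERNS:
            hit = pattern.search(msg)
            if hit:
                events.append((ts, name, hit.groups()))
                break
    return events


def summarize(events):
    """Facts an operator wants from one backup episode: why the call was placed, how many
    idle-timeout re-checks kept it up, and that it was torn down only after primary was UP."""
    summary = {"dial_reason": None, "idle_checks": 0,
               "primary_up_before_disconnect": False, "call_seconds": None}
    primary_up = False
    for _ts, name, fields in events:
        if name == "watched_route_lost":
            summary["dial_reason"] = f"primary of group {fields[0]} down"
        elif name == "idle_timeout_check":
            summary["idle_checks"] += 1
        elif name == "primary_state":
            primary_up = fields[0] == "UP"
        elif name == "backup_disconnected":
            summary["call_seconds"] = int(fields[0])
            summary["primary_up_before_disconnect"] = primary_up
    return summary


if __name__ == "__main__":
    print("primary up  :", find_route(ROUTE_PRIMARY_UP, "222.222.222.222", 32))
    print("primary down:", find_route(ROUTE_PRIMARY_DOWN, "222.222.222.222", 32))
    print(summarize(dialer_watch_timeline(DEBUG_LOG)))
```

On the page's outputs, the watched /32 resolves via FastEthernet0/0 with metric 2 while the primary is up and via Dialer1 with metric 10000 (the `ip ospf cost 9999` on the dialer) once it is down, and the debug summary shows one dial for the lost route, two idle-timeout re-checks, and a disconnect issued only after `primary UP` was seen. Looking the prefix up with a /24 mask returns nothing, which is the case the comment on `dialer watch-list` warns about.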

Troubleshoot

This section provides information you can use to troubleshoot your configuration. For troubleshooting general ISDN Layer 1, 2, and 3 problems, refer to Using the show isdn status Command for BRI Troubleshooting.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Note: Before you use debug commands, refer to Important Information on Debug Commands.

These debug commands can be run on both IPSec peers:

  • debug crypto isakmp: Displays Phase 1 errors.

  • debug crypto ipsec: Displays Phase 2 errors.

  • debug crypto engine: Displays information from the crypto engine.

These show commands can be run on both IPSec peers:

  • show crypto isakmp sa: Displays all current Internet Key Exchange (IKE) security associations (SAs) at a peer.

  • show crypto ipsec sa: Displays the settings used by the current [IPSec] SAs.

  • show crypto engine connections active: Displays current connections and information on encrypted and decrypted packets.

These clear commands can be used to clear SAs:

  • clear crypto isakmp: Clears Phase 1 security associations.

  • clear crypto sa: Clears Phase 2 security associations.


Document ID: 23100