Security and VPN: IPSec Negotiation/IKE Protocols

Configuring IPSec Redundancy Over ISDN Using Dialer Watch

5 April 2016 - Machine translation
Other versions: PDF version | English (22 August 2015)


Introduction

This document provides a sample configuration that encrypts traffic from the network behind Router 1 to the network behind Router 2 (the Loopback 0 interfaces are used as the networks in this example). If the primary link (Ethernet) between Router 1 and Router 2 goes down, IP Security (IPSec) traffic continues to flow over the secondary link (ISDN). There are several ways to achieve this: you can use dialer watch, a backup interface, a demand circuit, or floating static routes. This sample configuration demonstrates how the dialer watch feature works. For more information on the other options, refer to Evaluating Backup Interfaces, Floating Static Routes, and Dialer Watch for DDR Backup.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco 2621 and 3640 routers

  • Cisco IOS® Software Release 12.3(3)

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Configure

This section presents the information needed to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this document.

Network Diagram

This document uses the network setup shown in the diagram below:

[Network diagram: /image/gif/paws/23100/ipsec_dialerwatch_01.gif]

Configurations

This document uses the configurations shown below:

Router 1 (2621)
r1#show running-config
Building configuration...
 
Current configuration : 2244 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
!
username r2 password 0 cisco

!--- This is the username for remote router (Router 2) 
!--- and shared secret. Shared secret (used for Challenge Handshake 
!--- Authentication Protocol [CHAP]) must be the same on both sides.

no aaa new-model
ip subnet-zero
ip tcp synwait-time 5
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 222.222.222.222
!
!
crypto ipsec transform-set abc esp-des esp-md5-hmac
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 222.222.222.222

!--- Peer address, Loopback 1 of Router 2

 set transform-set abc
 match address 101

!--- Networks to encrypt (Loopback 0 on both ends)

!
isdn switch-type basic-ts013
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0

!--- Network to encrypt

 ip address 11.11.11.11 255.255.255.0
!
interface Loopback1

!--- Used for peer address for IPSec

 ip address 111.111.111.111 255.255.255.0
!
interface FastEthernet0/0

!--- Primary link

 ip address 10.1.1.1 255.255.255.0
 no ip route-cache

!--- Enable process switching

 no ip mroute-cache
 duplex auto
 speed auto
 crypto map cisco

!--- Apply crypto map on primary interface

!
interface BRI0/0
 no ip address
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ts013
 no cdp enable
!
interface Dialer1

!--- Backup link

 ip address 20.1.1.1 255.255.255.0
 encapsulation ppp
 no ip route-cache

!--- Enable process switching

 ip ospf cost 9999

!--- Increase the cost so that when the primary comes up again,
!--- Open Shortest Path First (OSPF) routes are
!--- preferred using the primary link (due to better cost).

 no ip mroute-cache
 dialer idle-timeout 180
 dialer pool 1
 dialer string 94134028
 dialer watch-group 1

!--- Enable dialer watch on this backup interface.
!--- Watch the route specified with the dialer watch-list 1 command.

 dialer-group 1

!--- Apply interesting traffic defined in dialer list 1.

 no peer neighbor-route
 ppp authentication chap
 crypto map cisco

!--- Apply crypto map on backup interface.

!
router ospf 1

!--- OSPF advertising Loopback 0, Loopback 1, 
!--- primary, and secondary links.

 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 11.11.11.0 0.0.0.255 area 0
 network 20.1.1.0 0.0.0.255 area 0
 network 111.111.111.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
!
!
access-list 101 permit ip host 11.11.11.11 host 22.22.22.22

!--- Access control list (ACL) 101 is the
!--- IPSec traffic used in match address.

access-list 110 deny   ip any any

!--- ACL 110 is for the dialer list to mark 
!--- all IP traffic uninteresting. The dialer watch will 
!--- trigger the ISDN backup when the route is lost.

dialer watch-list 1 ip 222.222.222.222 255.255.255.255

!--- This defines the route(s) to be watched.
!--- This exact route (including subnet mask) 
!--- must exist in the routing table.
!--- Use the dialer watch-group 1 command to apply this
!--- list to the backup interface.

dialer watch-list 1 delay route-check initial 10
dialer-list 1 protocol ip list 110

!--- Interesting traffic is defined by ACL 110.
!--- This is applied to Dialer1 using dialer group 1.

!
!
!
dial-peer cor custom
!
!
!
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 escape-character 27
line aux 0
line vty 0 4
 login
!
end

Router 2 (3640)
r2#show running-config
Building configuration...
 
Current configuration : 2311 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r2
!
boot-start-marker
boot-end-marker
!
username r1 password 0 cisco

!--- This is the username for remote router (Router 1) 
!--- and shared secret. Shared secret (used for CHAP)
!--- must be the same on both sides.

no aaa new-model
ip subnet-zero
ip tcp synwait-time 5
!
!
no ip domain lookup
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco address 111.111.111.111
!
!
crypto ipsec transform-set abc esp-des esp-md5-hmac
!
!
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 111.111.111.111

!--- Peer address, Loopback 1 of Router 1

 set transform-set abc
 match address 101

!--- Networks to encrypt (Loopback 0 on both ends)

!
isdn switch-type basic-ts013
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
!
!
!
!
interface Loopback0
 ip address 22.22.22.22 255.255.255.0

!--- Network to encrypt

!
interface Loopback1
 ip address 222.222.222.222 255.255.255.0

!--- Used for peer address for IPSec.

!
interface BRI0/0
 no ip address
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool-member 1
 isdn switch-type basic-ts013
!
interface Ethernet0/0

!--- Primary link

 ip address 10.1.1.2 255.255.255.0
 no ip route-cache

!--- Enable process switching.

 no ip mroute-cache
 half-duplex
 crypto map cisco

!--- Apply crypto map on primary interface.

!
interface Dialer1
 ip address 20.1.1.2 255.255.255.0
 encapsulation ppp
 no ip route-cache
 ip ospf cost 9999
 no ip mroute-cache
 dialer pool 1
 dialer idle-timeout 600
 dialer remote-name r1

!--- Dialer for the BRI interface of the remote router 
!--- without a dial string.

 dialer-group 1

!--- Apply interesting traffic defined in dialer list 1.

 ppp authentication chap
 crypto map cisco

!--- Apply crypto map on backup interface.

!
router ospf 1
 log-adjacency-changes
 network 10.1.1.0 0.0.0.255 area 0
 network 20.1.1.0 0.0.0.255 area 0
 network 22.22.22.0 0.0.0.255 area 0
 network 222.222.222.0 0.0.0.255 area 0
!
no ip http server
no ip http secure-server
ip classless
!
!
access-list 101 permit ip host 22.22.22.22 host 11.11.11.11
access-list 110 deny   ospf any any

!--- Mark OSPF as uninteresting.
!--- This will not allow OSPF hellos 
!--- to try to bring the link up.

access-list 110 permit ip any any
dialer-list 1 protocol ip list 110

!--- Interesting traffic is defined by ACL 110.
!--- This is applied to Dialer1 using dialer group 1.

!
line con 0
 exec-timeout 0 0
 logging synchronous
 escape-character 27
line aux 0
line vty 0 4
 login
!
end
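
As an added example (not part of the Cisco document), a Python check of the points these two configurations rely on: the crypto map applied on both the primary and the backup interface, the watch-list naming the IPsec peer as an exact host route, and the raised OSPF cost on the backup interface. The input is a constructed excerpt of the Router 1 configuration above; the second function lists the legacy DES and MD5 algorithms in the transform set and ISAKMP policy, which a reviewer would flag today.

```python
"""Static check of an IOS dialer-watch + IPsec backup configuration.
Added example, not from the Cisco document: flags the mistakes that would
leave backup traffic in the clear or stop the watched route triggering a dial."""
import re

# Constructed excerpt of the Router 1 configuration from the document.
R1_CONFIG = """\
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto ipsec transform-set abc esp-des esp-md5-hmac
crypto map cisco local-address Loopback1
crypto map cisco 10 ipsec-isakmp
 set peer 222.222.222.222
 set transform-set abc
 match address 101
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map cisco
interface Dialer1
 ip address 20.1.1.1 255.255.255.0
 ip ospf cost 9999
 dialer watch-group 1
 dialer-group 1
 crypto map cisco
dialer watch-list 1 ip 222.222.222.222 255.255.255.255
"""

LEGACY = {"des", "esp-des", "md5", "esp-md5-hmac"}   # algorithms to retire


def parse_config(text):
    """Split an IOS config into (command, [sub-commands]) blocks."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def check_backup_ipsec(text):
    """Findings on the dialer-watch/IPsec interplay; [] means every check passed."""
    blocks = parse_config(text)
    findings, peers, watched = [], set(), {}
    for cmd, sub in blocks:
        if re.match(r"crypto map \S+ \d+ ipsec-isakmp$", cmd):
            peers.update(s.split()[2] for s in sub if s.startswith("set peer "))
        m = re.match(r"dialer watch-list (\d+) ip (\S+) (\S+)$", cmd)
        if m:
            watched[m.group(1)] = (m.group(2), m.group(3))
    for cmd, sub in blocks:
        m = re.match(r"interface (\S+)", cmd)
        if not m or m.group(1).startswith("Loopback"):
            continue
        name = m.group(1)
        has_ip = any(re.match(r"ip address \d", s) for s in sub)
        has_map = any(s.startswith("crypto map ") for s in sub)
        # The map must sit on the primary AND the backup interface; otherwise
        # traffic silently leaves unencrypted once the backup call is up.
        if has_ip and not has_map:
            findings.append(f"{name}: routed interface without crypto map")
        for g in (s.split()[-1] for s in sub if s.startswith("dialer watch-group ")):
            if g not in watched:
                findings.append(f"{name}: watch-group {g} has no dialer watch-list")
                continue
            addr, mask = watched[g]
            if mask != "255.255.255.255":   # the exact route, mask included, must exist
                findings.append(f"watch-list {g}: {addr} {mask} is not a host route")
            if addr not in peers:            # watch the VPN endpoint itself
                findings.append(f"watch-list {g}: {addr} is not a configured IPsec peer")
            if not any(s.startswith("ip ospf cost ") for s in sub):
                findings.append(f"{name}: backup interface has no raised OSPF cost")
    return findings


def weak_crypto(text):
    """List ISAKMP policy and transform-set tokens that name legacy DES or MD5."""
    return [f"{cmd}: {w}" for cmd, sub in parse_config(text)
            if cmd.startswith(("crypto isakmp policy", "crypto ipsec transform-set"))
            for w in " ".join([cmd] + sub).split() if w.lower() in LEGACY]
```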

Verify

This section provides information you can use to confirm that your configuration is working properly.

Sample show Command Output

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

  • Router 1 (2621) routing table - primary link up

    r1#show ip route
     
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, 
           L2 - IS-IS level-2, ia - IS-IS inter area, 
           * - candidate default, U - per-user static route,
           o - ODR, P - periodic downloaded static route
     
    Gateway of last resort is not set
     
         222.222.222.0/32 is subnetted, 1 subnets
    O       222.222.222.222 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0
          20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/32 is subnetted, 1 subnets
    O       22.22.22.22 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0
         111.0.0.0/24 is subnetted, 1 subnets
    C       111.111.111.0 is directly connected, Loopback1
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, FastEthernet0/0
         11.0.0.0/24 is subnetted, 1 subnets
    C       11.11.11.0 is directly connected, Loopback0
  • Router 2 (3640) routing table - primary link up

    r2#show ip route
     
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           I - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, 
           L2 - IS-IS level-2, ia - IS-IS inter area, 
           * - candidate default, U - per-user static route,
           o - ODR, P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
    C    222.222.222.0/24 is directly connected, Loopback1
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/24 is subnetted, 1 subnets
    C       22.22.22.0 is directly connected, Loopback0
         111.0.0.0/32 is subnetted, 1 subnets
    O       111.111.111.111 [110/11] via 10.1.1.1, 00:06:22, Ethernet0/0
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, Ethernet0/0
         11.0.0.0/32 is subnetted, 1 subnets
    O       11.11.11.11 [110/11] via 10.1.1.1, 00:06:23, Ethernet0/0
    
  • Router 1 (2621) OSPF neighbor - primary link up

    r1#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address    Interface
    222.222.222.222   1   FULL/DR    00:00:33    10.1.1.2   FastEthernet0/0
    
  • Router 2 (3640) OSPF neighbor - primary link up

    r2#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address    Interface
    111.111.111.111   1   FULL/BDR   00:00:31    10.1.1.1   Ethernet0/0
    
  • Router 1 (2621) routing table - primary link down

    r1#show ip route
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, 
           ia - IS-IS inter area, * - candidate default, 
           U - per-user static route, o - ODR,
           P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
         222.222.222.0/32 is subnetted, 1 subnets
    O       222.222.222.222 [110/10000] via 20.1.1.2, 00:00:09, Dialer1
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, BRI0/0
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.1.1.0 is directly connected, Dialer1
         22.0.0.0/32 is subnetted, 1 subnets
    O       22.22.22.22 [110/10000] via 20.1.1.2, 00:00:09, Dialer1
         111.0.0.0/24 is subnetted, 1 subnets
    C       111.111.111.0 is directly connected, Loopback1
         10.0.0.0/24 is subnetted, 1 subnets
    O       10.1.1.0 [110/10009] via 20.1.1.2, 00:00:09, Dialer1
         11.0.0.0/24 is subnetted, 1 subnets
    C       11.11.11.0 is directly connected, Loopback0
  • Router 2 (3640) routing table - primary link down

    r2#show ip route
     
    Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
           I - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, 
           ia - IS-IS inter area, * - candidate default, 
           U - per-user static route, o - ODR,
           P - periodic downloaded static route
     
    Gateway of last resort is not set.
     
    C    222.222.222.0/24 is directly connected, Loopback1
         20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C       20.1.1.0/24 is directly connected, Dialer1
    C       20.1.1.1/32 is directly connected, Dialer1
         22.0.0.0/24 is subnetted, 1 subnets
    C       22.22.22.0 is directly connected, Loopback0
         111.0.0.0/32 is subnetted, 1 subnets
    O       111.111.111.111 [110/10000] via 20.1.1.1, 00:00:07, Dialer1
         10.0.0.0/24 is subnetted, 1 subnets
    C       10.1.1.0 is directly connected, Ethernet0/0
         11.0.0.0/32 is subnetted, 1 subnets
    O       11.11.11.11 [110/10000] via 20.1.1.1, 00:00:08, Dialer1
    
  • Router 1 (2621) OSPF neighbor - primary link down

    r1#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address     Interface
    222.222.222.222   0   FULL/  -   00:00:32    20.1.1.2    Dialer1
    
  • Router 2 (3640) OSPF neighbor - primary link down

    r2#show ip ospf neighbor
    Neighbor ID     Pri   State      Dead Time   Address     Interface
    111.111.111.111   0   FULL/  -   00:00:31    20.1.1.1    Dialer1
    

The debug dialer and several show command outputs shown here show the primary link going down and dialer watch recognizing the lost route. The router then initiates the backup link, and OSPF converges over the secondary link. Every time the idle timeout expires, the router checks whether the primary link is still down. If the primary link is found to be up, dialer watch disconnects the backup link after the disable timer expires and tears down the call, and OSPF converges over the primary link as usual.
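
The idle-timeout check described above, as an added example that is not part of the Cisco document: a Python model that parses show ip route output (constructed from the two Router 1 routing tables shown earlier), looks for the watched route with its exact mask, and returns the action dialer watch takes when the idle timer expires. Dialer1 as the backup interface and 222.222.222.222/32 as the watched route are taken from the configuration.

```python
"""Model of the decision dialer watch makes when the idle timeout expires.
Added example (not from the Cisco document). It parses 'show ip route'
output, looks for the watched route with its exact mask, and reports
whether the primary is UP (route via a non-backup interface) or DOWN."""
import re

# Constructed from the two Router 1 routing tables in the document.
ROUTES_PRIMARY_UP = """\
Gateway of last resort is not set
     222.222.222.0/32 is subnetted, 1 subnets
O       222.222.222.222 [110/2] via 10.1.1.2, 00:00:25, FastEthernet0/0
     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Dialer1
     10.0.0.0/24 is subnetted, 1 subnets
C       10.1.1.0 is directly connected, FastEthernet0/0
"""
ROUTES_PRIMARY_DOWN = """\
Gateway of last resort is not set
     222.222.222.0/32 is subnetted, 1 subnets
O       222.222.222.222 [110/10000] via 20.1.1.2, 00:00:09, Dialer1
     20.0.0.0/24 is subnetted, 1 subnets
C       20.1.1.0 is directly connected, Dialer1
     10.0.0.0/24 is subnetted, 1 subnets
O       10.1.1.0 [110/10009] via 20.1.1.2, 00:00:09, Dialer1
"""

# Classful header IOS prints above entries that carry no explicit /len.
HEADER_RE = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)/(\d+) is (?:variably )?subnetted")
# One route entry: code, network[/len], then either "[AD/metric] via ..." or
# "is directly connected", ending in the outgoing interface.
ROUTE_RE = re.compile(
    r"^([A-Z]\*?(?: [A-Z0-9]{1,2})?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+"
    r"(?:\[\d+/\d+\]\s+via\s+\S+?,\s+\S+,\s+|is directly connected,\s+)(\S+)")


def prefix_to_mask(length):
    """Convert a prefix length (0-32) to a dotted-decimal mask."""
    bits = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    return ".".join(str((bits >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_routes(output):
    """Return [(network, prefix_len, interface)] from show ip route output."""
    routes, current_len = [], None
    for line in output.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current_len = int(h.group(2))
            continue
        m = ROUTE_RE.match(line)
        if m:
            length = int(m.group(3)) if m.group(3) else current_len
            routes.append((m.group(2), length, m.group(4)))
    return routes


def primary_state(output, watched_addr, watched_mask, backup_intf):
    """'UP' if the exact watched route exists via a non-backup interface.
    A route with a different mask, or one learned only over the backup
    interface, counts as DOWN, which is how dialer watch treats it."""
    for net, length, intf in parse_routes(output):
        if (net == watched_addr and length is not None
                and prefix_to_mask(length) == watched_mask and intf != backup_intf):
            return "UP"
    return "DOWN"


def on_idle_timeout(output, watched_addr, watched_mask, backup_intf):
    """Action taken when the dialer idle timer expires on the backup call."""
    if primary_state(output, watched_addr, watched_mask, backup_intf) == "UP":
        return "disconnect call"
    return "keep call, reset idle timer"


if __name__ == "__main__":
    for label, table in (("primary up", ROUTES_PRIMARY_UP), ("primary down", ROUTES_PRIMARY_DOWN)):
        print(label, "->", on_idle_timeout(table, "222.222.222.222", "255.255.255.255", "Dialer1"))
```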

When the primary link goes down and then comes back up, this is the debug and show command output from Router 1 (2621).

r1#show debug
Dial on demand:
  Dial on demand events debugging is on

r1#
03:00:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, 
   changed state to down

!--- Primary link was brought down manually by disabling the switch ports.

03:00:21: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
   from FULL to DOWN, Neighbor Down: Interface down or detached

!--- Primary link goes down.
!--- OSPF loses neighbor adjacency.

r1#

!--- Dialer watch kicks in.

03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Primary of group 1 DOWN
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: BR0/0 DDR: rotor dialout [best] 
   least recent failure is also most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best] also has most recent failure
03:00:21: BR0/0 DDR: rotor dialout [best]
03:00:21: DDR:    dialing secondary by dialer string 94134028 on Di1
03:00:21: BR0/0 DDR: Attempting to dial 94134028
03:00:21: DDR: Dialer Watch: watch-group = 1
r1#
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: DDR: Dialer Watch: watch-group = 1
03:00:21: DDR:    network 222.222.222.222/255.255.255.255 DOWN,
03:00:21: DDR:    primary DOWN
03:00:21: DDR: Dialer Watch: Dial Reason: Secondary of group 1 AVAILABLE
03:00:21: DDR: Dialer Watch: watch-group = 1, 
03:00:21: %ISDN-6-LAYER2UP: Layer 2 for Interface BR0/0, TEI 82 changed to up
03:00:94489280514: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to up
03:00:94489280516: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:00:94489280512: BR0/0:1: interface must be fifo queue, force fifo
03:00:94489280512: %DIALER-6-BIND: Interface BR0/0:1 bound to profile Di1
r1#
03:00:22: BR0/0:1 DDR: Remote name for r2
03:00:22: BR0/0:1 DDR: dialer protocol up
03:00:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1, 
   changed state to up
r1#
03:00:28: %ISDN-6-CONNECT: Interface BRI0/0:1 is now connected to 94134028 r2

!--- Backup link is now connected to Router 2.

r1#
03:00:31: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1 
   from LOADING to FULL, Loading Done

!--- OSPF converges over the backup link.

r1#
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String   Successes   Failures   Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss

!--- Dial reason is the lost route.

Interface bound to profile Di1
Time until disconnect 154 secs

!--- Idle timeout is ticking.

Current call connected 00:00:25
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String      Successes   Failures    Last DNIS   Last status
94134028                45         24    00:00:27       successful   Default
r1#show isdn active
-----------------------------------------------------------------------------
                                ISDN ACTIVE CALLS
-----------------------------------------------------------------------------
Call    Calling     Called     Remote  Seconds Seconds Seconds Charges
Type    Number      Number     Name    Used    Left    Idle    Units/Currency
-----------------------------------------------------------------------------
Out   ---N/A---   94134028         r2       37     142      37      0        
-----------------------------------------------------------------------------
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String      Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 47 secs

!--- Idle timeout is ticking.

Current call connected 00:02:12
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:02:14    successful   Default
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String      Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 0 secs

!--- Idle timeout is ticking.

Current call connected 00:02:59
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:03:05    successful   Default
r1#
03:03:22: BR0/0:1 DDR: idle timeout

!--- Idle timed out.
!--- Dialer watch checks the lost routes
!--- again and resets the idle timer since the primary is not up yet.

03:03:22: DDR: Dialer Watch: watch-group = 1
03:03:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:03:22: DDR:    primary DOWN

!--- Primary link is still down.

r1#
r1#show dialer
 
BRI0/0 - dialer type = ISDN
 
Dial String    Successes   Failures    Last DNIS   Last status
0 incoming call(s) have been screened.
0 incoming call(s) rejected for callback.
 
BRI0/0:1 - dialer type = ISDN
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Dial reason: Dialing on watched route loss
Interface bound to profile Di1
Time until disconnect 154 secs

!--- Idle timeout was reset by dialer watch.

Current call connected 00:03:25
Connected to 94134028 (r2)
 
BRI0/0:2 - dialer type = ISDN
Idle timer (120 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is idle
 
Di1 - dialer type = DIALER PROFILE
Idle timer (180 secs), Fast idle timer (20 secs)
Wait for carrier (30 secs), Re-enable (15 secs)
Dialer state is data link layer up
Number of active calls = 1
 
Dial String   Successes   Failures   Last DNIS   Last status
94134028             45         24   00:03:28    successful   Default
r1#
03:04:59: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0,
   changed state to up

!--- Primary link was brought up manually by enabling the switch ports.

r1#
r1#
03:05:50: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on FastEthernet0/0
   from LOADING to FULL, Loading Done
r1#
r1#show ip ospf neigh
 
Neighbor ID     Pri   State      Dead Time   Address     Interface
222.222.222.222   0   FULL/  -   00:00:02    20.1.1.2    Dialer1

!--- OSPF over secondary link is still up because
!--- the call is not terminated yet, waiting for idle timeout.

222.222.222.222   1   FULL/DR    00:00:38    10.1.1.2    FastEthernet0/0

!--- OSPF now starts to converge over the primary link.

r1#
r1#show ip route 222.222.222.222

!--- The watched route is now learned through the primary link.
!--- Check the cost.

Routing entry for 222.222.222.222/32
  Known via "ospf 1", distance 110, metric 2, type intra area
  Last update from 10.1.1.2 on FastEthernet0/0, 00:00:16 ago
  Routing Descriptor Blocks:
  * 10.1.1.2, from 222.222.222.222, 00:00:16 ago, via FastEthernet0/0
      Route metric is 2, traffic share count is
r1#
03:06:22: BR0/0:1 DDR: idle timeout

!--- Idle timed out.
!--- Dialer watch checks lost routes. Since primary is up,
!--- it tears down the call.

03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR:    primary UP
03:06:22: BR0/0:1 DDR: disconnecting call
03:06:22: BR0/0:1 DDR: Dialer Watch: resetting call in progress
03:06:22: DDR: Dialer Watch: watch-group = 1
03:06:22: DDR:    network 222.222.222.222/255.255.255.255 UP,
03:06:22: DDR:    primary UP
03:06:22: %ISDN-6-DISCONNECT: Interface BRI0/0:1  
   disconnected from 94134028 r2,
   call lasted 360 seconds
03:06:96677768412: %LINK-3-UPDOWN: Interface BRI0/0:1, changed state to down
03:06:94489281195: BR0/0 DDR: has total 0 call(s), dial_out 0, dial_in 0
r1#
03:06:94489280544: %DIALER-6-UNBIND: Interface BR0/0:1 
   unbound from profile Di1
03:06:23: %LINEPROTO-5-UPDOWN: Line protocol on Interface BRI0/0:1,
   changed state to down
r1#
03:06:37: %ISDN-6-LAYER2DOWN: Layer 2 for Interface BR0/0, 
   TEI 82 changed to down
r1#
03:07:01: %OSPF-5-ADJCHG: Process 1, Nbr 222.222.222.222 on Dialer1 
   from FULL to DOWN, Neighbor Down: Dead timer expired

!--- OSPF neighbor is down because the secondary link is down.
!--- Dead timer has expired.

r1#
r1#show ip ospf neigh
 
Neighbor ID     Pri   State       Dead Time   Address     Interface
222.222.222.222   1   FULL/DR     00:00:38    10.1.1.2    FastEthernet0/0

!--- OSPF neighbor is through the primary link only.

r1#u all
All possible debugging has been turned off
r1#

Troubleshoot

This section provides information you can use to troubleshoot your configuration. For more information on troubleshooting common ISDN Layer 1, 2 and 3 problems, refer to Using the show isdn status Command for BRI Troubleshooting.

Troubleshooting Commands

Certain show commands are supported by the Output Interpreter Tool (registered customers only), which allows you to view an analysis of show command output.

Note: Before issuing debug commands, refer to Important Information on Debug Commands.

These debug commands can be run on both IPsec peers.

  • debug crypto isakmp - displays errors during Phase 1.

  • debug crypto ipsec - displays errors during Phase 2.

  • debug crypto engine - displays information from the crypto engine.

These show commands can be run on both IPsec peers.

  • show crypto isakmp sa - displays all current Internet Key Exchange (IKE) security associations (SAs) at a peer.

  • show crypto ipsec sa - displays the settings used by the current [IPSec] SAs.

  • show crypto engine connections active - displays current connections and information on encrypted and decrypted packets.

These clear commands can be used to clear the SAs.

  • clear crypto isakmp - clears the Phase 1 security associations.

  • clear crypto sa - clears the Phase 2 security associations.

Related Cisco Support Community Discussions

The Cisco Support Community is a forum where you can ask and answer questions, share suggestions, and collaborate with your peers.



Document ID: 23100