Router#show access-lists 101
Extended IP access list 101
10 permit udp host 172.17.0.1 host 172.16.1.1 eq isakmp log (4 matches)
20 permit udp host 172.17.0.5 host 172.16.1.1 eq isakmp log (4 matches)
30 permit ip any any (295 matches)
Note: Make sure your access list permits ip any any. Otherwise, because the access list is applied inbound on the egress interface, it can block all other traffic.
Verify that GRE works after tunnel protection is removed
When DMVPN does not work, verify that the GRE tunnel works fine without IPsec encryption before you troubleshoot with IPsec.
For more information, refer to How to Configure a GRE Tunnel.
NHRP registration failure
The VPN tunnel between the hub and the spoke is up, but it cannot pass data traffic:
Router#show crypto isakmp sa
dst             src             state      conn-id  slot  status
172.17.0.1      172.16.1.1      QM_IDLE       1082     0  ACTIVE
Router#show crypto IPSEC sa
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
#pkts encaps: 154, #pkts encrypt: 154, #pkts digest: 154
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
inbound esp sas:
spi: 0xF830FC95(4163959957)
outbound esp sas:
spi: 0xD65A7865(3596253285)
!--- Output is truncated !---
This shows that return traffic does not come back from the other end of the tunnel.
Check the NHS entry on the spoke router:
Router#show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding
Tunnel0: 172.17.0.1 E req-sent 0 req-failed 30 repl-recv 0
Pending Registration Requests:
Registration Request: Reqid 4371, Ret 64 NHS 172.17.0.1
This shows that the NHS request fails. To resolve this issue, make sure the configuration on the spoke router tunnel interface is correct.
Configuration example:
interface Tunnel0
ip address 10.0.0.9 255.255.255.0
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.1
ip nhrp nhs 172.17.0.1
!--- Output is truncated !---
Configuration example with the correct entry for the NHS server:
interface Tunnel0
ip address 10.0.0.9 255.255.255.0
ip nhrp map 10.0.0.1 172.17.0.1
ip nhrp map multicast 172.17.0.1
ip nhrp nhs 10.0.0.1
!--- Output is truncated !---
Now verify the NHS entry and the IPsec encrypt/decrypt counters:
Router#show ip nhrp nhs detail
Legend: E=Expecting replies, R=Responding
Tunnel0: 10.0.0.1 RE req-sent 4 req-failed 0 repl-recv 3 (00:01:04 ago)
Router#show crypto IPSec sa
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
#pkts encaps: 121, #pkts encrypt: 121, #pkts digest: 121
#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
inbound esp sas:
spi: 0x1B7670FC(460747004)
outbound esp sas:
spi: 0x3B31AA86(993110662)
!--- Output is truncated !---
Verify that the lifetime is configured correctly
Use these commands to verify the current SA lifetime and the time until the next renegotiation:
Note the SA lifetime values. If they are close to the configured lifetimes (by default 24 hours for ISAKMP and 1 hour for IPsec), it means that these SAs were negotiated recently. If you wait a while and they are negotiated again, ISAKMP and/or IPsec may be bouncing up and down.
Router#show crypto ipsec security-assoc lifetime
Security association lifetime: 4608000 kilobytes/3600 seconds
Router#show crypto isakmp policy
Global IKE policy
Protection suite of priority 1
Encryption algorithm: DES-Data Encryption Standard (65 bit keys)
Hash algorithm: Message Digest 5
Authentication method: Pre-Shared Key
Diffie-Hellman group: #1 (768 bit)
Lifetime: 86400 seconds, no volume limit
Default protection suite
Encryption algorithm: DES- Data Encryption Standard (56 bit keys)
Hash algorithm: Secure Hash Standard
Authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
Lifetime: 86400 seconds, no volume limit
Router# show crypto ipsec sa
interface: Ethernet0/3
Crypto map tag: vpn, local addr. 172.17.0.1
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.17.0.1/255.255.255.255/47/0)
current_peer: 172.17.0.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 19, #pkts encrypt: 19, #pkts digest 19
#pkts decaps: 19, #pkts decrypt: 19, #pkts verify 19
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.16.1.1, remote crypto endpt.: 172.17.0.1
path mtu 1500, media mtu 1500
current outbound spi: 8E1CB77A
inbound esp sas:
spi: 0x4579753B(1165587771)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x8E1CB77A(2384246650)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: vpn
sa timing: remaining key lifetime (k/sec): (4456885/3531)
IV size: 8 bytes
replay detection support: Y
Verify whether traffic is passed in only one direction
The VPN tunnel between spoke-to-spoke routers is up, but it cannot pass data traffic.
Spoke1# show crypto ipsec sa peer 172.16.2.11
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
#pkts encaps: 110, #pkts encrypt: 110
#pkts decaps: 0, #pkts decrypt: 0,
local crypto endpt.: 172.16.1.1,
remote crypto endpt.: 172.16.2.11
inbound esp sas:
spi: 0x4C36F4AF(1278669999)
outbound esp sas:
spi: 0x6AC801F4(1791492596)
!--- Output is truncated !---
Spoke2#sh crypto ipsec sa peer 172.16.1.1
local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
#pkts encaps: 116, #pkts encrypt: 116,
#pkts decaps: 110, #pkts decrypt: 110,
local crypto endpt.: 172.16.2.11,
remote crypto endpt.: 172.16.1.1
inbound esp sas:
spi: 0x6AC801F4(1791492596)
outbound esp sas:
spi: 0x4C36F4AF(1278669999)
!--- Output is truncated !---
There are no decapsulated packets on spoke1, which indicates that ESP packets are dropped somewhere in the return path from spoke2 to spoke1.
The spoke2 router shows both encaps and decaps, which indicates that the ESP traffic is filtered before reaching spoke2. It can happen at the ISP end of spoke2 or at any firewall in the path between the spoke2 router and the spoke1 router. After ESP (IP protocol 50) is allowed, both spoke1 and spoke2 show the encaps and decaps counters increasing.
spoke1# show crypto ipsec sa peer 172.16.2.11
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
#pkts encaps: 300, #pkts encrypt: 300
#pkts decaps: 200, #pkts decrypt: 200
!--- Output is truncated !---
spoke2#sh crypto ipsec sa peer 172.16.1.1
local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
#pkts encaps: 316, #pkts encrypt: 316,
#pkts decaps: 300, #pkts decrypt: 310
!--- Output is truncated !---
Verify that routing protocol neighbors are established
The spoke cannot establish a routing protocol neighbor relationship:
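The two checks described in this section and in the lifetime section above (encaps on one end that never show up as decaps on the other, and a remaining key lifetime that is close to, or has jumped back toward, the configured value) are easy to automate from the same show output. The following Python script is an added example and is not Cisco code or part of this document; the SA samples it parses are constructed from the spoke1/spoke2 and hub outputs shown above, and the 3600-second configured lifetime is the IPsec default the text mentions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples modelled on the 'show crypto ipsec sa' output above;
# they are not captured from a live router.
SPOKE1_BEFORE = """\
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
#pkts encaps: 110, #pkts encrypt: 110
#pkts decaps: 0, #pkts decrypt: 0,
sa timing: remaining key lifetime (k/sec): (4456885/3531)
"""
SPOKE2_BEFORE = """\
local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
#pkts encaps: 116, #pkts encrypt: 116,
#pkts decaps: 110, #pkts decrypt: 110,
sa timing: remaining key lifetime (k/sec): (4456885/3520)
"""
SPOKE1_AFTER = """\
local ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
#pkts encaps: 300, #pkts encrypt: 300
#pkts decaps: 200, #pkts decrypt: 200
sa timing: remaining key lifetime (k/sec): (4456885/3590)
"""
SPOKE2_AFTER = """\
local ident (addr/mask/prot/port): (172.16.2.11/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.16.1.1/255.255.255.255/47/0)
#pkts encaps: 316, #pkts encrypt: 316,
#pkts decaps: 300, #pkts decrypt: 300
sa timing: remaining key lifetime (k/sec): (4456885/3588)
"""


@dataclass
class IpsecSaStats:
    local: str
    remote: str
    encaps: int
    decaps: int
    remaining_kb: Optional[int]
    remaining_sec: Optional[int]


_RE_LOCAL = re.compile(r"local ident \(addr/mask/prot/port\): \((\S+?)/")
_RE_REMOTE = re.compile(r"remote ident \(addr/mask/prot/port\): \((\S+?)/")
_RE_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
_RE_DECAPS = re.compile(r"#pkts decaps: (\d+)")
_RE_LIFE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")


def parse_ipsec_sa(text: str) -> IpsecSaStats:
    """Pull the fields needed for the checks out of one SA block.
    The first 'sa timing' line (the inbound SA) is used for the lifetime."""
    def first(rx: re.Pattern, default: str) -> str:
        m = rx.search(text)
        return m.group(1) if m else default
    life = _RE_LIFE.search(text)
    return IpsecSaStats(
        local=first(_RE_LOCAL, "?"),
        remote=first(_RE_REMOTE, "?"),
        encaps=int(first(_RE_ENCAPS, "0")),
        decaps=int(first(_RE_DECAPS, "0")),
        remaining_kb=int(life.group(1)) if life else None,
        remaining_sec=int(life.group(2)) if life else None,
    )


def diagnose_direction(a: IpsecSaStats, b: IpsecSaStats) -> List[str]:
    """Compare the two ends of one SA pair: every packet a encapsulates should
    appear as a decap on b and vice versa. A receive counter stuck at zero while
    the sender's counter grows means ESP is lost somewhere in that direction."""
    findings = []
    if a.encaps > 0 and b.decaps == 0:
        findings.append(f"ESP from {a.local} to {b.local} is dropped in transit")
    if b.encaps > 0 and a.decaps == 0:
        findings.append(f"ESP from {b.local} to {a.local} is dropped in transit")
    return findings


def recently_negotiated(s: IpsecSaStats, configured_sec: int, fraction: float = 0.9) -> bool:
    """True when most of the configured lifetime is still left, i.e. the SA is new."""
    return s.remaining_sec is not None and s.remaining_sec >= configured_sec * fraction


def renegotiated_between(earlier: IpsecSaStats, later: IpsecSaStats) -> bool:
    """Within one SA the remaining lifetime only counts down; a later sample with
    more seconds left than an earlier one means a new SA was built in between,
    which is the bouncing the text tells you to watch for."""
    return (earlier.remaining_sec is not None and later.remaining_sec is not None
            and later.remaining_sec > earlier.remaining_sec)


if __name__ == "__main__":
    s1, s2 = parse_ipsec_sa(SPOKE1_BEFORE), parse_ipsec_sa(SPOKE2_BEFORE)
    print(diagnose_direction(s1, s2))
    print(diagnose_direction(parse_ipsec_sa(SPOKE1_AFTER), parse_ipsec_sa(SPOKE2_AFTER)))
    print(recently_negotiated(s1, 3600), renegotiated_between(s1, parse_ipsec_sa(SPOKE1_AFTER)))
```

Run against the "before" samples the script reports the drop in the spoke2-to-spoke1 direction only, which is the conclusion the text draws from the counters; after the ESP filter is fixed it reports nothing. Two samples of the same SA taken a few minutes apart are enough for renegotiated_between to expose a tunnel that is being rebuilt instead of aging normally.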
Hub# show ip eigrp neighbors
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
2   10.0.0.9         Tu0         13    00:00:37  1      5000  1    0
0   10.0.0.5         Tu0         11    00:00:47  1587   5000  0    1483
1   10.0.0.11        Tu0         13    00:00:56  1      5000  1    0
Syslog message:
%DUAL-5-NBRCHANGE: IP-EIGRP(0) 10:
Neighbor 10.0.0.9 (Tunnel0) is down: retry limit exceeded
Hub# show ip route eigrp
172.17.0.0/24 is subnetted, 1 subnets
C 172.17.0.0 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
C 192.168.0.0/24 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 172.17.0.100
Verify that the NHRP multicast mapping is configured correctly in the hub.
In the hub, the dynamic NHRP multicast mapping needs to be configured on the hub tunnel interface.
Configuration example:
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip mtu 1400
no ip next-hop-self eigrp 10
ip nhrp authentication test
ip nhrp network-id 10
no ip split-horizon eigrp 10
tunnel mode gre multipoint
!--- Output is truncated !---
Configuration example with the correct entry for the dynamic NHRP multicast mapping:
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip mtu 1400
no ip next-hop-self eigrp 10
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 10
no ip split-horizon eigrp 10
tunnel mode gre multipoint
!--- Output is truncated !---
This allows NHRP to add the spoke routers to the multicast NHRP mapping automatically.
For more information, refer to the ip nhrp map multicast dynamic command in the Cisco IOS IP Addressing Services Command Reference.
Hub#show ip eigrp neighbors
IP-EIGRP neighbors for process 10
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
2   10.0.0.9         Tu0         12    00:16:48  13     200   0    334
1   10.0.0.11        Tu0         13    00:17:10  11     200   0    258
0   10.0.0.5         Tu0         12    00:48:44  1017   5000  0    1495
Hub#show ip route
172.17.0.0/24 is subnetted, 1 subnets
C 172.17.0.0 is directly connected, FastEthernet0/0
D 192.168.11.0/24 [90/2944000] via 10.0.0.11, 00:16:12, Tunnel0
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.0.0 is directly connected, Tunnel0
C 192.168.0.0/24 is directly connected, FastEthernet0/1
D 192.168.2.0/24 [90/2818560] via 10.0.0.9, 00:15:45, Tunnel0
S* 0.0.0.0/0 [1/0] via 172.17.0.100
The routes from the spokes are learned through the EIGRP protocol.
Problem with Remote Access VPN integration with DMVPN
Problem
DMVPN works fine, but the RAVPN cannot be established.
Solution
Use ISAKMP profiles and IPsec profiles to achieve this. Create separate profiles for DMVPN and RAVPN.
For more information, refer to DMVPN and Easy VPN Server with ISAKMP Profiles Configuration Example.
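Both misconfigurations shown in this document (in the NHRP registration section, a spoke whose ip nhrp nhs names the hub's NBMA address 172.17.0.1 instead of its tunnel address 10.0.0.1; in this section, a hub mGRE interface that lacks ip nhrp map multicast dynamic) can be caught before the tunnel is ever brought up. The following Python script is an added example and is not Cisco code or part of this document; the interface blocks it checks are constructed from the configuration examples above, and the role detection (an mGRE interface with no ip nhrp nhs is treated as a hub) is an assumption of the script, not a Cisco rule.

```python
import ipaddress
from typing import Dict, List

# Constructed interface blocks copied from the spoke and hub examples above.
SPOKE_BAD = """\
interface Tunnel0
 ip address 10.0.0.9 255.255.255.0
 ip nhrp map 10.0.0.1 172.17.0.1
 ip nhrp map multicast 172.17.0.1
 ip nhrp nhs 172.17.0.1
"""
SPOKE_GOOD = SPOKE_BAD.replace("ip nhrp nhs 172.17.0.1", "ip nhrp nhs 10.0.0.1")
HUB_BAD = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 no ip next-hop-self eigrp 10
 ip nhrp authentication test
 ip nhrp network-id 10
 no ip split-horizon eigrp 10
 tunnel mode gre multipoint
"""
HUB_GOOD = HUB_BAD.replace(" ip nhrp network-id 10",
                           " ip nhrp map multicast dynamic\n ip nhrp network-id 10")


def parse_tunnel(text: str) -> Dict:
    """Collect the NHRP-relevant lines of one 'interface TunnelN' block."""
    cfg = {"name": None, "address": None, "maps": {}, "multicast": set(),
           "multicast_dynamic": False, "nhs": [], "mgre": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cfg["name"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()
            cfg["address"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif line == "ip nhrp map multicast dynamic":
            cfg["multicast_dynamic"] = True
        elif line.startswith("ip nhrp map multicast "):
            cfg["multicast"].add(line.split()[4])
        elif line.startswith("ip nhrp map "):
            _, _, _, tunnel_ip, nbma_ip = line.split()
            cfg["maps"][tunnel_ip] = nbma_ip      # tunnel address -> NBMA address
        elif line.startswith("ip nhrp nhs "):
            cfg["nhs"].append(line.split()[3])
        elif line == "tunnel mode gre multipoint":
            cfg["mgre"] = True
    return cfg


def lint_tunnel(cfg: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the block passed."""
    findings = []
    name = cfg["name"]
    net = cfg["address"].network
    tunnel_of_nbma = {nbma: tun for tun, nbma in cfg["maps"].items()}
    for nhs in cfg["nhs"]:
        if nhs in tunnel_of_nbma:
            # The exact mistake from the NHRP registration section: the NHS must be
            # the hub's tunnel address, which the static map already resolves to NBMA.
            findings.append(f"{name}: 'ip nhrp nhs {nhs}' is the hub's NBMA address; "
                            f"use its tunnel address {tunnel_of_nbma[nhs]} instead")
        elif ipaddress.IPv4Address(nhs) not in net:
            findings.append(f"{name}: 'ip nhrp nhs {nhs}' is outside tunnel subnet {net}")
        elif nhs not in cfg["maps"]:
            findings.append(f"{name}: no static 'ip nhrp map {nhs} <nbma>' for the NHS")
        elif cfg["maps"][nhs] not in cfg["multicast"]:
            findings.append(f"{name}: no 'ip nhrp map multicast {cfg['maps'][nhs]}' "
                            "for the hub, routing-protocol multicast will not reach it")
    # Assumed role detection: mGRE without an NHS is a hub and needs the dynamic
    # multicast map so that spokes are added as they register.
    if cfg["mgre"] and not cfg["nhs"] and not cfg["multicast_dynamic"]:
        findings.append(f"{name}: hub mGRE tunnel lacks 'ip nhrp map multicast dynamic'; "
                        "EIGRP hellos will not be replicated to the spokes")
    return findings


if __name__ == "__main__":
    for label, block in (("spoke bad", SPOKE_BAD), ("spoke good", SPOKE_GOOD),
                         ("hub bad", HUB_BAD), ("hub good", HUB_GOOD)):
        print(label, lint_tunnel(parse_tunnel(block)))
```

The spoke check deliberately reports the NBMA-as-NHS case with the tunnel address it should have been, since that is the single-line fix the document applies; the remaining branches cover the other ways an NHS line can be inconsistent with the static maps on the same interface.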
Dual-hub-dual-DMVPN problem
Problem
Problem with dual-hub-dual-DMVPN. Specifically, the tunnels go down and cannot be renegotiated.
Solution
Use the shared keyword in the tunnel IPsec protection on the tunnel interfaces of both the hubs and the spokes.
Configuration example:
interface Tunnel43
description <<tunnel to primary cloud>>
tunnel source interface vlan10
tunnel protection IPSec profile myprofile shared
!--- Output is truncated !---
interface Tunnel44
description <<tunnel to secondary cloud>>
tunnel source interface vlan10
tunnel protection IPSec profile myprofile shared
!--- Output is truncated !---
For more information, refer to the tunnel protection command in the Cisco IOS Security Command Reference (A-C).
Problem logging in to a server through DMVPN
Problem
Traffic to a server across the DMVPN network cannot get through.
Solution
The problem can be related to the MTU and MSS size of packets that use GRE and IPsec.
In this case the packet size can be a fragmentation issue. To eliminate this problem, use these commands:
ip mtu 1400
ip tcp adjust-mss 1360
crypto IPSec fragmentation after-encryption (global)
You can also configure the tunnel path-mtu-discovery command to discover the MTU size dynamically.
For a detailed explanation, refer to Resolve IP Fragmentation, MTU, MSS, and PMTUD Issues with GRE and IPsec.
Unable to access a server on DMVPN through specific ports
Problem
A server on DMVPN cannot be reached through specific ports.
Solution
Verify by disabling the Cisco IOS firewall feature set and check whether it works.
If it works fine, the problem is related to the Cisco IOS firewall configuration and not to DMVPN.
Related Information