Problem

At one site, a branch office uses an MSR2600-10 to build an IPsec tunnel to a Ruijie device at headquarters. The tunnel comes up normally, but it drops at irregular intervals and traffic stops. When the drop happens, the device logs the message below and tears down the IKE phase 1 SA; after running reset ike sa / reset ipsec sa, the tunnel is re-established.

Alarm message

Mar 22 03:14:02:536 2016 fengze1 IKE/4/IKE_PACKET_DROPPED: -Src addr=10.27.249.244-Dst addr=171.12.0.23-I_Cookie=5dd3009e9dfecb12-R_Cookie=000ea0108cd51d37-Cause=Invalid protocol ID-Payload=DELETE; IKE packet dropped.

Cause analysis

Analysis of the collected debug output:

Ruijie sends two DELETE messages: one for the phase 1 (ISAKMP) SA and one for the IPsec SA.

We delete the phase 1 SA because we received a DELETE payload targeting the phase 1 SA.

We treat the DELETE payload targeting the IPsec SA as malformed and do not process it.

The error is that a DELETE for an IPsec protocol SA should carry the IPsec DOI, not the ISAKMP DOI.

We ignore such a packet.

The IPsec DOI value is 1 and the ISAKMP DOI value is 0. DOI is a field in the IKE message.

Key debug output:

%Mar 22 03:14:02:536 2016 fengze1 IKE/4/IKE_PACKET_DROPPED: -Src addr=10.27.249.244-Dst addr=171.12.0.23-I_Cookie=5dd3009e9dfecb12-R_Cookie=000ea0108cd51d37-Cause=Invalid protocol ID-Payload=DELETE; IKE packet dropped.

*Mar 22 03:14:02:536 2016 fengze1 IKE/7/DEBUG: DO decrypt: after decryption:

*Mar 22 03:14:02:536 2016 fengze1 IKE/7/DEBUG: 0c000014 4d12c4aa e9289d30 05f5545f 

*Mar 22 03:14:02:536 2016 fengze1 IKE/7/DEBUG: 22a6f5d7 00000014 00000000 03040002 

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: 5c70c008 75aea933 00000000 00000008 

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: parse payloads: payload HASH

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: parse payloads: payload DELETE

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: validate payload HASH

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: validate payload DELETE

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG:   DOI: ISAKMP

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG:   PROTO: IPSEC_ESP

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG:   SPI_SZ: 4

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG:   NSPIS: 2

*Mar 22 03:14:02:537 2016 fengze1 IKE/7/DEBUG: exchange setup(R): a2b7920

*Mar 22 03:14:02:538 2016 fengze1 IKE/7/DEBUG: validate DELETE: can't support this protocol

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: received message:

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG:   ICOOKIE: 0x5dd3009e9dfecb12

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG:   RCOOKIE: 0x000ea0108cd51d37

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG:   NEXT_PAYLOAD: HASH

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG:   VERSION: 16

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG:   EXCH_TYPE: INFO

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG:   FLAGS: [ ENC ]

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG:   MESSAGE_ID: 0x4412eb28

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG:   LENGTH: 92

*Mar 22 03:14:02:540 2016 fengze1 IKE/7/DEBUG: initialized IV:

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 43abfe90 4296252e 5f91b169 2a7414c5 

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: DO decrypt: before decryption:

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: d065daf8 e0c99633 15923f23 ae26d4c5 

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 90512196 1f0aacf4 bb2a0d9a 97343996 

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 0b333d54 59d00611 986178a3 18f1e4f7 

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 04f8ae69 71f2e48f 261b7eb0 0aee9efa 

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: CryptoEngine_BlockEncrypt: op type = 0x00001013.

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG:   enc_key:

*Mar 22 03:14:02:541 2016 fengze1 IKE/7/DEBUG: 3dee6f9a 2e046f46 a2355aef 079f4e5f 

*Mar 22 03:14:02:542 2016 fengze1 IKE/7/DEBUG:   iv:

*Mar 22 03:14:02:542 2016 fengze1 IKE/7/DEBUG: 43abfe90 4296252e 5f91b169 2a7414c5 

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: DO decrypt: after decryption:

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: 0c000014 2862c151 7b1854db 5a2afd08 

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: c903c0de 0000001c 00000000 01100001 

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: 5dd3009e 9dfecb12 000ea010 8cd51d37 

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: 00000000 00000000 00000000 00000010 

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: parse payloads: payload HASH

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: parse payloads: payload DELETE

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: validate payload HASH

*Mar 22 03:14:02:543 2016 fengze1 IKE/7/DEBUG: validate payload DELETE

*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG:   DOI: ISAKMP

*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG:   PROTO: ISAKMP

*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG:   SPI_SZ: 16

*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG:   NSPIS: 1

*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG: exchange setup(R): a2b6a40

*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG: exchange check: checking for required INFO

*Mar 22 03:14:02:544 2016 fengze1 IKE/7/DEBUG:
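To make the field layout concrete, here is an added Python example (not part of the original case, and not H3C or Ruijie code) that decodes the two decrypted payload dumps from the debug output above, walks the HASH and DELETE payload chain, and applies the DOI check the analysis describes. The payload types, DOI values and protocol IDs are the RFC 2408/2407 constants; the validation rule is the one stated on this page, not a reproduction of the device's actual code.

```python
import struct

# Payload types (RFC 2408, section 3.1)
PAYLOAD_NONE = 0
PAYLOAD_HASH = 8
PAYLOAD_DELETE = 12

# DOI values: ISAKMP (RFC 2408) = 0, IPsec DOI (RFC 2407) = 1
DOI_ISAKMP = 0
DOI_IPSEC = 1
DOI_NAMES = {DOI_ISAKMP: "ISAKMP", DOI_IPSEC: "IPSEC"}

# Protocol IDs used in the DELETE payload (RFC 2407, section 4.4.1)
PROTO_ISAKMP = 1
PROTO_IPSEC_AH = 2
PROTO_IPSEC_ESP = 3
PROTO_NAMES = {PROTO_ISAKMP: "ISAKMP", PROTO_IPSEC_AH: "IPSEC_AH",
               PROTO_IPSEC_ESP: "IPSEC_ESP"}

# Decrypted payload bytes copied from the two "DO decrypt: after decryption"
# dumps in the debug output. The 28-byte ISAKMP header is not encrypted and so
# is not part of these dumps; its NEXT_PAYLOAD field (HASH) tells us the type
# of the first payload.
IPSEC_SA_DELETE_DUMP = """
0c000014 4d12c4aa e9289d30 05f5545f
22a6f5d7 00000014 00000000 03040002
5c70c008 75aea933 00000000 00000008
"""
ISAKMP_SA_DELETE_DUMP = """
0c000014 2862c151 7b1854db 5a2afd08
c903c0de 0000001c 00000000 01100001
5dd3009e 9dfecb12 000ea010 8cd51d37
00000000 00000000 00000000 00000010
"""


def parse_payloads(data, first_type):
    """Walk the generic payload chain. Every payload starts with the 4-byte
    header next-payload(1) reserved(1) length(2); the chain ends when
    next-payload is 0. Bytes after the last payload are cipher-block padding."""
    payloads = []
    offset = 0
    ptype = first_type
    while ptype != PAYLOAD_NONE:
        if offset + 4 > len(data):
            raise ValueError("truncated payload header")
        next_type, _reserved, length = struct.unpack_from("!BBH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("bad payload length %d" % length)
        payloads.append((ptype, data[offset + 4:offset + length]))
        offset += length
        ptype = next_type
    return payloads


def parse_delete(body):
    """Decode a DELETE payload body: DOI(4) protocol(1) SPI size(1) #SPIs(2),
    followed by the SPI list."""
    doi, proto, spi_size, nspis = struct.unpack_from("!IBBH", body, 0)
    if len(body) < 8 + nspis * spi_size:
        raise ValueError("DELETE payload shorter than its SPI list")
    spis = [body[8 + i * spi_size:8 + (i + 1) * spi_size].hex()
            for i in range(nspis)]
    return {"doi": doi, "proto": proto, "spi_size": spi_size, "spis": spis}


def validate_delete(delete):
    """The rule from the analysis: a DELETE for an AH or ESP SA must carry the
    IPsec DOI (1). A DELETE for the ISAKMP SA itself is accepted with DOI 0."""
    if delete["proto"] in (PROTO_IPSEC_AH, PROTO_IPSEC_ESP) and delete["doi"] != DOI_IPSEC:
        return False, "Invalid protocol ID: %s delete carries %s DOI" % (
            PROTO_NAMES[delete["proto"]], DOI_NAMES.get(delete["doi"], delete["doi"]))
    return True, "accepted"


def analyze_dump(dump, first_type=PAYLOAD_HASH):
    """Parse a decrypted dump and return every DELETE payload with its verdict."""
    data = bytes.fromhex("".join(dump.split()))
    results = []
    for ptype, body in parse_payloads(data, first_type):
        if ptype != PAYLOAD_DELETE:
            continue
        delete = parse_delete(body)
        delete["accepted"], delete["reason"] = validate_delete(delete)
        results.append(delete)
    return results


if __name__ == "__main__":
    for name, dump in (("IPsec SA delete", IPSEC_SA_DELETE_DUMP),
                       ("ISAKMP SA delete", ISAKMP_SA_DELETE_DUMP)):
        for d in analyze_dump(dump):
            print(name, PROTO_NAMES[d["proto"]], DOI_NAMES[d["doi"]],
                  d["spis"], d["reason"])
```

Run as-is, the first dump decodes to PROTO=IPSEC_ESP with DOI=ISAKMP and two 4-byte SPIs, which the check rejects, matching the "Invalid protocol ID" drop; the second decodes to PROTO=ISAKMP with one 16-byte SPI (the two cookies), which is accepted, matching the phase 1 SA teardown. Changing the DOI word of the first dump from 00000000 to 00000001 is enough to make it pass, which is exactly what a conforming peer would send.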


Solution

After the customer contacted Ruijie R&D, the DPD implementation on the Ruijie side was found to be non-standard; after DPD was disabled, the tunnel returned to normal.

Case information

Case type: experience case
Case number: 201604070004
Created: 7 April 2016
Updated: 28 April 2016
Published: 2016/4/28 0:43:29
Document classification: visible to guests
Validity: permanent
Publisher: 刘文峰 [lfw0873]
Views: 1509
Average comment score: 0
Keywords: ipsec, interruption
Product line: low-to-mid-range routers
Product series: MSR2600 series
Product version:
Fault type:
