Symptom

 

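Customer network:

The customer created two tunnel interfaces over the same physical link. To isolate routing between different LANs, a VPN instance was bound to each tunnel interface. After an otherwise normal configuration, only one tunnel interface came up on the devices at both ends; the other tunnel interface stayed down.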

 

Alarm information

[H3C]%Dec 18 21:05:08:275 2017 H3C IFNET/5/LINK_UPDOWN: Line protocol state on the interface Tunnel1 changed to down.

 

Cause analysis

Check the output of debugging tunnel all:
<H3C>*Dec 18 21:10:23:924 2017 H3C TUNNEL/7/packet:
 Tunnel2 packet: Fast forwarded the de-encapsulated packet.
*Dec 18 21:10:24:978 2017 H3C TUNNEL/7/packet:
 Tunnel2 packet: Fast forwarded the de-encapsulated packet.
*Dec 18 21:10:25:274 2017 H3C TUNNEL/7/event:
 Tunnel1: No keepalive packet received from the peer.
*Dec 18 21:10:29:196 2017 H3C TUNNEL/7/packet:
 Tunnel2 packet: Fast forwarded the de-encapsulated packet.
*Dec 18 21:10:30:249 2017 H3C TUNNEL/7/packet:
 Tunnel2 packet: Fast forwarded the de-encapsulated packet.
*Dec 18 21:10:30:274 2017 H3C TUNNEL/7/event:
 Tunnel1: No keepalive packet received from the peer.
*Dec 18 21:10:34:458 2017 H3C TUNNEL/7/packet:
 Tunnel2 packet: Fast forwarded the de-encapsulated packet.
*Dec 18 21:10:35:274 2017 H3C TUNNEL/7/event:
 Tunnel1: No keepalive packet received from the peer.
*Dec 18 21:10:35:510 2017 H3C TUNNEL/7/packet:
 Tunnel2 packet: Fast forwarded the de-encapsulated packet.

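The output shows that Tunnel1 is not receiving keepalive packets from the peer. The configuration shows that keepalive 5 3 is configured on both tunnel interfaces, so a tunnel interface goes down once it has failed to receive a keepalive packet 3 times. Because both tunnel interfaces are encapsulated on the IP address of the same physical interface, the keepalive packets sent by each tunnel interface have the same format, and the tunnel interfaces on the peer cannot tell them apart. The tunnel interface that receives the keepalive packets first stays up, while the other tunnel interfaces never receive keepalive packets and go down.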
 

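Solution

Method 1: Remove the keepalive configuration from the tunnel interfaces, that is, disable the tunnel keepalive function.

Method 2: Configure subinterfaces on the Layer 3 physical interface, and point the source and destination addresses of the different tunnel interfaces at the IP addresses of different subinterfaces.

Recommendations and summary

The keepalive function on tunnel interfaces is often used together with static routes. Encapsulating different tunnel interfaces on the address of the same physical interface is not recommended; if you do so, the keepalive function must be disabled.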
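The condition described above can be checked offline before a configuration is deployed. The following is an added example, not part of the original case or any H3C tool: it scans saved configuration text for keepalive-enabled tunnel interfaces that share the same source/destination pair. The sample configuration, addresses, VPN instance names and the Tunnel3 interface are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the original case); addresses,
# VPN instance names and Tunnel3 are assumptions for illustration only.
SAMPLE_CONFIG = """\
interface Tunnel1 mode gre
 ip binding vpn-instance vpn1
 source 192.0.2.1
 destination 192.0.2.2
 keepalive 5 3
#
interface Tunnel2 mode gre
 ip binding vpn-instance vpn2
 source 192.0.2.1
 destination 192.0.2.2
 keepalive 5 3
#
interface Tunnel3 mode gre
 source 198.51.100.1
 destination 198.51.100.2
 keepalive 5 3
#
"""

def parse_tunnels(config):
    """Return {tunnel name: settings}; 'keepalive' stays False when not configured."""
    tunnels, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (Tunnel\s?\d+)", line)
        kv = re.match(r" +(source|destination|keepalive)\b *(\S*)", line)
        if m:
            current = tunnels.setdefault(m.group(1).replace(" ", ""), {"keepalive": False})
        elif not line.startswith(" "):
            current = None  # left the tunnel interface view ("#" or another section)
        elif current is not None and kv:
            current[kv.group(1)] = kv.group(2) or True  # first argument, or True if none
    return tunnels

def find_keepalive_conflicts(config):
    """Return {(source, destination): [tunnels]} for pairs shared by 2+ keepalive tunnels."""
    groups = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        if t["keepalive"] and "source" in t and "destination" in t:
            groups[(t["source"], t["destination"])].append(name)
    return {pair: sorted(names) for pair, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    print(find_keepalive_conflicts(SAMPLE_CONFIG))
```

Any pair it reports needs either Method 1 (keepalive removed) or Method 2 (distinct subinterface addresses) applied.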

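Case information

Case type: Experience case
Case number: 201712180076
Created: December 18, 2017
Updated: December 27, 2017
Published: 2017/12/27 9:46:12
Article classification: Visible to guests
Validity: Long-term
Publisher: 郑标 [zfw2782]
Views: 1293
Average review score: 0
Keywords: tunnel, keepalive
Product line: High-end routers
Product series: SR6600-X series
Product version: version 7.1.064, Release 7607
Fault type: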
