Amazon Virtual Private Cloud
网络管理员指南
AWS 服务或AWS文档中描述的功能,可能因地区/位置而异。请点击 Amazon AWS 入门,可查看中国地区的具体差异

排查无边界网关协议的 Cisco IOS 客户网关连接性问题

排查 Cisco 客户网关的连接性问题时,您需要考虑三个方面:IKE、IPsec 和隧道。您可以按任何次序对这些方面进行故障排除,不过我们建议您从 IKE 开始 (位于网络堆栈的底部) 并依次向上排除。

IKE

使用以下命令。响应显示带正确配置的 IKE 的客户网关。

router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA dst src state conn-id slot status 174.78.144.73 205.251.233.121 QM_IDLE 2001 0 ACTIVE 174.78.144.73 205.251.233.122 QM_IDLE 2002 0 ACTIVE

您应该可以看到包含隧道中所指定远程网关的 src 的一行或多行。状态应该为 QM_IDLE 并且状况应该为 ACTIVE。任何项的缺乏或任何项处于其他状态均表示 IKE 未正确配置。

如需进一步排除故障,请运行下面的命令以启用可提供诊断信息的日志消息。

router# term mon router# debug crypto isakmp

如需禁用调试,请使用下面的命令。

router# no debug crypto isakmp

IPsec

使用以下命令。响应显示正确配置的 IPsec 的客户网关。

router# show crypto ipsec sa
interface: Tunnel1 Crypto map tag: Tunnel1-head-0, local addr 174.78.144.73 protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 72.21.209.225 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149 #pkts decaps: 146, #pkts decrypt: 146, #pkts verify: 146 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 174.78.144.73, remote crypto endpt.:205.251.233.121 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0 current outbound spi: 0xB8357C22(3090512930) inbound esp sas: spi: 0x6ADB173(112046451) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Tunnel1-head-0 sa timing: remaining key lifetime (k/sec): (4467148/3189) IV size: 16 bytes replay detection support: Y replay window size: 128 Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xB8357C22(3090512930) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Tunnel1-head-0 sa timing: remaining key lifetime (k/sec): (4467148/3189) IV size: 16 bytes replay detection support: Y replay window size: 128 Status: ACTIVE outbound ah sas: outbound pcp sas: interface: Tunnel2 Crypto map tag: Tunnel2-head-0, local addr 205.251.233.122 protected vrf: (none) local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0) current_peer 72.21.209.193 port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26 #pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 174.78.144.73, remote crypto endpt.:205.251.233.122 path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0 current outbound spi: 0xF59A3FF6(4120526838) inbound esp sas: spi: 0xB6720137(3060924727) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 3, flow_id: Motorola SEC 2.0:3, crypto map: Tunnel2-head-0 sa timing: remaining key lifetime (k/sec): (4387273/3492) IV size: 16 bytes replay detection support: Y replay window size: 128 Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xF59A3FF6(4120526838) transform: esp-aes esp-sha-hmac , in use settings ={Tunnel, } conn id: 4, flow_id: Motorola SEC 2.0:4, crypto map: Tunnel2-head-0 sa timing: remaining key lifetime (k/sec): (4387273/3492) IV size: 16 bytes replay detection support: Y replay window size: 128 Status: ACTIVE outbound ah sas: outbound pcp sas:

对于每个隧道接口,您均应看到传入 Esp Sas 和传出 Esp Sas。这一点假定 SA 已列出 (例如 spi: 0x48B456A6),状态为 ACTIVE,并且 IPsec 配置正确。

如需进一步排除故障,请使用下面的命令启用调试。

router# debug crypto ipsec

如需禁用调试,请使用下面的命令。

router# no debug crypto ipsec

隧道

首先,检查必要的防火墙规则是否已布置到位。有关规则列表请查看 在 Internet 和客户网关之间配置防火墙

如果您的防火墙规则设置正确,则请使用下面的命令继续排除故障。

router# show interfaces tun1
Tunnel1 is up, line protocol is up Hardware is Tunnel Internet address is 169.254.249.18/30 MTU 17867 bytes, BW 100 Kbit/sec, DLY 50000 usec, reliability 255/255, txload 2/255, rxload 1/255 Encapsulation TUNNEL, loopback not set Keepalive not set Tunnel source 174.78.144.73, destination 205.251.233.121 Tunnel protocol/transport IPSEC/IP Tunnel TTL 255 Tunnel transport MTU 1427 bytes Tunnel transmit bandwidth 8000 (kbps) Tunnel receive bandwidth 8000 (kbps) Tunnel protection via IPSec (profile "ipsec-vpn-92df3bfb-0") Last input never, output never, output hang never Last clearing of "show interface" counters never Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/0 (size/max) 5 minute input rate 0 bits/sec, 1 packets/sec 5 minute output rate 1000 bits/sec, 1 packets/sec 407 packets input, 30010 bytes, 0 no buffer Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

确保线路协议已运行。检查隧道源 IP 地址、源接口和目的地分别匹配客户网关 IP 地址、接口和虚拟专用网关外部 IP 地址的隧道配置。确保“通过 IPsec 保护隧道”存在。确保在两个隧道接口上运行命令。如需解决任何问题,请核查配置。

您也可以使用下面的命令,将 169.254.249.18 替换为您的虚拟专用网关的内部 IP 地址。

router# ping 169.254.249.18 df-bit size 1410
Type escape sequence to abort. Sending 5, 1410-byte ICMP Echos to 169.254.249.18, timeout is 2 seconds: Packet sent with the DF bit set !!!!!

您应该可以看到五个感叹号。

路由选择

如需查看您的静态路由表,请使用下面的命令。

router# sh ip route static
1.0.0.0/8 is variably subnetted S 10.0.0.0/16 is directly connected, Tunnel1 is directly connected, Tunnel2

您应该可以看到通过两个隧道的 VPC CIDR 静态路由存在。如果不存在,请按此处所示添加静态路由。

router# ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100 router# ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200

检查 SLA 监视器

router# show ip sla statistics 100
IPSLAs Latest Operation Statistics IPSLA operation id: 100 Latest RTT: 128 milliseconds Latest operation start time: *18:08:02.155 UTC Wed Jul 15 2012 Latest operation return code: OK Number of successes: 3 Number of failures: 0 Operation time to live: Forever
router# show ip sla statistics 200
IPSLAs Latest Operation Statistics IPSLA operation id: 200 Latest RTT: 128 milliseconds Latest operation start time: *18:08:02.155 UTC Wed Jul 15 2012 Latest operation return code: OK Number of successes: 3 Number of failures: 0 Operation time to live: Forever

“Number of successes”值表示 SLA 监视器是否已成功设置。

如需进一步排查问题,请核查配置。

虚拟专用网关连接

验证您的虚拟专用网关已连接到 VPC。您的整合团队借助 AWS 管理控制台进行这项操作。

如果您有问题或需要进一步的协助,请使用 Amazon VPC forum