Amazon Virtual Private Cloud
网络管理员指南
AWS 服务或AWS文档中描述的功能,可能因地区/位置而异。请点击 Amazon AWS 入门,可查看中国地区的具体差异

排查无边界网关协议的 Cisco IOS 客户网关连接性问题

排查 Cisco 客户网关的连接性问题时,您需要考虑三个方面:IKE、IPsec 和隧道。您可以按任何次序对这些方面进行故障排除,不过我们建议您从 IKE 开始 (位于网络堆栈的底部) 并依次向上排除。

IKE

使用以下命令。响应显示带正确配置的 IKE 的客户网关。

Copy
router# show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
174.78.144.73 205.251.233.121 QM_IDLE           2001    0 ACTIVE
174.78.144.73 205.251.233.122 QM_IDLE           2002    0 ACTIVE

您应该可以看到包含隧道中所指定远程网关的 src 的一行或多行。状态应该为 QM_IDLE 并且状况应该为 ACTIVE。任何项的缺乏或任何项处于其他状态均表示 IKE 未正确配置。

如需进一步排除故障,请运行下面的命令以启用可提供诊断信息的日志消息。

Copy
router# term mon router# debug crypto isakmp

如需禁用调试,请使用下面的命令。

Copy
router# no debug crypto isakmp

IPsec

使用以下命令。响应显示正确配置的 IPsec 的客户网关。

Copy
router# show crypto ipsec sa
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 174.78.144.73

    protected vrf: (none)
    local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer 72.21.209.225 port 500
     PERMIT, flags={origin_is_acl,}
     #pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
     #pkts decaps: 146, #pkts decrypt: 146, #pkts verify: 146
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 0, #recv errors 0

     local crypto endpt.: 174.78.144.73, remote crypto endpt.:205.251.233.121
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0xB8357C22(3090512930)

     inbound esp sas:
      spi: 0x6ADB173(112046451)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel, }
       conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Tunnel1-head-0
       sa timing: remaining key lifetime (k/sec): (4467148/3189)
       IV size: 16 bytes
       replay detection support: Y  replay window size: 128
       Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB8357C22(3090512930)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel, }
       conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Tunnel1-head-0
       sa timing: remaining key lifetime (k/sec): (4467148/3189)
       IV size: 16 bytes
       replay detection support: Y  replay window size: 128
       Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Tunnel2
     Crypto map tag: Tunnel2-head-0, local addr 205.251.233.122

     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     current_peer 72.21.209.193 port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
     #pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 0, #recv errors 0

     local crypto endpt.: 174.78.144.73, remote crypto endpt.:205.251.233.122
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0xF59A3FF6(4120526838)

     inbound esp sas:
      spi: 0xB6720137(3060924727)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel, }
       conn id: 3, flow_id: Motorola SEC 2.0:3, crypto map: Tunnel2-head-0
       sa timing: remaining key lifetime (k/sec): (4387273/3492)
       IV size: 16 bytes
       replay detection support: Y  replay window size: 128
       Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xF59A3FF6(4120526838)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel, }
       conn id: 4, flow_id: Motorola SEC 2.0:4, crypto map: Tunnel2-head-0
       sa timing: remaining key lifetime (k/sec): (4387273/3492)
       IV size: 16 bytes
       replay detection support: Y  replay window size: 128
       Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

对于每个隧道接口,您均应看到传入 Esp Sas 和传出 Esp Sas。这一点假定 SA 已列出 (例如 spi: 0x48B456A6),状态为 ACTIVE,并且 IPsec 配置正确。

如需进一步排除故障,请使用下面的命令启用调试。

Copy
router# debug crypto ipsec

如需禁用调试,请使用下面的命令。

Copy
router# no debug crypto ipsec

隧道

首先,检查必要的防火墙规则是否已布置到位。有关规则列表请查看 在 Internet 和客户网关之间配置防火墙

如果您的防火墙规则设置正确,则请使用下面的命令继续排除故障。

Copy
router# show interfaces tun1
Tunnel1 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 169.254.249.18/30
  MTU 17867 bytes, BW 100 Kbit/sec, DLY 50000 usec, 
    reliability 255/255, txload 2/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 174.78.144.73, destination 205.251.233.121
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1427 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "ipsec-vpn-92df3bfb-0")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 1 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
    407 packets input, 30010 bytes, 0 no buffer
    Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

确保线路协议已运行。检查隧道源 IP 地址、源接口和目的地分别匹配客户网关 IP 地址、接口和虚拟专用网关外部 IP 地址的隧道配置。确保“通过 IPsec 保护隧道”存在。确保在两个隧道接口上运行命令。如需解决任何问题,请核查配置。

您也可以使用下面的命令,将 169.254.249.18 替换为您的虚拟专用网关的内部 IP 地址。

Copy
router# ping 169.254.249.18 df-bit size 1410
Type escape sequence to abort.
Sending 5, 1410-byte ICMP Echos to 169.254.249.18, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!

您应该可以看到五个感叹号。

路由选择

如需查看您的静态路由表,请使用下面的命令。

Copy
router# sh ip route static
     1.0.0.0/8 is variably subnetted
S       10.0.0.0/16 is directly connected, Tunnel1
is directly connected, Tunnel2

您应该可以看到通过两个隧道的 VPC CIDR 静态路由存在。如果不存在,请按此处所示添加静态路由。

Copy
router# ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100 router# ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200

检查 SLA 监视器

Copy
router# show ip sla statistics 100
IPSLAs Latest Operation Statistics

IPSLA operation id: 100
        Latest RTT: 128 milliseconds
Latest operation start time: *18:08:02.155 UTC Wed Jul  15 2012
Latest operation return code: OK
Number of successes: 3
Number of failures: 0
Operation time to live: Forever
Copy
router# show ip sla statistics 200
IPSLAs Latest Operation Statistics

IPSLA operation id: 200
        Latest RTT: 128 milliseconds
Latest operation start time: *18:08:02.155 UTC Wed Jul  15 2012
Latest operation return code: OK
Number of successes: 3
Number of failures: 0
Operation time to live: Forever

“Number of successes”值表示 SLA 监视器是否已成功设置。

如需进一步排查问题,请核查配置。

虚拟专用网关连接

验证您的虚拟专用网关已连接到 VPC。您的整合团队借助 AWS 管理控制台进行这项操作。

如果您有问题或需要进一步的协助,请使用 Amazon VPC forum