Amazon Virtual Private Cloud
Network Administrator Guide
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with Amazon AWS.

Troubleshooting Juniper ScreenOS Customer Gateway Connectivity

When troubleshooting the connectivity of a Juniper ScreenOS-based customer gateway, consider four things: IKE, IPsec, tunnel, and BGP. You can troubleshoot these areas in any order, but we recommend that you start with IKE (at the bottom of the network stack) and move up.

IKE and IPsec

Use the following command. The response shows a customer gateway with IKE configured correctly.

ssg5-serial-> get sa
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<   72.21.209.225  500 esp:a128/sha1 80041ca4  3385 unlim A/-    -1 0
00000002>   72.21.209.225  500 esp:a128/sha1 8cdd274a  3385 unlim A/-    -1 0
00000001<   72.21.209.193  500 esp:a128/sha1 ecf0bec7  3580 unlim A/-    -1 0
00000001>   72.21.209.193  500 esp:a128/sha1 14bf7894  3580 unlim A/-    -1 0

You should see one or more lines containing a remote address of the remote gateway specified in the tunnels. The Sta value should be A/-, and the SPI should be a hexadecimal number other than 00000000. Entries in any other state indicate that IKE is not configured properly.

For further troubleshooting, enable the IKE trace options (as recommended in the example configuration; see Example: Juniper ScreenOS Device).

Tunnel

First, double-check that you have the necessary firewall rules in place. For a list of the rules, see Configuring a Firewall Between the Internet and Your Customer Gateway.

If your firewall rules are set up correctly, continue troubleshooting with the following command.

ssg5-serial-> get interface tunnel.1
Interface tunnel.1:
description tunnel.1
number 20, if_info 1768, if_index 1, mode route
link ready
vsys Root, zone Trust, vr trust-vr
admin mtu 1500, operating mtu 1500, default mtu 1500
*ip 169.254.255.2/30 *manage ip 169.254.255.2
route-deny disable
bound vpn:
IPSEC-1
Next-Hop Tunnel Binding table
Flag Status Next-Hop(IP) tunnel-id VPN
pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
OSPF disabled BGP enabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
NHRP disabled
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps

Make sure that you see "link:ready", and that the IP address matches the customer gateway tunnel inside address.

Next, use the following command, replacing 169.254.255.1 with the inside IP address of your virtual private gateway. Your results should look like the response shown here.

ssg5-serial-> ping 169.254.255.1
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 169.254.255.1, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=32/32/33 ms

For further troubleshooting, review the configuration.

BGP

Use the following command.

ssg5-serial-> get vrouter trust-vr protocol bgp neighbor
Peer AS Remote IP     Local IP      Wt  Status   State     ConnID Up/Down
--------------------------------------------------------------------------------
7224    169.254.255.1 169.254.255.2 100 Enabled  ESTABLISH 10     00:01:01
7224    169.254.255.5 169.254.255.6 100 Enabled  ESTABLISH 11     00:00:59

Both BGP peers should be listed as State: ESTABLISH, which means the BGP connection to the virtual private gateway is active.
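As an added check (example code written for this page, not from the AWS guide or from Juniper), the following Python parses pasted output of get sa and get vrouter trust-vr protocol bgp neighbor and applies the IKE checks (Sta, SPI, remote gateway present) and the BGP check (State ESTABLISH) described above. The sample outputs are copied from this page; the list of remote gateways is an assumption taken from your tunnel configuration.

```python
# Constructed samples, copied from the healthy outputs shown on this page
GET_SA_OUTPUT = """total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000002<   72.21.209.225  500 esp:a128/sha1 80041ca4  3385 unlim A/-    -1 0
00000002>   72.21.209.225  500 esp:a128/sha1 8cdd274a  3385 unlim A/-    -1 0
00000001<   72.21.209.193  500 esp:a128/sha1 ecf0bec7  3580 unlim A/-    -1 0
00000001>   72.21.209.193  500 esp:a128/sha1 14bf7894  3580 unlim A/-    -1 0
"""
BGP_NEIGHBOR_OUTPUT = """Peer AS Remote IP Local IP Wt Status State ConnID Up/Down
--------------------------------------------------------------------------------
7224 169.254.255.1 169.254.255.2 100 Enabled ESTABLISH 10 00:01:01
7224 169.254.255.5 169.254.255.6 100 Enabled ESTABLISH 11 00:00:59
"""

def check_sa(output, remote_gateways):
    """Return problems in 'get sa' output: every configured remote gateway must
    appear, and each row must show Sta A/- and an SPI other than 00000000."""
    problems, seen = [], set()
    for line in output.splitlines():
        parts = line.split()
        # Data rows start with the 8-digit HEX ID followed by a direction marker
        if len(parts) < 10 or parts[0][-1] not in "<>":
            continue
        gateway, spi, sta = parts[1], parts[4], parts[7]
        seen.add(gateway)
        if sta != "A/-":
            problems.append(f"{gateway}: Sta is {sta}, expected A/-")
        if spi == "00000000":
            problems.append(f"{gateway}: SPI is 00000000, no SA negotiated")
    for gw in remote_gateways:
        if gw not in seen:
            problems.append(f"{gw}: no SA entry for this remote gateway")
    return problems

def bgp_states(output):
    """Map each remote peer IP to its State column in the BGP neighbor table."""
    states = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0].isdigit():  # data rows begin with the peer AS
            states[parts[1]] = parts[5]
    return states

def check_bgp(output):
    """Return problems for peers whose State is anything other than ESTABLISH."""
    return [f"{ip}: BGP state is {state}, expected ESTABLISH"
            for ip, state in bgp_states(output).items() if state != "ESTABLISH"]
```

Call check_sa with the remote gateway addresses from your tunnel configuration; an empty list from both functions means the page's IKE and BGP checks pass.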

For further troubleshooting, use the following command, replacing 169.254.255.1 with the inside IP address of your virtual private gateway.

ssg5-serial-> get vr trust-vr prot bgp neigh 169.254.255.1
peer: 169.254.255.1, remote AS: 7224, admin status: enable
type: EBGP, multihop: 0(disable), MED: node default(0)
connection state: ESTABLISH, connection id: 18 retry interval: node default(120s), cur retry time 15s
configured hold time: node default(90s), configured keepalive: node default(30s)
configured adv-interval: default(30s)
designated local IP: n/a
local IP address/port: 169.254.255.2/13946, remote IP address/port: 169.254.255.1/179
router ID of peer: 169.254.255.1, remote AS: 7224
negotiated hold time: 30s, negotiated keepalive interval: 10s
route map in name: , route map out name:
weight: 100 (default)
self as next hop: disable
send default route to peer: disable
ignore default route from peer: disable
send community path attribute: no
reflector client: no
Neighbor Capabilities:
Route refresh: advertised and received
Address family IPv4 Unicast: advertised and received
force reconnect is disable
total messages to peer: 106, from peer: 106
update messages to peer: 6, from peer: 4
Tx queue length 0, Tx queue HWM: 1
route-refresh messages to peer: 0, from peer: 0
last reset 00:05:33 ago, due to BGP send Notification(Hold Timer Expired)(code 4 : subcode 0)
number of total successful connections: 4
connected: 2 minutes 6 seconds
Elapsed time since last update: 2 minutes 6 seconds

If the BGP peer is up, verify that your customer gateway router is advertising the default route (0.0.0.0/0) to the VPC. Note that this command applies to ScreenOS version 6.2.0 and higher.

ssg5-serial-> get vr trust-vr protocol bgp rib neighbor 169.254.255.1 advertised
i: IBGP route, e: EBGP route, >: best route, *: valid route
Prefix      Nexthop    Wt    Pref  Med  Orig  AS-Path
--------------------------------------------------------------------------------------
>i 0.0.0.0/0   0.0.0.0    32768 100   0    IGP
Total IPv4 routes advertised: 1

Additionally, ensure that you are receiving the prefix corresponding to your VPC from the virtual private gateway. Note that this command applies to ScreenOS version 6.2.0 and higher.

ssg5-serial-> get vr trust-vr protocol bgp rib neighbor 169.254.255.1 received
i: IBGP route, e: EBGP route, >: best route, *: valid route
Prefix        Nexthop        Wt   Pref  Med  Orig  AS-Path
--------------------------------------------------------------------------------------
>e* 10.0.0.0/16  169.254.255.1  100  100   100  IGP   7224
Total IPv4 routes received: 1

Virtual Private Gateway Attachment

Ensure that your virtual private gateway is attached to your VPC. Your integration team does this using the AWS Management Console.

If you have questions or need further assistance, use the Amazon VPC forum.