Amazon Virtual Private Cloud
Network Administrator Guide
The AWS services or features described in the AWS documentation may vary by region or location. Click Getting Started with Amazon AWS to see the specific differences that apply to the China (Beijing) Region.

Troubleshooting Juniper JunOS Customer Gateway Connectivity

When troubleshooting the connectivity of a Juniper customer gateway, you need to consider four things: IKE, IPsec, the tunnel, and BGP. You can troubleshoot these areas in any order, but we recommend that you start with IKE (at the bottom of the network stack) and work your way up.

IKE

Use the following command. The response shows a customer gateway with IKE configured correctly.

user@router> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
4       72.21.209.225   UP     c4cd953602568b74  0d6d194993328b02  Main
3       72.21.209.193   UP     b8c8fb7dc68d9173  ca7cb0abaedeb4bb  Main

You should see one or more lines containing a remote address of the remote gateway specified in the tunnels. The state should be UP. The absence of any entry, or any entry in another state (for example DOWN), indicates that IKE is not configured properly.

For further troubleshooting, enable the IKE trace options as recommended in the example configuration (see Example: Juniper J-Series JunOS Device). Then run the following command to print a variety of debugging messages to the screen.

user@router> monitor start kmd

From an external host, you can retrieve the entire log file with the following command.

scp username@router.hostname:/var/log/kmd

IPsec

Use the following command. The response shows a customer gateway with IPsec configured correctly.

user@router> show security ipsec security-associations
Total active tunnels: 2
ID      Gateway        Port  Algorithm        SPI      Life:sec/kb Mon vsys
<131073 72.21.209.225  500   ESP:aes-128/sha1 df27aae4 326/ unlim   -   0
>131073 72.21.209.225  500   ESP:aes-128/sha1 5de29aa1 326/ unlim   -   0
<131074 72.21.209.193  500   ESP:aes-128/sha1 dd16c453 300/ unlim   -   0
>131074 72.21.209.193  500   ESP:aes-128/sha1 c1e0eb29 300/ unlim   -   0

Specifically, you should see at least two lines per gateway address (corresponding to the remote gateway). Note the carets (< and >) at the beginning of each line, which indicate the direction of traffic for that entry. The output has separate lines for inbound traffic ("<", traffic from the virtual private gateway to this customer gateway) and outbound traffic (">").

For further troubleshooting, enable the IKE trace options (for more information, see the preceding section about IKE).
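The two checks above (every expected remote gateway has an IKE SA in state UP, and both an inbound "<" and an outbound ">" IPsec SA) are easy to miss by eye when a router carries many tunnels. The following Python script is an added example, not part of this guide or of Juniper's tooling: it parses the two command outputs (the sample text embedded below is copied from the example output above; the gateway list and the `check_tunnels` function are assumptions of this example) and reports what is missing or in the wrong state.

```python
import re

# Sample output, copied from the page's 'show security ike security-associations' example.
IKE_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
4       72.21.209.225   UP     c4cd953602568b74  0d6d194993328b02  Main
3       72.21.209.193   UP     b8c8fb7dc68d9173  ca7cb0abaedeb4bb  Main
"""

# Sample output, copied from the page's 'show security ipsec security-associations' example.
IPSEC_OUTPUT = """\
Total active tunnels: 2
ID      Gateway        Port  Algorithm        SPI      Life:sec/kb Mon vsys
<131073 72.21.209.225  500   ESP:aes-128/sha1 df27aae4 326/ unlim   -   0
>131073 72.21.209.225  500   ESP:aes-128/sha1 5de29aa1 326/ unlim   -   0
<131074 72.21.209.193  500   ESP:aes-128/sha1 dd16c453 300/ unlim   -   0
>131074 72.21.209.193  500   ESP:aes-128/sha1 c1e0eb29 300/ unlim   -   0
"""

# One IKE SA row: index, remote address, state, initiator cookie, responder cookie, mode.
IKE_ROW = re.compile(
    r"^\s*(\d+)\s+(\d+(?:\.\d+){3})\s+(\S+)\s+([0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)"
)
# One IPsec SA row: direction caret, id, gateway, port, algorithm, SPI.
IPSEC_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s+(\S+)\s+([0-9a-f]+)"
)


def parse_ike(text):
    """Map each remote address to its IKE SA state (header lines do not match)."""
    sas = {}
    for line in text.splitlines():
        m = IKE_ROW.match(line)
        if m:
            sas[m.group(2)] = m.group(3)
    return sas


def parse_ipsec(text):
    """Map each gateway to its inbound ('<') and outbound ('>') SPIs."""
    sas = {}
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            direction, _sa_id, gateway, _port, _algo, spi = m.groups()
            sas.setdefault(gateway, {"<": [], ">": []})[direction].append(spi)
    return sas


def check_tunnels(expected_gateways, ike_text, ipsec_text):
    """Return a list of findings; an empty list means IKE and IPsec look healthy.

    expected_gateways: the virtual private gateway outside addresses from the
    tunnel configuration (an assumption of this example).
    """
    findings = []
    ike = parse_ike(ike_text)
    ipsec = parse_ipsec(ipsec_text)
    for gw in expected_gateways:
        state = ike.get(gw)
        if state is None:
            findings.append(f"{gw}: no IKE SA (IKE is not configured properly)")
        elif state != "UP":
            findings.append(f"{gw}: IKE SA state is {state}, expected UP")
        directions = ipsec.get(gw, {"<": [], ">": []})
        for caret, label in (("<", "inbound"), (">", "outbound")):
            if not directions[caret]:
                findings.append(f"{gw}: no {label} IPsec SA")
    return findings


if __name__ == "__main__":
    for finding in check_tunnels(["72.21.209.225", "72.21.209.193"], IKE_OUTPUT, IPSEC_OUTPUT):
        print(finding)
    print("checked")
```

In practice you would feed the script the live output (for example captured over SSH) instead of the embedded sample; a one-directional IPsec SA shows up as a separate "no inbound/outbound IPsec SA" finding, which is the case the carets are there to reveal.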

Tunnel

First, double-check that the necessary firewall rules are in place. For a list of the rules, see Configuring a Firewall Between the Internet and Your Customer Gateway.

If your firewall rules are set up correctly, continue troubleshooting with the following command.

user@router> show interfaces st0.1
 Logical interface st0.1 (Index 70) (SNMP ifIndex 126)
    Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 8719
    Output packets: 41841
    Security: Zone: Trust
    Allowed host-inbound traffic : bgp ping ssh traceroute
    Protocol inet, MTU: 9192
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
      Destination: 169.254.255.0/30, Local: 169.254.255.2

Make sure that the "Security: Zone" is correct and that the "Local" address matches the customer gateway tunnel inside address.

Next, use the following command, replacing 169.254.255.1 with the inside IP address of your virtual private gateway. Your results should look like the response shown here.

user@router> ping 169.254.255.1 size 1382 do-not-fragment
PING 169.254.255.1 (169.254.255.1): 1410 data bytes
64 bytes from 169.254.255.1: icmp_seq=0 ttl=64 time=71.080 ms
64 bytes from 169.254.255.1: icmp_seq=1 ttl=64 time=70.585 ms

For further troubleshooting, review the configuration.
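The interface check in this section comes down to a few fields in the `show interfaces st0.1` output: the security zone, the local (inside) tunnel address, whether that address actually lies in the tunnel's /30, and whether the packet counters move. The following Python script is an added example, not part of this guide or of any Juniper tool; it parses the sample output copied from above (the expected zone and address passed to `check_tunnel_interface` are assumptions of this example, and the requirement that `bgp` and `ping` appear in the allowed host-inbound traffic is this example's reading of the later ping and BGP checks, not a statement from the guide).

```python
import ipaddress
import re

# Sample output, copied from the page's 'show interfaces st0.1' example.
ST0_OUTPUT = """\
 Logical interface st0.1 (Index 70) (SNMP ifIndex 126)
    Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 8719
    Output packets: 41841
    Security: Zone: Trust
    Allowed host-inbound traffic : bgp ping ssh traceroute
    Protocol inet, MTU: 9192
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
      Destination: 169.254.255.0/30, Local: 169.254.255.2
"""

ADDR_ROW = re.compile(r"Destination:\s*(\S+),\s*Local:\s*(\S+)")


def parse_st0(text):
    """Pull the fields the tunnel check needs out of the interface output."""
    info = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Security: Zone:"):
            info["zone"] = line.split(":")[-1].strip()
        elif line.startswith("Allowed host-inbound traffic"):
            info["host_inbound"] = set(line.split(":", 1)[1].split())
        elif line.startswith("Input packets"):
            info["input_packets"] = int(line.split(":")[1])
        elif line.startswith("Output packets"):
            info["output_packets"] = int(line.split(":")[1])
        elif "MTU:" in line:
            info["mtu"] = int(line.split("MTU:")[1])
        else:
            m = ADDR_ROW.search(line)
            if m:
                info["destination"], info["local"] = m.group(1), m.group(2)
    return info


def check_tunnel_interface(info, expected_zone, expected_local):
    """Return findings for the st0.1 check; an empty list means it passed.

    expected_zone / expected_local come from your own tunnel configuration
    (assumed inputs of this example).
    """
    findings = []
    if info.get("zone") != expected_zone:
        findings.append(f"zone is {info.get('zone')}, expected {expected_zone}")
    if info.get("local") != expected_local:
        findings.append(f"local address is {info.get('local')}, expected {expected_local}")
    elif ipaddress.ip_address(info["local"]) not in ipaddress.ip_network(
        info["destination"], strict=False
    ):
        findings.append(f"local address {info['local']} is outside tunnel network {info['destination']}")
    # Assumption of this example: the later ping and BGP checks need these services allowed.
    for needed in ("bgp", "ping"):
        if needed not in info.get("host_inbound", set()):
            findings.append(f"host-inbound traffic does not allow {needed}")
    if info.get("input_packets", 0) == 0:
        findings.append("no packets received on the tunnel interface")
    return findings


if __name__ == "__main__":
    parsed = parse_st0(ST0_OUTPUT)
    for finding in check_tunnel_interface(parsed, "Trust", "169.254.255.2"):
        print(finding)
    print("checked")
```

Running the check twice a few seconds apart and comparing `input_packets` is a cheap way to confirm the virtual private gateway is actually sending traffic before you move on to the ping test.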

BGP

Use the following command.

user@router> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 2          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
169.254.255.1          7224          9         10       0       0        1:00 1/1/1/0              0/0/0/0
169.254.255.5          7224          8          9       0       0          56 0/1/1/0              0/0/0/0

For further troubleshooting, use the following command, replacing 169.254.255.1 with the inside IP address of your virtual private gateway.

user@router> show bgp neighbor 169.254.255.1
Peer: 169.254.255.1+179 AS 7224 Local: 169.254.255.2+57175 AS 65000
  Type: External    State: Established    Flags: <ImportEval Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Export: [ EXPORT-DEFAULT ] 
  Options: <Preference HoldTime PeerAS LocalAS Refresh>
  Holdtime: 30 Preference: 170 Local AS: 65000 Local System AS: 0
  Number of flaps: 0
  Peer ID: 169.254.255.1    Local ID: 10.50.0.10       Active Holdtime: 30
  Keepalive Interval: 10         Peer index: 0   
  BFD: disabled, down
  Local Interface: st0.1                            
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Restart time configured on the peer: 120
  Stale routes from peer are kept for: 300
  Restart time requested by this peer: 120
  NLRI that peer supports restart for: inet-unicast
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer supports 4 byte AS extension (peer-as 7224)
  Table inet.0 Bit: 10000
    RIB State: BGP restart is complete
    Send state: in sync
    Active prefixes:              1
    Received prefixes:            1
    Accepted prefixes:            1
    Suppressed due to damping:    0
    Advertised prefixes:          1
Last traffic (seconds): Received 4    Sent 8    Checked 4   
Input messages:  Total 24     Updates 2       Refreshes 0     Octets 505
Output messages: Total 26     Updates 1       Refreshes 0     Octets 582
Output Queue[0]: 0

Here, you should see "Received prefixes" and "Advertised prefixes" listed separately. These should be within the "Table inet.0" section.

If the state is not Established, check the Last State and Last Error for details about what is needed to correct the problem.

If the BGP peering is up, verify that your customer gateway router is advertising the default route (0.0.0.0/0) to the VPC.

user@router> show route advertising-protocol bgp 169.254.255.1
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               Self                                    I

Additionally, make sure that you are receiving the prefix corresponding to your VPC from the virtual private gateway.

user@router> show route receive-protocol bgp 169.254.255.1
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 10.110.0.0/16           169.254.255.1        100                7224 I
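The BGP checks in this section are three questions: is each peer Established (in `show bgp summary` an Established peer shows the active/received/accepted/damped counts in the State column, any other peer shows a state name such as Active or Idle there), is 0.0.0.0/0 being advertised, and is the VPC prefix being received. The following Python script is an added example, not part of this guide or of Juniper's tooling: it parses the three command outputs (the sample text is copied from the example outputs above; the `check_bgp` function and its peer and VPC-CIDR arguments are assumptions of this example) and reports which of the three questions has a wrong answer.

```python
import re

# Sample output, copied from the page's 'show bgp summary' example.
BGP_SUMMARY = """\
Groups: 1 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 2          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
169.254.255.1          7224          9         10       0       0        1:00 1/1/1/0              0/0/0/0
169.254.255.5          7224          8          9       0       0          56 0/1/1/0              0/0/0/0
"""

# Sample output, copied from the page's 'show route advertising-protocol bgp' example.
ADVERTISED = """\
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               Self                                    I
"""

# Sample output, copied from the page's 'show route receive-protocol bgp' example.
RECEIVED = """\
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 10.110.0.0/16           169.254.255.1        100                7224 I
"""

# Peer row: peer, AS, InPkt, OutPkt, OutQ, Flaps, Last Up/Dwn, then the State column.
SUMMARY_ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s+\S+\s+(\S+)"
)
# An Established peer shows Active/Received/Accepted/Damped counts instead of a state name.
ESTABLISHED_COUNTS = re.compile(r"\d+/\d+/\d+/\d+")
# Route row: optional active marker '*', prefix, next hop.
PREFIX_ROW = re.compile(r"^\*?\s*(\d+(?:\.\d+){3}/\d+)\s+(\S+)")


def parse_bgp_summary(text):
    """Map each peer address to its AS and whether the session is Established."""
    peers = {}
    for line in text.splitlines():
        m = SUMMARY_ROW.match(line)
        if m:
            peer, peer_as, state = m.group(1), int(m.group(2)), m.group(3)
            peers[peer] = {
                "as": peer_as,
                "state": state,
                "established": ESTABLISHED_COUNTS.fullmatch(state) is not None,
            }
    return peers


def parse_prefixes(text):
    """Map each prefix in a route listing to its next hop."""
    routes = {}
    for line in text.splitlines():
        m = PREFIX_ROW.match(line)
        if m:
            routes[m.group(1)] = m.group(2)
    return routes


def check_bgp(summary_text, advertised_text, received_text, vpg_inside_ip, vpc_cidr):
    """Return findings for one peer; an empty list means the three BGP checks passed."""
    findings = []
    peer = parse_bgp_summary(summary_text).get(vpg_inside_ip)
    if peer is None:
        findings.append(f"{vpg_inside_ip}: peer not present in 'show bgp summary'")
    elif not peer["established"]:
        findings.append(f"{vpg_inside_ip}: BGP session state is {peer['state']}, expected Established")
    if "0.0.0.0/0" not in parse_prefixes(advertised_text):
        findings.append(f"{vpg_inside_ip}: default route 0.0.0.0/0 is not being advertised")
    if vpc_cidr not in parse_prefixes(received_text):
        findings.append(f"{vpg_inside_ip}: VPC prefix {vpc_cidr} not received from the virtual private gateway")
    return findings


if __name__ == "__main__":
    for finding in check_bgp(BGP_SUMMARY, ADVERTISED, RECEIVED, "169.254.255.1", "10.110.0.0/16"):
        print(finding)
    print("checked")
```

Run the same check against the second peer (169.254.255.5 in the sample) with its own advertising-protocol and receive-protocol output; a finding on only one of the two tunnels usually points at that tunnel's configuration rather than at the VPC side.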

Virtual Private Gateway Attachment

Make sure that your virtual private gateway is attached to your VPC. Your integration team does this using the AWS Management Console.

If you have questions or need further assistance, use the Amazon VPC forum.