Case 1: RSR20X-28 router IPsec VPN intermittent service outage, recovering after 1 hour

I. Fault symptoms

The GRE over IPsec tunnel between an RSR20-X-28 router and a third-party vendor's device went down, interrupting intranet services.

II. Troubleshooting and analysis

Analysis of the fault logs shows that after the link failed, our IPsec tunnel was not torn down while the peer tore down its side; when the link recovered, the IPsec session could not be re-established. Only after 1 hour, when the IPsec SA soft lifetime expired, was IPsec renegotiated and service restored. The key logs from that day are as follows:
002751: *Apr 17 10:05:47: %TRACK-6-STATE_CHANGE: Track 1, changed state to down
002752: *Apr 17 10:05:57: %TRACK-6-STATE_CHANGE: Track 1, changed state to up
002753: *Apr 17 10:06:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel 10, changed state to down.
002754: *Apr 17 10:06:05: %OSPF-5-ADJCHG: Process 1, Nbr 10.248.0.7-Tunnel 10 from Full to Down, KillNbr.
002755: *Apr 17 10:10:44: %7: Send NAT-Keepalive pkt to 42.62.74.228.
...
Ipsec SA to 42.62.74.228 soft-life-timeout, will re-negotiate sab!
002766: *Apr 17 11:01:00: %7: set acquire!
002767: *Apr 17 11:01:00: %7: Acqurire negociate with map center
002768: *Apr 17 11:01:00: %7: map 1 local ip 192.168.1.3
002769: *Apr 17 11:01:00: %7: use state 1 negotiate!
002770: *Apr 17 11:01:00: %7: ++++++++++++++Fill quick sa's
002816: *Apr 17 11:01:00: %7: ike's tunnel (number=1)established.
002817: *Apr 17 11:01:00: %7: IKE message packet process over.
002818: *Apr 17 11:01:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel 10, changed state to up.
002819: *Apr 17 11:01:06: %OSPF-5-ADJCHG: Process 1, Nbr 10.248.0.7-Tunnel 10 from Down to Init, HelloReceived.
002820: *Apr 17 11:01:11: %OSPF-5-ADJCHG: Process 1, Nbr 10.248.0.7-Tunnel 10 from Loading to Full, LoadingDone.
002821: *Apr 17 11:01:27: %SYS-6-CLOCKUPDATE: System clock has been updated to 11:01:27 beijing Mon Apr 17 2017. dpd_mode(3).
002771: *Apr 17 11:01:00: %7: (8192) Beginning Quick Mode exchange, M-ID of 1247994033
002772: *Apr 17 11:01:00: %7: must_be_tunnel 0, original transform encap mode 1
002773: *Apr 17 11:01:00: %7: Set transet encapsulation 3, nat 1
002774: *Apr 17 11:01:00: %7: life seconds 3600
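The pattern the logs show (line protocol on Tunnel 10 down at 10:06, no IKE activity, recovery only when IKE renegotiates at 11:01) can be picked out mechanically. The script below is an added example written for this page, not a Ruijie tool: it parses a constructed sample modelled on the log lines quoted above, pairs each tunnel "down" with its next "up", and flags any outage longer than a threshold where recovery coincided with an IKE re-establishment, which is the signature of a stale SA that waited for lifetime expiry rather than DPD. The year (2017, taken from the CLOCKUPDATE line), the 5-minute threshold, and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample, modelled on the key log lines quoted in this case.
SAMPLE_LOG = """\
002751: *Apr 17 10:05:47: %TRACK-6-STATE_CHANGE: Track 1, changed state to down
002753: *Apr 17 10:06:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel 10, changed state to down.
002755: *Apr 17 10:10:44: %7: Send NAT-Keepalive pkt to 42.62.74.228.
002766: *Apr 17 11:01:00: %7: set acquire!
002816: *Apr 17 11:01:00: %7: ike's tunnel (number=1)established.
002818: *Apr 17 11:01:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel 10, changed state to up.
"""

# "<seq>: *<Mon> <day> <HH:MM:SS>: <message>" -- the router omits the year.
LINE_RE = re.compile(r"^\d+: \*(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}): (?P<msg>.*)$")
TUNNEL_RE = re.compile(
    r"Line protocol on Interface (?P<ifname>Tunnel \d+), changed state to (?P<state>up|down)"
)
IKE_UP_RE = re.compile(r"ike's tunnel \(number=\d+\)established")


def parse_line(line, year):
    """Split one syslog line into (timestamp, message); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["msg"]


def find_slow_tunnel_recoveries(log_text, year=2017, max_wait=timedelta(minutes=5)):
    """Return tunnels whose line protocol stayed down longer than max_wait.

    Each finding records when the tunnel went down and came back, the outage
    length in seconds, and whether an IKE re-establishment was logged during
    the outage (i.e. the tunnel only returned once IKE/IPsec renegotiated).
    A long outage that ends exactly when IKE renegotiates points at a stale SA
    that was never torn down locally, which DPD would have detected.
    """
    down_at = {}          # interface -> time it went down
    ike_established = []  # timestamps of IKE tunnel establishment
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw, year)
        if parsed is None:
            continue
        ts, msg = parsed
        if IKE_UP_RE.search(msg):
            ike_established.append(ts)
            continue
        t = TUNNEL_RE.search(msg)
        if not t:
            continue
        ifname, state = t["ifname"], t["state"]
        if state == "down":
            down_at[ifname] = ts
        elif ifname in down_at:
            started = down_at.pop(ifname)
            outage = ts - started
            if outage > max_wait:
                findings.append({
                    "interface": ifname,
                    "down_at": started,
                    "up_at": ts,
                    "outage_seconds": int(outage.total_seconds()),
                    "recovered_by_renegotiation": any(started <= e <= ts for e in ike_established),
                })
    return findings


if __name__ == "__main__":
    for f in find_slow_tunnel_recoveries(SAMPLE_LOG):
        print(f"{f['interface']}: down {f['outage_seconds']} s "
              f"({f['down_at']:%H:%M:%S} -> {f['up_at']:%H:%M:%S}), "
              f"recovered by IKE renegotiation: {f['recovered_by_renegotiation']}")
```

Run against the sample, it reports Tunnel 10 down for 3296 seconds (10:06:05 to 11:01:01) with recovery tied to the IKE re-establishment. Feeding it a router's full log after enabling DPD should show outages bounded by the DPD interval rather than by the SA lifetime.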

III. Root cause

When the GRE over IPsec tunnel was established with the third-party vendor's device, that device detected the line fault and cleared its IPsec tunnel, but did not notify our router to tear down its IKE phase 1 and phase 2 (IPsec) SAs. As a result, terminals behind our router could not ping upstream services, and recovery had to wait 1 hour for the SA lifetime to expire. Our router therefore needs DPD (Dead Peer Detection) enabled so that it actively probes the peer, automatically detects whether the peer's tunnel has been torn down, and keeps the IPsec VPN tunnel valid.

IV. Solution

crypto isakmp keepalive 5 2 per ---> configures DPD probes to be sent periodically.