OpenForum RSS: Непонятная проблема с классическим ipsec https://opennet.ru/openforum/vsluhforumID6/1356.html Всем привет, может кто сталкивался.<br>Ситуация следующая: Есть 2821, на ней терминируются порядка 100 ipsec тунелей site-to-site.<br>Все реализовано на crypto map. все прекрасно и все хорошо работает уже не один месяц, но.... в какой то момент все тунели падают в одно время.<br><br>конфиг касающийся тунелей на 2821:<br><br>crypto isakmp invalid-spi-recovery<br>crypto isakmp keepalive 20 5 periodic<br>crypto isakmp nat keepalive 10<br><br>crypto isakmp policy 2<br> encr 3des<br> hash md5<br> authentication pre-share<br> group 2<br><br>crypto ipsec transform-set 3DES_MD5 esp-3des esp-md5-hmac<br>crypto ipsec transform-set 3DES_SHA esp-3des esp-sha-hmac<br><br>crypto map Inet 1 ipsec-isakmp<br> description ---<br> set peer A.A.A.A<br> set transform-set 3DES_MD5<br> match address 124<br> reverse-route static<br><br>interface GigabitEthernet0/1<br> description --- Internet ---<br> ip address B.B.B.B<br> standby version 2<br> standby 2 ip C.C.C.C<br> standby 2 priority 200<br> standby 2 preempt<br> standby 2 name Internet<br> duplex auto<br> speed auto<br> crypto map Inet redundancy I Непонятная проблема с классическим ipsec (vidershpan) https://opennet.ru/openforum/vsluhforumID6/1356.html#1 Tue, 27 May 2014 05:04:40 GMT debug crypto isa c 870ой железки:<br><br>*May 27 12:44:11: ISAKMP:(0): SA request profile is (NULL)<br>*May 27 12:44:11: ISAKMP: Found a peer struct for C.C.C.C, peer port 500<br>*May 27 12:44:11: ISAKMP: Locking peer struct 0x83F14820, refcount 3 for isakmp_initiator<br>*May 27 12:44:11: ISAKMP: local port 500, remote port 500<br>*May 27 12:44:11: ISAKMP: set new node 0 to QM_IDLE<br>*May 27 12:44:11: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8571A10C<br>*May 27 12:44:11: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.<br>*May 27 12:44:11: ISAKMP:(0):found peer pre-shared key matching C.C.C.C<br>*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID<br>*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-07 ID<br>*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-03 ID<br>*May 27 12:44:11: ISAKMP:(0): constructed NAT-T vendor-02 ID<br>*May 27 12:44:11: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM<br>*May 27 12:44:11: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1