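1. No debug: explaining the trigger process

    -------> Router --map----->

1. The packet enters the router (route check), and routing steers the traffic out of the appropriate interface.
   ****** No route to the remote communication endpoint, or the route does not steer traffic to the correct interface.
2. The packet hits the (map) on the interface.
   ****** There is no map under the correct interface.
3. The traffic matches the map's (acl), which triggers encryption.
   ****** The acl configured in the map is wrong and cannot match the interesting traffic.
4. IKE negotiation with the peer starts; the negotiation packets are checked against (routing) toward the remote peer.
   ****** No route to the remote peer (the encryption endpoint).

Possible errors
logging console

Interesting traffic
   ****** No route to the remote communication endpoint, or the route does not steer traffic to the correct interface.
   ****** There is no map under the correct interface.
   ****** The acl configured in the map is wrong and cannot match the interesting traffic.

peer
   ****** No route to the remote peer (the encryption endpoint).
   ****** NAT changes the interesting traffic; the interesting traffic must be excluded in NAT.
   ****** Retype and re-apply.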

2. With debug

MM 1--2
Main purpose: peer. Proposals

Possible errors

1.
(2500)
    10:41:57: ISAKMP (0:2): sending packet to 22.22.22.22 (I) MM_NO_STATE
    10:41:57: ISAKMP (0:2): received packet from 22.22.22.22 (I) MM_NO_STATE
    10:41:57: ISAKMP (0:2): Notify has no hash. Rejected.
(2600)
    *Mar 1 00:15:34.515: ISAKMP: reserved not zero on NOTIFY payload!
    *Mar 1 00:15:34.515: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 150.100.1.2 failed its sanity check or is malformed.
Policy error: check the authentication policy, hash policy, group policy, encryption policy and lifetime policy.

2.
(2500)
    11:00:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 22.22.22.22 ...
(2600)
    *Mar 1 00:20:27.800: ISAKMP: reserved not zero on NOTIFY payload!
    *Mar 1 00:20:27.800: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 150.100.1.2 failed its sanity check or is malformed
Update-source error: check whether the local update source is the address the remote side has set as its peer, and whether cry map cisco local-address is used correctly.

3.
(2500)
    10:49:08: ISAKMP (0:1): No Cert or pre-shared address key.
    10:49:08: ISAKMP (0:1): Can not start Main mode
    10:49:08: ISAKMP (0:1): Can not start aggressive mode.
    10:49:08: ISAKMP (0:1): purging SA.
    10:49:08: ISAKMP (0:1): purging node -1300701206......
(2600)
    *Mar 1 00:28:49.066: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
    *Mar 1 00:28:49.066: ISAKMP: Looking for a matching key for 150.100.1.100 in default
    *Mar 1 00:28:49.066: ISAKMP: Looking for a matching key for 150.100.1.100 in keyring
    *Mar 1 00:28:49.0.66: ISAKMP (0:1): No pre-shared key with 150.100.1.100!
    *Mar 1 00:28:49.066: ISAKMP (0:1): No Cert or pre-shared address key.
    *Mar 1 00:28:49.070: ISAKMP (0:1): construct_initial_message: Can not start Main mode
    *Mar 1 00:28:49.070: ISAKMP (0:1): purging SA., sa=82D9802C, delme=82D9802C
    *Mar 1 00:28:49.070: ISAKMP (0:1): purging node 889095291..
Peer error: check that the address following cry isa key cisco address is the same as the set peer address under the cry map.
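
The log signatures from errors 1 to 3 above, turned into a small triage script that attributes each message to a peer and lists the checks to make. This is an added example, not code from the original post; the names triage, CHECKS and SIGNATURES are assumptions, and the sample lines are constructed from the debug output quoted above.

```python
import re
from collections import defaultdict

# What to check for each cause, as stated under errors 1-3 above.
CHECKS = {
    "policy": "IKE policy mismatch: authentication, hash, group, encryption, lifetime",
    "update-source": "local update source vs. peer set remotely (cry map cisco local-address)",
    "peer-key": "cry isa key cisco address must equal set peer under the cry map",
}
# Log signature -> candidate causes. The 2600 BAD_MESSAGE line is quoted under
# both error 1 and error 2, so it maps to two candidates.
SIGNATURES = [
    (re.compile(r"Notify has no hash\. Rejected"), ("policy",)),
    (re.compile(r"%CRYPTO-4-IKMP_BAD_MESSAGE"), ("policy", "update-source")),
    (re.compile(r"%CRYPTO-6-IKMP_MODE_FAILURE"), ("update-source",)),
    (re.compile(r"No pre-shared key with|No Cert or pre-shared address key"), ("peer-key",)),
]
SA_RE = re.compile(r"ISAKMP \((\d+:\d+)\)")
IP_RE = re.compile(r"\b(?:to|from|with|at|for) (\d{1,3}(?:\.\d{1,3}){3})\b")

def triage(log_text):
    """Return {peer: sorted candidate causes}; assumes one message per line."""
    sa_peer = {}                      # SA id such as "0:2" -> last peer seen
    findings = defaultdict(set)
    for line in log_text.splitlines():
        sa, ip = SA_RE.search(line), IP_RE.search(line)
        sa_id = sa.group(1) if sa else None
        if ip and sa_id:
            sa_peer[sa_id] = ip.group(1)
        # Lines that carry no address are attributed through their SA id.
        peer = ip.group(1) if ip else sa_peer.get(sa_id, "unknown")
        for pattern, causes in SIGNATURES:
            if pattern.search(line):
                findings[peer].update(causes)
    return {peer: sorted(causes) for peer, causes in findings.items()}

# Constructed sample: one-line versions of the debug messages quoted above.
SAMPLE = """\
10:41:57: ISAKMP (0:2): received packet from 22.22.22.22 (I) MM_NO_STATE
10:41:57: ISAKMP (0:2): Notify has no hash. Rejected.
11:00:06: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 22.22.22.22
*Mar 1 00:15:34.515: %CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from 150.100.1.2 failed its sanity check or is malformed.
*Mar 1 00:28:49.066: ISAKMP (0:1): No pre-shared key with 150.100.1.100!
*Mar 1 00:28:49.066: ISAKMP (0:1): No Cert or pre-shared address key.
"""

if __name__ == "__main__":
    for peer, causes in triage(SAMPLE).items():
        print(peer, "->", "; ".join(CHECKS[c] for c in causes))
```
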

4.
(2500)
    2d15h: ISAKMP (0:3): sending packet to 123.1.1.2 (I) MM_NO_STATE.....
    2d15h: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE...
    2d15h: ISAKMP (0:3): incrementing error counter on sa: retransmit phase 1
    2d15h: ISAKMP (0:3): retransmitting phase 1 MM_NO_STATE
    2d15h: ISAKMP (0:3): sending packet to 123.1.1.2 (I) MM_NO_STATE.
    2d15h: ISAKMP (0:2): purging node -1637699089....
(2600)
    *Mar 1 00:36:46.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
    *Mar 1 00:36:46.905: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    *Mar 1 00:36:46.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
    *Mar 1 00:36:46.905: ISAKMP (0:1): sending packet to 150.100.1.2 my_port 500 peer_port 500 (I) MM_NO_STATE.....
    *Mar 1 00:36:56.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
    *Mar 1 00:36:56.905: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
    *Mar 1 00:36:56.905: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
    *Mar 1 00:36:56.905: ISAKMP (0:1): sending packet to 150.100.1.2 my_port 500