manualshive.com logo in svg

H3C MSR Series, Руководство по устранению неисправностей, Страница: 26 / 28

Поделиться
Скачать
H3C MSR Series Скачать руководство пользователя страница 26

24 

3. 

Display the IPsec policy configuration on the initiator and the receiver. The following shows the 
IPsec policy configuration on the receiver: 

ipsec policy hzbank 7000 isakmp 

transform-set 1  

security acl 3000  

ike-profile 1 

reverse-route dynamic 

reverse-route tag 10 

4. 

Verify that the transform set configuration (such as the encryption and authentication algorithms) 
is consistent on both devices. 

5. 

Check whether the remote IP address is configured in the IPsec policy. If not, configure the 
remote IP address in the IPsec policy, for example: 

[Router]ipsec policy hzbank 7000 isakmp 

[Router-ipsec-policy-isakmp-hzbank-7000]remote-address 10.1.1.1 

 

 

NOTE: 

The initiator and the receiver must specify the remote IP address of the IPsec tunnel by using 
the 

remote-address

 command in the IPsec policy. If the receiver uses an IPsec policy 

template, the remote IP address configuration is optional on the receiver. 

 

6. 

Verify that the protection flows configuration is consistent on both devices.  
IPsec uses ACLs to identify the traffic to be protected. Make sure the ACL rules in an IPsec 
policy are correctly configured, and make sure the ACL rules on one device are the mirror 
images of the rules on the peer device. For example, on IPsec peers A and B, if the ACL rule in 
the IPsec policy on device B is b->a, the ACL rule in the IPsec policy on device A must be a->b. 
If the ACL rules on IPsec peers do not form mirror images of each other, SAs can be set up only 
when the range specified by an ACL rule on the initiator is covered by its counterpart ACL rule 
on the receiver. For example:  
The ACL on the initiator is as follows: 

acl number 3001 

 rule 5 permit ip source 168.201.0.0 0.0.0.7 destination 168.68.2.200 0 

The ACL on the receiver is as follows: 

acl number 3000 

 rule 7 permit ip source 168.68.2.200 0 destination 168.201.0.0 0.0.127.255 

 

 

NOTE: 

If the receiver uses an IPsec policy template, the ACL is optional. If no ACL is specified, the 
IPsec protection range has no limit. So the receiver accepts all ACL settings of the negotiation 
initiator. If an ACL is configured, all the rules of the ACL must comply with the previous 
requirements. 

 

Related commands 

This section lists the commands that you might use for troubleshooting IPsec. 

 

Command Description 

display ike sa

 [ 

verbose

 [ 

connection-id

 

connection-id

 | 

remote-address

 [ 

ipv6 

remote-address

 [ 

vpn-instance

 

vpn-name

 ] ] ]

 

Displays detailed information about current IKE SAs.

Содержание MSR Series

Страница 1: ...Copyright 2020 New H3C Technologies Co Ltd All rights reserved No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologie...

Страница 2: ...ooting E1 and T1 interfaces 10 Common E1 and T1 interface issue troubleshooting methods 10 Troubleshooting the hardware 10 Troubleshooting the cables 10 Troubleshooting the configuration 11 Troublesho...

Страница 3: ...ng information Physical evidence of failure Photos of the hardware Status of the card power and fan status LEDs Steps you have taken such as reconfiguration cable swapping and rebooting Output from th...

Страница 4: ...re full Collecting common log messages Collecting common log messages on a standalone centralized device Save common log messages from the log buffer to a log file By default the log file is saved in...

Страница 5: ...save The contents in the log file buffer have been saved to the file cfa0 logfile logfile8 log 2 Identify the log file on each MPU Display the log file on the active MPU in standalone mode or global a...

Страница 6: ...ysname diagnostic logfile save The contents in the diagnostic log file buffer have been saved to the file cfa0 diagfile diagfile18 log 2 Identify the log file on each member device Display the log fil...

Страница 7: ...on by using FTP TFTP or USB Details not shown Collecting operating statistics You can collect operating statistics by saving the statistics to a file or displaying the statistics on the screen When yo...

Страница 8: ...al enter n at the prompt Save or display diagnostic information Y save N display Y N n display alarm No alarm information display boot loader Software images on slot 0 Current software images cfa0 MSR...

Страница 9: ...lex mode of the local end match the speed and duplex mode of the peer end Verify that the cable and interface are operating correctly by viewing the packet statistics of the interface Verify that the...

Страница 10: ...xecute the display hardware internal module interface name interface number statistics command in probe view to collect the interface statistics Execute the display hardware internal module interface...

Страница 11: ...4 Contact H3C Support Related commands This section lists the commands that you might use for troubleshooting Ethernet interfaces Command Description display interface Displays Ethernet interface inf...

Страница 12: ...loopback local command on the E1 T1 interface or execute the fe1 ft1 loopback local command on the E1 F T1 F interface b Identify whether the interface comes up physically and identify whether the log...

Страница 13: ...need to compensate the signal or connect an external CSU The router provides the cable command to set the attenuation or length for the transmission line of an interface This command configures the w...

Страница 14: ...the master clock and both local and peer E1 interfaces use the slave clock mode Figure 1 Clock scheme when the transmission network provides a clock When the transmission network does not provide a cl...

Страница 15: ...cable is as thick and short as possible Do not use aluminum cables Make sure both ends of the grounding cable have good electric contact and have antiseptic and antirust processing Do not use other de...

Страница 16: ...wer supply you can use the PE wire of the AC power supply for grounding as shown in Figure 4 Make sure the PE wire of the AC power supply is well grounded in the electric distribution room or the AC p...

Страница 17: ...el tube into the earth to serve as a grounding conductor The cross section of the angle iron must be no smaller than L W H 50 50 5 mm and the thickness of the steel tube must be no smaller than 3 5mm...

Страница 18: ...rounding cables of these devices to the grounding strip of the cabinet for common grounding If the interconnected devices are placed in the same equipment room and not far from each other you can join...

Страница 19: ...ice Purpose Verify that the line between Router1 and transmission device 1 is normal Looping point 4 Method Form a leftwards loop on transmission device 2 Purpose Verify that the transmission network...

Страница 20: ...es sec 0 bits sec 0 00 packets sec Last 300 seconds output rate 0 00 bytes sec 0 bits sec 0 00 packets sec Input 12 packets 156 bytes 0 broadcasts 0 multicasts 0 errors 0 runts 0 giants 0 CRC 0 align...

Страница 21: ...nd the link layer protocol comes up and go down Solution To resolve this issue 1 Troubleshoot the hardware 2 Troubleshoot the cables 3 Troubleshoot the configuration 4 Troubleshoot the clocks 5 Troubl...

Страница 22: ...provides troubleshooting information for common problems with IPsec Failure to negotiate IPsec SAs through IKE Symptom Network diagram 168 201 0 0 10 1 1 1 10 1 1 2 168 68 2 200 MSR G1 MSR G2 MSR G1 a...

Страница 23: ...ply packet from the peer the second packet for negotiation Nov 7 09 23 09 516 2014 ROUTER IKE 7 DEBUG ICOOKIE 0xb8a20d7c014806fa Nov 7 09 23 09 566 2014 ROUTER IKE 7 DEBUG RCOOKIE 0x67a9145eb46c41d9 N...

Страница 24: ...gotiation failed Nov 7 09 23 24 973 2014 ROUTER IKE 7 DEBUG exchange setup R 9c16530 Nov 7 09 23 25 024 2014 ROUTER IKE 7 DEBUG exchange check checking for required INFO Nov 7 09 23 25 124 2014 ROUTER...

Страница 25: ...03 05 983 2014 ROUTER IKE 7 Packet Received packet from 10 1 1 1 source port 500 destination port 500 The device received the first packet for phase 2 negotiation Nov 6 17 03 05 984 2014 ROUTER IKE 7...

Страница 26: ...figured and make sure the ACL rules on one device are the mirror images of the rules on the peer device For example on IPsec peers A and B if the ACL rule in the IPsec policy on device B is b a the AC...

Страница 27: ...standard PPPoE network the MSR router acts as a PPPoE server and the CAMS server acts as an authentication server Client authentication failed The client carries an incorrect username not assigned by...

Страница 28: ...outer has no problems 2 Troubleshoot the dialup mode of the small home router A small home router typically uses the automatic dialup method At first the router uses the normal dialup mode If the dial...

Отзывы:

Нет отзывов