Jump to content

Search the Community

Showing results for tags 'cisco 800 series'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Keenetic Community
    • Keenetic Development
    • Keenetic Community Support
    • KeeneticOS Testing
    • Mobile App
  • Open Package Support
    • Opkg Help
    • Opkg Cookbook
    • Opkg Cookbook RUS

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Location


Web-site


Interests


Occupation


AOL Account


ICQ Account


WLM


YAHOO


Facebook Account


Twitter Account


Skype Account


Youtube Account


Google+ Account


Keenetic

Found 2 results

  1. Дня! Для связи удалённых площадок с центром использую связку Cisco 881 + Keenetic 4G III (rev.B, release: 2.15.C.4.0-1) c USB-LTE модемом, поверх этого бегает IPSec (DMVPN). Однако, с Апреля начались "чудеса" с одним из операторов сотовой связи - перестал проходить IPSec (DMVPN). Как показал анализ трафика - пакеты (UDP/500) просто не доходят до центра. "Зачем и почему" - техподдержка оператора реагирует в высшей степени неторопливо и занимается какой-то дурью типа "почему у вас на динамическом(!) подключении... меняется IP-адрес" (я серьёзно, это практически цитата). Из-за этого пришлось искать "заплатку" на стороне Keenetic. "Пляски с бубном" выдали два варианта решения: Откат на сильно более раннюю прошивку - 2.7.х и ниже. Через CLI включать в конфигурацию (config)> ip nat udp-port-preserve Кстати, попутно выяснилось ещё несколько "чудесатых" условий: проблемы есть в нескольких регионах и только с одним конкретным оператором; при установке в тот же USB-модем SIM-карты от другого оператора - IPSec (DMVPN) восстанавливается, даже перезапускать оборудование не приходится; проблемы есть при использовании динамического IP, т.е. если на SIM-карту подключить фиксированный IP и прописать соответствующий APN - связь, опять же, восстанавливается, без перезагрузки. С учётом, что до этого несколько лет такая схема работала без проблем, то с "моей колокольни" видится - источник проблемы где-то районе операторского CG NAT. Но время уходит, а оператор не может ни подтвердить ни опровергнуть это. Версия Keenetic:
  2. Добрый день! Собственно, как и следует из названия темы, устройство начинает пробрасывать тоннель, причём, по какой-то непостижимой причине, производится сразу несколько попыток. В результате, соединение успешно устанавливается в рамках одного из согласований, а затем благополучно дропается, т.к. другое не получает ответа от Циски и рубит по тайм-ауту. Что характерно, с самим соединений никаких проблем нет: пакеты ходят, компы друг друга видят, пингуют... Версия прошивки: v2.08(AAUU.4)C2 Версия Циски: 15.4 Логи Кинетика: Nov 10 13:15:01ipsec 06[MGR] ignoring request with ID 0, already processing Nov 10 13:15:08ipsec 16[IKE] remote host is behind NAT Nov 10 13:15:08ipsec 14[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2] Nov 10 13:15:08ipsec 14[CFG] selected peer config 'Test' Nov 10 13:15:08ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching Nov 10 13:15:08ipsec 14[IKE] authentication of '192.168.0.2' with pre-shared key successful Nov 10 13:15:08ipsec 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Nov 10 13:15:08ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching Nov 10 13:15:08ipsec 14[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key Nov 10 13:15:08ipsec 14[IKE] IKE_SA Test[4] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] Nov 10 13:15:08ipsec 14[IKE] scheduling reauthentication in 3573s Nov 10 13:15:08ipsec 14[IKE] maximum IKE_SA lifetime 3593s Nov 10 13:15:08ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0. Nov 10 13:15:08ipsec 14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ Nov 10 13:15:08ipsec 14[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ Nov 10 13:15:08ipsec 14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ Nov 10 13:15:08ipsec 14[IKE] CHILD_SA Test{2} established with SPIs c12ee9c8_i c20b83b1_o and TS 192.168.10.0/24 === 192.168.0.0/24 Nov 10 13:15:08ndm IpSec::Configurator: crypto map "Test" is up. Nov 10 13:15:08ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled. Nov 10 13:15:08ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1. Nov 10 13:15:08ndm IpSec::IpSecNetfilter: start reloading netfilter configuration... Nov 10 13:15:08ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done. Nov 10 13:15:11ipsec 10[IKE] retransmit 1 of request with message ID 0 Nov 10 13:15:20ipsec 08[IKE] retransmit 2 of request with message ID 0 Nov 10 13:15:30ipsec 10[IKE] retransmit 3 of request with message ID 0 Nov 10 13:15:41ipsec 09[IKE] retransmit 4 of request with message ID 0 Nov 10 13:15:52ipsec 05[IKE] retransmit 5 of request with message ID 0 Nov 10 13:16:05ipsec 10[IKE] retransmit 6 of request with message ID 0 Nov 10 13:16:20ipsec 09[IKE] retransmit 7 of request with message ID 0 Nov 10 13:16:35ipsec 16[IKE] retransmit 8 of request with message ID 0 Nov 10 13:16:52ipsec 12[IKE] giving up after 8 retransmits Nov 10 13:16:52ndm IpSec::Configurator: remote peer of crypto map "Test" is down. Nov 10 13:16:52ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Nov 10 13:16:52ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry. Nov 10 13:16:52ndm IpSec::Configurator: schedule reconnect for crypto map "Test". Nov 10 13:16:52ipsec 12[IKE] establishing IKE_SA failed, peer not responding Nov 10 13:17:08ndm IpSec::Configurator: reconnecting crypto map "Test". Nov 10 13:17:10ndm IpSec::Configurator: crypto map "Test" shutdown started. Nov 10 13:17:10ipsec 12[CFG] received stroke: unroute 'Test' Nov 10 13:17:10ipsec 13[CFG] received stroke: terminate 'Test{*}' Nov 10 13:17:10ipsec 16[IKE] closing CHILD_SA Test{2} with SPIs c12ee9c8_i (40144 bytes) c20b83b1_o (811908 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24 Nov 10 13:17:10ipsec 16[IKE] sending DELETE for ESP CHILD_SA with SPI c12ee9c8 Nov 10 13:17:10ipsec 09[IKE] received DELETE for ESP CHILD_SA with SPI c20b83b1 Nov 10 13:17:10ipsec 09[IKE] CHILD_SA closed Nov 10 13:17:10ipsec 14[CFG] received stroke: terminate 'Test[*]' Nov 10 13:17:10ndm IpSec::Configurator: crypto map "Test" shutdown complete. Nov 10 13:17:11ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Nov 10 13:17:11ipsec 06[IKE] deleting IKE_SA Test[4] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] Nov 10 13:17:11ipsec 06[IKE] sending DELETE for IKE_SA Test[4] Nov 10 13:17:11ipsec 11[IKE] IKE_SA deleted Nov 10 13:17:11ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Nov 10 13:17:11ndm IpSec::IpSecNetfilter: start reloading netfilter configuration... Nov 10 13:17:11ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done. Nov 10 13:17:11ipsec 15[IKE] received Cisco Delete Reason vendor ID Nov 10 13:17:11ipsec 15[IKE] CISCO_IP is initiating an IKE_SA Nov 10 13:17:11ipsec 15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# Nov 10 13:17:11ipsec 15[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# Nov 10 13:17:11ipsec 15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# Nov 10 13:17:11ipsec 12[CFG] received stroke: initiate 'Test' Nov 10 13:17:11ndm IpSec::Configurator: crypto map "Test" initialized. Nov 10 13:17:13ipsec 07[MGR] ignoring request with ID 0, already processing Nov 10 13:17:17ipsec 09[MGR] ignoring request with ID 0, already processing Nov 10 13:17:19ipsec 15[IKE] remote host is behind NAT Nov 10 13:17:19ipsec 16[IKE] initiating IKE_SA Test[6] to CISCO_IP Nov 10 13:17:20ipsec 14[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2] Nov 10 13:17:20ipsec 14[CFG] selected peer config 'Test' Nov 10 13:17:20ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching Nov 10 13:17:20ipsec 14[IKE] authentication of '192.168.0.2' with pre-shared key successful Nov 10 13:17:20ipsec 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Nov 10 13:17:20ipsec 14[IKE] linked key for crypto map 'Test' is not found, still searching Nov 10 13:17:20ipsec 14[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key Nov 10 13:17:20ipsec 14[IKE] IKE_SA Test[5] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] Nov 10 13:17:20ipsec 14[IKE] scheduling reauthentication in 3569s Nov 10 13:17:20ipsec 14[IKE] maximum IKE_SA lifetime 3589s Nov 10 13:17:20ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0. Nov 10 13:17:20ipsec 14[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ Nov 10 13:17:20ipsec 14[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ Nov 10 13:17:20ipsec 14[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ Nov 10 13:17:20ipsec 14[IKE] CHILD_SA Test{3} established with SPIs c96d5999_i 8d98ca14_o and TS 192.168.10.0/24 === 192.168.0.0/24 Nov 10 13:17:20ndm IpSec::Configurator: crypto map "Test" is up. Nov 10 13:17:20ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled. Nov 10 13:17:20ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1. Nov 10 13:17:20ndm IpSec::IpSecNetfilter: start reloading netfilter configuration... Nov 10 13:17:20ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done. Nov 10 13:17:32ipsec 11[IKE] retransmit 1 of request with message ID 0 Nov 10 13:17:41ipsec 07[IKE] retransmit 2 of request with message ID 0 Nov 10 13:17:50ipsec 05[IKE] retransmit 3 of request with message ID 0 Nov 10 13:18:01ipsec 13[IKE] retransmit 4 of request with message ID 0 Nov 10 13:18:13ipsec 05[IKE] retransmit 5 of request with message ID 0 Nov 10 13:18:26ipsec 15[IKE] retransmit 6 of request with message ID 0 Nov 10 13:18:40ipsec 13[IKE] retransmit 7 of request with message ID 0 Nov 10 13:18:55ipsec 16[IKE] retransmit 8 of request with message ID 0 Nov 10 13:19:13ipsec 14[IKE] giving up after 8 retransmits Nov 10 13:19:13ndm IpSec::Configurator: remote peer of crypto map "Test" is down. Nov 10 13:19:13ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Nov 10 13:19:13ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry. Nov 10 13:19:13ndm IpSec::Configurator: schedule reconnect for crypto map "Test". Nov 10 13:19:13ipsec 14[IKE] establishing IKE_SA failed, peer not responding Nov 10 13:19:29ndm IpSec::Configurator: reconnecting crypto map "Test". Nov 10 13:19:31ndm IpSec::Configurator: crypto map "Test" shutdown started. Nov 10 13:19:31ipsec 14[CFG] received stroke: unroute 'Test' Nov 10 13:19:31ipsec 08[CFG] received stroke: terminate 'Test{*}' Nov 10 13:19:31ipsec 16[IKE] closing CHILD_SA Test{3} with SPIs c96d5999_i (24735 bytes) 8d98ca14_o (68197 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24 Nov 10 13:19:31ipsec 16[IKE] sending DELETE for ESP CHILD_SA with SPI c96d5999 Nov 10 13:19:31ipsec 13[IKE] received DELETE for ESP CHILD_SA with SPI 8d98ca14 Nov 10 13:19:31ipsec 13[IKE] CHILD_SA closed Nov 10 13:19:31ipsec 09[CFG] received stroke: terminate 'Test[*]' Nov 10 13:19:31ndm IpSec::Configurator: crypto map "Test" shutdown complete. Nov 10 13:19:31ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Nov 10 13:19:31ipsec 10[IKE] deleting IKE_SA Test[5] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] Nov 10 13:19:31ipsec 10[IKE] sending DELETE for IKE_SA Test[5] Nov 10 13:19:31ndm IpSec::IpSecNetfilter: start reloading netfilter configuration... Nov 10 13:19:31ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done. Nov 10 13:19:32ipsec 12[CFG] received stroke: initiate 'Test' Nov 10 13:19:32ndm IpSec::Configurator: crypto map "Test" initialized. Nov 10 13:19:39ipsec 15[IKE] unable to create CHILD_SA while deleting IKE_SA Nov 10 13:19:39ipsec 05[IKE] IKE_SA deleted Nov 10 13:19:39ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Nov 10 13:19:39ipsec 07[IKE] initiating IKE_SA Test[7] to CISCO_IP Nov 10 13:19:51ipsec 08[IKE] retransmit 1 of request with message ID 0 Nov 10 13:20:00ipsec 13[IKE] retransmit 2 of request with message ID 0 Nov 10 13:20:01ipsec 10[IKE] received Cisco Delete Reason vendor ID Nov 10 13:20:01ipsec 10[IKE] CISCO_IP is initiating an IKE_SA Nov 10 13:20:01ipsec 10[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# Nov 10 13:20:01ipsec 10[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# Nov 10 13:20:01ipsec 10[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096/# Nov 10 13:20:03ipsec 14[MGR] ignoring request with ID 0, already processing Nov 10 13:20:06ipsec 16[MGR] ignoring request with ID 0, already processing Nov 10 13:20:09ipsec 10[IKE] remote host is behind NAT Nov 10 13:20:09ipsec 08[CFG] looking for peer configs matching ZYXEL_IP[%any]...CISCO_IP[192.168.0.2] Nov 10 13:20:09ipsec 08[CFG] selected peer config 'Test' Nov 10 13:20:09ipsec 08[IKE] linked key for crypto map 'Test' is not found, still searching Nov 10 13:20:09ipsec 08[IKE] authentication of '192.168.0.2' with pre-shared key successful Nov 10 13:20:09ipsec 08[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding Nov 10 13:20:09ipsec 08[IKE] linked key for crypto map 'Test' is not found, still searching Nov 10 13:20:09ipsec 08[IKE] authentication of 'ZYXEL_IP' (myself) with pre-shared key Nov 10 13:20:09ipsec 08[IKE] IKE_SA Test[8] established between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] Nov 10 13:20:09ipsec 08[IKE] scheduling reauthentication in 3567s Nov 10 13:20:09ipsec 08[IKE] maximum IKE_SA lifetime 3587s Nov 10 13:20:09ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 0. Nov 10 13:20:09ipsec 08[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ Nov 10 13:20:09ipsec 08[CFG] configured proposals: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/MODP_4096/NO_EXT_SEQ Nov 10 13:20:09ipsec 08[CFG] selected proposal: ESP:AES_CBC=256/HMAC_SHA2_256_128/#/#/NO_EXT_SEQ Nov 10 13:20:09ipsec 08[IKE] CHILD_SA Test{4} established with SPIs cdeb3b19_i 00d56f15_o and TS 192.168.10.0/24 === 192.168.0.0/24 Nov 10 13:20:09ndm IpSec::Configurator: crypto map "Test" is up. Nov 10 13:20:09ndm IpSec::Configurator: reconnection for crypto map "Test" was cancelled. Nov 10 13:20:09ndm IpSec::Configurator: crypto map "Test" active IKE SA: 1, active CHILD SA: 1. Nov 10 13:20:09ndm IpSec::IpSecNetfilter: start reloading netfilter configuration... Nov 10 13:20:10ndm IpSec::IpSecNetfilter: netfilter configuration reloading is done. Nov 10 13:20:10ipsec 05[IKE] retransmit 3 of request with message ID 0 Nov 10 13:20:20ipsec 15[IKE] retransmit 4 of request with message ID 0 Nov 10 13:20:32ipsec 05[IKE] retransmit 5 of request with message ID 0 Nov 10 13:20:45ipsec 08[IKE] retransmit 6 of request with message ID 0 Nov 10 13:20:48ndhcps _WEBADMIN: DHCPREQUEST received (STATE_SELECTING) for 192.168.10.45 from 74:04:2b:84:60:e8. Nov 10 13:20:48ndhcps _WEBADMIN: sending ACK of 192.168.10.45 to 74:04:2b:84:60:e8. Nov 10 13:20:59ipsec 16[IKE] retransmit 7 of request with message ID 0 Nov 10 13:21:15ipsec 15[IKE] retransmit 8 of request with message ID 0 Nov 10 13:21:32ipsec 13[IKE] giving up after 8 retransmits Nov 10 13:21:32ndm IpSec::Configurator: remote peer of crypto map "Test" is down. Nov 10 13:21:32ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Nov 10 13:21:32ndm IpSec::Configurator: fallback peer is not defined for crypto map "Test", retry. Nov 10 13:21:32ndm IpSec::Configurator: schedule reconnect for crypto map "Test". Nov 10 13:21:32ipsec 13[IKE] establishing IKE_SA failed, peer not responding Nov 10 13:21:48ndm IpSec::Configurator: reconnecting crypto map "Test". Nov 10 13:21:50ndm IpSec::Configurator: crypto map "Test" shutdown started. Nov 10 13:21:50ipsec 13[CFG] received stroke: unroute 'Test' Nov 10 13:21:50ipsec 07[CFG] received stroke: terminate 'Test{*}' Nov 10 13:21:50ipsec 15[IKE] closing CHILD_SA Test{4} with SPIs cdeb3b19_i (24726 bytes) 00d56f15_o (85210 bytes) and TS 192.168.10.0/24 === 192.168.0.0/24 Nov 10 13:21:50ipsec 15[IKE] sending DELETE for ESP CHILD_SA with SPI cdeb3b19 Nov 10 13:21:50ipsec 16[IKE] received DELETE for ESP CHILD_SA with SPI 00d56f15 Nov 10 13:21:50ipsec 16[IKE] CHILD_SA closed Nov 10 13:21:50ipsec 06[CFG] received stroke: terminate 'Test[*]' Nov 10 13:21:50ndm IpSec::Configurator: crypto map "Test" shutdown complete. Nov 10 13:21:50ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Nov 10 13:21:50ipsec 08[IKE] deleting IKE_SA Test[8] between ZYXEL_IP[ZYXEL_IP]...CISCO_IP[192.168.0.2] Nov 10 13:21:50ipsec 08[IKE] sending DELETE for IKE_SA Test[8] Nov 10 13:21:50ipsec 05[IKE] IKE_SA deleted Nov 10 13:21:50ndm IpSec::Configurator: crypto map "Test" active IKE SA: 0, active CHILD SA: 0. Спасибо!
×
×
  • Create New...