Troubleshooting connectivity for a Juniper JunOS customer gateway device - AWS Site-to-Site VPN

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

Troubleshooting connectivity for a Juniper JunOS customer gateway device

When troubleshooting the connectivity of a Juniper customer gateway device, consider four things: IKE, IPsec, the tunnel, and BGP. You can troubleshoot these areas in any order, but we recommend that you start with IKE (at the bottom of the network stack) and move up.

IKE

Use the following command. The response shows a customer gateway device with IKE configured correctly.

user@router> show security ike security-associations
Index   Remote Address    State  Initiator cookie  Responder cookie  Mode
4       72.21.209.225     UP     c4cd953602568b74  0d6d194993328b02  Main
3       72.21.209.193     UP     b8c8fb7dc68d9173  ca7cb0abaedeb4bb  Main

You should see one or more lines whose Remote Address is the remote gateway specified in the tunnels. The State should be UP. A missing entry, or any entry in another state (for example, DOWN), indicates that IKE is not configured correctly.

For further troubleshooting, enable the IKE trace options as recommended in the example configuration file. Then run the following command to print a variety of debugging messages to the screen.

user@router> monitor start kmd

From an external host, you can retrieve the entire log file with the following command.

scp username@router.hostname:/var/log/kmd

IPsec

Use the following command. The response shows a customer gateway device with IPsec configured correctly.

user@router> show security ipsec security-associations
Total active tunnels: 2
ID        Gateway          Port  Algorithm          SPI       Life:sec/kb  Mon  vsys
<131073   72.21.209.225    500   ESP:aes-128/sha1   df27aae4  326/ unlim   -    0
>131073   72.21.209.225    500   ESP:aes-128/sha1   5de29aa1  326/ unlim   -    0
<131074   72.21.209.193    500   ESP:aes-128/sha1   dd16c453  300/ unlim   -    0
>131074   72.21.209.193    500   ESP:aes-128/sha1   c1e0eb29  300/ unlim   -    0

Specifically, you should see at least two lines per gateway address (corresponding to the remote gateway). The caret (< or >) at the beginning of each line indicates the direction of traffic for that entry: inbound traffic ("<", from the virtual private gateway to this customer gateway device) and outbound traffic (">") appear on separate lines.

For further troubleshooting, enable the IKE traceoptions (for more information, see the previous section on IKE).
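The IKE and IPsec checks described in this section and the previous one, as an added Python example that is not part of the AWS documentation: it parses captured output of the two show security ... security-associations commands (sample text constructed here in the column layout shown above, with one gateway deliberately failing) and reports any expected remote gateway whose IKE SA is not UP or that lacks an inbound or outbound IPsec SA. The gateway list and the regular expressions are assumptions based on the column layout on this page.

```python
import re

# Constructed sample outputs in the format shown on this page. One gateway has a
# DOWN IKE SA and is missing its outbound (>) IPsec SA, so both checks fire.
IKE_OUTPUT = """\
Index   Remote Address    State  Initiator cookie  Responder cookie  Mode
4       72.21.209.225     UP     c4cd953602568b74  0d6d194993328b02  Main
3       72.21.209.193     DOWN   b8c8fb7dc68d9173  ca7cb0abaedeb4bb  Main
"""
IPSEC_OUTPUT = """\
Total active tunnels: 2
ID        Gateway          Port  Algorithm          SPI       Life:sec/kb  Mon  vsys
<131073   72.21.209.225    500   ESP:aes-128/sha1   df27aae4  326/ unlim   -    0
>131073   72.21.209.225    500   ESP:aes-128/sha1   5de29aa1  326/ unlim   -    0
<131074   72.21.209.193    500   ESP:aes-128/sha1   dd16c453  300/ unlim   -    0
"""

# Data rows only: the IKE row starts with a numeric Index, the IPsec row with a
# direction caret followed by the SA ID; header lines match neither pattern.
IKE_RE = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+[0-9a-f]{16}\s+[0-9a-f]{16}", re.M)
IPSEC_RE = re.compile(r"^\s*([<>])\d+\s+(\S+)\s+\d+\s+\S+\s+[0-9a-f]+", re.M)

def parse_ike(text):
    """Map remote gateway address -> IKE SA State column (e.g. 'UP')."""
    return {gw: state for gw, state in IKE_RE.findall(text)}

def parse_ipsec(text):
    """Map gateway address -> set of directions seen ('<' inbound, '>' outbound)."""
    dirs = {}
    for direction, gw in IPSEC_RE.findall(text):
        dirs.setdefault(gw, set()).add(direction)
    return dirs

def check_tunnels(expected_gateways, ike_text, ipsec_text):
    """Return one finding per problem; an empty list means every expected
    gateway has an UP IKE SA and both an inbound and an outbound IPsec SA."""
    ike, ipsec, findings = parse_ike(ike_text), parse_ipsec(ipsec_text), []
    for gw in expected_gateways:
        state = ike.get(gw)
        if state is None:
            findings.append(f"{gw}: no IKE SA entry")
        elif state != "UP":
            findings.append(f"{gw}: IKE SA state is {state}, expected UP")
        for d in sorted({"<", ">"} - ipsec.get(gw, set())):
            label = "inbound" if d == "<" else "outbound"
            findings.append(f"{gw}: missing {label} ({d}) IPsec SA")
    return findings

if __name__ == "__main__":
    for finding in check_tunnels(["72.21.209.225", "72.21.209.193"], IKE_OUTPUT, IPSEC_OUTPUT):
        print(finding)
```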

Tunnel

First, double-check that the necessary firewall rules are in place. For a list of rules, see Firewall rules for your customer gateway device.

If your firewall rules are set up correctly, continue troubleshooting with the following command.

user@router> show interfaces st0.1
  Logical interface st0.1 (Index 70) (SNMP ifIndex 126)
    Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
    Input packets : 8719
    Output packets: 41841
    Security: Zone: Trust
    Allowed host-inbound traffic : bgp ping ssh traceroute
    Protocol inet, MTU: 9192
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 169.254.255.0/30, Local: 169.254.255.2

Make sure that the Security: Zone is correct and that the Local address matches the inside address of the customer gateway device tunnel.

Next, use the following command, replacing 169.254.255.1 with the inside IP address of your virtual private gateway. Your results should look like the response shown here.

user@router> ping 169.254.255.1 size 1382 do-not-fragment
PING 169.254.255.1 (169.254.255.1): 1410 data bytes
64 bytes from 169.254.255.1: icmp_seq=0 ttl=64 time=71.080 ms
64 bytes from 169.254.255.1: icmp_seq=1 ttl=64 time=70.585 ms

For further troubleshooting, check the configuration.

BGP

Run the following command.

user@router> show bgp summary
Groups: 1 Peers: 2 Down peers: 0
Table          Tot Paths  Act Paths Suppressed    History Damp State    Pending
inet.0                 2          1          0          0          0          0
Peer                     AS      InPkt     OutPkt    OutQ   Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
169.254.255.1          7224          9         10       0       0        1:00 1/1/1/0              0/0/0/0
169.254.255.5          7224          8          9       0       0          56 0/1/1/0              0/0/0/0

For further troubleshooting, use the following command, replacing 169.254.255.1 with the inside IP address of your virtual private gateway.

user@router> show bgp neighbor 169.254.255.1
Peer: 169.254.255.1+179 AS 7224 Local: 169.254.255.2+57175 AS 65000
  Type: External    State: Established  Flags: <ImportEval Sync>
  Last State: OpenConfirm   Last Event: RecvKeepAlive
  Last Error: None
  Export: [ EXPORT-DEFAULT ]
  Options: <Preference HoldTime PeerAS LocalAS Refresh>
  Holdtime: 30 Preference: 170 Local AS: 65000 Local System AS: 0
  Number of flaps: 0
  Peer ID: 169.254.255.1   Local ID: 10.50.0.10   Active Holdtime: 30
  Keepalive Interval: 10         Peer index: 0
  BFD: disabled, down
  Local Interface: st0.1
  NLRI for restart configured on peer: inet-unicast
  NLRI advertised by peer: inet-unicast
  NLRI for this session: inet-unicast
  Peer supports Refresh capability (2)
  Restart time configured on the peer: 120
  Stale routes from peer are kept for: 300
  Restart time requested by this peer: 120
  NLRI that peer supports restart for: inet-unicast
  NLRI that restart is negotiated for: inet-unicast
  NLRI of received end-of-rib markers: inet-unicast
  NLRI of all end-of-rib markers sent: inet-unicast
  Peer supports 4 byte AS extension (peer-as 7224)
  Table inet.0 Bit: 10000
    RIB State: BGP restart is complete
    Send state: in sync
    Active prefixes:              1
    Received prefixes:            1
    Accepted prefixes:            1
    Suppressed due to damping:    0
    Advertised prefixes:          1
  Last traffic (seconds): Received 4    Sent 8    Checked 4
  Input messages:  Total 24     Updates 2       Refreshes 0     Octets 505
  Output messages: Total 26     Updates 1       Refreshes 0     Octets 582
  Output Queue[0]: 0

Here, you should see Received prefixes and Advertised prefixes, each listed at 1. These lines should be within the Table inet.0 section.

If the State is not Established, check Last State and Last Error for the details needed to correct the problem.

If the BGP peering is up, verify that your customer gateway device is advertising the default route (0.0.0.0/0) to the VPC.

user@router> show route advertising-protocol bgp 169.254.255.1
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 0.0.0.0/0               Self                                    I

Additionally, ensure that you are receiving the prefix corresponding to your VPC from the virtual private gateway.

user@router> show route receive-protocol bgp 169.254.255.1
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
  Prefix                  Nexthop              MED     Lclpref    AS path
* 10.110.0.0/16           169.254.255.1                100        7224 I