Juniper firewall VPN fails to come up: Phase 1: Retransmission


The VPN on a Juniper firewall fails to come up, and the log shows the following message: Phase 1: Retransmission limit has been reached.

Below is the related material I found in the Juniper knowledge base. Following the KB's procedure did not seem to fully resolve the problem, but it is a useful reference for how Juniper approaches troubleshooting on its firewalls.

Synopsis:

VPN won't come up; it is failing in Phase 1, with 'Retransmission limit has been reached' reported in the event log.

Problem:

The VPN tunnel does not come up. It is failing in Phase 1, with 'Phase 1: Retransmission limit has been reached' reported in the Event log.

Because the Phase 1 handshake cannot complete, the VPN tunnel cannot be established.

Assumptions:

You are on the responder firewall, and there are no Phase 2 errors in the Event log.

You are on the responder firewall, and the only Phase 1 message in the event log is 'Retransmission limit has been reached'. If you have other Phase 1 errors, please refer to KB9238 - How to Analyze IKE Phase 1 Messages in the Event Logs.

You are on the initiator firewall, and there are no messages in the event log on the responder.

Note: It is always better to troubleshoot VPN connection problems by reviewing the messages in the responder side first.

Terminology:

The responder is the 'receiver' side of the VPN: the side that is being pinged, that receives the tunnel setup requests, or that receives the tunneled traffic.

The initiator is the side of the VPN from which the ping or the traffic is generated.

Solution:

Use the following steps to determine the cause and what to do when you receive 'Phase 1: Retransmission limit has been reached' messages in the Event log.

1. From the firewall, can you ping the IP address of the Remote VPN Gateway or any host on the Internet?

Yes - Continue with Step 2

No - Verify that a default route is configured on the firewall. If so, can you ping the firewall's default gateway? If you cannot ping the firewall's default gateway, check connectivity between the firewall and the default gateway router (check the local routes, and if the gateway still does not answer, check the physical network connection).

2. Is the Preshared Key specified in the IKE gateway configuration the same on both the initiator and the responder?

Yes - Continue with Step 3

No - In the IKE gateway configuration, re-enter the Preshared Key on both the initiator and the responder and then attempt to bring up the VPN again.

3. Does the IP address specified in the IKE gateway configuration match the public IP address of the Remote Gateway?

Yes - Continue with Step 4

No - In the IKE gateway configuration, specify the correct IP address for the Remote Gateway, and then attempt to bring up the VPN again.

4. Does the IKE gateway's outgoing interface match the route to the destination?

Yes - Continue with Step 5

No - The outgoing interface of an existing IKE Gateway cannot be changed. Create a new IKE Gateway that points to the correct outgoing interface and then change the AutoKey IKE VPN so that it points to this new IKE Gateway.

5. Are there any routers or firewalls in the path that are blocking IPSec (IP protocol 50 or UDP port 500 (if using NAT-Traversal))? For example, an intermediate router or firewall that does not pass IP protocol 50 or UDP port 500.

Yes - Work with the admin of that firewall or router to allow IPSec through for the IP address of your firewall and the Remote IP gateway.

No - Continue with Step 6

6. If the above steps do not help you resolve the 'Phase 1: Retransmission Limit has been reached' messages, collect the Site-to-Site logs for both sides of the tunnel and open a case with JTAC - Juniper Technical Assistance Center. See KB9229 - How to collect logs and open a case for a problem with a Site-to-Site VPN. If the problem still cannot be resolved, consult Juniper's other documentation.
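The KB's assumptions and the decision between its checklist, KB9238 and a Phase 2 investigation are easy to get wrong when an event log contains entries for several peers. The following script is an added example, not part of the Juniper KB or of the original post: it parses event-log lines in a ScreenOS-like "IKE<peer>: Phase N: message" format (the sample lines are constructed for illustration, not captured from a device), groups the IKE messages per peer, and maps each peer to the path the KB prescribes. The set of configured peer addresses and the advice codes are assumptions; a peer address that appears in the log but not in the IKE gateway configuration is flagged as a step 3 candidate, which is exactly what a dynamic-IP peer looks like after it reconnects with a new address.

```python
import re
from collections import defaultdict

RETRANSMIT = "Retransmission limit has been reached"

# Constructed sample lines in a ScreenOS-like "IKE<peer>: Phase N: message" style
# (illustrative only, not captured from a real device).
SAMPLE_LOG = """\
2016-09-01 10:01:02 IKE<203.0.113.10>: Phase 1: Retransmission limit has been reached.
2016-09-01 10:01:40 IKE<203.0.113.10>: Phase 1: Retransmission limit has been reached.
2016-09-01 10:02:15 IKE<198.51.100.7>: Phase 1: Rejected proposals from peer. Negotiations failed.
2016-09-01 10:02:16 IKE<198.51.100.7>: Phase 1: Retransmission limit has been reached.
2016-09-01 10:03:00 IKE<192.0.2.44>: Phase 2: No policy exists for the proxy ID received.
2016-09-01 10:04:00 IKE<203.0.113.99>: Phase 1: Retransmission limit has been reached.
"""

# Assumed: the remote gateway addresses present in this firewall's IKE gateway configuration.
CONFIGURED_PEERS = {"203.0.113.10", "198.51.100.7", "192.0.2.44"}

IKE_RE = re.compile(
    r"IKE<(?P<peer>\d{1,3}(?:\.\d{1,3}){3})>:?\s*Phase (?P<phase>[12]):\s*(?P<msg>.+?)\.?\s*$"
)


def parse_ike_events(log_text):
    """Return (peer_ip, phase, message) for every IKE Phase 1/2 line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = IKE_RE.search(line)
        if m:
            events.append((m["peer"], int(m["phase"]), m["msg"].strip()))
    return events


def triage(events, configured_peers):
    """Group IKE events per peer and map them to the KB's decision rules.

    Advice codes (assumed labels, not Juniper's):
      CHECK_REMOTE_IP      - peer address is not in the IKE gateway config (step 3; a
                             dynamic-IP peer that reconnected with a new address looks like this)
      PHASE2               - Phase 2 errors are logged, so Phase 1 completed; this KB does not apply
      KB9238               - other Phase 1 messages exist; analyze those first (KB9238)
      RETRANSMIT_CHECKLIST - only 'Retransmission limit has been reached': work through steps 1-6
    """
    by_peer = defaultdict(lambda: {"retransmit": 0, "other_phase1": [], "phase2": []})
    for peer, phase, msg in events:
        rec = by_peer[peer]
        if phase == 2:
            rec["phase2"].append(msg)
        elif msg == RETRANSMIT:
            rec["retransmit"] += 1
        else:
            rec["other_phase1"].append(msg)

    report = {}
    for peer, rec in by_peer.items():
        if peer not in configured_peers:
            code = "CHECK_REMOTE_IP"
        elif rec["phase2"]:
            code = "PHASE2"
        elif rec["other_phase1"]:
            code = "KB9238"
        else:
            code = "RETRANSMIT_CHECKLIST"
        report[peer] = {**rec, "advice": code}
    return report


if __name__ == "__main__":
    for peer, rec in triage(parse_ike_events(SAMPLE_LOG), CONFIGURED_PEERS).items():
        print(f"{peer:16} retransmits={rec['retransmit']} advice={rec['advice']}")
```

Run against a real export, replace SAMPLE_LOG with the responder's event log and CONFIGURED_PEERS with the gateway addresses from its IKE configuration; the ordering of the rules mirrors the KB's Assumptions section, so a peer only lands in the retransmission checklist when no Phase 2 and no other Phase 1 messages were seen for it.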

I configured the customer's VPN myself and the configuration is correct, but occasionally the VPN fails to connect and the log shows 'Phase 1: Retransmission limit has been reached.' The cause should be item 3 above, an incorrect IP address: the customer only has one static IP, and for a period one side used ADSL dial-up. After the ADSL link dropped and reconnected, its IP address changed, while the existing VPN tunnel still held the IP address from before the disconnect, so the VPN could not be established. After waiting a while it should return to normal; this should count as a shortcoming of VPNs over dynamic IPs.

Quick fix:

If you simply wait for the VPN to reconnect automatically, it can take a long time, from ten-odd minutes to half an hour. In practice I found a simple way to get the VPN re-established quickly: in the policies, disable the policy that the VPN uses, then re-enable it, and initiate the VPN connection from the dynamic-IP side. Problem solved.

This article was reposted from msft's 51CTO blog; original link: http://blog.51cto.com/victorly/1845787. For reposting, please contact the original author.
