Sir Arthur
13.12.2007, 21:56
The small Cisco router ("soha") is in Nizhnevartovsk, the PIX is in Moscow.
On the PIX:
13 IKE Peer: 80.251.55.58
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Next to it (another router with the same config sits at the same site):
8 IKE Peer: 80.251.48.66
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Question: why are the types different?
From the router:
RGSN-Niznevartovsk2#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
195.151.225.217 80.251.55.58 MM_NO_STATE 0 0 ACTIVE
IPv6 Crypto ISAKMP SA
From the router at the first site:
RGSN-Niznevartovsk#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
80.251.48.66 195.151.225.217 QM_IDLE 1016 0 ACTIVE
IPv6 Crypto ISAKMP SA
RGSN-Niznevartovsk#
I.e., as I understand it, authorization is not going through, so the tunnel does not come up.
Also, the router log constantly complains about:
Jul 26 07:25:10.811: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet4.1 (not full duplex), with Switch FastEthernet0/43 (full duplex).
*Jul 26 07:25:30.599: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on FastEthernet4.1 (not full duplex), with Router.nvds.ru FastEthernet0/0 (full duplex).
I tried setting f4.1 to both full and half, with no result.
The router sees around it:
sh cdp ne det
-------------------------
Device ID: SunBrew-Niznevartovsk
Entry address(es):
IP address: 80.251.48.74
Platform: cisco 1751, Capabilities: Router
Interface: FastEthernet4.1, Port ID (outgoing port): Ethernet0/0
Holdtime : 145 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K8SY7-M), Version 12.2(15)T9, RELEASE SOFTWARE (fc2)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Sat 01-Nov-03 06:24 by ccai
advertisement version: 2
Duplex: half
Power drawn: 4294967.294 Watts
-------------------------
Device ID: Router.nvds.ru
Entry address(es):
IP address: 80.251.55.24
Platform: Cisco 1841, Capabilities: Router Switch IGMP
Interface: FastEthernet4.1, Port ID (outgoing port): FastEthernet0/0
Holdtime : 163 sec
Version :
Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 25-Oct-05 17:10 by evmiller
advertisement version: 2
VTP Management Domain: ''
Duplex: full
Power drawn: 4294967.294 Watts
-------------------------
Device ID: Switch
Entry address(es):
IP address: 192.168.0.159
Platform: cisco WS-C2960-48TT-L, Capabilities: Switch IGMP
Interface: FastEthernet4.1, Port ID (outgoing port): FastEthernet0/43
Holdtime : 143 sec
Version :
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)FX, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 12-Oct-05 22:05 by yenanh
advertisement version: 2
Protocol Hello: OUI=0x00000C, Protocol ID=0x0112; payload len=27, value=00000000FFFFFFFF010231FF0000000000000014A949 7B00FF0000
VTP Management Domain: ''
Native VLAN: 1
Duplex: full
Power drawn: 4294967.294 Watts
-------------------------
Device ID: SEP001AA27AB6C9
Entry address(es):
IP address: 10.86.2.254
Platform: Cisco IP Phone 7912, Capabilities: Host
Interface: FastEthernet0, Port ID (outgoing port): Port 1
Holdtime : 173 sec
Version :
CP7912-v6-01-0-051208A
advertisement version: 2
Power drawn: 6.300 Watts
-------------------------
Device ID: c2514.nvnipi.ru
Entry address(es):
IP address: 80.251.48.68
Platform: cisco 2500, Capabilities: Router
Interface: FastEthernet4.1, Port ID (outgoing port): Ethernet1
Holdtime : 155 sec
Version :
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IO-L), Version 12.0(15), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2000 by cisco Systems, Inc.
Compiled Thu 28-Dec-00 01:38 by linda
advertisement version: 1
Power drawn: 4294967.294 Watts
The admin in Nizhnevartovsk says the Rx/TX LEDs on the router are lit constantly, i.e. something is streaming through. Shutting down the internal interfaces did not help; the LEDs stayed the same.
MRTG actually confirms this.
Interface statistics:
63 packets input, 5349 bytes
2819 packets input, 236890 bytes
3635 packets input, 307545 bytes
5529 packets input, 459583 bytes
That is roughly 3-4 minutes after clearing the counters on the interface.
FastEthernet4 is up, line protocol is up
Hardware is PQUICC_FEC, address is 001a.e3b0.ef6d (bia 001a.e3b0.ef6d)
Description: WAN$FW_OUTSIDE$$ES_WAN$
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation 802.1Q Virtual LAN, Vlan ID 1., loopback not set
Keepalive set (10 sec)
Full-duplex, 100Mb/s, 100BaseTX/FX
ARP type: ARPA, ARP Timeout 04:00:00
Last input 00:00:00, output 00:00:00, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/40 (size/max)
5 minute input rate 12000 bits/sec, 17 packets/sec
5 minute output rate 2000 bits/sec, 2 packets/sec
7580 packets input, 620534 bytes
Received 6089 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
0 watchdog
0 input packets with dribble condition detected
1453 packets output, 168313 bytes, 0 underruns
0 output errors, 0 collisions, 5 interface resets
0 babbles, 0 late collision, 0 deferred
0 lost carrier, 0 no carrier
0 output buffer failures, 0 output buffers swapped out
I put deny ip any in the access list on the Cisco (except for itself, naturally), and it seems to have gotten a bit better.
So I am wondering what this is and what to do.
debug ip/tcp showed nothing suspicious.
MRTG screenshot attached.
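The two IKE state tables above, correlated per spoke router as an added example (not from the post): it parses the PIX `show isakmp sa` blocks and the IOS `show crypto isakmp sa` rows quoted above and reports for each router whether Phase 1 completed on both ends, and flags the "user" type the PIX assigned to one peer. It assumes 195.151.225.217 is the PIX's outside address, since that is the far end in both router tables.

```python
"""Correlate IKEv1 Phase 1 state from both tunnel ends (added example; the
sample outputs are copied from the post, PIX_IP is assumed to be the PIX's
outside address because it is the far end in both router tables)."""
import re

PIX_IP = "195.151.225.217"   # assumed hub (PIX) address
PIX_OUTPUT = """13 IKE Peer: 80.251.55.58
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
8 IKE Peer: 80.251.48.66
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
"""
IOS_OUTPUT = """dst src state conn-id slot status
195.151.225.217 80.251.55.58 MM_NO_STATE 0 0 ACTIVE
80.251.48.66 195.151.225.217 QM_IDLE 1016 0 ACTIVE
"""
IP = r"\d+(?:\.\d+){3}"
PIX_BLOCK = re.compile(rf"IKE Peer:\s*(?P<peer>{IP})\s*\n\s*Type\s*:\s*(?P<type>\S+).*\n.*State\s*:\s*(?P<state>\S+)")
IOS_ROW = re.compile(rf"^(?P<dst>{IP})\s+(?P<src>{IP})\s+(?P<state>\S+)\s+(?P<conn>\d+)", re.M)
# Phase 1 is complete only in these states; any other MM_* state is an unfinished main-mode exchange.
ESTABLISHED = {"MM_ACTIVE", "QM_IDLE"}

def parse_pix(text):
    """{spoke_ip: (type, state)} from PIX `show isakmp sa`."""
    return {m["peer"]: (m["type"], m["state"]) for m in PIX_BLOCK.finditer(text)}

def parse_ios(text, hub_ip):
    """{spoke_ip: (state, conn_id)}; IOS prints dst/src per SA, so the spoke is
    whichever address is not the hub, which lines up with the PIX 'IKE Peer' column."""
    return {(m["src"] if m["dst"] == hub_ip else m["dst"]): (m["state"], int(m["conn"]))
            for m in IOS_ROW.finditer(text)}

def correlate(pix, ios):
    """One verdict per spoke: established, asymmetric, or phase1-incomplete."""
    verdicts = {}
    for spoke in sorted(set(pix) | set(ios)):
        ptype, pstate = pix.get(spoke, ("?", "absent"))
        rstate, conn = ios.get(spoke, ("absent", 0))
        if pstate in ESTABLISHED and rstate in ESTABLISHED:
            v = "established"
        elif pstate in ESTABLISHED or rstate in ESTABLISHED:
            v = f"asymmetric: pix={pstate} router={rstate}"
        else:
            v = f"phase1-incomplete: pix={pstate} router={rstate} conn-id={conn}"
        if ptype != "L2L":   # PIX matched a remote-access (user) group, not a site-to-site one
            v += f" [pix type={ptype}]"
        verdicts[spoke] = v
    return verdicts

if __name__ == "__main__":
    for spoke, v in correlate(parse_pix(PIX_OUTPUT), parse_ios(IOS_OUTPUT, PIX_IP)).items():
        print(spoke, v)
```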