本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# AWS Site-to-Site VPN 客戶閘道裝置的故障診斷
疑難排解客戶閘道裝置的問題時,請務必採用結構化的方法。本節的前兩個主題分別提供一般流程圖,用於在使用針對動態路由 (啟用 BGP) 設定的裝置,以及針對靜態路由 (未啟用 BGP) 設定的裝置時疑難排解問題。下列主題是 Cisco、Juniper 和 Yamaha 客戶閘道裝置的裝置特定疑難排解指南。
除了本節中的主題之外,啟用 [AWS Site-to-Site VPN 日誌](monitoring-logs.md)對疑難排解和解決 VPN 連線問題非常有用。如需一般測試說明,另請參閱 [測試 AWS Site-to-Site VPN 連線](HowToTestEndToEnd_Linux.md)。
**Topics**
+ [具有 BGP 的裝置](Generic_Troubleshooting.md)
+ [不含 BGP 的裝置](Generic_Troubleshooting_noBGP.md)
+ [Cisco ASA](Cisco_ASA_Troubleshooting.md)
+ [Cisco IOS](Cisco_Troubleshooting.md)
+ [沒有 BGP 的 Cisco IOS](Cisco_Troubleshooting_NoBGP.md)
+ [Juniper JunOS](Juniper_Troubleshooting.md)
+ [Juniper ScreenOS](Juniper_ScreenOs_Troubleshooting.md)
+ [Yamaha](Yamaha_Troubleshooting.md)
**其他資源**
+ [ Amazon VPC 論壇](https://repost.aws/tags/TATGuEiYydTVCPMhSnXFN6gA/amazon-vpc)
# 使用邊界閘道通訊協定時的 AWS Site-to-Site VPN 連線故障診斷
下圖及下表提供使用邊界閘道協定 (BGP) 之客戶閘道裝置的故障診斷一般說明。我們也建議您啟用裝置的偵錯功能。詳細資訊請洽閘道裝置開發廠商。
![\[對一般客戶閘道裝置進行故障診斷的流程圖\]](http://docs.aws.amazon.com/zh_tw/vpn/latest/s2svpn/images/troubleshooting-cgw-flow-diagram.png)
| | |
| --- |--- |
| IKE | 判斷 IKE 安全關聯是否存在。 需要有 IKE 安全關聯才能交換用來建立 IPsec 安全關聯的金鑰。 如果 IKE 安全關聯不存在,請檢閱您的 IKE 組態設定。您必須如組態檔案中所列,設定加密、身分驗證、完美遠期保密和模式參數。 如果 IKE 安全關聯存在,請移至「IPsec」。 |
| IPsec | 判斷 IPsec 安全關聯 (SA) 是否存在。 IPsec SA 是通道本身。查詢您的客戶閘道裝置,以判斷 IPsec SA 是否處於作用中狀態。請務必如組態檔案中所列,設定加密、身分驗證、完美遠期保密和模式參數。 如果 IPsec SA 不存在,請檢閱您的 IPsec 組態。 如果 IPsec SA 存在,請移至「通道」。 |
| 通道 | 確認已設定必要的防火牆規則 (如需規則清單,請參閱[AWS Site-to-Site VPN 客戶閘道裝置的防火牆規則](FirewallRules.md))。如已設定,請繼續。 判斷 IP 連線是否通過通道。 通道的每一端皆有如組態檔案中指定的 IP 地址。虛擬私有閘道地址是做為 BGP 鄰近地址的地址。從您的客戶閘道裝置 ping 這個地址,判斷是否正確加密及解密 IP 流量。 如果 ping 不成功,請檢閱您的通道界面組態,確定設定正確的 IP 地址。 如果 ping 成功,請移至「BGP」。 |
| BGP | 判斷 BGP 對等對等互連工作階段是否為作用中。 針對每一個通道執行下列作業: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/vpn/latest/s2svpn/Generic_Troubleshooting.html) 如果通道不在此狀態,請檢閱您的 BGP 組態。 如果 BGP 對等已建立,您收到了字首並且公告字首,這代表您的通道設定正確。請確認兩個通道均處於此狀態。 |
# 在沒有邊界閘道通訊協定的情況下對 AWS Site-to-Site VPN 連線進行故障診斷
下圖及下表提供不使用邊界閘道協定 (BGP) 之客戶閘道裝置的故障診斷一般說明。我們也建議您啟用裝置的偵錯功能。詳細資訊請洽閘道裝置開發廠商。
![\[對一般客戶閘道裝置進行故障診斷的流程圖\]](http://docs.aws.amazon.com/zh_tw/vpn/latest/s2svpn/images/troubleshooting-cgw-flow-nobgp-diagram.png)
| | |
| --- |--- |
| IKE | 判斷 IKE 安全關聯是否存在。 需要有 IKE 安全關聯才能交換用來建立 IPsec 安全關聯的金鑰。 如果 IKE 安全關聯不存在,請檢閱您的 IKE 組態設定。您必須如組態檔案中所列,設定加密、身分驗證、完美遠期保密和模式參數。 如果 IKE 安全關聯存在,請移至「IPsec」。 |
| IPsec | 判斷 IPsec 安全關聯 (SA) 是否存在。 IPsec SA 是通道本身。查詢您的客戶閘道裝置,以判斷 IPsec SA 是否處於作用中狀態。請務必如組態檔案中所列,設定加密、身分驗證、完美遠期保密和模式參數。 如果 IPsec SA 不存在,請檢閱您的 IPsec 組態。 如果 IPsec SA 存在,請移至「通道」。 |
| 通道 | 確認已設定必要的防火牆規則 (如需規則清單,請參閱[AWS Site-to-Site VPN 客戶閘道裝置的防火牆規則](FirewallRules.md))。如已設定,請繼續。 判斷 IP 連線是否通過通道。 通道的每一端皆有如組態檔案中指定的 IP 地址。虛擬私有閘道地址是做為 BGP 鄰近地址的地址。從您的客戶閘道裝置 ping 這個地址,判斷是否正確加密及解密 IP 流量。 如果 ping 不成功,請檢閱您的通道界面組態,確定設定正確的 IP 地址。 如果 ping 成功,請移至「靜態路由」。 |
| 靜態路由 | 針對每一個通道執行下列作業: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/zh_tw/vpn/latest/s2svpn/Generic_Troubleshooting_noBGP.html) 如果通道不在此狀態,請檢閱您的裝置組態。 確認兩個通道均處於此狀態,作業即完成。 |
# 對與 Cisco ASA 客戶閘道裝置的 AWS Site-to-Site VPN 連線進行故障診斷
當您對 Cisco 客戶閘道裝置連線問題進行故障診斷時,請考量 IKE、IPsec 和路由。您可依任何順序故障診斷這些區域,但建議您從 IKE 開始 (網路堆疊底部的),一路向上。
**重要**
有些 Cisco ASA 僅支援作用中/待命模式。當您使用這些 Cisco ASA 時,一次只能有一個作用中的通道。另一個待命通道只有在第一個通道無法使用時,才會變成作用中。待命通道在日誌檔案中可能會出現下列錯誤,可予以忽略:`Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside`
## IKE
使用下列 命令。回應顯示客戶閘道裝置的 IKE 設定正確。
```
ciscoasa# show crypto isakmp sa
```
```
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: AWS_ENDPOINT_1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
```
您應該會看到一或多行包含通道中所指定遠端閘道的 `src` 數值。`state` 數值應為 `MM_ACTIVE`,而 `status` 應為 `ACTIVE`。缺少項目或任何項目處於其他狀態,都表示 IKE 未正確設定。
如需進一步故障診斷,請執行下列命令來啟用提供診斷資訊的日誌訊息。
```
router# term mon
router# debug crypto isakmp
```
使用下列命令停用除錯。
```
router# no debug crypto isakmp
```
## IPsec
使用下列 命令。回應顯示客戶閘道裝置的 IPsec 設定正確。
```
ciscoasa# show crypto ipsec sa
```
```
interface: outside
Crypto map tag: VPN_crypto_map_name, seq num: 2, local addr: 172.25.50.101
access-list integ-ppe-loopback extended permit ip any vpc_subnet subnet_mask
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (vpc_subnet/subnet_mask/0/0)
current_peer: integ-ppe1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 172.25.50.101, remote crypto endpt.: AWS_ENDPOINT_1
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 6D9F8D3B
current inbound spi : 48B456A6
inbound esp sas:
spi: 0x48B456A6 (1219778214)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4710400, crypto-map: VPN_cry_map_1
sa timing: remaining key lifetime (kB/sec): (4374000/3593)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6D9F8D3B (1839172923)
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, }
slot: 0, conn_id: 4710400, crypto-map: VPN_cry_map_1
sa timing: remaining key lifetime (kB/sec): (4374000/3593)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
```
對於每個通道界面,您應該都會同時看到 `inbound esp sas` 和 `outbound esp sas`。這假設列出 SA (例如,`spi: 0x48B456A6`),而且 IPsec 設定正確。
在 Cisco ASA 中,IPsec 只有在傳送感興趣的流量 (應該加密的流量) 之後才會出現。為一直保持 IPsec 作用中,建議設定 SLA 監控。SLA 監控會持續傳送有趣的流量,保持 IPsec 作用中。
您也可以使用下列 ping 命令,強制 IPsec 開始交涉和啟動。
```
ping ec2_instance_ip_address
```
```
Pinging ec2_instance_ip_address with 32 bytes of data:
Reply from ec2_instance_ip_address: bytes=32 time<1ms TTL=128
Reply from ec2_instance_ip_address: bytes=32 time<1ms TTL=128
Reply from ec2_instance_ip_address: bytes=32 time<1ms TTL=128
Ping statistics for 10.0.0.4:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
```
如需進一步故障診斷,請使用下列命令啟用除錯。
```
router# debug crypto ipsec
```
使用下列命令停用除錯。
```
router# no debug crypto ipsec
```
## 路由
Ping 通道的另一端。如果這項作業有效,則您的 IPsec 應該已建立。如果這項作業無效,請檢查您的存取清單,然後參考前面的 IPsec 一節。
如果無法連接您的執行個體,請檢查下列資訊。
1. 確認存取清單設定允許與加密映射相關聯的流量。
您可使用下列命令來執行此作業。
```
ciscoasa# show run crypto
```
```
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto map VPN_crypto_map_name 1 match address access-list-name
crypto map VPN_crypto_map_name 1 set pfs
crypto map VPN_crypto_map_name 1 set peer AWS_ENDPOINT_1 AWS_ENDPOINT_2
crypto map VPN_crypto_map_name 1 set transform-set transform-amzn
crypto map VPN_crypto_map_name 1 set security-association lifetime seconds 3600
```
1. 使用以下命令檢查存取清單。
```
ciscoasa# show run access-list access-list-name
```
```
access-list access-list-name extended permit ip any vpc_subnet subnet_mask
```
1. 確認此存取清單是否正確。下列範例存取清單允許連往 VPC 子網路 10.0.0.0/16 的所有內部流量。
```
access-list access-list-name extended permit ip any 10.0.0.0 255.255.0.0
```
1. 從 Cisco ASA 裝置執行追蹤路由,查看它是否連接到 Amazon 路由器 (例如 *AWS\$1ENDPOINT\$11*/*AWS\$1ENDPOINT\$12*)。
如果這連上 Amazon 路由器,則檢查您在 Amazon VPC 主控台中新增的靜態路由,以及特定執行個體的安全群組。
1. 如需進一步故障診斷,請檢閱組態。
## 退信通道界面
如果通道似乎已啟動,但流量未正常流動,通道界面通常會彈跳 (停用和重新啟用) 來解決連線問題。若要退信 Cisco ASA 上的通道界面:
1. 執行下列命令:
```
ciscoasa# conf t
ciscoasa(config)# interface tunnel X (where X is your tunnel ID)
ciscoasa(config-if)# shutdown
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# end
```
或者,您可以使用單行命令:
```
ciscoasa# conf t ; interface tunnel X ; shutdown ; no shutdown ; end
```
1. 啟動界面後,請檢查 VPN 連接是否已重新建立,以及流量現在是否正確流動。
# 對與 Cisco IOS 客戶閘道裝置的 AWS Site-to-Site VPN 連線進行故障診斷
當您對 Cisco 客戶閘道裝置的連線問題進行故障診斷時,請考量四件事:IKE、IPsec、通道和 BGP。您可依任何順序故障診斷這些區域,但建議您從 IKE 開始 (網路堆疊底部的),一路向上。
## IKE
使用下列 命令。回應顯示客戶閘道裝置的 IKE 設定正確。
```
router# show crypto isakmp sa
```
```
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
192.168.37.160 72.21.209.193 QM_IDLE 2001 0 ACTIVE
192.168.37.160 72.21.209.225 QM_IDLE 2002 0 ACTIVE
```
您應該會看到一或多行包含通道中所指定遠端閘道的 `src` 數值。`state` 應為 `QM_IDLE`,而 `status` 應為 `ACTIVE`。缺少項目或任何項目處於其他狀態,都表示 IKE 未正確設定。
如需進一步故障診斷,請執行下列命令來啟用提供診斷資訊的日誌訊息。
```
router# term mon
router# debug crypto isakmp
```
使用下列命令停用除錯。
```
router# no debug crypto isakmp
```
## IPsec
使用下列 命令。回應顯示客戶閘道裝置的 IPsec 設定正確。
```
router# show crypto ipsec sa
```
```
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.37.160
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 72.21.209.225 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
#pkts decaps: 146, #pkts decrypt: 146, #pkts verify: 146
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 174.78.144.73, remote crypto endpt.: 72.21.209.225
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xB8357C22(3090512930)
inbound esp sas:
spi: 0x6ADB173(112046451)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4467148/3189)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB8357C22(3090512930)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4467148/3189)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 174.78.144.73
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 72.21.209.193 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 174.78.144.73, remote crypto endpt.: 72.21.209.193
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xF59A3FF6(4120526838)
inbound esp sas:
spi: 0xB6720137(3060924727)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: Motorola SEC 2.0:3, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4387273/3492)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF59A3FF6(4120526838)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: Motorola SEC 2.0:4, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4387273/3492)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
```
對於每個通道界面,您應該都會同時看到 `inbound esp sas` 和 `outbound esp sas`。假設列出 SA (例如,`spi: 0xF95D2F3C`),而且 `Status` 為 `ACTIVE`,則 IPsec 設定正確。
如需進一步故障診斷,請使用下列命令啟用除錯。
```
router# debug crypto ipsec
```
使用下列命令停用除錯。
```
router# no debug crypto ipsec
```
## 通道
首先,請檢查您有沒有必要的防火牆規則。如需詳細資訊,請參閱[AWS Site-to-Site VPN 客戶閘道裝置的防火牆規則](FirewallRules.md)。
如果您的防火牆規則設定正確,則繼續使用下列命令來進行故障診斷。
```
router# show interfaces tun1
```
```
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 169.254.255.2/30
MTU 17867 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 2/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 174.78.144.73, destination 72.21.209.225
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1427 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec-vpn-92df3bfb-0")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 1 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
407 packets input, 30010 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
```
確定 `line protocol` 已啟動。分別針對通道來源 IP 地址、來源界面和目標,檢查其是否與 IP 地址外客戶閘道裝置、界面和 IP 地址外虛擬私有閘道的通道組態相符。確定 `Tunnel protection via IPSec` 已存在。於這兩個通道界面上執行此命令。若要解決任何問題,請檢閱組態,並檢查與客戶閘道裝置的實體連接。
同時也使用下列命令,將 `169.254.255.1` 換成虛擬私有閘道的內部 IP 地址。
```
router# ping 169.254.255.1 df-bit size 1410
```
```
Type escape sequence to abort.
Sending 5, 1410-byte ICMP Echos to 169.254.255.1, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
```
您應該會看見五個驚嘆號。
如需進一步故障診斷,請檢閱組態。
## BGP
使用下列 命令。
```
router# show ip bgp summary
```
```
BGP router identifier 192.168.37.160, local AS number 65000
BGP table version is 8, main routing table version 8
2 network entries using 312 bytes of memory
2 path entries using 136 bytes of memory
3/1 BGP path/bestpath attribute entries using 444 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 2) using 32 bytes of memory
BGP using 948 total bytes of memory
BGP activity 4/1 prefixes, 4/1 paths, scan interval 15 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.255.1 4 7224 363 323 8 0 0 00:54:21 1
169.254.255.5 4 7224 364 323 8 0 0 00:00:24 1
```
應會列出兩個鄰近項目。每一個都應該會看到 `State/PfxRcd` 的數值為 `1`。
如果 BGP 對等互連已啟動,請確認您的客戶閘道裝置是否向 VPC 公告預設路由 (0.0.0.0/0)。
```
router# show bgp all neighbors 169.254.255.1 advertised-routes
```
```
For address family: IPv4 Unicast
BGP table version is 3, local router ID is 174.78.144.73
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Originating default network 0.0.0.0
Network Next Hop Metric LocPrf Weight Path
*> 10.120.0.0/16 169.254.255.1 100 0 7224 i
Total number of prefixes 1
```
此外,確定您會從虛擬私有閘道收到對應至您 VPC 的字首。
```
router# show ip route bgp
```
```
10.0.0.0/16 is subnetted, 1 subnets
B 10.255.0.0 [20/0] via 169.254.255.1, 00:00:20
```
如需進一步故障診斷,請檢閱組態。
# 對沒有邊界閘道協定的 Cisco IOS 客戶閘道裝置的 AWS Site-to-Site VPN 連線進行故障診斷
當您對 Cisco 客戶閘道裝置的連線問題進行故障診斷時,請考量三件事:IKE、IPsec 和通道。您可依任何順序故障診斷這些區域,但建議您從 IKE 開始 (網路堆疊底部的),一路向上。
## IKE
使用下列 命令。回應顯示客戶閘道裝置的 IKE 設定正確。
```
router# show crypto isakmp sa
```
```
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
174.78.144.73 205.251.233.121 QM_IDLE 2001 0 ACTIVE
174.78.144.73 205.251.233.122 QM_IDLE 2002 0 ACTIVE
```
您應該會看到一或多行包含通道中所指定遠端閘道的 `src` 數值。`state` 應為 `QM_IDLE`,而 `status` 應為 `ACTIVE`。缺少項目或任何項目處於其他狀態,都表示 IKE 未正確設定。
如需進一步故障診斷,請執行下列命令來啟用提供診斷資訊的日誌訊息。
```
router# term mon
router# debug crypto isakmp
```
使用下列命令停用除錯。
```
router# no debug crypto isakmp
```
## IPsec
使用下列 命令。回應顯示客戶閘道裝置的 IPsec 設定正確。
```
router# show crypto ipsec sa
```
```
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 174.78.144.73
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 72.21.209.225 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 149, #pkts encrypt: 149, #pkts digest: 149
#pkts decaps: 146, #pkts decrypt: 146, #pkts verify: 146
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 174.78.144.73, remote crypto endpt.:205.251.233.121
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xB8357C22(3090512930)
inbound esp sas:
spi: 0x6ADB173(112046451)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4467148/3189)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB8357C22(3090512930)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4467148/3189)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 205.251.233.122
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 72.21.209.193 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 26, #pkts encrypt: 26, #pkts digest: 26
#pkts decaps: 24, #pkts decrypt: 24, #pkts verify: 24
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 174.78.144.73, remote crypto endpt.:205.251.233.122
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xF59A3FF6(4120526838)
inbound esp sas:
spi: 0xB6720137(3060924727)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3, flow_id: Motorola SEC 2.0:3, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4387273/3492)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF59A3FF6(4120526838)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 4, flow_id: Motorola SEC 2.0:4, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4387273/3492)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
```
對於每個通道界面,您應該都會同時看到 inbound `esp sas` 和 outbound `esp sas`。這假設列出 SA (例如,`spi: 0x48B456A6`),狀態為 `ACTIVE`,而且 IPsec 設定正確。
如需進一步故障診斷,請使用下列命令啟用除錯。
```
router# debug crypto ipsec
```
使用下列命令停用除錯。
```
router# no debug crypto ipsec
```
## 通道
首先,請檢查您有沒有必要的防火牆規則。如需詳細資訊,請參閱[AWS Site-to-Site VPN 客戶閘道裝置的防火牆規則](FirewallRules.md)。
如果您的防火牆規則設定正確,則繼續使用下列命令來進行故障診斷。
```
router# show interfaces tun1
```
```
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 169.254.249.18/30
MTU 17867 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 2/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 174.78.144.73, destination 205.251.233.121
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Tunnel transport MTU 1427 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec-vpn-92df3bfb-0")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 1 packets/sec
5 minute output rate 1000 bits/sec, 1 packets/sec
407 packets input, 30010 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
```
確定線路通訊協定已啟動。分別針對通道來源 IP 地址、來源界面和目標,檢查其是否與 IP 地址外客戶閘道裝置、界面和 IP 地址外虛擬私有閘道的通道組態相符。確定 `Tunnel protection through IPSec` 已存在。於這兩個通道界面上執行此命令。若要解決任何問題,請檢閱組態,並檢查與客戶閘道裝置的實體連接。
您也可以使用下列命令,將 `169.254.249.18` 換成虛擬私有閘道的內部 IP 地址。
```
router# ping 169.254.249.18 df-bit size 1410
```
```
Type escape sequence to abort.
Sending 5, 1410-byte ICMP Echos to 169.254.249.18, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
```
您應該會看見五個驚嘆號。
### 路由
若要查看您的靜態路由表,請使用下列命令。
```
router# sh ip route static
```
```
1.0.0.0/8 is variably subnetted
S 10.0.0.0/16 is directly connected, Tunnel1
is directly connected, Tunnel2
```
您應可透過現有的兩個通道看到 VPC CIDR 的靜態路由。它若不存在,請如下所示新增靜態路由。
```
router# ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100
router# ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200
```
### 檢查 SLA 監控
```
router# show ip sla statistics 100
```
```
IPSLAs Latest Operation Statistics
IPSLA operation id: 100
Latest RTT: 128 milliseconds
Latest operation start time: *18:08:02.155 UTC Wed Jul 15 2012
Latest operation return code: OK
Number of successes: 3
Number of failures: 0
Operation time to live: Forever
```
```
router# show ip sla statistics 200
```
```
IPSLAs Latest Operation Statistics
IPSLA operation id: 200
Latest RTT: 128 milliseconds
Latest operation start time: *18:08:02.155 UTC Wed Jul 15 2012
Latest operation return code: OK
Number of successes: 3
Number of failures: 0
Operation time to live: Forever
```
`Number of successes` 的值表示是否已順利設定 SLA 監控。
如需進一步故障診斷,請檢閱組態。
# 對 Juniper JunOS 客戶閘道裝置的 AWS Site-to-Site VPN 連線進行故障診斷
當您對 Juniper 客戶閘道裝置的連線問題進行故障診斷時,請考量四件事:IKE、IPsec、通道和 BGP。您可依任何順序故障診斷這些區域,但建議您從 IKE 開始 (網路堆疊底部的),一路向上。
## IKE
使用下列 命令。回應顯示客戶閘道裝置的 IKE 設定正確。
```
user@router> show security ike security-associations
```
```
Index Remote Address State Initiator cookie Responder cookie Mode
4 72.21.209.225 UP c4cd953602568b74 0d6d194993328b02 Main
3 72.21.209.193 UP b8c8fb7dc68d9173 ca7cb0abaedeb4bb Main
```
您應該會看到一或多行包含通道中所指定的遠端閘道遠端地址。`State` 應為 `UP`。缺少項目或任何項目處於其他狀態 (例如 `DOWN`),都表示 IKE 未正確設定。
如需進一步故障診斷,請如範例組態檔案中所建議,啟用 IKE 追蹤選項。然後執行下列命令,在螢幕中顯示各種除錯訊息。
```
user@router> monitor start kmd
```
從外部主機,您可以使用下列命令擷取整份日誌檔案。
```
scp username@router.hostname:/var/log/kmd
```
## IPsec
使用下列 命令。回應顯示客戶閘道裝置的 IPsec 設定正確。
```
user@router> show security ipsec security-associations
```
```
Total active tunnels: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<131073 72.21.209.225 500 ESP:aes-128/sha1 df27aae4 326/ unlim - 0
>131073 72.21.209.225 500 ESP:aes-128/sha1 5de29aa1 326/ unlim - 0
<131074 72.21.209.193 500 ESP:aes-128/sha1 dd16c453 300/ unlim - 0
>131074 72.21.209.193 500 ESP:aes-128/sha1 c1e0eb29 300/ unlim - 0
```
特別是,每個閘道地址 (對應至遠端閘道) 至少應該看到兩行。每行開頭的插入號 (< >) 指出特定項目的流量方向。在輸出中,傳入流量 (「<」,從虛擬私有閘道到此客戶閘道裝置的流量) 和傳出流量 (「>」) 各有不同的行。
如需進一步故障診斷,請啟用 IKE 追蹤選項 (詳細資訊請參閱上一節 IKE 內容)。
## 通道
首先,請再次檢查您有沒有必要的防火牆規則。如需規則清單,請參閱[AWS Site-to-Site VPN 客戶閘道裝置的防火牆規則](FirewallRules.md)。
如果您的防火牆規則設定正確,則繼續使用下列命令來進行故障診斷。
```
user@router> show interfaces st0.1
```
```
Logical interface st0.1 (Index 70) (SNMP ifIndex 126)
Flags: Point-To-Point SNMP-Traps Encapsulation: Secure-Tunnel
Input packets : 8719
Output packets: 41841
Security: Zone: Trust
Allowed host-inbound traffic : bgp ping ssh traceroute
Protocol inet, MTU: 9192
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 169.254.255.0/30, Local: 169.254.255.2
```
確定 `Security: Zone` 正確,而且 `Local` 地址符合客戶閘道裝置通道內部地址。
接著,使用下列命令,以您虛擬私有閘道的內部 IP 地址取代 `169.254.255.1`。您的結果看起來應該類似此處顯示的回應。
```
user@router> ping 169.254.255.1 size 1382 do-not-fragment
```
```
PING 169.254.255.1 (169.254.255.1): 1410 data bytes
64 bytes from 169.254.255.1: icmp_seq=0 ttl=64 time=71.080 ms
64 bytes from 169.254.255.1: icmp_seq=1 ttl=64 time=70.585 ms
```
如需進一步故障診斷,請檢閱組態。
## BGP
執行下列命令。
```
user@router> show bgp summary
```
```
Groups: 1 Peers: 2 Down peers: 0
Table Tot Paths Act Paths Suppressed History Damp State Pending
inet.0 2 1 0 0 0 0
Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...
169.254.255.1 7224 9 10 0 0 1:00 1/1/1/0 0/0/0/0
169.254.255.5 7224 8 9 0 0 56 0/1/1/0 0/0/0/0
```
如需進一步故障診斷,請使用下列命令,以您虛擬私有閘道的內部 IP 地址取代 `169.254.255.1`。
```
user@router> show bgp neighbor 169.254.255.1
```
```
Peer: 169.254.255.1+179 AS 7224 Local: 169.254.255.2+57175 AS 65000
Type: External State: Established Flags:
Last State: OpenConfirm Last Event: RecvKeepAlive
Last Error: None
Export: [ EXPORT-DEFAULT ]
Options:
Holdtime: 30 Preference: 170 Local AS: 65000 Local System AS: 0
Number of flaps: 0
Peer ID: 169.254.255.1 Local ID: 10.50.0.10 Active Holdtime: 30
Keepalive Interval: 10 Peer index: 0
BFD: disabled, down
Local Interface: st0.1
NLRI for restart configured on peer: inet-unicast
NLRI advertised by peer: inet-unicast
NLRI for this session: inet-unicast
Peer supports Refresh capability (2)
Restart time configured on the peer: 120
Stale routes from peer are kept for: 300
Restart time requested by this peer: 120
NLRI that peer supports restart for: inet-unicast
NLRI that restart is negotiated for: inet-unicast
NLRI of received end-of-rib markers: inet-unicast
NLRI of all end-of-rib markers sent: inet-unicast
Peer supports 4 byte AS extension (peer-as 7224)
Table inet.0 Bit: 10000
RIB State: BGP restart is complete
Send state: in sync
Active prefixes: 1
Received prefixes: 1
Accepted prefixes: 1
Suppressed due to damping: 0
Advertised prefixes: 1
Last traffic (seconds): Received 4 Sent 8 Checked 4
Input messages: Total 24 Updates 2 Refreshes 0 Octets 505
Output messages: Total 26 Updates 1 Refreshes 0 Octets 582
Output Queue[0]: 0
```
您應該會在此看到每個列出的 `Received prefixes` 與 `Advertised prefixes` 皆為 1。這應屬於 `Table inet.0` 區段。
如果 `State` 不是 `Established`,請檢查 `Last State` 和 `Last Error` 以取得所需詳細資訊來更正問題。
如果 BGP 對等互連已啟動,請確認您的客戶閘道裝置是否向 VPC 公告預設路由 (0.0.0.0/0)。
```
user@router> show route advertising-protocol bgp 169.254.255.1
```
```
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 0.0.0.0/0 Self I
```
此外,確定您會從虛擬私有閘道收到對應至您 VPC 的字首。
```
user@router> show route receive-protocol bgp 169.254.255.1
```
```
inet.0: 10 destinations, 11 routes (10 active, 0 holddown, 0 hidden)
Prefix Nexthop MED Lclpref AS path
* 10.110.0.0/16 169.254.255.1 100 7224 I
```
# 對 Juniper ScreenOS 客戶閘道裝置的 AWS Site-to-Site VPN 連線進行故障診斷
當您對 Juniper ScreenOS 型客戶閘道裝置的連線問題進行故障診斷時,請考量四件事:IKE、IPsec、通道和 BGP。您可依任何順序故障診斷這些區域,但建議您從 IKE 開始 (網路堆疊底部的),一路向上。
## IKE 和 IPsec
使用下列 命令。回應顯示客戶閘道裝置的 IKE 設定正確。
```
ssg5-serial-> get sa
```
```
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000002< 72.21.209.225 500 esp:a128/sha1 80041ca4 3385 unlim A/- -1 0
00000002> 72.21.209.225 500 esp:a128/sha1 8cdd274a 3385 unlim A/- -1 0
00000001< 72.21.209.193 500 esp:a128/sha1 ecf0bec7 3580 unlim A/- -1 0
00000001> 72.21.209.193 500 esp:a128/sha1 14bf7894 3580 unlim A/- -1 0
```
您應該會看到一或多行包含通道中所指定的遠端閘道遠端地址。`Sta` 數值應為 `A/-`,而 `SPI` 應為非 `00000000` 的十六進位數字。其他狀態下的項目表示 IKE 未正確設定。
如需進一步故障診斷,請如範例組態檔案中所建議,啟用 IKE 追蹤選項。
## 通道
首先,請再次檢查您有沒有必要的防火牆規則。如需規則清單,請參閱[AWS Site-to-Site VPN 客戶閘道裝置的防火牆規則](FirewallRules.md)。
如果您的防火牆規則設定正確,則繼續使用下列命令來進行故障診斷。
```
ssg5-serial-> get interface tunnel.1
```
```
Interface tunnel.1:
description tunnel.1
number 20, if_info 1768, if_index 1, mode route
link ready
vsys Root, zone Trust, vr trust-vr
admin mtu 1500, operating mtu 1500, default mtu 1500
*ip 169.254.255.2/30
*manage ip 169.254.255.2
route-deny disable
bound vpn:
IPSEC-1
Next-Hop Tunnel Binding table
Flag Status Next-Hop(IP) tunnel-id VPN
pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
OSPF disabled BGP enabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
NHRP disabled
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
```
您一定要看到 `link:ready`,而且 `IP` 地址符合客戶閘道裝置通道內部地址。
接著,使用下列命令,以您虛擬私有閘道的內部 IP 地址取代 `169.254.255.1`。您的結果看起來應該類似此處顯示的回應。
```
ssg5-serial-> ping 169.254.255.1
```
```
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 169.254.255.1, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=32/32/33 ms
```
如需進一步故障診斷,請檢閱組態。
## BGP
執行下列命令。
```
ssg5-serial-> get vrouter trust-vr protocol bgp neighbor
```
```
Peer AS Remote IP Local IP Wt Status State ConnID Up/Down
--------------------------------------------------------------------------------
7224 169.254.255.1 169.254.255.2 100 Enabled ESTABLISH 10 00:01:01
7224 169.254.255.5 169.254.255.6 100 Enabled ESTABLISH 11 00:00:59
```
兩個 BGP 對等的狀態都應是 `ESTABLISH`,這表示 BGP 對虛擬私有閘道的連線作用中。
如需進一步故障診斷,請使用下列命令,以您虛擬私有閘道的內部 IP 地址取代 `169.254.255.1`。
```
ssg5-serial-> get vr trust-vr prot bgp neigh 169.254.255.1
```
```
peer: 169.254.255.1, remote AS: 7224, admin status: enable
type: EBGP, multihop: 0(disable), MED: node default(0)
connection state: ESTABLISH, connection id: 18 retry interval: node default(120s), cur retry time 15s
configured hold time: node default(90s), configured keepalive: node default(30s)
configured adv-interval: default(30s)
designated local IP: n/a
local IP address/port: 169.254.255.2/13946, remote IP address/port: 169.254.255.1/179
router ID of peer: 169.254.255.1, remote AS: 7224
negotiated hold time: 30s, negotiated keepalive interval: 10s
route map in name: , route map out name:
weight: 100 (default)
self as next hop: disable
send default route to peer: disable
ignore default route from peer: disable
send community path attribute: no
reflector client: no
Neighbor Capabilities:
Route refresh: advertised and received
Address family IPv4 Unicast: advertised and received
force reconnect is disable
total messages to peer: 106, from peer: 106
update messages to peer: 6, from peer: 4
Tx queue length 0, Tx queue HWM: 1
route-refresh messages to peer: 0, from peer: 0
last reset 00:05:33 ago, due to BGP send Notification(Hold Timer Expired)(code 4 : subcode 0)
number of total successful connections: 4
connected: 2 minutes 6 seconds
Elapsed time since last update: 2 minutes 6 seconds
```
如果 BGP 對等互連已啟動,請確認您的客戶閘道裝置是否向 VPC 公告預設路由 (0.0.0.0/0)。此命令適用於 ScreenOS 6.2.0 版及更新版本。
```
ssg5-serial-> get vr trust-vr protocol bgp rib neighbor 169.254.255.1 advertised
```
```
i: IBGP route, e: EBGP route, >: best route, *: valid route
Prefix Nexthop Wt Pref Med Orig AS-Path
--------------------------------------------------------------------------------------
>i 0.0.0.0/0 0.0.0.0 32768 100 0 IGP
Total IPv4 routes advertised: 1
```
此外,確定您會從虛擬私有閘道收到對應至您 VPC 的字首。此命令適用於 ScreenOS 6.2.0 版及更新版本。
```
ssg5-serial-> get vr trust-vr protocol bgp rib neighbor 169.254.255.1 received
```
```
i: IBGP route, e: EBGP route, >: best route, *: valid route
Prefix Nexthop Wt Pref Med Orig AS-Path
--------------------------------------------------------------------------------------
>e* 10.0.0.0/16 169.254.255.1 100 100 100 IGP 7224
Total IPv4 routes received: 1
```
# 對與 Yamaha 客戶閘道裝置的 AWS Site-to-Site VPN 連線進行故障診斷
當您對 Yamaha 客戶閘道裝置的連線問題進行故障診斷時,請考量四件事:IKE、IPsec、通道和 BGP。您可依任何順序故障診斷這些區域,但建議您從 IKE 開始 (網路堆疊底部的),一路向上。
**注意**
根據預設,IKE 第 2 階段中使用的 `proxy ID` 設定會在 Yamaha 路由器上停用。這可能會造成連線至 Site-to-Site VPN 的問題。如果您的路由器上未設定 `proxy ID` ,請參閱 AWS提供的範例組態檔案,以便 Yamaha 正確設定。
## IKE
執行下列命令。回應顯示客戶閘道裝置的 IKE 設定正確。
```
# show ipsec sa gateway 1
```
```
sgw flags local-id remote-id # of sa
--------------------------------------------------------------------------
1 U K YOUR_LOCAL_NETWORK_ADDRESS 72.21.209.225 i:2 s:1 r:1
```
您應該會看到一行包含通道中所指定遠端閘道的 `remote-id` 值。您可藉由省略通道編號,列出所有安全關聯 (SA)。
如需進一步故障診斷,請執行下列命令啟用提供診斷資訊的 DEBUG 層級日誌訊息。
```
# syslog debug on
# ipsec ike log message-info payload-info key-info
```
若要取消記錄的項目,請執行下列命令。
```
# no ipsec ike log
# no syslog debug on
```
## IPsec
執行下列命令。回應顯示客戶閘道裝置的 IPsec 設定正確。
```
# show ipsec sa gateway 1 detail
```
```
SA[1] Duration: 10675s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Protocol: IKE
Algorithm: AES-CBC, SHA-1, MODP 1024bit
SPI: 6b ce fd 8a d5 30 9b 02 0c f3 87 52 4a 87 6e 77
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[2] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: a6 67 47 47
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[3] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: receive
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 6b 98 69 2b
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[4] Duration: 10681s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Protocol: IKE
Algorithm: AES-CBC, SHA-1, MODP 1024bit
SPI: e8 45 55 38 90 45 3f 67 a8 74 ca 71 ba bb 75 ee
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
```
對於每個通道界面,您應該都會同時看到 `receive sas` 和 `send sas`。
如需進一步故障診斷,請使用下列命令啟用除錯。
```
# syslog debug on
# ipsec ike log message-info payload-info key-info
```
執行下列命令以停用除錯。
```
# no ipsec ike log
# no syslog debug on
```
## 通道
首先,請檢查您有沒有必要的防火牆規則。如需規則清單,請參閱[AWS Site-to-Site VPN 客戶閘道裝置的防火牆規則](FirewallRules.md)。
如果您的防火牆規則設定正確,則繼續使用下列命令來進行故障診斷。
```
# show status tunnel 1
```
```
TUNNEL[1]:
Description:
Interface type: IPsec
Current status is Online.
from 2011/08/15 18:19:45.
5 hours 7 minutes 58 seconds connection.
Received: (IPv4) 3933 packets [244941 octets]
(IPv6) 0 packet [0 octet]
Transmitted: (IPv4) 3933 packets [241407 octets]
(IPv6) 0 packet [0 octet]
```
確定 `current status` 值為上線,而且 `Interface type` 為 IPsec。確定均於這兩個通道界面上執行此命令。若要解決此處的任何問題,請檢閱組態。
## BGP
執行下列命令。
```
# show status bgp neighbor
```
```
BGP neighbor is 169.254.255.1, remote AS 7224, local AS 65000, external link
BGP version 0, remote router ID 0.0.0.0
BGP state = Active
Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Connection established 0; dropped 0
Last reset never
Local host: unspecified
Foreign host: 169.254.255.1, Foreign port: 0
BGP neighbor is 169.254.255.5, remote AS 7224, local AS 65000, external link
BGP version 0, remote router ID 0.0.0.0
BGP state = Active
Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Connection established 0; dropped 0
Last reset never
Local host: unspecified
Foreign host: 169.254.255.5, Foreign port:
```
應會列出兩個鄰近項目。每一個都應該會看到 `BGP state` 的數值為 `Active`。
如果 BGP 對等互連已啟動,請確認您的客戶閘道裝置是否向 VPC 公告預設路由 (0.0.0.0/0)。
```
# show status bgp neighbor 169.254.255.1 advertised-routes
```
```
Total routes: 1
*: valid route
Network Next Hop Metric LocPrf Path
* default 0.0.0.0 0 IGP
```
此外,確定您會從虛擬私有閘道收到對應至您 VPC 的字首。
```
# show ip route
```
```
Destination Gateway Interface Kind Additional Info.
default ***.***.***.*** LAN3(DHCP) static
10.0.0.0/16 169.254.255.1 TUNNEL[1] BGP path=10124
```