I have a problem here. I have built an L2L VPN from my site to AWS, and I can see the tunnel is up, but when I try to connect our office's on-premises domain controller to AWS I see timeouts, while UDP works. I have no port restrictions on my ACL, so I don't know why UDP works but TCP does not. Strangely, when TCP tries to connect I see the following in the logs:
Jun 05 2019 03:54:10: %ASA-6-302013: Built inbound TCP connection 408579111 for INSIDE:10.16.10.15/65059 (10.190.0.15/65059) to INSIDE:10.20.0.115/88 (10.20.0.115/88)
Jun 05 2019 03:54:10: %ASA-6-302013: Built inbound TCP connection 408579112 for INSIDE:10.190.0.15/65059 (10.190.0.15/65059) to INSIDE:10.20.0.115/88 (10.20.0.115/88)
Jun 05 2019 03:54:10: %ASA-4-419002: Duplicate TCP SYN from INSIDE:10.190.0.15/65059 to INSIDE:10.20.0.115/88 with different initial sequence number
Jun 05 2019 03:54:10: %ASA-4-419002: Duplicate TCP SYN from INSIDE:10.190.0.15/65059 to INSIDE:10.20.0.115/88 with different initial sequence number
Jun 05 2019 03:54:10: %ASA-4-419002: Duplicate TCP SYN from INSIDE:10.190.0.15/65059 to INSIDE:10.20.0.115/88 with different initial sequence number
I see a lot of duplicate TCP SYN messages, and then it eventually times out.
My configuration is as follows:
object network dw01
host 10.16.10.103
object network dw01-NATLDN
host 10.190.0.103
object network dc03
host 10.16.10.15
object network dc03-NATLDN
host 10.190.0.15
object-group network Amazon.LocalLDN
network-object 10.190.0.0 255.255.255.0
object-group network Amazon-RemoteLDN
network-object 10.20.0.0 255.255.0.0
access-list OUTSIDE_cryptomap_10 extended permit ip any object-group Amazon-RemoteLDN
access-list amznLDN-filter extended permit ip 10.20.0.0 255.255.0.0 10.190.0.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static dw01 dw01-NATLDN destination static Amazon-RemoteLDN Amazon-RemoteLDN
nat (INSIDE,any) source static network dc03 dc03-NATLDN destination static Amazon-RemoteLDN Amazon-RemoteLDN
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto map OUTSIDE_map 15 match address OUTSIDE_cryptomap_10
crypto map OUTSIDE_map 15 set pfs group2
crypto map OUTSIDE_map 15 set peer 52.56.71.96 3.8.226.22
crypto map OUTSIDE_map 15 set ikev1 transform-set transform-amzn
crypto map OUTSIDE_map 15 set security-association lifetime seconds 3600
crypto map OUTSIDE_map 15 set nat-t-disable
tunnel-group 52.56.71.96 type ipsec-l2l
tunnel-group 52.56.71.96 general-attributes
default-group-policy Amazon-LDN
tunnel-group 52.56.71.96 ipsec-attributes
ikev1 pre-shared-key
isakmp keepalive threshold 10 retry 10
group-policy Amazon-LDN internal
group-policy Amazon-LDN attributes
vpn-idle-timeout none
vpn-session-timeout none
vpn-filter value amznLDN-filter
vpn-tunnel-protocol ikev1
Posted on 2019-06-06 04:49:54
I know what the problem was, but thanks to everyone who tried to help me. So where was the problem? The subnet we use for AWS is 10.20.0.0/24. I was checking the routes on the firewall and finally noticed
route 10.0.0.0 255.0.0.0 10.16.169.10 1
So because the AWS subnet falls inside the 10 network according to that route, the traffic was thrown back to the switch interface, which is why I saw the duplicate SYN messages when I looked at the logs. Once we changed the AWS IP addresses to something outside the 10 network, it worked. Thanks again to Jesse P for the help, much appreciated! Let me know if you have any questions.
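The root cause above (a static route more general than the crypto ACL pulling VPN-interesting traffic out the INSIDE interface, so it never reaches the crypto map on OUTSIDE) can be checked mechanically before a deployment. The following is an added example, not part of the original post: it performs the ASA-style longest-prefix lookup over the route from the post and reports any crypto-ACL prefix that a non-OUTSIDE route would swallow. The default route and its next hop are assumed, since the post does not show them.

```python
import ipaddress

# Constructed from the post: the static route sends 10/8 to an inside next hop,
# while the crypto map (OUTSIDE_map) is bound to the OUTSIDE interface.
ROUTES = [  # (interface, prefix, next hop, metric)
    ("INSIDE", "10.0.0.0/8", "10.16.169.10", 1),
    ("OUTSIDE", "0.0.0.0/0", "203.0.113.1", 1),  # assumed default route, not in the post
]
CRYPTO_IFACE = "OUTSIDE"
CRYPTO_ACL = ["10.20.0.0/16"]  # Amazon-RemoteLDN, matched by OUTSIDE_cryptomap_10


def egress(dst, routes=ROUTES):
    """Longest-prefix (then lowest-metric) lookup; returns (interface, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, nh, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[1].prefixlen, -best[3]):
            best = (iface, net, nh, metric)
    return (best[0], best[2]) if best else (None, None)


def vpn_routing_problems(crypto_acl=CRYPTO_ACL, routes=ROUTES, crypto_iface=CRYPTO_IFACE):
    """Report VPN-interesting prefixes that a route on another interface captures.
    Returns [(interesting_prefix, offending_route_prefix, egress_iface, next_hop)]."""
    problems = []
    for prefix in crypto_acl:
        net = ipaddress.ip_network(prefix)
        for iface, rprefix, _nh, _metric in routes:
            rnet = ipaddress.ip_network(rprefix)
            if iface == crypto_iface or not net.overlaps(rnet):
                continue
            # Probe one host inside the overlap; the lookup decides which route wins.
            probe = (rnet if rnet.subnet_of(net) else net).network_address + 1
            out_iface, out_nh = egress(str(probe), routes)
            if out_iface != crypto_iface:
                problems.append((prefix, rprefix, out_iface, out_nh))
    return problems


if __name__ == "__main__":
    print("10.20.0.115 leaves via", egress("10.20.0.115"))
    for p in vpn_routing_problems():
        print("interesting %s swallowed by route %s -> %s via %s" % p)
```

With the post's route table the check flags 10.20.0.0/16 as leaving via INSIDE toward 10.16.169.10; adding a more specific route for the AWS prefix out OUTSIDE, or moving AWS off 10/8 as the author did, clears it.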
https://networkengineering.stackexchange.com/questions/59613