Solving packet loss on a Juniper site-to-site IPsec VPN
Background:
Between the company office and the leased datacenter there is a site-to-site IPsec VPN, built on the firewalls at each end: the office side uses a Fortinet firewall and the datacenter side a Juniper firewall (the setup procedure is covered in an earlier post). After the tunnel was first built, testing showed no problems and it has been in use ever since. Last night, however, a colleague suddenly reported that access to the datacenter network was slow and that pings were dropping packets; the loss rate was roughly 1%-2%, with no discernible pattern.
Solution:
1. Restarted the VPN service on the company-side Fortinet firewall; this did not fix the problem.
2. Rebooted the Fortinet firewall; this did not fix the problem.
3. Searched on Google for a solution and found the following description:
Symptoms:
VPN tunnel is up
ICMP packet drops to the trust interface through VPN
ICMP packet drops to a host on trust zone on other side of VPN
set arp age 5
Getting 1% to 6% Packet Drops when Pinging through VPN

**** jump to packet:65.34.112.58->67.127.89.44
tunnel route to 65.34.112.57
wait for arp rsp for 65.34.112.57
encryption tunnel 1 l2 is not ready.
**** pak processing end.
handle raw/no_session pakcet.

If you do a debug flow basic and you see a message "wait for arp rsp for ...", this is a good indication that you are running into this ARP issue.
Solution:
The default ARP timeout is 1200 seconds, or 20 minutes. The ARP age refreshes only after it times out, or if the ARP counts down to 10 seconds. However, if the ARP timeout is set to anything < 10 seconds, you will experience packet drops.
Resolution: Never set the ARP age timeout to anything < 10 seconds.
The gist of the above: a Juniper device refreshes an ARP entry when its timeout expires, or when only 10 s remain before it expires. If the ARP age on your Juniper device is set to less than 10 s, this causes packet loss.
How to change the ARP age:
get config | inc arp    Run this on the command line to view the ARP age. If the system default is in use, nothing is shown.
set arp age 1200    Sets the ARP age to 1200 s (range: 1 - 65535).
This article is from the “榮耀屬於前輩” blog; please keep this attribution: http://lipenglong.blog.51cto.com/5309038/1961165
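The check below is an added example, not code from the original post or from Juniper: it automates the two diagnostics the post describes, reading the ARP age from `get config | inc arp` output (treating an absent line as the 1200 s default) and counting "wait for arp rsp for" stalls in `debug flow basic` output. Both sample outputs are constructed, modelled on the KB excerpt above, with private IP addresses; the 10 s threshold is the one stated in the KB text.

```python
import re

# Constructed sample output of `get config | inc arp` on a ScreenOS firewall
# with the problematic setting from the KB excerpt. An empty output means the
# default ARP age (1200 s) is in effect.
SAMPLE_CONFIG = "set arp age 5\n"

# Constructed `debug flow basic` excerpt (shape taken from the KB excerpt):
# two of three packets stall waiting for an ARP reply from the next hop.
SAMPLE_DEBUG = """\
**** jump to packet:10.0.0.10->10.1.0.20
tunnel route to 10.1.0.1
wait for arp rsp for 10.1.0.1
encryption tunnel 1 l2 is not ready.
**** pak processing end.
**** jump to packet:10.0.0.11->10.1.0.21
tunnel route to 10.1.0.1
**** pak processing end.
**** jump to packet:10.0.0.12->10.1.0.22
tunnel route to 10.1.0.1
wait for arp rsp for 10.1.0.1
encryption tunnel 1 l2 is not ready.
**** pak processing end.
"""

DEFAULT_ARP_AGE = 1200   # ScreenOS default, per the KB text
MIN_SAFE_ARP_AGE = 10    # below this the entry expires before it is refreshed


def parse_arp_age(config_text):
    """Return the configured ARP age in seconds, or the default if no line is set."""
    m = re.search(r"^\s*set arp age (\d+)\s*$", config_text, re.MULTILINE)
    return int(m.group(1)) if m else DEFAULT_ARP_AGE


def count_arp_waits(debug_text):
    """Count 'wait for arp rsp for <ip>' stalls per next-hop IP in debug flow output."""
    counts = {}
    for m in re.finditer(r"^wait for arp rsp for (\S+)", debug_text, re.MULTILINE):
        counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def diagnose(config_text, debug_text):
    """Combine both checks and return (arp_age, stalls_per_ip, list of findings)."""
    age = parse_arp_age(config_text)
    waits = count_arp_waits(debug_text)
    findings = []
    if age < MIN_SAFE_ARP_AGE:
        findings.append(
            f"arp age is {age}s (< {MIN_SAFE_ARP_AGE}s): entries expire before "
            f"refresh, expect drops; fix with 'set arp age {DEFAULT_ARP_AGE}'"
        )
    for ip, n in sorted(waits.items()):
        findings.append(f"{n} packet(s) stalled waiting for an ARP reply from {ip}")
    return age, waits, findings


if __name__ == "__main__":
    age, waits, findings = diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG)
    print(f"configured arp age: {age}s")
    for line in findings:
        print("finding:", line)
```

Paste the real command outputs into the two variables (or read them from files) and run the script; a finding on the ARP age combined with non-zero stall counts matches the symptom in the post, and the fix is the `set arp age 1200` command above.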