Jump to content
Калькуляторы

Миграция с 7206 на ASR1002 (ISG) Не проходит трафик через vpn

Добрый день!

Решили заменить cisco 7206 на ASR1002.

Перенес конфиг на новую железку, сессия поднимается трафик не ходит. Подскажите куда копать.

Если я правильно понимаю, проблема с отработкой ACL, т.к. исходящий трафик от vpn я wireshark'ок вижу и в ACL (LOCAL_in) он попадает, нету входящего на vpn подключение. Но содержание ACL (всех) - permit ip any any (для тестов)

 

Данные:

Настройки ISG

class-map type traffic match-any class-local
match access-group input name LOCAL_in
match access-group output name LOCAL_out
!
policy-map type service policy-local
class type traffic class-local
!
class type traffic default in-out
!
!
policy-map type control RULE1
class type control service-check event service-start
 9 service-policy type service name policy-local
 10 service-policy type service identifier service-name
!
class type control always event service-start
 10 service-policy type service aaa list PPPoE identifier service-name
 20 service-policy type service identifier service-name
 21 service-policy type service name policy-local
!

 

вывод ссесии

#sh sss ses de
Current Subscriber Information: Total sessions 1
--------------------------------------------------
Type: VPDN, UID: 30, State: authen, Identity: 123
IPv4 Address: 192.168.100.21
Session Up-time: 00:06:21, Last Changed: 00:06:21
Interface: Virtual-Access2.1
Switch-ID: 4394

Policy information:
 Context 439C2780: Handle 4C00008A
 AAA_id 0000002D: Flow_handle 0
 Authentication status: authen
 Config history for session (recent to oldest):
   Access-type: Web-service-logon Client: SM
    Policy event: Got More Keys (Service)
   Access-type: Web-service-logon Client: SM
    Policy event: Got More Keys (Service)
   Access-type: PPP Client: SM
    Policy event: Got More Keys
 Active services associated with session:
   name "ex2"
   name "policy-local"
 Rules, actions and conditions executed:
   subscriber rule-map RULE1
     condition always event session-start
       1 authenticate aaa list PPPoE
       subscriber condition-map match-any service-check
         match identifier service-name ex2 [TRUE]
   subscriber rule-map RULE1
     condition service-check event service-start
       9 service-policy type service name policy-local
       10 service-policy type service identifier service-name

Classifiers:
Class-id    Dir   Packets    Bytes                  Pri.  Definition
0           In    191        18772                  0    Match Any
1           Out   0          0                      0    Match Any
110         In    191        18772                  0    Match ACL LOCAL_in
111         Out   0          0                      0    Match ACL LOCAL_out
112         In    0          0                      100  Match ACL Inet_in
113         Out   0          0                      100  Match ACL Inet_out
4294967294  In    0          0                      -    Drop
4294967295  Out   0          0                      -    Drop

Features:

Absolute Timeout:
Class-id   Timeout Value    Time Remaining       Source
0          86400            23:53:38             Peruser
112        86400            23:53:38             ex2

Prepaid Time Monitor:
Class-id   Dir  Threshold  Quota    Session Time Source
112        In   86397      86400    381          ex2
113        Out  86397      86400    381          ex2

Policing:
Class-id   Dir  Avg. Rate   Normal Burst  Excess Burst Source
113        Out  104857500   19660780      0            ex2

Prepaid Volume Monitor:
Class-id   Dir  Packets    Bytes                  Source
112        In   159        11256                  ex2
113        Out  0          0                      ex2

 Usage(since last update): 11256 - Total: 11256
 Threshold:N/A - Quota:Unlimited
 Current states: Start

Configuration Sources:
Type  Active Time  AAA Service ID  Name
SVC   00:06:21     -               policy-local
SVC   00:06:21     1946157087      ex2
USR   00:06:21     -               Peruser
INT   00:06:21     -               Virtual-Template1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.