NetScreen VPN login failure: analysis and fix
Source: Internet  Editor: 程序博客网  Time: 2024/05/16 13:58
SafeNet SoftRemote is a widely used VPN client and is shipped as the client for many firewalls' VPNs.
NetScreen's firewalls, for example, ship it as NetScreen-Remote. That is the one I use, so I will take it as the example and share what I found.
Many users report that after installing the client, logging in produces the prompt:
unable to connect to my connectionsxjmc, please check log for further details.
Following that prompt, I looked at the client log:
10-13: 22:50:21.421 My Connectionsxjmc - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
10-13: 22:50:21.765 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
10-13: 22:50:36.843 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:50:36.843 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:50:52.015 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:50:52.015 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:51:07.187 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:51:07.187 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:51:22.234 My Connectionsxjmc - Exceeded 3 IKE SA negotiation attempts
The firewall log for the same attempt shows:
2006-10-13 23:03:25 info IKE Phase 1: Retransmission limit has been reached.
2006-10-13 23:02:36 info IKE
Read together, the two logs say that the client's request did reach the firewall, but the negotiation never completed. The client sends its IKE Phase 1 aggressive-mode packet, never receives anything back, and gives up after three retransmissions. The firewall's own "Retransmission limit has been reached" means it answered and kept resending its reply without ever getting the client's third message. So the request path works; it is the reply from the firewall back to the client that is not arriving.
For comparison, I then looked at the log of a client that connected successfully:
10-13: 22:58:35.500 My Connectionsxjmc - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
10-13: 22:58:35.906 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
10-13: 22:58:35.937 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
10-13: 22:58:35.937 My Connectionsxjmc - Peer is NAT-T draft-01 capable
10-13: 22:58:35.937 My Connectionsxjmc - NAT is detected for Client
10-13: 22:58:36.156 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
10-13: 22:58:36.156 My Connectionsxjmc - Established IKE SA
10-13: 22:58:36.156 My Connectionsxjmc - MY COOKIE bf b 31 85 69 55 9f db
10-13: 22:58:36.156 My Connectionsxjmc - HIS COOKIE a4 98 c3 b 41 f e1 81
10-13: 22:58:36.171 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
10-13: 22:58:42.250 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(Retransmission)
10-13: 22:58:48.250 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(Retransmission)
Here the request gets a reply (the firewall's own aggressive-mode packet, including NAT-D payloads), NAT traversal is detected, the IKE SA is established, and the login goes through.
The firewall log for this session (newest entry first):
2006-10-13 23:10:50 info IKE: Received initial contact notification and removed Phase 2 SAs.
2006-10-13 23:10:50 info IKE: Received a notification message for DOI <1> <24578> .
2006-10-13 23:10:50 info IKE: Received a notification message for DOI <1> <24577> .
2006-10-13 23:10:50 info IKE Phase 1: IKE responder has detected NAT in front of the remote device.
2006-10-13 23:10:50 info IKE Phase 1: Responder starts AGGRESSIVE mode negotiations.
This confirms that both sides completed the Phase 1 negotiation.
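The comparison above can be turned into a small classifier that reads a SafeNet SoftRemote (NetScreen-Remote) log and reports whether Phase 1 was answered at all. This is an added example written for this article; it is not code from the original post or from SafeNet/Juniper. The two embedded logs are the client logs quoted above, re-entered here as constructed sample input (the peer address is the article's redacted xxx.xxx.xxx.xxx), and the classification rules are my assumption about what those messages mean, not an official decoder of the log format.

```python
"""Classify IKE Phase 1 outcome from a SafeNet SoftRemote / NetScreen-Remote client log.

Added example for this article (not the original post's or vendor's code).
Sample logs are the article's client logs, constructed here as inline input.
"""
import re

# Constructed sample: the failing client's log quoted in the article.
FAILED_LOG = """\
10-13: 22:50:21.421 My Connectionsxjmc - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
10-13: 22:50:21.765 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
10-13: 22:50:36.843 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:50:36.843 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:50:52.015 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:50:52.015 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:51:07.187 My Connectionsxjmc - message not received! Retransmitting!
10-13: 22:51:07.187 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (Retransmission)
10-13: 22:51:22.234 My Connectionsxjmc - Exceeded 3 IKE SA negotiation attempts
"""

# Constructed sample: the working client's log quoted in the article.
OK_LOG = """\
10-13: 22:58:35.500 My Connectionsxjmc - Initiating IKE Phase 1 (IP ADDR=xxx.xxx.xxx.xxx)
10-13: 22:58:35.906 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
10-13: 22:58:35.937 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK AG (SA, VID 3x, KE, NON, ID, HASH, VID, NAT-D 2x)
10-13: 22:58:35.937 My Connectionsxjmc - Peer is NAT-T draft-01 capable
10-13: 22:58:35.937 My Connectionsxjmc - NAT is detected for Client
10-13: 22:58:36.156 My Connectionsxjmc - SENDING>>>> ISAKMP OAK AG *(HASH, NAT-D 2x, NOTIFY:STATUS_REPLAY_STATUS, NOTIFY:STATUS_INITIAL_CONTACT)
10-13: 22:58:36.156 My Connectionsxjmc - Established IKE SA
10-13: 22:58:36.156 My Connectionsxjmc - MY COOKIE bf b 31 85 69 55 9f db
10-13: 22:58:36.156 My Connectionsxjmc - HIS COOKIE a4 98 c3 b 41 f e1 81
10-13: 22:58:36.171 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(HASH, ATTR)
10-13: 22:58:42.250 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(Retransmission)
10-13: 22:58:48.250 My Connectionsxjmc - RECEIVED<<< ISAKMP OAK TRANS *(Retransmission)
"""

# One log line: "MM-DD: HH:MM:SS.mmm <connection name> - <message>" (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}: \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<conn>.+?)\s+-\s+(?P<msg>.*)$"
)
PEER_RE = re.compile(r"IP ADDR=([^)]+)")


def parse(log):
    """Return one dict (ts, conn, msg) per recognised line; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def diagnose(log):
    """Summarise Phase 1: did our proposal leave, did anything come back, did the SA come up?"""
    msgs = [e["msg"] for e in parse(log)]
    peer = next((PEER_RE.search(m).group(1) for m in msgs if PEER_RE.search(m)), None)
    sent = [m for m in msgs if m.startswith("SENDING>>>>")]
    received = [m for m in msgs if m.startswith("RECEIVED<<<")]
    # "message not received! Retransmitting!" is logged once per client retry.
    retransmissions = sum("Retransmitting!" in m for m in msgs)
    mode = ("aggressive" if any("ISAKMP OAK AG" in m for m in sent)
            else "main" if any("ISAKMP OAK MM" in m for m in sent) else None)
    established = any(m.startswith("Established IKE SA") for m in msgs)
    gave_up = any(m.startswith("Exceeded") for m in msgs)
    nat_detected = any("NAT is detected" in m for m in msgs)

    if established:
        status = "phase1-established"
        hint = "IKE SA is up; if the tunnel still fails, look at Xauth/mode-config and Phase 2."
    elif sent and not received:
        status = "no-response"
        hint = ("Proposal left the client but no ISAKMP reply came back: make sure UDP 500 "
                "(and UDP 4500 for NAT-T) reaches this host through the router and the host firewall.")
    elif received:
        status = "negotiation-failed"
        hint = "Peer answered but Phase 1 did not complete: compare proposals, pre-shared key and IDs."
    else:
        status, hint = "unknown", "No ISAKMP traffic found in the log."
    return {"status": status, "peer": peer, "mode": mode, "retransmissions": retransmissions,
            "gave_up": gave_up, "nat_detected": nat_detected, "hint": hint}


if __name__ == "__main__":
    for name, log in (("failing client", FAILED_LOG), ("working client", OK_LOG)):
        d = diagnose(log)
        print(f"{name}: {d['status']} (peer {d['peer']}, {d['mode']} mode, "
              f"{d['retransmissions']} retransmissions, NAT detected: {d['nat_detected']})")
        print("  ->", d["hint"])
```

The "no-response" verdict is the one this article is about: the client's proposal goes out, nothing comes back on UDP 500, and the client exhausts its retries. Pairing that verdict with the firewall-side "Retransmission limit has been reached" narrows the fault to the reply path, which is what pointed at the router's port mapping here.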
So what was the cause? I looked for it in the actual setup of the two client machines.
Both reach the internet through the company's ADSL broadband router. The difference is this:
the working client simply shares the router's internet connection,
while the failing client also has port mappings. To offer HTTP and FTP on the LAN, ports 80 and 21 on the broadband router had been mapped to that machine's LAN IP. To test whether this was the cause, I changed that machine's IP address (so the mappings no longer pointed at it), and the login succeeded.
So the problem was there. How to fix it? On investigation: IKE negotiation runs over UDP port 500 in both directions, so when the client sends its authentication request, the firewall's reply is addressed to UDP 500 on the client. With port mappings configured for this host but none for that port, the reply never reached the client and authentication could not proceed. Once UDP 500 was also mapped to that LAN IP, the problem was solved and the login succeeded. Why this router needed a static mapping is not established by this write-up: a NAT router ordinarily remembers the outbound UDP 500 packet and passes the reply back on its own, so the behaviour points at a quirk in how this router handles IKE (IPsec passthrough) for hosts that have port forwarding configured.
Summary:
Many of the ways clients get online today cause this kind of problem, and a port restriction in the operating system's built-in firewall will cause it too. UDP port 500 must be able to reach the client machine. When NAT traversal is in use (the successful log shows NAT-T draft-01 with NAT detected), later NAT-T versions and RFC 3947 move the negotiation and the UDP-encapsulated ESP to UDP port 4500, so allow that as well; without NAT-T, ESP (IP protocol 50) must also pass.
When using a broadband router, be aware that adding port mappings can break other functions, and some devices behind NAT do not pass UDP 500 at all.
Disabling and re-enabling the Local Area Connection also does the trick!