ASA VPN HELP

Szeretném a segítségeteket kérni.

Adott több telephely. A telephelyek közötti hálózati infrastruktúrát egy szolgáltató biztosítja.

A központi telephely és a vidéki telephelyek között VPN kapcsolatot ASA 5500 segítségével épitettük ki.

Az egyik telephely felé csomagvesztés lép fel, ha a felépitett VPN kapcsolaton keresztül kommunikálunk.

A hálózati topologia nagy vonalakban, fiktiv adatokkal.

http://1drv.ms/1fR6r4c

Azért ez a kialakítás mert az ASA 5500.-nak nincs optikai interfésze, (nem is bővíthető) de a 3750.-esnek meg van. Ezért azon kersztül van megjáratva.

Segítségeteket szeretném kérni.

!!!! A HIBA !!!!

192.168.0.2 ping 192.168.1.2
Tehát a VPN tunnel.-en keresztül.

C:\Users\network_admin>ping 192.168.1.2 -t

Pinging 192.168.1.2 with 32 bytes of data:
Request timed out.
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=3ms TTL=254
Reply from 192.168.1.2: bytes=32 time=4ms TTL=254
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Request timed out. <------------- csomag vesztés
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Request timed out.
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Request timed out.
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Request timed out.
Reply from 192.168.1.2: bytes=32 time=2ms TTL=254
Reply from 192.168.1.2: bytes=32 time=5ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=1ms TTL=254
Reply from 192.168.1.2: bytes=32 time=4ms TTL=254

#############################################################################

VPN tunnel.-en keresztül.

1.ASA 5500# ping inside-network 192.168.0.1 size 15000 repeat 999
Type escape sequence to abort.
Sending 999, 15000-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!! <------------- csomag vesztés
!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! <------------- csomag vesztés
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (997/999), round-trip min/avg/max = 1/7/10 ms

############################################################################

VPN tunnel.-en keresztül, de kisebb csomagmérettel!

1.ASA 5500# ping inside-video-network 192.168.0.1 size 1400 repeat 1000
Type escape sequence to abort.
Sending 1000, 1400-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!?!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
<------------- csomag vesztés
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 99 percent (999/1000), round-trip min/avg/max = 1/3/10 ms

############################################################################

Tunnel.-en kívűl, viszont szuperül működik.

1.ASA 5500# ping outside 10.10.10.1 size 15000 repeat 999
Type escape sequence to abort.
Sending 999, 15000-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (999/999), round-trip min/avg/max = 1/6/10 ms

Nincs csomagvesztés!!
###########################################################################

A két ASA konfig kb ugyanaz:
Fiktiv adatok, és az érzékeny adatokat töröltem.

show run
: Saved
:
: Serial Number:
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(3)
!
hostname
domain-name
enable password encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
description outside
switchport access vlan 400
!
interface Ethernet0/1
description inside
switchport access vlan X
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
shutdown
!
interface Vlan x
description
nameif
security-level 100
ip address 192.168.0.1 255.255.255.0
!
interface Vlan400
description
nameif
security-level 0
ip address 10.10.10.1 255.255.255.0
!

mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-732-102.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected

nat source static tunnel tunnel destination static tunnel-group2 tunnel-group2 no-proxy-arp route-lookup description

access-group (....)
route outside (....)
route inside (....)

timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http server session-timeout 60
http
snmp-server host
snmp-server host
no snmp-server location
no snmp-server contact
snmp-server community *****

crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer
crypto map outside_map 1 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set peer
crypto map outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer
crypto map outside_map 5 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure

crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
subject-name CN=,CN=KP-BHB-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA

crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400

crypto ikev2 enable outside
telnet timeout 5
ssh stricthostkeycheck
ssh
ssh timeout 60
ssh key-exchange group dh-group1-sha1
console timeout 60
management-access

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside-video-network /
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev2 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_ internal
group-policy GroupPolicy_ attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_ internal
group-policy GroupPolicy_ attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_ internal
group-policy GroupPolicy_attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_ internal
group-policy GroupPolicy_attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_ internal
group-policy GroupPolicy_ attributes

vpn-tunnel-protocol ikev2

username password encrypted privilege 15

tunnel-group type ipsec-l2l
tunnel-group general-attributes
default-group-policy GroupPolicy_
tunnel-group ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
Cryptochecksum:
: end

####################################

1. ASA 5500# show crypto ikev2 sa detail
IKEv2 SAs:
Session-id:8, Status:UP-ACTIVE, IKE count:1, CHILD count:4
Tunnel-id Local Remote Status Role
899657123 10.10.10.1/500 10.10.10.2/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/14792 sec
Session-id: 8
Status Description: Negotiation done
Local spi: B5A64AD1DC65B3D8 Remote spi: 040272FDC391BC1F
Local id: 10.10.10.1
Remote id: 10.10.10.2
Local req mess id: 878 Remote req mess id: 846
Local next mess id: 878 Remote next mess id: 846
Local req queued: 878 Remote req queued: 846
Local window: 1 Remote window: 1
DPD configured for 10 seconds, retry 2
NAT-T is not detected

##########################

1. ASA 5500#show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 10.10.10.1
access-list outside_cryptomap_1 extended permit ip
local ident (addr/mask/prot/port):
remote ident (addr/mask/prot/port):
current_peer: 10.10.10.2
#pkts encaps: 1679913, #pkts encrypt: 1679913, #pkts digest: 1679913
#pkts decaps: 1688530, #pkts decrypt: 1688527, #pkts verify: 1688527
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1679913, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.10.10.1/500, remote crypto endpt.: 10.10.10.2/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: clear-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 3C1A7779
current inbound spi : 39A5362D
inbound esp sas:
spi: 0x39A5362D (967128621)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 8187904, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4239233/4102)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x3C1A7779 (1008367481)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 8187904, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4008846/4102)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

########################

1.ASA 5500# show crypto accelerator statistics

Crypto Accelerator Status
-------------------------
[Capability]
Supports hardware crypto: True
Supports modular hardware crypto: False
Max accelerators: 2
Max crypto throughput: 100 Mbps
Max crypto connections: 25
[Global Statistics]
Number of active accelerators: 2
Number of non-operational accelerators: 0
Input packets: 26848140010
Input bytes: 18198213572747
Output packets: 2290628569
Output error packets: 0
Output bytes: 1120851662450

[Accelerator 0]
Status: OK
Software crypto engine
Slot: 0
Active time: 15996796 seconds
Total crypto transforms: 242910
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 181536
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 181536
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 2514048
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 2514256
[Diffie-Hellman statistics]
Keys generated: 1162
Secret keys derived: 872
[RSA statistics]
Keys generated: 1
Signatures: 32
Verifications: 1
Encrypted packets: 3
Encrypted bytes: 91
Decrypted packets: 3
Decrypted bytes: 768
[ECDSA statistics]
Keys generated: 12
Signatures: 12
Verifications: 15
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 69
Random number request failures: 0
[HMAC statistics]
HMAC requests: 71710

[Accelerator 1]
Status: OK
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2_05
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.09
Slot: 1
Active time: 15996798 seconds
Total crypto transforms: 29184122572
Total dropped packets: 5
[Input statistics]
Input packets: 26848147680
Input bytes: 18198219063570
Input hashed packets: 26848145653
Input hashed bytes: 17761521429127
Decrypted packets: 26848147771
Decrypted bytes: 17331449849606
[Output statistics]
Output packets: 2290629811
Output bad packets: 0
Output bytes: 1121076043412
Output hashed packets: 2290091053
Output hashed bytes: 1047193138352
Encrypted packets: 2290629811
Encrypted bytes: 1010256702586
[Diffie-Hellman statistics]
Keys generated: 1267
Secret keys derived: 907
[RSA statistics]
Keys generated: 0
Signatures: 1
Verifications: 1
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[ECDSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 538758
Inbound records: 2073
[RNG statistics]
Random number requests: 95609
Random number request failures: 0
[HMAC statistics]
HMAC requests: 18126481

Még nem ástam bele magam, de jó lenne valamilyen irányt felvenni, hogy ne menjen rá sok idő.
Eggyenlőre fingom nincs. Mert ugyanilyen hardverkiépitésben és konfigurációval, a többi telephely felé problémamentesen üzemel.
Sajnos a szolgáltató nem tulságosan segítőkész, de azt tudom, hogy az adatforgalm: dedikállt, üvegszálas, internetforgalomtól mentes
összeköttetés, és redundáns, MACsec titkosítva.
Merre induljak el.
Package capture? Igen, de mit érdemes.
Lehet Layer 2 hiba?
Lehet a szolgáltató eszközének (Cisco 6509 és még amit nem látok) configurációs hibája?

Minden segítséget előre is köszönök.