Background: The headquarters of an organisation uses a Sangfor AF firewall deployed as its egress router, peered over standard IPsec with a Hillstone firewall at a branch site's egress.
Symptom: The IPsec tunnel is up. Comparing both sides, the IPsec configuration, ACLs and the rest all check out. Hosts on the branch (Hillstone) LAN can ping hosts on the headquarters (Sangfor) LAN, but headquarters hosts cannot ping branch hosts, and business traffic fails. IPsec configuration, encryption algorithms, authentication method and ACLs are all correct, and the traffic (subnets) entering the tunnel is also correct. A packet capture on the Sangfor firewall shows the traffic leaving; only the carrier circuit sits in between, and the carrier reports no restrictions.
Troubleshooting: On the Sangfor AF, the branch egress device's public IP is 218.95.215.10, the local IPsec network is 172.16.40.0/23, and the remote networks are 192.168.9.0/24, 192.168.41.0/24, 192.168.0.235/32, 192.168.0.236/24, 192.168.0.238/32 and 192.168.46.4/32.
On the Hillstone firewall, the headquarters egress device's public IP is 61.133.215.3, the remote IPsec network is 172.16.40.0/23, and the local networks are 192.168.9.0/24, 192.168.41.0/24, 192.168.0.235/32, 192.168.0.236/24, 192.168.0.238/32 and 192.168.46.4/32.
The interesting-traffic configuration matches on both sides and the tunnel negotiates normally. A PC behind the Sangfor pings a PC behind the Hillstone (172.16.40.70 pings 192.168.0.238); the Hillstone receives the ESP packet and drops it after decapsulation. The debug output is as follows:
Packet: 172.16.40.70 -> 192.168.0.238, id: 64141, ip size 428, prot: 1(ICMP)
dp_prepare_pak_lookup srcip: 172.16.40.70, dstip: 192.168.0.238, src-port:1, dst-port:2488, prot 1
packet's flow hashtag is 285760a3
No session found, try to create session
dp_first_crt_sess_init_flow0_from_pak_iif: set cpuid 0
-----------------First path creating new session-----------------
dp_sess_sm_transtion: Do session state machine transtion, id 195602, state: 0, event: 0!
allocate pending session and install flow0
begin lookup predefine prot:1 port:2488
Identified as app PING (prot=1). timeout 6.
--------VR:trust-vr start--------
172.16.40.70:1->192.168.0.238:2488
No BNAT configured for this VR
NAT: ICMP protocol type/code 0800
NO DNS rewrite dynamic mapping entry found.
No DNAT matches
No inner DNAT matches, skip DNAT
Configured PBR, need lookup appid, proto 0x1, vr_id 1, ip 192.168.0.238, port 2488
Get nexthop if_id: 58, flags: 0, nexthop: 192.168.0.238
Connection route.
Found the reverse route for force or prefer revs-route setting
lookup bnat for snat start!
No BNAT configured for this VR
lookup common snat start!
NAT: ICMP protocol type/code 0800
No SNAT matches, or out of pool, skip SNAT
--------VR:trust-vr end--------
Start policy lookup.
Pak src zone VPNHub, dst zone trust, prot 1, dst-port 2488.
recheck_policy_lookup: profile_mask:0
recheck_policy_lookup: profile_mask:0
Policy 40 matches, ===PERMIT===
crt_sess->flow0_io_cpuid 0
flow0 src 172.16.40.70 --> dst 192.168.0.238 with nexthop 192.168.0.238 ifindex 58
dp_sess_sm_transtion: Do session state machine transtion, id 195602, state: 1, event: 4!
flow1's tunnel id(3721) is not the same with in tunnel's(7240), drop.
Dropped: Failed to create session
-----------------------First path over (session not created)
Dropped: failed to create session, drop the packet (action=0)
1. The cause is the reverse route enabled under the IPsec VPN tunnel interface on the Hillstone firewall; disabling the reverse route resolves it. The reverse route strictly checks that the inbound and outbound paths match. With the reverse route disabled, return traffic goes back out through the interface it arrived on even if the firewall has no return route configured, so the service works; with the reverse route enabled and no return route configured, return traffic is dropped.
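As an added example (not part of the original write-up), the following Python script reduces a StoneOS first-path trace like the one above to the decisions that matter, so that the reverse-route tunnel-ID mismatch is not hidden behind the reassuring "Policy 40 matches, ===PERMIT===" line. The message patterns are taken from the trace above; the sample trace is a constructed, trimmed copy of it.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a trimmed copy of the Hillstone first-path trace shown above.
SAMPLE_TRACE = """\
Packet: 172.16.40.70 -> 192.168.0.238, id: 64141, ip size 428, prot: 1(ICMP)
Found the reverse route for force or prefer revs-route setting
Pak src zone VPNHub, dst zone trust, prot 1, dst-port 2488.
Policy 40 matches, ===PERMIT===
flow1's tunnel id(3721) is not the same with in tunnel's(7240), drop.
Dropped: Failed to create session
"""

@dataclass
class Verdict:
    src: str = ""
    dst: str = ""
    policy: Optional[int] = None        # matched policy id, if any
    permitted: bool = False             # policy verdict was PERMIT
    reverse_route: bool = False         # force/prefer reverse-route was applied
    tunnel_mismatch: Optional[tuple] = None  # (reply-flow tunnel id, ingress tunnel id)
    dropped: bool = False

def parse_first_path(trace: str) -> Verdict:
    # Reduce a StoneOS "first path" session trace to the decisions that matter.
    v = Verdict()
    for line in trace.splitlines():
        if m := re.match(r"Packet: (\S+) -> (\S+),", line):
            v.src, v.dst = m.group(1), m.group(2)
        elif m := re.match(r"Policy (\d+) matches, ===(\w+)===", line):
            v.policy, v.permitted = int(m.group(1)), m.group(2) == "PERMIT"
        elif "revs-route setting" in line:
            v.reverse_route = True
        elif m := re.search(r"tunnel id\((\d+)\) is not the same with in tunnel's\((\d+)\)", line):
            v.tunnel_mismatch = (int(m.group(1)), int(m.group(2)))
        elif line.startswith("Dropped:"):
            v.dropped = True
    return v

def root_cause(v: Verdict) -> str:
    # A policy PERMIT proves nothing on its own: the drop can happen after it.
    if not v.dropped:
        return "forwarded"
    if v.tunnel_mismatch and v.reverse_route:
        return (f"reverse-route check: reply flow resolves to tunnel {v.tunnel_mismatch[0]} "
                f"but the packet arrived via tunnel {v.tunnel_mismatch[1]}")
    if v.policy is not None and not v.permitted:
        return f"policy {v.policy} denied"
    return "dropped for a reason this parser does not recognise"
```

Run `root_cause(parse_first_path(SAMPLE_TRACE))` to get the one-line verdict; feed it the full trace from the firewall to check a live case.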