Configuration wonders.

Jan 17, 2012 17:48

I needed to check something on a router in Krasnodar. Once I had found out everything I needed, I decided to refresh my memory of the config. I originally configured the box myself, then handed it over to the local comrades for support.
And here is what I dug up there:

crypto map CMAP 20 ipsec-isakmp
set peer 10.248.24.37
set peer 10.248.24.9
set peer 10.248.24.1
set peer 10.248.24.25
set peer 10.248.24.33
set peer 10.248.24.53
set peer 10.248.24.57
set peer 10.248.24.73
set peer 10.248.24.49
set peer 10.248.24.77
set peer 10.248.24.5
set peer 10.248.24.17
set peer 10.248.24.21
set peer 10.248.24.29
set peer 10.248.24.61
set peer 10.248.24.65
set peer 10.248.24.81
set peer 10.248.24.85
set peer 10.248.24.89
set peer 10.254.129.25
set peer 10.248.24.13
set peer 10.250.24.25
set peer 10.250.24.57
set peer 10.250.24.61
set peer 10.250.24.65
set peer 10.250.24.81
set peer 10.250.24.85
set peer 10.250.24.89
set transform-set TO-AZS-GPN-UG
match address GPN-UG-AZS-VPN
Extended IP access list GPN-UG-AZS-VPN
10 permit gre host 10.254.129.21 host 10.248.24.37 (79061441 matches)
20 permit gre host 10.254.129.21 host 10.248.24.9 (73883491 matches)
30 permit gre host 10.254.129.21 host 10.248.24.1 (75822751 matches)
40 permit gre host 10.254.129.21 host 10.248.24.25 (56732 matches)
50 permit gre host 10.254.129.21 host 10.248.24.33 (80243600 matches)
60 permit gre host 10.254.129.21 host 10.248.24.53 (1194138 matches)
70 permit gre host 10.254.129.21 host 10.248.24.57 (56703 matches)
80 permit gre host 10.254.129.21 host 10.248.24.73 (78879603 matches)
90 permit gre host 10.254.129.21 host 10.248.24.49 (1175066 matches)
100 permit gre host 10.254.129.21 host 10.248.24.77 (17383391 matches)
110 permit gre host 10.254.129.21 host 10.248.24.5 (1189691 matches)
120 permit gre host 10.254.129.21 host 10.248.24.17 (971912 matches)
130 permit gre host 10.254.129.21 host 10.248.24.21 (15872912 matches)
140 permit gre host 10.254.129.21 host 10.248.24.29 (17117004 matches)
150 permit gre host 10.254.129.21 host 10.248.24.61 (31271 matches)
160 permit gre host 10.254.129.21 host 10.248.24.65 (31273 matches)
170 permit gre host 10.254.129.21 host 10.248.24.81 (31256 matches)
180 permit gre host 10.254.129.21 host 10.248.24.85 (31257 matches)
190 permit gre host 10.254.129.21 host 10.248.24.89 (31259 matches)
200 permit gre host 10.254.129.21 host 10.254.129.25 (30858420 matches)
210 permit gre host 10.254.129.21 host 10.248.24.13 (1874456 matches)
220 permit gre host 10.254.129.21 host 10.250.24.25 (17529251 matches)
230 permit gre host 10.254.129.21 host 10.250.24.57 (765890 matches)
240 permit gre host 10.254.129.21 host 10.250.24.61 (316333 matches)
250 permit gre host 10.254.129.21 host 10.250.24.65 (331918 matches)
260 permit gre host 10.254.129.21 host 10.250.24.81 (385139 matches)
270 permit gre host 10.254.129.21 host 10.250.24.85 (715811 matches)
280 permit gre host 10.254.129.21 host 10.250.24.89 (765248 matches)

The funniest part is that this hell actually works:
KRD01-BR01#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.248.24.37 10.254.129.21 QM_IDLE 5832 ACTIVE
10.248.24.9 10.254.129.21 QM_IDLE 5821 ACTIVE
10.254.128.1 10.254.129.21 QM_IDLE 5778 ACTIVE
10.254.129.21 10.248.24.73 QM_IDLE 5820 ACTIVE
10.250.24.85 10.254.129.21 QM_IDLE 5824 ACTIVE
10.254.129.21 10.254.129.25 QM_IDLE 5777 ACTIVE
10.248.24.21 10.254.129.21 QM_IDLE 5823 ACTIVE
10.248.24.5 10.254.129.21 QM_IDLE 5831 ACTIVE
10.248.24.1 10.254.129.21 QM_IDLE 5829 ACTIVE
10.250.24.89 10.254.129.21 QM_IDLE 5826 ACTIVE
10.254.129.21 10.250.24.25 QM_IDLE 5798 ACTIVE
10.254.129.21 10.250.24.89 QM_IDLE 5825 ACTIVE
10.254.129.21 10.248.24.33 QM_IDLE 5827 ACTIVE
10.254.129.21 10.248.24.77 QM_IDLE 5830 ACTIVE
10.254.129.21 10.250.24.81 QM_IDLE 5834 ACTIVE
10.248.24.13 10.254.129.21 QM_IDLE 5787 ACTIVE
10.254.129.21 10.248.24.37 QM_IDLE 5833 ACTIVE
10.250.24.65 10.254.129.21 QM_IDLE 5819 ACTIVE
10.254.129.21 10.250.24.61 QM_IDLE 5815 ACTIVE
10.248.24.49 10.254.129.21 QM_IDLE 5822 ACTIVE
10.254.129.21 10.248.24.17 QM_IDLE 5817 ACTIVE
10.254.129.21 10.250.24.57 QM_IDLE 5793 ACTIVE
10.254.129.21 10.248.24.53 QM_IDLE 5816 ACTIVE
10.248.24.29 10.254.129.21 QM_IDLE 5818 ACTIVE

IPv6 Crypto ISAKMP SA

On top of that, when I also found an empty transform-set and killed it, thinking someone had been playing around and forgot to clean up after themselves, less than an hour passed before I got a call with a wild scream: "Why the hell have all the AZS (filling stations) dropped off?"
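A pre-change check for the failure described above, as an added example that is not part of the original post: before removing an object that looks unused, list the crypto map entries that still reference it, and flag peers that have no line in the matched ACL. The sample config is constructed in the shape of the one shown; the `OLD-TEST` transform-set and all function names are hypothetical.

```python
import re

# Constructed sample: three peers instead of 28, an "empty" transform-set as in
# the post, and a hypothetical unused one (OLD-TEST) for comparison.
SAMPLE_CONFIG = """\
crypto ipsec transform-set TO-AZS-GPN-UG
crypto ipsec transform-set OLD-TEST esp-aes esp-sha-hmac
crypto map CMAP 20 ipsec-isakmp
 set peer 10.248.24.37
 set peer 10.248.24.9
 set peer 10.250.24.25
 set transform-set TO-AZS-GPN-UG
 match address GPN-UG-AZS-VPN
ip access-list extended GPN-UG-AZS-VPN
 permit gre host 10.254.129.21 host 10.248.24.37
 permit gre host 10.254.129.21 host 10.248.24.9
"""

def parse(config):
    """Return (transform_sets, crypto_map_entries, acls) from IOS-style config text."""
    tsets, cmaps, acls, cur = {}, {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+)\s*(.*)", line):
            tsets[m[1]] = m[2].split()          # empty list = no transforms defined
            cur = None
        elif m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line):
            cur = cmaps.setdefault((m[1], int(m[2])), {"peers": [], "tsets": [], "acl": None})
        elif m := re.match(r"ip access-list extended (\S+)", line):
            cur = acls.setdefault(m[1], [])
        elif isinstance(cur, dict) and (m := re.match(r"set peer (\S+)", line)):
            cur["peers"].append(m[1])
        elif isinstance(cur, dict) and (m := re.match(r"set transform-set (.+)", line)):
            cur["tsets"] += m[1].split()
        elif isinstance(cur, dict) and (m := re.match(r"match address (\S+)", line)):
            cur["acl"] = m[1]
        elif isinstance(cur, list) and (m := re.match(r"(?:\d+ )?permit gre host \S+ host (\S+)", line)):
            cur.append(m[1])                    # remote GRE endpoint of this ACL line
    return tsets, cmaps, acls

def dependents(config, tset_name):
    """Crypto map entries that still reference tset_name; non-empty means do not delete."""
    _, cmaps, _ = parse(config)
    return sorted(k for k, v in cmaps.items() if tset_name in v["tsets"])

def peers_without_acl(config):
    """Per crypto map entry: peers that have no matching line in the matched ACL."""
    _, cmaps, acls = parse(config)
    return {k: [p for p in v["peers"] if p not in acls.get(v["acl"], [])]
            for k, v in cmaps.items()}
```

Run against a saved copy of the running config, `dependents()` answers whether a transform-set that looks abandoned is in fact holding up a crypto map entry.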

Work, Stream of consciousness
