Background:
The link between the company office and the leased server room is an IPsec VPN terminated on the firewalls at each end: a Fortinet firewall on the office side and a Juniper firewall in the server room (the setup is covered in an earlier post). It tested fine after it was built and has been in use ever since, but last night a colleague suddenly reported that access to the server room network was slow, with ping packet loss of roughly 1%-2% and no discernible pattern.
Troubleshooting:
1. Restarted the VPN service on the office Fortinet firewall; the problem persisted.
2. Rebooted the Fortinet firewall; the problem persisted.
3. Searched Google for a fix and found the following description:
Symptoms:
VPN tunnel is up
ICMP packet drops to the trust interface through VPN
ICMP packet drops to a host on trust zone on other side of VPN
set arp age 5
Getting 1% to 6% Packet Drops when Pinging through VPN
**** jump to packet:65.34.112.58->67.127.89.44
route is ready
tunnel route to 65.34.112.57
wait for arp rsp for 65.34.112.57
encryption tunnel 1 l2 is not ready.
**** pak processing end.
handle raw/no_session pakcet.
If you do a debug flow basic and you see a message "wait for arp rsp for ...", this is a good indication that you are running into this ARP issue.
Solution:
The default ARP timeout is 1200 seconds, or 20 minutes. The ARP age refreshes only after it times out, or if the ARP counts down to 10 seconds. However, if the ARP timeout is set to anything < 10 seconds, you will experience packet drops.
Resolution: Never set the ARP age timeout to anything < 10 seconds.
The gist of the above: the Juniper refreshes an ARP entry when it times out, or when only 10 s remain before the timeout. If the ARP age on your Juniper device is set to less than 10 s, the refresh itself causes packet loss.
How to change the ARP age:
get arp age check the current ARP age from the command line; if the system default is in effect, no value is shown.
set arp age 1200 set the ARP age to 1200 s (range: 1 - 65535)
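As an added example (not part of the original post or of Juniper's tooling), a small Python checker that applies the two indicators described above: the ARP age from get config | inc arp (default 1200 s when no line is shown; anything below 10 s is flagged) and the "wait for arp rsp" lines from debug flow basic. Both sample outputs below are constructed, and the IP address is a documentation-range placeholder.

```python
import re
from typing import List

# Constructed sample of `get config | inc arp` on a ScreenOS box whose
# ARP age has been lowered (an untouched default prints nothing at all).
SAMPLE_CONFIG = "set arp age 5\n"

# Constructed sample of `debug flow basic` output, modelled on the lines
# quoted in the post; 192.0.2.10 is a placeholder address.
SAMPLE_DEBUG_FLOW = """\
route is ready
tunnel route to 192.0.2.10
wait for arp rsp for 192.0.2.10
encryption tunnel 1 l2 is not ready.
**** pak processing end.
"""

DEFAULT_ARP_AGE = 1200  # ScreenOS default: 20 minutes
MIN_SAFE_ARP_AGE = 10   # entries refresh once 10 s remain; below this, drops occur


def effective_arp_age(config_text: str) -> int:
    """Return the configured ARP age in seconds; the default applies
    when no 'set arp age' line is present in the config output."""
    m = re.search(r"^\s*set arp age (\d+)\s*$", config_text, re.MULTILINE)
    return int(m.group(1)) if m else DEFAULT_ARP_AGE


def arp_age_is_safe(config_text: str) -> bool:
    """The KB rule: never run with an ARP age below 10 seconds."""
    return effective_arp_age(config_text) >= MIN_SAFE_ARP_AGE


def arp_wait_hosts(debug_flow: str) -> List[str]:
    """Hosts the firewall is stalled on while waiting for an ARP reply."""
    return re.findall(r"^wait for arp rsp for (\S+)", debug_flow, re.MULTILINE)


def diagnose(config_text: str, debug_flow: str) -> str:
    """Combine both indicators into a one-line verdict."""
    age = effective_arp_age(config_text)
    stalled = arp_wait_hosts(debug_flow)
    if not arp_age_is_safe(config_text) and stalled:
        return f"ARP age {age}s < {MIN_SAFE_ARP_AGE}s and ARP waits for {stalled}: raise with 'set arp age 1200'"
    if not arp_age_is_safe(config_text):
        return f"ARP age {age}s is below the {MIN_SAFE_ARP_AGE}s minimum"
    return f"ARP age {age}s is fine; stalled hosts: {stalled}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, SAMPLE_DEBUG_FLOW))
```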