1. View IKE connections (IKE SAs)
display ike sa
2. View IPSec connections (IPSec SAs)
display ipsec sa
3. Display IKE errors
display ike error
4. Clear the IKE information for a specific peer so that the connection is re-established
reset ike sa remote 114.34.85.115
5. View IKE sessions
<USG6300E>display firewall session table verbose destination-port global 500
# Output
2023-02-03 12:45:26.910 +08:00
Current Total Sessions : 2
# Here the IP starting with 210 is the destination address
udp VPN: public --> public ID: a487f7f3724101bfa63dcf99a
Zone: CHINA_UNICOM --> local TTL: 00:02:00 Left: 00:01:36
Recv Interface: GigabitEthernet0/0/9
Interface: InLoopBack0 NextHop: 127.0.0.1
<--packets: 51 bytes: 5,620 --> packets: 51 bytes: 5,636
171.217.93.22:500 --> 210.13.101.100:500 PolicyName: prohibit_url
# Here the IP starting with 210 is the source address. This connection is not getting through and is faulty: 240 bytes sent, 0 received
udp VPN: public --> public ID: a487f7f156b903c4d63dcf981
Zone: local --> CHINA_UNICOM TTL: 00:02:00 Left: 00:01:55
Recv Interface: InLoopBack0
Interface: GigabitEthernet0/0/9 NextHop: 210.13.101.129
<--packets: 0 bytes: 0 --> packets: 240 bytes: 116,400
210.13.101.100:500 --> 125.228.140.110:500 PolicyName: prohibit_url
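6. View sessions by source/destination address. Note that either end can initiate IKE, so use the IKE session table to determine which address is the source and which is the destination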
<USG6300E>display firewall session table verbose destination global 125.228.140.110 destination-port global 500
# Output
2023-02-03 12:52:50.230 +08:00
Current Total Sessions : 1
udp VPN: public --> public ID: a487f7f156b903c4d63dcf981
Zone: local --> CHINA_UNICOM TTL: 00:02:00 Left: 00:01:44
Recv Interface: InLoopBack0
Interface: GigabitEthernet0/0/9 NextHop: 210.13.101.129
<--packets: 0 bytes: 0 --> packets: 288 bytes: 139,680
210.13.101.100:500 --> 125.228.140.110:500 PolicyName: prohibit_url
7. Clear the cached session
<USG6300E>reset firewall session table destination global 125.228.140.110 destination-port global 500
Warning:Reseting session table will affect the system's normal service.
Continue? [Y/N]:Y
# Check again
<USG6300E>display firewall session table verbose destination global 125.228.140.115 destination-port global 500
2023-02-03 13:01:50.550 +08:00
Current Total Sessions : 1
udp VPN: public --> public ID: a487f90f97e603c4d63dd05bd
Zone: local --> CHINA_UNICOM TTL: 00:02:00 Left: 00:02:00
Recv Interface: InLoopBack0
Interface: GigabitEthernet0/0/9 NextHop: 210.13.101.129
<--packets: 0 bytes: 0 --> packets: 1 bytes: 485 # the previous session was reset successfully
210.13.101.130:500 --> 125.228.140.115:500 PolicyName: prohibit_url
8. View information about deleted IPSec tunnels that were established through IKE negotiation
display ike offline-info
9. Check which interface traffic to an IP address leaves from
disp ip rout 114.34.85.115
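
The one-way session seen in steps 5 and 6 (packets sent, none received) can be picked out of the session table automatically. The following Python is an added example, not part of the original notes: the function names and the `min_sent` threshold are assumptions, and the sample input is copied from the outputs in steps 5 and 7 with the interface lines omitted.

```python
import re

# Sample input: session entries copied from the outputs in steps 5 and 7 above.
SAMPLE = """\
udp VPN: public --> public ID: a487f7f3724101bfa63dcf99a
Zone: CHINA_UNICOM --> local TTL: 00:02:00 Left: 00:01:36
<--packets: 51 bytes: 5,620 --> packets: 51 bytes: 5,636
171.217.93.22:500 --> 210.13.101.100:500 PolicyName: prohibit_url
udp VPN: public --> public ID: a487f7f156b903c4d63dcf981
Zone: local --> CHINA_UNICOM TTL: 00:02:00 Left: 00:01:55
<--packets: 0 bytes: 0 --> packets: 240 bytes: 116,400
210.13.101.100:500 --> 125.228.140.110:500 PolicyName: prohibit_url
udp VPN: public --> public ID: a487f90f97e603c4d63dd05bd
Zone: local --> CHINA_UNICOM TTL: 00:02:00 Left: 00:02:00
<--packets: 0 bytes: 0 --> packets: 1 bytes: 485
210.13.101.130:500 --> 125.228.140.115:500 PolicyName: prohibit_url
"""

HEAD = re.compile(r"^\w+\s+VPN:.*\bID:\s*(\S+)")
COUNT = re.compile(r"<--\s*packets:\s*([\d,]+)\s+bytes:\s*[\d,]+\s+-->\s*packets:\s*([\d,]+)")
FLOW = re.compile(r"^([\d.]+):(\d+)\s+-->\s+([\d.]+):(\d+)")

def parse_sessions(text):
    """Split 'display firewall session table verbose' output into dicts."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEAD.match(line):
            sessions.append({"id": m.group(1)})
        elif sessions and (m := COUNT.search(line)):
            # "<--" counts replies, "-->" counts packets from the initiator
            sessions[-1]["recv"] = int(m.group(1).replace(",", ""))
            sessions[-1]["sent"] = int(m.group(2).replace(",", ""))
        elif sessions and (m := FLOW.match(line)):
            sessions[-1].update(src=m.group(1), dst=m.group(3), dport=int(m.group(4)))
    return sessions

def one_way_ike(sessions, min_sent=5):
    """IKE (UDP/500) sessions that keep sending but never get a reply."""
    # min_sent is an assumed threshold: it skips a freshly reset session
    # that has not had time to receive an answer yet (as in step 7).
    return [s for s in sessions
            if s.get("dport") == 500 and s.get("recv") == 0
            and s.get("sent", 0) >= min_sent]

if __name__ == "__main__":
    for s in one_way_ike(parse_sessions(SAMPLE)):
        print(f"no reply from {s['dst']}: {s['sent']} packets sent (session {s['id']})")
```

A peer flagged this way is a candidate for the checks in steps 3, 8 and 9 before resetting the session.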