VPLEX: Three-way VPN configuration fails because of an incorrect IP address

Summary: This article walks you through re-establishing the VPN connection between the VPlex clusters and the Cluster Witness when a newly assigned IP address has not been updated in the ipsec.conf file.


Symptoms

The user has changed or updated the VPlex management server IP address (cluster-1 and/or cluster-2) or the Cluster Witness IP address.

Problem description:
Configuring the three-way VPN connection between the VPlex management servers (cluster-1 and/or cluster-2) and the Cluster Witness server fails with the following error message:

VPlexcli:/> configuration cw-vpn-configure -i xx.xx.xx.xx --force
Please enter the IP address of the remote cluster management server that will be included in the 3-way VPN setup: yy.yy.yy.yy
Verifying the VPN status between the management servers...
IPSEC is UP
Remote Management Server at IP Address yy.yy.yy.yy is reachable
Remote Internal Gateway addresses are reachable
Verifying the VPN status between the management server and the cluster witness server...
IPSEC is not UP
Cluster Witness Server at IP Address 128.221.254.3 is not reachable

Error during Cluster Witness VPN Establishment: IPSEC configuration failed: Cannot proceed to configure the Cluster Witness Server IPSec configuration.

It is possible that a 3-way VPN has already been established and you have given a wrong Cluster Witness Server public IP address.
Please re-run the cluster witness server vpn configuration with the right public IP address.
Resetting the Cluster Witness VPN configuration
Resetting the Cluster Witness Server VPN configuration

...
(output truncated)

 

Cause

The three-way VPN connection configuration between the VPlex management servers (cluster-1 and/or cluster-2) and the Cluster Witness server can fail in the following two scenarios:

  1. The user changed the VPlex management server IP address (eth3) on cluster-1 and/or cluster-2, but the Cluster Witness server's IPsec configuration file still contains the old IP address of the affected management server.

    and/or,

  2. The user changed the Cluster Witness IP address, but the IPsec configuration file on the VPlex management server (cluster-1 and/or cluster-2) still contains the old IP address of the Cluster Witness server.

 

Resolution

Review the following case details and resolution steps to fix the issue:

Case 1: The user changed the VPlex management server IP address (eth3) on cluster-1 and/or cluster-2, but the Cluster Witness server's IPsec configuration file still contains the old IP address of the affected management server.

Note: In the following example, the user changed the VPlex management server IP addresses of both cluster-1 and cluster-2.
  1. Collect the correct IP addresses assigned to the VPlex management servers (cluster-1 and cluster-2), as follows:

    Cluster-1:

    VPlexcli:/> vpn status
    Verifying the VPN status between the management servers...
    IPSEC is UP
    Remote Management Server at IP Address 14N.NNN.N.NNN is reachable
    Remote Internal Gateway addresses are reachable
    ...
    (output truncated)

    Cluster-2:

    VPlexcli:/> vpn status
    Verifying the VPN status between the management servers...
    IPSEC is UP
    Remote Management Server at IP Address 14M.MMM.M.MMM is reachable
    Remote Internal Gateway addresses are reachable
    ...
    (output truncated)
  2. SSH to the Cluster Witness server using its public IP address:

    1. To find the public IP address of the Cluster Witness server, run the following VPlexcli command:
      Example:
      VPlexcli:/> ll /cluster-witness/
      /cluster-witness:
      Attributes:
      Name                Value
      ------------------  -------------
      admin-state         unknown
      private-ip-address  128.221.254.3
      public-ip-address   XX.XX.XX.XX      <<< Cluster-Witness server public IP-address
    2. SSH to the Cluster Witness public IP address obtained in step 2.a, as follows:
      service@ManagementServer:~> ssh <cluster-witness-public-IP-address>
      Example:
      service@ManagementServer:~> ssh xx.xx.xx.xx       >> cluster-witness-public-IP-address
      Warning: Permanently added 'xx.xx.xx.xx' (ECDSA) to the list of known hosts.
      Last login: Mon Jun 06 15:33:14 2016 from xx.xx.xx.xx
      service@ClusterWitness:~>
  3. Open the ipsec.conf file and look for the IP addresses of the VPlex management servers of cluster-1 and cluster-2, as follows:

    Note: Before performing step 3, use the vpn status output from step 1 to confirm the actual IP addresses of the VPlex management servers. Once you have collected this information, compare it with the ipsec.conf file shown below to check whether the addresses match.

    範例:

    service@ClusterWitness:~> cat /etc/ipsec.conf
    # Add connections here.
    # Setup a tunnel between the management servers and the Cluster Witness Server
    # "left" means local, "right" means remote.
    # Connection between Cluster Witness Server and Management Server
    conn witness-cluster2
       type=tunnel
       keyexchange=ikev2
       mobike=no
       reauth=no
       left=%defaultroute
       leftsubnet=128.221.254.3/32
       leftcert=hostCert.pem
       right=15Y.YYY.Y.YYY             <<========== Old/incorrect IP address of VPlex management server-2
       rightsubnet=128.221.252.64/27,128.221.253.64/27
       rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKxxxxxxxxxxxx, E=support@emc.com"
       ike=3des-sha256-modp2048
       esp=aes256-sha256
       auto=start
    
    # Connection between Cluster Witness Server and Management Server
    conn witness-cluster1
       type=tunnel
       keyexchange=ikev2
       mobike=no
       reauth=no
       left=%defaultroute
       leftsubnet=128.221.254.3/32
       leftcert=hostCert.pem
       right=15X.XXX.X.XXX         <<========== Old/incorrect IP address of VPlex management server-1
       rightsubnet=128.221.252.32/27,128.221.253.32/27
       rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKyyyyyyyyyyyy, E=support@emc.com"
       ike=3des-sha256-modp2048
       esp=aes256-sha256
       auto=start
  4. The example above shows that the Cluster Witness server's ipsec.conf still carries the old IP addresses of the VPlex management servers of cluster-1 and cluster-2. Therefore, edit the ipsec.conf file on the Cluster Witness server with the vi editor and update it with the correct IP addresses of VPlex cluster-1 and cluster-2.

    Note: Put the correct IP addresses of VPlex cluster-1 and cluster-2 directly after the equals sign, with no space between the equals sign and the IP address, then save and exit the file.

    Example:

    service@ClusterWitness:~> vi /etc/ipsec.conf
    # Add connections here.
    # Setup a tunnel between the management servers and the Cluster Witness Server
    # "left" means local, "right" means remote.
    # Connection between Cluster Witness Server and Management Server
    conn witness-cluster1
       type=tunnel
       keyexchange=ikev2
       mobike=no
       reauth=no
       left=%defaultroute
       leftsubnet=128.221.254.3/32
       leftcert=hostCert.pem
       right=14M.MMM.M.MMM       <<========== Add/update the correct IP address of VPlex cluster-1.
       rightsubnet=128.221.252.32/27,128.221.253.32/27
       rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKyyyyyyyyyyyy, E=support@emc.com"
       ike=3des-sha256-modp2048
       esp=aes256-sha256
       auto=start
    
    # Connection between Cluster Witness Server and Management Server
    conn witness-cluster2
       type=tunnel
       keyexchange=ikev2
       mobike=no
       reauth=no
       left=%defaultroute
       leftsubnet=128.221.254.3/32
       leftcert=hostCert.pem
       right=14N.NNN.N.NNN       <<========== Add/update the correct IP address of VPlex cluster-2.
       rightsubnet=128.221.252.64/27,128.221.253.64/27
       rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKxxxxxxxxxxxx, E=support@emc.com"
       ike=3des-sha256-modp2048
       esp=aes256-sha256
       auto=start
  5. Restart the IPsec service on the Cluster Witness server and on the VPlex management servers (cluster-1 and cluster-2), as follows:

    service@ClusterWitness:~> sudo /usr/sbin/ipsec restart
    service@ManagementServer:~> sudo /usr/sbin/ipsec restart
    1. Verify the status of the IPsec service, as follows:
      service@ClusterWitness:~> sudo /usr/sbin/ipsec status
      service@ManagementServer:~> sudo /usr/sbin/ipsec status
  6. Re-run the following command to reconfigure the three-way VPN connection between the VPlex management servers and the Cluster Witness server, as follows:
    Example:
    From VPlexcli on cluster-1:

    VPlexcli:/> configuration cw-vpn-configure -i <cluster-witness-public-IP> --force

    Then from VPlexcli on cluster-2:

    VPlexcli:/> configuration cw-vpn-configure -i <cluster-witness-public-IP> --force
  7. Confirm the Cluster Witness status (on cluster-1 and cluster-2) as in step 1, as follows:
    Example:

    VPlexcli:/> ll /cluster-witness/*
    /cluster-witness/components:
    Name               ID  Admin State  Operational State    Mgmt Connectivity
    -----------------  --  -----------  -------------------  -----------------
    cluster-1          1   enabled      in-contact           ok
    cluster-2          2   enabled      in-contact           ok
    server             -   enabled      clusters-in-contact  ok
  8. Check VPN connectivity with the vpn status command (on cluster-1 and cluster-2), as follows:

    Example:
    Cluster-1:

    VPlexcli:/> vpn status
    
    Verifying the VPN status between the management servers...
    IPSEC is UP
    Remote Management Server at IP Address 14N.NNN.N.NNN is reachable
    Remote Internal Gateway addresses are reachable
    Verifying the VPN status between the management server and the cluster witness server...
    IPSEC is UP
    Cluster Witness Server at IP Address 128.221.254.3 is reachable

    Cluster-2:

    VPlexcli:/> vpn status
    Verifying the VPN status between the management servers...
    IPSEC is UP
    Remote Management Server at IP Address 14M.MMM.M.MMM is reachable
    Remote Internal Gateway addresses are reachable
    Verifying the VPN status between the management server and the cluster witness server...
    IPSEC is UP
    Cluster Witness Server at IP Address 128.221.254.3 is reachable

Case 2: The user changed the Cluster Witness IP address, but the IPsec configuration file on the VPlex management server (cluster-1 and/or cluster-2) still contains the old IP address of the Cluster Witness server.

  1. Confirm the correct public IP address of the Cluster Witness with the following command:

    VPlexcli:/> ll /cluster-witness/**
    /cluster-witness:
    Attributes:
    Name                Value
    ------------------  -------------
    admin-state         enabled
    private-ip-address  128.221.254.3
    public-ip-address   xx.xx.xx.65      <<< Cluster-Witness server public IP-address
    Contexts:
    Name        Description
    ----------  --------------------------
    components  Cluster Witness Components
  2. On the VPlex management server (cluster-1 or cluster-2), display the ipsec.conf file as follows:

    Note: Before performing step 2, confirm the actual addresses first: the Cluster Witness public IP address from step 1, and the VPlex management server IP addresses from the vpn status output. Once you have collected this information, compare it with the ipsec.conf file shown below to check whether the addresses match.

    Example:

    service@Managementserver:~> cat /etc/ipsec.conf     >> Cluster-1
    # Add connections here.
    # Setup a tunnel between the management servers and their networks
    # "left" means local, "right" means remote.
    # Connection between Cluster Witness Server and Management Server
    conn net-witness
       type=tunnel
       keyexchange=ikev2
       mobike=no
       reauth=no
       left=%defaultroute
       leftsubnet=128.221.252.64/27,128.221.253.64/27
       leftcert=hostCert.pem
       right=xx.xx.xx.45    <<========== Old/incorrect IP address of cluster-witness
       rightsubnet=128.221.254.3/32
       rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN CWS, E=support@emc.com"
       ike=3des-sha256-modp2048
       esp=aes128-sha1
       auto=start
    
    # Connection between Management Server 1 and Management Server 2
    conn net-net
       type=tunnel
       keyexchange=ikev2
       mobike=no
       reauth=no
       left=%defaultroute
       leftsubnet=128.221.252.64/27,128.221.253.64/27
       leftcert=hostCert.pem
       right=14N.NNN.N.NNN   <<========== IP address of remote management server
       rightsubnet=128.221.252.32/27,128.221.253.32/27
       rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN:CKxxxxxxxxxxxx, E=support@emc.com"
       ike=3des-sha256-modp2048
       esp=aes256-sha256
       auto=start
  3. The example above shows that the ipsec.conf file on the VPlex management server (cluster-1 and/or cluster-2) still carries the old IP address of the Cluster Witness server. Therefore, edit the ipsec.conf file with the vi editor and update it with the correct IP address of the Cluster Witness server.

    Note: On the affected VPlex management server, put the correct IP address of the Cluster Witness server directly after the equals sign, with no space between the equals sign and the IP address, then save and exit the file.

Repeat steps 4 through 8 of Case 1 to resolve the issue.
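The following script is an added example; it is not part of this Dell article and not VPLEX software. It automates the comparison that the notes in Case 1 step 3 and Case 2 step 2 ask you to make by hand: given the path of an ipsec.conf and the addresses you collected with "vpn status" and "ll /cluster-witness/", it reads the right= value of each named conn section and reports OK, STALE or MISSING, and it separately flags right= lines written with whitespace around the equals sign, which the notes in steps 4 and 3 warn against. The function names, the sample file and the 192.0.2.x addresses are constructed for the example (192.0.2.0/24 is a documentation range). Run it on the Cluster Witness for witness-cluster1 and witness-cluster2, or on a management server for net-witness.

```shell
#!/bin/sh
# Added example, not part of the Dell KB article: audit the right= peer
# addresses in an ipsec.conf against the addresses collected with
# "vpn status" and "ll /cluster-witness/". Works for both cases in the
# article: run it on the Cluster Witness (conns witness-cluster1 and
# witness-cluster2) or on a management server (conn net-witness).
# Needs only POSIX sh, awk and grep.

# peer_ip FILE CONN
# Prints the right= value of section CONN in FILE (empty if not found).
# Trailing text after the address (such as the "<<==" annotations in the
# article's listings) is ignored. rightsubnet= and rightid= do not match.
peer_ip() {
    awk -v want="$2" '
        /^[[:space:]]*conn[[:space:]]+/ { cur = $2 }
        /^[[:space:]]*right[[:space:]]*=/ && cur == want {
            sub(/^[[:space:]]*right[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]].*$/, "")
            print
            exit
        }' "$1"
}

# audit_conf FILE CONN=EXPECTED_IP [CONN=EXPECTED_IP ...]
# Prints one OK/STALE/MISSING line per conn; returns 1 if anything is wrong.
audit_conf() {
    file=$1
    shift
    rc=0
    for pair in "$@"; do
        conn=${pair%%=*}
        expected=${pair#*=}
        actual=$(peer_ip "$file" "$conn")
        if [ -z "$actual" ]; then
            echo "MISSING  $conn: no right= line in section"
            rc=1
        elif [ "$actual" != "$expected" ]; then
            echo "STALE    $conn: right=$actual (expected $expected)"
            rc=1
        else
            echo "OK       $conn: right=$actual"
        fi
    done
    return $rc
}

# bad_spacing FILE
# Lists right= lines written with whitespace around the "=", which the
# article's notes tell you to avoid; returns 1 if any are present.
bad_spacing() {
    hits=$(grep -nE '^[[:space:]]*right([[:space:]]+=|=[[:space:]]+)' "$1" || true)
    [ -z "$hits" ] && return 0
    printf 'whitespace around "=" on: %s\n' "$hits"
    return 1
}

# Constructed sample (not a real configuration): a Cluster Witness
# ipsec.conf in which cluster-2 still points at an old address.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
conn witness-cluster1
        type=tunnel
        left=%defaultroute
        leftsubnet=128.221.254.3/32
        right=192.0.2.10
        auto=start

conn witness-cluster2
        type=tunnel
        left=%defaultroute
        leftsubnet=128.221.254.3/32
        right=192.0.2.99          <<== stale
        auto=start
EOF

# Expected addresses are the ones "vpn status" reported on each cluster.
audit_conf "$SAMPLE" witness-cluster1=192.0.2.10 witness-cluster2=192.0.2.20 \
    || echo "ipsec.conf has stale peer addresses; edit it and restart ipsec"
bad_spacing "$SAMPLE" || true
rm -f "$SAMPLE"
```

Run the audit once before restarting the IPsec service in step 5 and once more after editing, so that every conn reports OK; the non-zero exit status of audit_conf also makes it usable as a pre-check in a change script.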

 

Affected Products

VPLEX Series

Products

VPLEX for All Flash, VPLEX GeoSynchrony, VPLEX Series, VPLEX Sizing Tool, VPLEX Virtual Edition, VPLEX VS1, VPLEX VS2, VPLEX VS6
Article Properties
Article Number: 000168668
Article Type: Solution
Last Modified: 06 Nov 2025
Version:  3