VPLEX: 3-way VPN configuration fails due to an incorrect IP address
Summary: This article explains how to re-establish the VPN connection between the VPlex clusters and the cluster-witness when a newly assigned IP address has not been updated in the ipsec.conf file.
Symptoms
The user has changed or updated the VPlex management server IP address (cluster-1 and/or cluster-2) or the Cluster Witness IP address.
Problem description:
Configuring the 3-way VPN connection between the VPlex management servers (cluster-1 and/or cluster-2) and the Cluster Witness server fails with the following error message:
VPlexcli:/> configuration cw-vpn-configure -i xx.xx.xx.xx --force
Please enter the IP address of the remote cluster management server that will be included in the 3-way VPN setup: yy.yy.yy.yy
Verifying the VPN status between the management servers...
IPSEC is UP
Remote Management Server at IP Address yy.yy.yy.yy is reachable
Remote Internal Gateway addresses are reachable
Verifying the VPN status between the management server and the cluster witness server...
IPSEC is not UP
Cluster Witness Server at IP Address 128.221.254.3 is not reachable
Error during Cluster Witness VPN Establishment: IPSEC configuration failed: Cannot proceed to configure the Cluster Witness Server IPSec configuration. It is possible that a 3-way VPN has already been established and you have given a wrong Cluster Witness Server public IP address. Please re-run the cluster witness server vpn configuration with the right public IP address.
Resetting the Cluster Witness VPN configuration
Resetting the Cluster Witness Server VPN configuration
. . .
</truncated>
Cause
There are two scenarios in which configuration of the 3-way VPN connection between the VPlex management servers (cluster-1 and/or cluster-2) and the Cluster Witness server can fail:
- The user has changed the VPlex management server IP address (eth3) on cluster-1 and/or cluster-2, but the Cluster Witness server's IPsec configuration file still contains the old IP address of the affected management server.
and/or,
- The user has changed the Cluster Witness IP address, but the IPsec configuration file on the VPlex management server (cluster-1 and/or cluster-2) still contains the old IP address of the Cluster Witness server.
Resolution
Review the scenario details and resolution steps below to resolve this issue:
Scenario 1: The user has changed the VPlex management server IP address (eth3) on cluster-1 and/or cluster-2, but the Cluster Witness server's IPsec configuration file still contains the old IP address of the affected management server.
1. Collect the correct IP addresses assigned to the VPlex management servers (cluster-1 and cluster-2), as follows:
Cluster-1:
VPlexcli:/> vpn status
Verifying the VPN status between the management servers...
IPSEC is UP
Remote Management Server at IP Address 14N.NNN.N.NNN is reachable
Remote Internal Gateway addresses are reachable
.
</truncated>
Cluster-2:
VPlexcli:/> vpn status
Verifying the VPN status between the management servers...
IPSEC is UP
Remote Management Server at IP Address 14M.MMM.M.MMM is reachable
Remote Internal Gateway addresses are reachable
.
</truncated>
2. Connect to the Cluster Witness server over SSH using its public IP address:
   a. To find the public IP address of the Cluster Witness server, run the following VPlexcli command:
Example:
VPlexcli:/> ll /cluster-witness/
/cluster-witness:
Attributes:
Name               Value
------------------ -------------
admin-state        unknown
private-ip-address 128.221.254.3
public-ip-address  XX.XX.XX.XX   <<< Cluster-Witness server public IP-address
   b. SSH to the Cluster Witness public IP address obtained in the previous sub-step, as follows:
service@ManagementServer:~> ssh <cluster-witness-public-IP-address>
Example:
service@ManagementServer:~> ssh xx.xx.xx.xx   >> cluster-witness-public-IP-address
Warning: Permanently added 'xx.xx.xx.xx' (ECDSA) to the list of known hosts.
Last login: Mon Jun 06 15:33:14 2016 from xx.xx.xx.xx
service@ClusterWitness:~>
3. Run cat on the ipsec.conf file and search for the VPlex management server cluster-1 and cluster-2 IP addresses, as follows:
Reminder: before performing step 3, use the vpn status output from step 1 to confirm the actual IP addresses of the VPlex management servers. Once collected, compare them with the ipsec.conf file shown below to check whether they match. Example:
service@ClusterWitness:~> cat /etc/ipsec.conf
# Add connections here.
# Setup a tunnel between the management servers and the Cluster Witness Server
# "left" means local, "right" means remote.
# Connection between Cluster Witness Server and Management Server
conn witness-cluster2
    type=tunnel
    keyexchange=ikev2
    mobike=no
    reauth=no
    left=%defaultroute
    leftsubnet=128.221.254.3/32
    leftcert=hostCert.pem
    right=15Y.YYY.Y.YYY   <<========== Old/incorrect IP address of VPlex management server-2
    rightsubnet=128.221.252.64/27,128.221.253.64/27
    rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKxxxxxxxxxxxx, E=support@emc.com"
    ike=3des-sha256-modp2048
    esp=aes256-sha256
    auto=start
# Connection between Cluster Witness Server and Management Server
conn witness-cluster1
    type=tunnel
    keyexchange=ikev2
    mobike=no
    reauth=no
    left=%defaultroute
    leftsubnet=128.221.254.3/32
    leftcert=hostCert.pem
    right=15X.XXX.X.XXX   <<========== Old/incorrect IP address of VPlex management server-1
    rightsubnet=128.221.252.32/27,128.221.253.32/27
    rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKyyyyyyyyyyyy, E=support@emc.com"
    ike=3des-sha256-modp2048
    esp=aes256-sha256
    auto=start
4. In the example above, the cluster-witness ipsec.conf file still carries the old IP addresses of VPlex management server-1 and management server-2. Therefore, edit the ipsec.conf file on the Cluster Witness server with the vi editor and update it with the correct IP addresses of VPlex cluster-1 and cluster-2.
Reminder: place the correct IP addresses of VPlex cluster-1 and cluster-2 after the equals sign, with no space between the equals sign and the IP address, then save and exit the file. Example:
service@ClusterWitness:~> vi /etc/ipsec.conf
# Add connections here.
# Setup a tunnel between the management servers and the Cluster Witness Server
# "left" means local, "right" means remote.
# Connection between Cluster Witness Server and Management Server
conn witness-cluster1
    type=tunnel
    keyexchange=ikev2
    mobike=no
    reauth=no
    left=%defaultroute
    leftsubnet=128.221.254.3/32
    leftcert=hostCert.pem
    right=14M.MMM.M.MMM   <<========== Add/update the correct IP address of VPlex cluster-1.
    rightsubnet=128.221.252.32/27,128.221.253.32/27
    rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKyyyyyyyyyyyy, E=support@emc.com"
    ike=3des-sha256-modp2048
    esp=aes256-sha256
    auto=start
# Connection between Cluster Witness Server and Management Server
conn witness-cluster2
    type=tunnel
    keyexchange=ikev2
    mobike=no
    reauth=no
    left=%defaultroute
    leftsubnet=128.221.254.3/32
    leftcert=hostCert.pem
    right=14N.NNN.N.NNN   <<========== Add/update the correct IP address of VPlex cluster-2.
    rightsubnet=128.221.252.64/27,128.221.253.64/27
    rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN: CKxxxxxxxxxxxx, E=support@emc.com"
    ike=3des-sha256-modp2048
    esp=aes256-sha256
    auto=start
5. Restart the IPsec service on the Cluster Witness server and on the VPlex management servers (cluster-1 and cluster-2), as follows:
service@ClusterWitness:~> sudo /usr/sbin/ipsec restart
service@ManagementServer:~> sudo /usr/sbin/ipsec restart
   a. Verify the status of the IPsec service, as follows:
service@ClusterWitness:~> sudo /usr/sbin/ipsec status
service@ManagementServer:~> sudo /usr/sbin/ipsec status
6. Re-run the following command to reconfigure the 3-way VPN connection between the VPlex management servers and the Cluster Witness server, as follows:
Example:
From VPlexcli on cluster-1:
VPlexcli:/> configuration cw-vpn-configure -i <cluster-witness-public-IP> --force
Then from VPlexcli on cluster-2:
VPlexcli:/> configuration cw-vpn-configure -i <cluster-witness-public-IP> --force
7. After the previous step has been run on cluster-1 and cluster-2, verify the cluster-witness status, as follows:
Example:
VPlexcli:/> ll /cluster-witness/*
/cluster-witness/components:
Name       ID  Admin State  Operational State    Mgmt Connectivity
---------  --  -----------  -------------------  -----------------
cluster-1  1   enabled      in-contact           ok
cluster-2  2   enabled      in-contact           ok
server     -   enabled      clusters-in-contact  ok
8. Check the VPN connection with the vpn status command (on cluster-1 and cluster-2), as follows:
Example:
Cluster-1:
VPlexcli:/> vpn status
Verifying the VPN status between the management servers...
IPSEC is UP
Remote Management Server at IP Address 14N.NNN.N.NNN is reachable
Remote Internal Gateway addresses are reachable
Verifying the VPN status between the management server and the cluster witness server...
IPSEC is UP
Cluster Witness Server at IP Address 128.221.254.3 is reachable
Cluster-2:
VPlexcli:/> vpn status
Verifying the VPN status between the management servers...
IPSEC is UP
Remote Management Server at IP Address 14M.MMM.M.MMM is reachable
Remote Internal Gateway addresses are reachable
Verifying the VPN status between the management server and the cluster witness server...
IPSEC is UP
Cluster Witness Server at IP Address 128.221.254.3 is reachable
Scenario 2: The user has changed the Cluster Witness IP address, but the IPsec configuration file on the VPlex management server (cluster-1 and/or cluster-2) still contains the old IP address of the Cluster Witness server.
9. Verify the correct Cluster Witness public IP address with the following command:
VPlexcli:/> ll /cluster-witness/**
/cluster-witness:
Attributes:
Name               Value
------------------ -------------
admin-state        enabled
private-ip-address 128.221.254.3
public-ip-address  xx.xx.xx.65   <<< Cluster-Witness server public IP-address
Contexts:
Name        Description
----------  --------------------------
components  Cluster Witness Components
10. On the VPlex management server (cluster-1 or cluster-2), look at the ipsec.conf file, as follows:
Reminder: before performing step 10, confirm the actual Cluster Witness public IP address from the output of step 9. Once collected, compare it with the ipsec.conf file shown below to check whether it matches. Example:
service@Managementserver:~> cat /etc/ipsec.conf   >> Cluster-1
# Add connections here.
# Setup a tunnel between the management servers and their networks
# "left" means local, "right" means remote.
# Connection between Cluster Witness Server and Management Server
conn net-witness
    type=tunnel
    keyexchange=ikev2
    mobike=no
    reauth=no
    left=%defaultroute
    leftsubnet=128.221.252.64/27,128.221.253.64/27
    leftcert=hostCert.pem
    right=xx.xx.xx.45   <<========== Old/incorrect IP address of cluster-witness
    rightsubnet=128.221.254.3/32
    rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN CWS, E=support@emc.com"
    ike=3des-sha256-modp2048
    esp=aes128-sha1
    auto=start
# Connection between Management Server 1 and Management Server 2
conn net-net
    type=tunnel
    keyexchange=ikev2
    mobike=no
    reauth=no
    left=%defaultroute
    leftsubnet=128.221.252.64/27,128.221.253.64/27
    leftcert=hostCert.pem
    right=14N.NNN.N.NNN   <<========== IP address of remote management server
    rightsubnet=128.221.252.32/27,128.221.253.32/27
    rightid="C=US, ST=Massachusetts, O=EMC, OU=EMC, CN=VPlex VPN:CKxxxxxxxxxxxx, E=support@emc.com"
    ike=3des-sha256-modp2048
    esp=aes256-sha256
    auto=start
11. In the example above, the ipsec.conf file on the VPlex management server (cluster-1 and/or cluster-2) still carries the old IP address of the Cluster Witness server. Therefore, edit the ipsec.conf file with the vi editor and update it with the correct IP address of the Cluster Witness server.
Reminder: on the affected VPlex management server, place the correct IP address of the Cluster Witness server after the equals sign, with no space between the equals sign and the IP address, then save and exit the file.
Repeat steps 4 to 8 from scenario 1 to resolve the issue.
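The manual comparison in steps 3 and 10 (checking each conn's right= address against the addresses now reported by vpn status and ll /cluster-witness/) can be done mechanically. The following script is an added example, not part of this article or of VPLEX; the ipsec.conf text and the "current" addresses it uses are constructed, and the conn names follow the article's examples.

```python
"""Flag ipsec.conf conns whose right= peer address no longer matches the
address currently in use (the stale-address condition in this article).
Added example; the sample configuration and addresses are constructed."""
import re

# Constructed sample: a Cluster Witness /etc/ipsec.conf in which the
# cluster-2 entry still carries an old management server address.
SAMPLE_WITNESS_IPSEC_CONF = """\
# Connection between Cluster Witness Server and Management Server
conn witness-cluster1
    type=tunnel
    left=%defaultroute
    leftsubnet=128.221.254.3/32
    right=192.0.2.11
    rightsubnet=128.221.252.32/27,128.221.253.32/27
    auto=start
conn witness-cluster2
    type=tunnel
    left=%defaultroute
    leftsubnet=128.221.254.3/32
    right=192.0.2.99
    rightsubnet=128.221.252.64/27,128.221.253.64/27
    auto=start
"""

# Constructed: addresses that vpn status currently reports for each peer.
CURRENT_PEERS = {"witness-cluster1": "192.0.2.11", "witness-cluster2": "192.0.2.22"}


def parse_conns(text: str) -> dict:
    """Return {conn name: {key: value}} for every conn section; '#' comments are skipped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def stale_peers(text: str, current: dict) -> list:
    """List conns whose right= value differs from the address now in use."""
    conns = parse_conns(text)
    return [f"{name}: right={conns.get(name, {}).get('right')} but current address is {ip}"
            for name, ip in current.items() if conns.get(name, {}).get("right") != ip]


if __name__ == "__main__":
    for problem in stale_peers(SAMPLE_WITNESS_IPSEC_CONF, CURRENT_PEERS):
        print(problem)
```

On a real system, replace the constructed text with the contents of /etc/ipsec.conf and the CURRENT_PEERS values with the addresses read from vpn status (scenario 1) or ll /cluster-witness/ (scenario 2, where the conn to check is net-witness).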