
CN118175011A - VPN diagnosis method, management node and associated VPN node - Google Patents


Info

Publication number
CN118175011A
Authority
CN
China
Prior art keywords
vpn
node
link
nodes
diagnosis
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202410140988.5A
Other languages
Chinese (zh)
Inventor
刘慧�
伍力伟
李朝阳
周确
张琼宇
刘雄
蒋名权
李杨
张伟
刘莹
董宝江
黄钟
刘四超
江国兵
黄制兵
刘灵通
吴志兵
余文亮
张乐
高博约
张龙
吴艳初
杨志敏
操伟
陈学东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp
Original Assignee
Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp
Application filed by Wuhan Ship Communication Research Institute 722 Research Institute Of China Shipbuilding Corp
Priority to CN202410140988.5A
Publication of CN118175011A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure provides a VPN diagnostic method, a management node and an associated VPN node. The method comprises the following steps: the management node determines associated VPN nodes associated with VPN nodes at two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request; the management node determines at least two associated VPN nodes associated with a first node, wherein the first node is any endpoint of the VPN link to be diagnosed; the management node sends diagnosis instructions to the at least two associated VPN nodes; the management node receives diagnosis results returned by the at least two associated VPN nodes; the management node transmits a diagnosis instruction to the first node; and the management node outputs VPN diagnosis results based on the diagnosis results returned by the at least two associated VPN nodes and whether the first node returns the diagnosis results or not.

Description

VPN diagnosis method, management node and associated VPN node
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a VPN diagnostic method, a management node, and an associated VPN node.
Background
A virtual private network (Virtual Private Network, VPN) establishes a private network over a public network for encrypted communication, typically using a tunneling protocol (Tunneling Protocol) to set up a virtual private link between the two communicating ends according to rules configured by an administrator. The state of a VPN link determines communication quality, and VPN link diagnosis allows a fault to be located and communication restored quickly.
Existing diagnosis techniques derive a fault type from the state of the two endpoints of the VPN link; when the network is unreachable or similar problems occur, they cannot tell which end is actually at fault, and manual intervention is needed for further judgment.
Disclosure of Invention
The embodiment of the disclosure provides a VPN diagnosis method, a management node and an associated VPN node. The technical scheme is as follows:
In a first aspect, embodiments of the present disclosure provide a VPN diagnostic method, the method comprising:
the management node determines associated VPN nodes associated with VPN nodes at two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request;
The management node determines at least two associated VPN nodes associated with a first node, wherein the first node is any endpoint of the VPN link to be diagnosed;
the management node sends diagnosis instructions to the at least two associated VPN nodes;
the management node receives diagnosis results returned by the at least two associated VPN nodes;
The management node transmits a diagnosis instruction to the first node;
and the management node outputs VPN diagnosis results based on the diagnosis results returned by the at least two associated VPN nodes and whether the first node returns the diagnosis results or not.
Optionally, the management node determines, according to the VPN link to be diagnosed indicated by the diagnosis request, an associated VPN node associated with VPN nodes at both ends of the VPN link to be diagnosed, including:
The management node determines VPN nodes at two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request;
And the management node searches VPN nodes at two ends of the VPN link to be diagnosed in VPN rule information, determines nodes with VPN links between the VPN nodes at two ends of the VPN link to be diagnosed, and obtains associated VPN nodes associated with the VPN nodes at two ends of the VPN link to be diagnosed.
Optionally, the management node outputs a VPN diagnostic result based on the diagnostic result returned by the at least two associated VPN nodes and whether the first node returns the diagnostic result, including:
if the diagnosis results returned by the at least two associated VPN nodes are all faults and the first node does not return a diagnosis result, the management node determines that the network from the first node to the network access point has failed;
if the diagnosis results returned by the at least two associated VPN nodes are all faults and the first node returns a diagnosis result, the management node determines that the network from the first node to the network access point is normal but the first node itself is faulty;
if the diagnosis result returned by at least one of the at least two associated VPN nodes is normal and the first node does not return a diagnosis result, the management node determines that the network from the first node to the network access point is normal, but the network from the first node to some VPN nodes and the network from the first node to the management node have failed;
and if the diagnosis result returned by at least one of the at least two associated VPN nodes is normal and the first node returns a diagnosis result, the management node outputs the diagnosis result returned by the first node.
Optionally, the method further comprises:
and under the condition that the number of the associated VPN nodes associated with the first node is smaller than 2, the management node outputs a diagnosis result returned by the first node.
In a second aspect, embodiments of the present disclosure provide a VPN diagnostic method, the method comprising:
An associated VPN node receives a diagnosis instruction sent by a management node, wherein the associated VPN node is associated with a first node and the first node is either of the VPN nodes at the two ends of the VPN link to be diagnosed;
the associated VPN node diagnoses the associated VPN links from the associated VPN node to the VPN nodes at the two ends of the VPN link to be diagnosed;
And the associated VPN node sends a diagnosis result to the management node so that the management node outputs a VPN diagnosis result based on the diagnosis result returned by the associated VPN node and whether the first node returns the diagnosis result or not.
Optionally, the diagnosing, by the associated VPN node, an associated VPN link between the associated VPN node and VPN nodes at both ends of the VPN link to be diagnosed includes:
the associated VPN node determines whether node addresses at two ends of the associated VPN link accord with VPN rules or not;
under the condition that node addresses at two ends of the associated VPN link accord with VPN rules, the associated VPN node constructs a data packet for detection;
if a probe response packet is received, the associated VPN node determines that the associated VPN link is normal; if no probe response packet is received, the associated VPN node determines that the associated VPN link has failed.
Optionally, the diagnosing, by the associated VPN node, an associated VPN link between the associated VPN node and VPN nodes at both ends of the VPN link to be diagnosed, further includes:
Under the condition that node addresses at two ends of the associated VPN link do not accord with VPN rules, the associated VPN node counts the flow of the associated VPN link;
under the condition that the associated VPN link has bidirectional traffic, the associated VPN node determines that the associated VPN link is normal;
Under the condition that the associated VPN link does not have bidirectional traffic but the node at the other end of the associated VPN link survives, the associated VPN node determines that the associated VPN link is normal;
if the associated VPN link has no bidirectional traffic and the node at the other end of the associated VPN link is not alive, the associated VPN node determines that the associated VPN link has failed.
In a third aspect, embodiments of the present disclosure provide a management node, the management node comprising:
The determining module is used for determining associated VPN nodes associated with VPN nodes at two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request; determining at least two associated VPN nodes associated with a first node, wherein the first node is any endpoint of the VPN link to be diagnosed;
A sending module, configured to send a diagnostic instruction to the at least two associated VPN nodes;
The receiving module is used for receiving diagnosis results returned by the at least two associated VPN nodes;
The sending module is further configured to send a diagnostic instruction to the first node;
And the output module is used for outputting VPN diagnosis results based on the diagnosis results returned by the at least two associated VPN nodes and whether the first node returns the diagnosis results or not.
In a fourth aspect, an embodiment of the present disclosure provides an associated VPN node, where the associated VPN node is associated with a first node, the first node is either of the VPN nodes at the two ends of a VPN link to be diagnosed, and the associated VPN node includes:
the receiving module is used for receiving the diagnosis instruction sent by the management node;
The diagnosis module is used for diagnosing the associated VPN links between the associated VPN nodes and the VPN nodes at the two ends of the VPN link to be diagnosed;
And the sending module is used for sending the diagnosis result to the management node so that the management node outputs the VPN diagnosis result based on the diagnosis result returned by the associated VPN node and whether the first node returns the diagnosis result or not.
In a fifth aspect, embodiments of the present disclosure provide a computer device comprising: a processor; a memory configured to store processor-executable instructions; wherein the processor is configured to perform the VPN diagnostic method of either the first aspect or the second aspect.
In a sixth aspect, embodiments of the present disclosure provide a computer-readable storage medium storing instructions which, when executed by a processor of a computer device, cause the computer device to perform the VPN diagnostic method of any one of the first or second aspects.
The technical scheme provided by the embodiment of the disclosure has the beneficial effects that:
In the embodiments of the disclosure, VPN diagnosis is carried out by a management node. The management node first determines the VPN nodes associated with an endpoint of the VPN link to be diagnosed and sends them a diagnosis instruction, so that each associated VPN node diagnoses its own link to that endpoint; at the same time, the management node also sends a diagnosis instruction to the endpoint itself. Finally, the management node derives the diagnosis result for the VPN link from the results returned by the at least two associated VPN nodes and from whether the first node returns a result at all. This approach considers not only the two endpoints of the VPN link but also uses the results of other nodes that have links to those endpoints to classify the link fault, so that even when an endpoint of the VPN link to be diagnosed is unreachable, the fault can still be judged from the results of those other nodes, ensuring automated and accurate VPN link diagnosis.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings required for the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to these drawings without inventive effort for a person of ordinary skill in the art.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present disclosure;
fig. 2 is a flowchart of a VPN diagnostic method provided in an embodiment of the present disclosure;
fig. 3 is a flowchart of a VPN diagnostic method provided in an embodiment of the present disclosure;
fig. 4 is a flowchart of a VPN diagnostic method provided by an embodiment of the present disclosure;
fig. 5 is a flowchart of a VPN node diagnostic method provided by an embodiment of the present disclosure;
fig. 6 is a flowchart of a VPN link failure cause diagnosis method according to an embodiment of the present disclosure;
FIG. 7 is a schematic structural diagram of a management node according to an embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of a VPN node provided in an embodiment of the present disclosure;
Fig. 9 is a block diagram of a computer device according to an embodiment of the present disclosure.
Detailed Description
For the purposes of clarity, technical solutions and advantages of the present disclosure, the following further details the embodiments of the present disclosure with reference to the accompanying drawings.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present disclosure. Referring to Fig. 1, the application scenario includes a management node (also called a central management node) and a plurality of VPN nodes. The VPN nodes are connected by physical links, each VPN node typically accesses the Internet through a single network interface, and VPN links are established by negotiation.
The management node is connected to all VPN nodes over the physical network. It stores all VPN rule information and performs fault diagnosis with a VPN link as the object.
The VPN rule information includes information of each VPN link in the network, including VPN link endpoint node information, VPN link parameter information, and the like.
As shown in fig. 1, when a VPN link fails, a user selects the failed VPN link on a management node to perform diagnosis, and nodes on both sides of the failed VPN link (shown by dotted lines in fig. 1) are referred to as a first VPN node and a second VPN node, respectively.
The management node retrieves all VPN rule information and finds the other VPN nodes associated with the first VPN node and the second VPN node, referred to as first associated VPN nodes and second associated VPN nodes, respectively. A first associated VPN node is a node associated with the first VPN node, i.e. the first associated VPN nodes A-D in Fig. 1; the VPN link between a first associated VPN node and the first VPN node is called an associated VPN link. A second associated VPN node is a node associated with the second VPN node, i.e. the second associated VPN nodes A-C in Fig. 1; the VPN link between a second associated VPN node and the second VPN node is likewise called an associated VPN link. The bold lines in Fig. 1 show the associated VPN links.
Fig. 2 is a flowchart of a VPN diagnostic method provided in an embodiment of the present disclosure. Referring to fig. 2, the method includes the steps of:
101: and the management node determines associated VPN nodes associated with the VPN nodes at the two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request.
Taking Fig. 1 as an example, the VPN nodes at the two ends of the VPN link are the first VPN node and the second VPN node, and the associated VPN nodes are the first associated VPN nodes A-D and the second associated VPN nodes A-C.
The diagnosis request may be generated automatically when a link failure occurs, or a user may initiate the diagnosis on a link failure. Illustratively, all VPN links managed by the management node are presented to the user as an interconnection topology; the user only needs to locate the failed link in that topology and can initiate a diagnosis request for the link to the management node with a single click.
The diagnostic request includes VPN link information to be diagnosed, such as an identification or endpoint information of the VPN link to be diagnosed.
102: The management node determines at least two associated VPN nodes associated with a first node, the first node being any endpoint of the VPN link to be diagnosed.
When the first node has more than two associated VPN nodes, at least two of them may be selected at random.
When the first node has exactly two associated VPN nodes, both are selected.
Taking fig. 1 as an example, the first VPN node and the second VPN node are both first nodes in step 102, and the management node may first use the first VPN node as an object to execute steps 102 to 106; steps 102 to 106 are then performed with the second VPN node as the object.
103: The management node sends diagnostic instructions to the at least two associated VPN nodes.
The diagnostic instructions are used for indicating the associated VPN node to diagnose the associated link, wherein the associated link refers to the link between the associated VPN node and the first node.
104: And the management node receives diagnosis results returned by the at least two associated VPN nodes.
105: The management node transmits a diagnostic instruction to the first node.
The diagnostic instruction is used for indicating the first node to diagnose the VPN link to be diagnosed.
106: And the management node outputs VPN diagnosis results based on the diagnosis results returned by the at least two associated VPN nodes and whether the first node returns the diagnosis results or not.
In the embodiments of the disclosure, VPN diagnosis is carried out by a management node. The management node first determines the VPN nodes associated with an endpoint of the VPN link to be diagnosed and sends them a diagnosis instruction, so that each associated VPN node diagnoses its own link to that endpoint; at the same time, the management node also sends a diagnosis instruction to the endpoint itself. Finally, the management node derives the diagnosis result for the VPN link from the results returned by the at least two associated VPN nodes and from whether the first node returns a result at all. This approach considers not only the two endpoints of the VPN link but also uses the results of other nodes that have links to those endpoints to classify the link fault, so that even when an endpoint of the VPN link to be diagnosed is unreachable, the fault can still be judged from the results of those other nodes, ensuring automated and accurate VPN link diagnosis.
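As an added example (not the patent's code), the management-node side of steps 101-106 and of the associated-node lookup in steps 301-302, including the step 106 decision table, in Python. VPN rule information is modelled as a list of (endpoint, endpoint) link tuples mirroring Fig. 1, and the diagnosis instructions to the associated nodes and to the first node are stubbed by callables; excluding the other endpoint of the link under diagnosis when selecting associated nodes is an assumption.

```python
"""Management-node VPN diagnosis (steps 101-106 / 301-309). Added example."""
import random
from typing import Callable, Dict, List, Optional, Set, Tuple

Link = Tuple[str, str]

# Constructed VPN rule information mirroring Fig. 1: the link under diagnosis
# is N1-N2, N1 has associated nodes A1-A4 and N2 has associated nodes B1-B3.
VPN_RULES: List[Link] = [
    ("N1", "N2"),
    ("N1", "A1"), ("N1", "A2"), ("N1", "A3"), ("N1", "A4"),
    ("N2", "B1"), ("N2", "B2"), ("N2", "B3"),
]


def endpoints_of(rules: List[Link], link: Link) -> Link:
    """Step 301: resolve the requested link to its two endpoint nodes."""
    a, b = link
    if (a, b) in rules or (b, a) in rules:
        return a, b
    raise ValueError(f"link {a}-{b} is not in the VPN rule information")


def associated_nodes(rules: List[Link], node: str) -> Set[str]:
    """Step 302: every node that has a VPN link with `node` in the rule info."""
    assoc: Set[str] = set()
    for a, b in rules:
        if a == node:
            assoc.add(b)
        elif b == node:
            assoc.add(a)
    return assoc


def select_associated(rules: List[Link], first: str, other: str,
                      rng: Optional[random.Random] = None) -> List[str]:
    """Steps 102/303: choose at least two associated nodes of `first`.

    Assumption: the other endpoint of the link under diagnosis is excluded,
    as in Fig. 1 where nodes A-D do not include the second VPN node. With
    exactly two candidates both are used; with more, two are picked at random.
    """
    candidates = sorted(associated_nodes(rules, first) - {other})
    if len(candidates) <= 2:
        return candidates
    return (rng or random).sample(candidates, 2)


def endpoint_verdict(assoc_results: Dict[str, str],
                     first_result: Optional[str]) -> str:
    """Step 106 decision table for one endpoint.

    `assoc_results` maps associated node -> "normal"/"fault" for its link to
    the first node; `first_result` is None when the first node never answered.
    """
    if len(assoc_results) < 2:                       # step 309 fallback
        return f"first node result: {first_result}"
    all_fault = all(r == "fault" for r in assoc_results.values())
    if all_fault and first_result is None:
        return "network from first node to access point failed"
    if all_fault:
        return "network to access point normal, but first node is faulty"
    if first_result is None:
        return ("network to access point normal, but links from first node "
                "to some VPN nodes and to the management node failed")
    return f"first node result: {first_result}"


def diagnose_link(rules: List[Link], link: Link,
                  probe_assoc: Callable[[str, str], str],
                  probe_first: Callable[[str], Optional[str]],
                  rng: Optional[random.Random] = None) -> Dict[str, str]:
    """Run steps 101-106 once per endpoint and return a verdict for each.

    probe_assoc(assoc, first) stands for steps 103/104 (instruction to an
    associated node and its result for the assoc-first link); probe_first(first)
    stands for step 105 and yields None when the endpoint does not reply.
    """
    a, b = endpoints_of(rules, link)
    verdicts: Dict[str, str] = {}
    for first, other in ((a, b), (b, a)):
        chosen = select_associated(rules, first, other, rng)
        assoc = ({n: probe_assoc(n, first) for n in chosen}
                 if len(chosen) >= 2 else {})
        verdicts[first] = endpoint_verdict(assoc, probe_first(first))
    return verdicts


# Constructed scenario: N1 has lost its uplink, so every probe toward N1 fails
# and N1 cannot answer the management node; N2 is reachable and reports the
# N1-N2 link as faulty.
def demo_probe_assoc(assoc: str, first: str) -> str:
    return "fault" if first == "N1" else "normal"


def demo_probe_first(first: str) -> Optional[str]:
    return None if first == "N1" else "fault: VPN link related problem"


def demo() -> Dict[str, str]:
    return diagnose_link(VPN_RULES, ("N1", "N2"),
                         demo_probe_assoc, demo_probe_first, random.Random(1))


if __name__ == "__main__":
    for node, verdict in demo().items():
        print(f"{node}: {verdict}")
```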
Fig. 3 is a flowchart of a VPN diagnostic method provided in an embodiment of the present disclosure. Referring to fig. 3, the method includes the steps of:
201: the associated VPN node receives the diagnosis instruction sent by the management node.
The associated VPN node is associated with a first node, where the first node is either of the VPN nodes at the two ends of the VPN link to be diagnosed. That is, the VPN node performing this method is an associated VPN node.
202: And the associated VPN node diagnoses the associated VPN link between the associated VPN node and the VPN nodes at the two ends of the VPN link to be diagnosed.
203: And the associated VPN node sends a diagnosis result to the management node so that the management node outputs a VPN diagnosis result based on the diagnosis result returned by the associated VPN node and whether the first node returns the diagnosis result or not.
In the embodiments of the disclosure, a VPN node receives a diagnosis instruction from the management node and, based on it, diagnoses a first link, namely the link between this VPN node and the VPN nodes at the two ends of the VPN link to be diagnosed, so that the endpoints of the VPN link to be diagnosed are themselves diagnosed. When the diagnosis is complete it sends the result to the management node, which derives the diagnosis result for the VPN link from the results returned by the at least two associated VPN nodes and from whether the first node returns a result at all. This approach considers not only the two endpoints of the VPN link but also uses the results of other nodes that have links to those endpoints to classify the link fault, so that even when an endpoint of the VPN link to be diagnosed is unreachable, the fault can still be judged from the results of those other nodes, ensuring automated and accurate VPN link diagnosis.
Fig. 4 is a flowchart of a VPN diagnostic method provided in an embodiment of the present disclosure. Referring to fig. 4, the method includes the steps of:
301: and the management node determines VPN nodes at two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request.
302: And the management node searches VPN nodes at two ends of the VPN link to be diagnosed in VPN rule information, determines nodes with VPN links between the VPN nodes at two ends of the VPN link to be diagnosed, and obtains associated VPN nodes associated with the VPN nodes at two ends of the VPN link to be diagnosed.
Executing step 303 in case the number of associated VPN nodes associated with the first node is not less than 2;
in case the number of associated VPN nodes associated with the first node is smaller than 2, step 309 is performed.
303: The management node determines at least two associated VPN nodes associated with a first node, the first node being any endpoint of the VPN link to be diagnosed.
304: The management node sends diagnosis instructions to the at least two associated VPN nodes; the associated VPN node receives the diagnosis instruction sent by the management node.
305: And diagnosing the associated VPN links between the associated VPN nodes and the VPN nodes at the two ends of the VPN link to be diagnosed by the associated VPN nodes.
In the embodiments of the disclosure, after receiving a diagnosis instruction from the management node, a VPN node starts its local VPN link diagnosis flow and returns the result to the central management node. Diagnosis instructions are issued per VPN link, so a single VPN node may receive diagnosis instructions for several VPN links at once. A VPN node's diagnosis result is either normal or fault, and faults are classified into three types: VPN link related problems, network configuration related problems, and network on-off related problems.
A VPN link related problem is a problem in negotiating the VPN link between the two nodes; a network configuration related problem concerns routing configuration and the like; a network on-off related problem means that the physical link is not up.
Fig. 5 is a flowchart of a VPN node diagnosis method according to an embodiment of the present disclosure. Referring to fig. 5, step 305 may include:
351: and the associated VPN node determines whether node addresses at two ends of the associated VPN link accord with VPN rules.
For example, the node addresses at both ends of the associated VPN link are compared with the link addresses in the VPN rule; if they match, the addresses conform to the rule.
Executing step 352 under the condition that the node addresses at the two ends of the associated VPN link accord with VPN rules;
in case the node addresses at both ends of the associated VPN link do not meet VPN rules, step 353 is performed.
352: And constructing a data packet by the associated VPN node for detection.
The constructed data packet is also referred to here as a probe request packet, and the packet received in return as a probe response packet. Because the source and destination addresses of the probe packets conform to the VPN rules, the probe packets are protected by the VPN link in the same way as ordinary data packets, with confidentiality and integrity protection; the existing VPN security link is thus reused and no additional, more complex probing mechanism is needed. If a probe response packet is received, the VPN link is judged normal; otherwise the VPN link is judged to have failed.
That is, if a probe response packet is received, the associated VPN link is determined to be normal; if no probe response packet is received, the associated VPN link is determined to have failed.
Optionally, an incrementing sequence number is carried in each request packet and the corresponding sequence number is returned in the response packet, so as to guard against replay and packet loss.
353: And the associated VPN node counts the traffic of the associated VPN link.
Illustratively, the associated VPN node counts the traffic of the VPN link over the most recent period. After establishing the VPN link, the VPN node continuously records the change in bidirectional traffic within each specified time interval, and when bidirectional traffic needs to be checked this record is consulted. If the recorded bidirectional traffic change is greater than 0, bidirectional packets have passed over the communication link. If it is 0, the node waits one specified time interval and checks the change value again; if it is now non-zero, the link is judged normal.
That is, in the case that there is bidirectional traffic for the associated VPN link, determining that the associated VPN link is normal;
Step 354 is performed in the event that there is no bi-directional traffic for the associated VPN link.
The bidirectional traffic refers to traffic from the associated VPN node to the node at the other end of the associated VPN link and traffic from the node at the other end of the associated VPN link to the associated VPN node.
354: The associated VPN node detects whether a node at the other end of the associated VPN link survives.
Illustratively, Dead Peer Detection (DPD) is used to probe the peer VPN node of the link to determine whether it is alive.
Determining that the associated VPN link is normal under the condition that the associated VPN link does not have bidirectional traffic but a node at the other end of the associated VPN link survives; and determining that the associated VPN link fails under the condition that the associated VPN link does not have bidirectional traffic and the node at the other end of the associated VPN link does not survive.
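As an added example (not from the patent), the associated-node local link diagnosis of steps 351-354 in Python, including the optional sequence-number check on probe responses. The probe transport, the traffic counters and the DPD check are injected as callables so the flow runs offline; reading "bidirectional traffic" as both counters having increased within the interval is an assumption.

```python
"""Associated-node local VPN link diagnosis (steps 351-354). Added example."""
import itertools
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Optional, Tuple


@dataclass
class Rule:
    """One VPN rule: the configured local and peer addresses of a link."""
    local: str
    peer: str


@dataclass
class LinkProbe:
    """Step 352 probe exchange over the VPN link.

    `send` carries a request with a sequence number through the tunnel and
    returns the sequence number echoed in the response, or None on timeout.
    """
    send: Callable[[int], Optional[int]]
    _seq: Iterator[int] = field(default_factory=lambda: itertools.count(1))

    def probe(self) -> bool:
        seq = next(self._seq)
        echoed = self.send(seq)
        # Only a response carrying this request's sequence number counts; a
        # stale or replayed response is treated like no response at all.
        return echoed == seq


def addresses_match_rule(rules: List[Rule], local: str, peer: str) -> bool:
    """Step 351: both endpoint addresses must match a configured VPN rule."""
    return any(r.local == local and r.peer == peer for r in rules)


def diagnose_associated_link(rules: List[Rule], local: str, peer: str,
                             probe: LinkProbe,
                             traffic_delta: Callable[[], Tuple[int, int]],
                             peer_alive: Callable[[], bool],
                             wait: Callable[[], None] = lambda: None) -> str:
    """Steps 351-354 for one associated VPN link; returns "normal" or "fault".

    traffic_delta() returns (bytes sent, bytes received) over the last
    interval; peer_alive() is the DPD check. Assumption: "bidirectional
    traffic" means both counters increased in the interval.
    """
    if addresses_match_rule(rules, local, peer):
        return "normal" if probe.probe() else "fault"            # step 352
    # Step 353: addresses do not fit a rule, fall back to traffic statistics.
    sent, received = traffic_delta()
    if sent > 0 and received > 0:
        return "normal"
    wait()                            # wait one interval and check again
    sent, received = traffic_delta()
    if sent > 0 and received > 0:
        return "normal"
    # Step 354: no bidirectional traffic, ask DPD whether the peer is alive.
    return "normal" if peer_alive() else "fault"


def demo() -> Dict[str, str]:
    """Constructed scenarios covering each branch of the flow."""
    rules = [Rule("10.0.0.1", "10.0.0.2")]         # constructed sample rule
    echo = LinkProbe(send=lambda seq: seq)         # peer echoes our sequence number
    replay = LinkProbe(send=lambda seq: 0)         # peer replays an old response
    silent = LinkProbe(send=lambda seq: None)      # no response at all
    no_traffic = lambda: (0, 0)
    some_traffic = lambda: (500, 400)
    return {
        "rule_match_echo": diagnose_associated_link(
            rules, "10.0.0.1", "10.0.0.2", echo, no_traffic, lambda: False),
        "rule_match_replay": diagnose_associated_link(
            rules, "10.0.0.1", "10.0.0.2", replay, no_traffic, lambda: True),
        "rule_match_silent": diagnose_associated_link(
            rules, "10.0.0.1", "10.0.0.2", silent, some_traffic, lambda: True),
        "no_rule_traffic": diagnose_associated_link(
            rules, "10.0.0.1", "10.0.0.9", silent, some_traffic, lambda: False),
        "no_rule_dpd_alive": diagnose_associated_link(
            rules, "10.0.0.1", "10.0.0.9", silent, no_traffic, lambda: True),
        "no_rule_dead": diagnose_associated_link(
            rules, "10.0.0.1", "10.0.0.9", silent, no_traffic, lambda: False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that when the addresses match a rule the traffic and DPD checks are never consulted, so a replayed or missing probe response alone yields "fault".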
Optionally, when the associated VPN link fails, the method may further include:
the associated VPN node diagnoses the cause of the associated VPN link failure and reports it back to the management node in the diagnosis result.
Fig. 6 is a flowchart of a VPN link failure cause diagnosis method according to an embodiment of the present disclosure. Referring to fig. 6, diagnosing the cause of the associated VPN link failure may include:
355: The associated VPN node checks the status of its own outgoing network interface.
If the outgoing network interface has failed (link down or another fault), the cause of the failure is determined to be a network on-off related problem. If the outgoing network interface is normal, step 356 is performed.
356: The associated VPN node initiates link establishment negotiation with the peer node of the link judged to have failed.
During link establishment negotiation the two parties exchange and check information such as their VPN rules, security protection modes and data encapsulation modes; if they cannot agree, the specific negotiation error can be returned to the other party. If the negotiation succeeds, the link is restored to normal; if a negotiation error is returned, a VPN link related problem is declared.
That is, if the negotiation succeeds, the link is determined to be restored to normal; if a negotiation error is returned, the failure is determined to be a VPN link related problem (e.g. a link negotiation problem); if no negotiation reply is returned, step 357 is performed.
357: It is checked whether a route matching the VPN rule exists.
If no matching route exists, the failure cause is determined to be a network configuration related problem; if a matching route exists, step 358 is performed.
358: It is checked whether the next hop of the matching route is reachable.
For example, on an Ethernet link the Address Resolution Protocol (ARP) or the Internet Control Message Protocol (ICMP) may be used to determine whether the next hop of the matching route is reachable.
If the next hop of the matching route is not reachable, the failure cause is determined to be a network on-off related problem; if it is reachable, step 359 is performed.
359: The path through the underlying carrier network of the VPN link is probed.
For example, ICMP, route tracing (traceroute) and similar techniques are used to probe the carrier network that actually carries the VPN link.
If the network is interrupted, the failure cause is determined to be a network on-off related problem.
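The local flow of an associated VPN node, written out as an added example (not the patent's code): the link validity check (rule-conforming addresses, then probe packet; otherwise bidirectional traffic statistics, then DPD in step 354) followed by the fault-cause decision tree of steps 355 to 359. The probe hooks, the `UNKNOWN` outcome for a link that fails every check but stays down, and the peer address 10.0.2.1 are assumptions of this example.

```python
"""Local link diagnosis run by an associated VPN node (added example, not the
patent's code). Real probes (DPD, ARP/ICMP, traceroute, negotiation) are
modelled as hypothetical callables so the flow can be exercised offline."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Cause(Enum):
    NONE = "link normal"
    VPN_LINK = "VPN link related problem"
    NET_CONFIG = "network configuration related problem"
    NET_ONOFF = "network on-off related problem"
    UNKNOWN = "cause not located"   # assumption: the text leaves this case open


class Negotiation(Enum):
    SUCCESS = "negotiation succeeded, link restored"
    ERROR = "peer replied with a negotiation error reason"
    NO_RESPONSE = "no negotiation response"


@dataclass(frozen=True)
class Diagnosis:
    link_ok: bool
    cause: Cause
    detail: str


@dataclass(frozen=True)
class LinkState:
    """Constructed observations for the link validity check."""
    addresses_match_rule: bool   # node addresses at both ends conform to a VPN rule
    probe_reply_received: bool   # reply to the constructed probe packet (when addresses match)
    bidirectional_traffic: bool  # traffic statistics show both directions
    peer_alive: bool             # step 354: DPD says the peer is alive


@dataclass(frozen=True)
class Probes:
    """Hypothetical hooks for steps 355-359; the str argument is the peer address."""
    egress_if_up: Callable[[], bool]            # 355: own outgoing interface
    negotiate: Callable[[str], Negotiation]     # 356: link establishment negotiation
    has_matching_route: Callable[[str], bool]   # 357: route matching the VPN rule
    next_hop_reachable: Callable[[str], bool]   # 358: ARP/ICMP to the next hop
    carrier_path_ok: Callable[[str], bool]      # 359: ICMP/traceroute over the carrier


def link_is_normal(s: LinkState) -> bool:
    """Validity check: probe when addresses match a rule; otherwise traffic, then DPD."""
    if s.addresses_match_rule:
        return s.probe_reply_received
    if s.bidirectional_traffic:
        return True
    return s.peer_alive


def diagnose_cause(peer: str, p: Probes) -> Diagnosis:
    """Fault-cause decision tree of Fig. 6 for a link already judged failed."""
    if not p.egress_if_up():                                            # 355
        return Diagnosis(False, Cause.NET_ONOFF, "egress interface down")
    result = p.negotiate(peer)                                          # 356
    if result is Negotiation.SUCCESS:
        return Diagnosis(True, Cause.NONE, "link restored by renegotiation")
    if result is Negotiation.ERROR:
        return Diagnosis(False, Cause.VPN_LINK, "negotiation error returned")
    if not p.has_matching_route(peer):                                  # 357
        return Diagnosis(False, Cause.NET_CONFIG, "no route matches the VPN rule")
    if not p.next_hop_reachable(peer):                                  # 358
        return Diagnosis(False, Cause.NET_ONOFF, "next hop of matching route unreachable")
    if not p.carrier_path_ok(peer):                                     # 359
        return Diagnosis(False, Cause.NET_ONOFF, "carrier network path interrupted")
    return Diagnosis(False, Cause.UNKNOWN, "all checks passed but link still down")


def diagnose_link(peer: str, s: LinkState, p: Probes) -> Diagnosis:
    """Whole local flow: validity check first, cause diagnosis only on failure."""
    if link_is_normal(s):
        return Diagnosis(True, Cause.NONE, "link normal")
    return diagnose_cause(peer, p)


if __name__ == "__main__":
    # Constructed scenario: addresses match a rule, probe got no reply, peer rejects renegotiation.
    state = LinkState(True, False, False, False)
    probes = Probes(lambda: True, lambda _peer: Negotiation.ERROR,
                    lambda _peer: True, lambda _peer: True, lambda _peer: True)
    print(diagnose_link("10.0.2.1", state, probes))
```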
The embodiment of the disclosure provides a diagnosis method for a global VPN link that introduces a central management node holding all VPN rule information; the central management node performs fault management with the VPN communication link as its object and diagnoses faults of the VPN link. The embodiment also provides a method for judging whether the local link of a single VPN node is normal: probing with network addresses on both sides that conform to the VPN rules quickly judges the validity of the VPN link, and bidirectional traffic statistics combined with peer detection efficiently judge whether the link is normal. The embodiment further provides a local link diagnosis flow for a single VPN node that distinguishes three fault types and obtains the fault type and error reason by diagnosing the local VPN rules, the negotiation return and the network configuration.
306: The associated VPN node sends a diagnosis result to the management node; and the management node receives diagnosis results returned by the at least two associated VPN nodes.
307: The management node transmits a diagnostic instruction to the first node.
In the embodiment of the present disclosure, if the first node receives the diagnosis instruction, the first node performs link diagnosis and fault cause diagnosis in the same manner as that of the VPN node associated in step 305, and then feeds back the diagnosis result to the management node.
308: The management node outputs a VPN diagnosis result based on the diagnosis results returned by the at least two associated VPN nodes and on whether the first node returns a diagnosis result.
If the diagnosis results returned by the at least two associated VPN nodes are all faults and the first node does not return a diagnosis result, a network fault from the first node to the network access point (NAP) is determined;
if the diagnosis results returned by the at least two associated VPN nodes are all faults and the first node does return a diagnosis result, it is determined that the network from the first node to the network access point is normal but the first node itself is faulty;
if at least one of the at least two associated VPN nodes returns a normal diagnosis result and the first node does not return a diagnosis result, it is determined that the network from the first node to the network access point is normal, but the network from the first node to some VPN nodes is faulty and the network from the first node to the management node is faulty;
and if at least one of the at least two associated VPN nodes returns a normal diagnosis result and the first node does return a diagnosis result, step 309 is performed.
Optionally, the management node may further analyze a failure cause, such as a VPN link related problem, a network configuration related problem, or a network on-off related problem, based on the diagnosis results of at least two associated VPN nodes.
309: And the management node outputs the diagnosis result returned by the first node.
The diagnostic result may include, among other things, a cause of the fault.
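The management node's decision table of steps 308 and 309, together with the rule that a first node with fewer than two associated VPN nodes simply has its own result relayed, as an added example that is not the patent's code. The result representation, the majority tally used for the optional cause analysis, and the verdict for a first node that returns nothing while having fewer than two associated nodes are assumptions of this example.

```python
"""Management-node aggregation of diagnosis results (steps 308 and 309).
Added example, not the patent's code. Assumes each associated VPN node reports
normal/fault plus an optional cause string, and that None marks a first node
that returned no diagnosis result."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class NodeResult:
    node: str
    ok: bool
    cause: Optional[str] = None   # fault cause reported by the node when ok is False


@dataclass(frozen=True)
class Verdict:
    text: str
    cause: Optional[str] = None


def majority_cause(results: Sequence[NodeResult]) -> Optional[str]:
    """Optional cause analysis; assumption: the most frequently reported cause wins."""
    tally = Counter(r.cause for r in results if not r.ok and r.cause)
    return tally.most_common(1)[0][0] if tally else None


def relay_first(first: Optional[NodeResult]) -> Verdict:
    """Step 309: output the first node's own result (missing reply is an assumption)."""
    if first is None:
        return Verdict("first node returned no diagnosis result")
    if first.ok:
        return Verdict(f"{first.node}: link normal")
    return Verdict(f"{first.node}: link faulty", first.cause)


def aggregate(associated: Sequence[NodeResult], first: Optional[NodeResult]) -> Verdict:
    """Step 308 decision table, plus the fewer-than-two-associated-nodes rule."""
    if len(associated) < 2:
        return relay_first(first)
    all_fault = all(not r.ok for r in associated)
    if all_fault and first is None:
        # every associated node lost its link and the first node is silent
        return Verdict("network fault between first node and network access point",
                       majority_cause(associated))
    if all_fault:
        # the first node is reachable by the management node, so its uplink works
        return Verdict("network to network access point normal; first node itself faulty",
                       majority_cause(associated))
    if first is None:
        # some associated links still work, yet the first node cannot reach us
        return Verdict("network to network access point normal; first node cannot reach "
                       "some VPN nodes and cannot reach the management node")
    return relay_first(first)


if __name__ == "__main__":
    # Constructed results: both associated nodes see their link to the first
    # node as failed, and the first node itself did not answer.
    reports = [NodeResult("vpn-b", False, "network on-off related problem"),
               NodeResult("vpn-c", False, "network on-off related problem")]
    print(aggregate(reports, None))
```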
The invention provides a VPN network diagnosis method based on global link state perception. It solves the problem that, when only the two ends of a link are probed, the faulty party cannot be distinguished, and the problem that diagnosis based on a single VPN rule easily confuses some errors, so that diagnosis accuracy is improved.
To achieve the above object, the present invention provides a diagnosis method applicable to VPN communication networks that construct VPN communication links based on rules; all entities that deploy VPN communication rules are referred to as VPN communication nodes. VPN communication link failures generally fall into three categories: VPN link related problems, such as incorrect rule configuration or failure of the security keys on the two sides; network configuration related problems, such as routes that do not agree with the rules; and network on-off related problems, such as line breaks or failure of the egress network interface.
Fig. 7 is a schematic structural diagram of a management node according to an embodiment of the present disclosure. The management node may be implemented as all or part of a computer device by software, hardware, or a combination of both. Referring to fig. 7, the management node includes: a determining module 401, a transmitting module 402, a receiving module 403 and an output module 404.
The determining module 401 is configured to determine, according to a VPN link to be diagnosed indicated by the diagnosis request, associated VPN nodes associated with VPN nodes at both ends of the VPN link to be diagnosed; determining at least two associated VPN nodes associated with a first node, wherein the first node is any endpoint of the VPN link to be diagnosed;
a sending module 402, configured to send diagnostic instructions to the at least two associated VPN nodes;
A receiving module 403, configured to receive a diagnosis result returned by the at least two associated VPN nodes;
The sending module 402 is further configured to send a diagnostic instruction to the first node;
And an output module 404, configured to output a VPN diagnostic result based on the diagnostic results returned by the at least two associated VPN nodes and whether the first node returns a diagnostic result.
Optionally, the determining module 401 is configured to determine the VPN nodes at the two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request; and to search for the VPN nodes at the two ends of the VPN link to be diagnosed in the VPN rule information, determine the nodes that have VPN links to the VPN nodes at the two ends of the VPN link to be diagnosed, and thereby obtain the associated VPN nodes associated with the VPN nodes at the two ends of the VPN link to be diagnosed.
Optionally, the output module 404 is configured to determine a network fault from the first node to the network access point when the diagnosis results returned by the at least two associated VPN nodes are all faults and the first node does not return a diagnosis result;
to determine that the network from the first node to the network access point is normal but the first node itself is faulty when the diagnosis results returned by the at least two associated VPN nodes are all faults and the first node does return a diagnosis result;
to determine that the network from the first node to the network access point is normal, but the network from the first node to some VPN nodes is faulty and the network from the first node to the management node is faulty, when at least one of the at least two associated VPN nodes returns a normal diagnosis result and the first node does not return a diagnosis result;
and to output the diagnosis result returned by the first node when at least one of the at least two associated VPN nodes returns a normal diagnosis result and the first node does return a diagnosis result.
Optionally, the output module 404 is further configured to output a diagnosis result returned by the first node if the number of associated VPN nodes associated with the first node is less than 2.
It should be noted that when the management node provided in the foregoing embodiment performs VPN diagnosis, the division into the functional modules above is only an example; in practical application, the functions may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules so as to complete all or part of the functions described above. In addition, the management node provided in the above embodiment and the VPN diagnosis method embodiment belong to the same concept; the specific implementation process of the management node is detailed in the method embodiment and is not described here again.
Fig. 8 is a schematic structural diagram of a VPN node according to an embodiment of the present disclosure. The VPN node may be the aforementioned associated VPN node, which may be implemented as all or part of a computer device by software, hardware or a combination of both. Referring to fig. 8, the VPN node includes: a receiving module 501, a diagnosing module 502 and a sending module 503.
The receiving module 501 is configured to receive a diagnosis instruction sent by a management node, where the associated VPN node is an associated VPN node associated with a first node, and the first node is a VPN node at either end of the VPN link to be diagnosed;
a diagnosing module 502, configured to diagnose an associated VPN link between the associated VPN node and VPN nodes at both ends of the VPN link to be diagnosed;
And the sending module 503 is configured to send a diagnosis result to the management node, so that the management node outputs a VPN diagnosis result based on the diagnosis result returned by the associated VPN node and whether the first node returns the diagnosis result.
Optionally, the diagnosing module 502 is configured to determine whether the node addresses at the two ends of the associated VPN link conform to a VPN rule;
when the node addresses at the two ends of the associated VPN link conform to a VPN rule, to construct a probe packet and send it;
and when a probe reply packet is received, to determine that the associated VPN link is normal; when no probe reply packet is received, to determine that the associated VPN link has failed.
Optionally, the diagnosing module 502 is further configured to collect traffic statistics for the associated VPN link when the node addresses at the two ends of the associated VPN link do not conform to a VPN rule;
Under the condition that the associated VPN link has bidirectional traffic, determining that the associated VPN link is normal;
Determining that the associated VPN link is normal under the condition that the associated VPN link does not have bidirectional traffic but a node at the other end of the associated VPN link survives;
And determining that the associated VPN link fails under the condition that the associated VPN link does not have bidirectional traffic and the node at the other end of the associated VPN link does not survive.
It should be noted that when the VPN node provided in the foregoing embodiment performs VPN diagnosis, the division into the functional modules above is only an example; in practical application, the functions may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules so as to complete all or part of the functions described above. In addition, the VPN node provided in the foregoing embodiment and the VPN diagnosis method embodiment belong to the same concept; the specific implementation process of the VPN node is detailed in the method embodiment and is not described here again.
Fig. 9 is a block diagram of a computer device provided in an embodiment of the present disclosure, which may be the aforementioned management node or VPN node (e.g., an associated VPN node). The computer device 600 includes a Central Processing Unit (CPU) 601, a system memory 604 including a Random Access Memory (RAM) 602 and a Read Only Memory (ROM) 603, and a system bus 605 connecting the system memory 604 and the central processing unit 601. The computer device 600 also includes a basic input/output system (I/O system) 606 for facilitating the transfer of information between various devices within the computer, and a mass storage device 607 for storing an operating system 613, application programs 614, and other program modules 615.
The basic input/output system 606 includes a display 608 for displaying information and an input device 609, such as a mouse, keyboard, etc., for a user to input information. Wherein both the display 608 and the input device 609 are coupled to the central processing unit 601 via an input output controller 610 coupled to the system bus 605. The basic input/output system 606 may also include an input/output controller 610 for receiving and processing input from a number of other devices, such as a keyboard, mouse, or electronic stylus. Similarly, the input output controller 610 also provides output to a display screen, a printer, or other type of output device.
The mass storage device 607 is connected to the central processing unit 601 through a mass storage controller (not shown) connected to the system bus 605. The mass storage device 607 and its associated computer-readable media provide non-volatile storage for the computer device 600. That is, the mass storage device 607 may include a computer readable medium (not shown) such as a hard disk or CD-ROM drive.
Computer readable media may include computer storage media and communication media without loss of generality. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes RAM, ROM, EPROM, EEPROM, flash memory, or other solid state memory technology, CD-ROM, DVD, or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, or other magnetic storage devices. Of course, those skilled in the art will recognize that computer storage media are not limited to the ones described above. The system memory 604 and mass storage device 607 described above may be collectively referred to as memory.
According to various embodiments of the present disclosure, the computer device 600 may also be operated by a remote computer connected through a network such as the Internet. That is, the computer device 600 may be connected to the network 612 through a network interface unit 611 connected to the system bus 605, or the network interface unit 611 may be used to connect to other types of networks or remote computer systems (not shown).
The memory further includes one or more programs, one or more programs being stored in the memory, and the central processor 601 implements the VPN diagnostic method shown in any of fig. 2 to 6 by executing the one or more programs.
In an exemplary embodiment, a non-transitory computer readable storage medium is also provided, such as a memory including instructions executable by a processor of a computer device to perform the VPN diagnosis method shown in the various embodiments of the present disclosure. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc.
The foregoing description of the preferred embodiments of the present disclosure is provided for the purpose of illustration only, and is not intended to limit the disclosure to the particular embodiments disclosed, but on the contrary, the intention is to cover all modifications, equivalents, alternatives, and alternatives falling within the spirit and principles of the disclosure.

Claims (10)

1. A VPN diagnostic method, the method comprising:
the management node determines associated VPN nodes associated with VPN nodes at two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request;
The management node determines at least two associated VPN nodes associated with a first node, wherein the first node is any endpoint of the VPN link to be diagnosed;
the management node sends diagnosis instructions to the at least two associated VPN nodes;
the management node receives diagnosis results returned by the at least two associated VPN nodes;
The management node transmits a diagnosis instruction to the first node;
and the management node outputs VPN diagnosis results based on the diagnosis results returned by the at least two associated VPN nodes and whether the first node returns the diagnosis results or not.
2. The method of claim 1, wherein the management node determining, according to the VPN link to be diagnosed indicated by the diagnosis request, associated VPN nodes associated with VPN nodes at both ends of the VPN link to be diagnosed comprises:
The management node determines VPN nodes at two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request;
And the management node searches VPN nodes at two ends of the VPN link to be diagnosed in VPN rule information, determines nodes with VPN links between the VPN nodes at two ends of the VPN link to be diagnosed, and obtains associated VPN nodes associated with the VPN nodes at two ends of the VPN link to be diagnosed.
3. The method of claim 1, wherein the management node outputting VPN diagnosis results based on the diagnosis results returned by the at least two associated VPN nodes and whether the first node returns a diagnosis result comprises:
under the condition that the diagnosis results returned by the at least two correlated VPN nodes are all faults and the diagnosis result is not returned by the first node, the management node determines the network fault from the first node to the network access point;
Under the condition that the diagnosis results returned by the at least two correlated VPN nodes are all faults and the diagnosis result is returned by the first node, the management node determines that the network from the first node to the network access point is normal, but the first node is faulty;
In the case that the diagnosis result returned by at least one of the at least two associated VPN nodes is normal and the diagnosis result is not returned by the first node, the management node determines that the network from the first node to the network access point is normal, but the network from the first node to part of VPN nodes fails, and the network from the first node to the management node fails;
and under the condition that the diagnosis result returned by at least one of the at least two correlated VPN nodes is normal and the diagnosis result is returned by the first node, the management node outputs the diagnosis result returned by the first node.
4. A method according to any one of claims 1 to 3, further comprising:
and under the condition that the number of the associated VPN nodes associated with the first node is smaller than 2, the management node outputs a diagnosis result returned by the first node.
5. A VPN diagnostic method, the method comprising:
The method comprises the steps that an associated VPN node receives a diagnosis instruction sent by a management node, wherein the associated VPN node is an associated VPN node associated with a first node, and the first node is a VPN node at two ends of a VPN link to be diagnosed;
the associated VPN node diagnoses the associated VPN links from the associated VPN node to the VPN nodes at the two ends of the VPN link to be diagnosed;
And the associated VPN node sends a diagnosis result to the management node so that the management node outputs a VPN diagnosis result based on the diagnosis result returned by the associated VPN node and whether the first node returns the diagnosis result or not.
6. The method of claim 5, wherein the associated VPN node diagnosing the associated VPN links between the associated VPN node and the VPN nodes at the two ends of the VPN link to be diagnosed comprises:
the associated VPN node determines whether node addresses at two ends of the associated VPN link accord with VPN rules or not;
under the condition that node addresses at two ends of the associated VPN link accord with VPN rules, the associated VPN node constructs a data packet for detection;
under the condition that a probe reply packet is received, the associated VPN node determines that the associated VPN link is normal; under the condition that no probe reply packet is received, the associated VPN node determines that the associated VPN link has failed.
7. The method of claim 6, wherein the associated VPN node diagnosing the associated VPN links between the associated VPN node and the VPN nodes at the two ends of the VPN link to be diagnosed further comprises:
Under the condition that node addresses at two ends of the associated VPN link do not accord with VPN rules, the associated VPN node counts the flow of the associated VPN link;
under the condition that the associated VPN link has bidirectional traffic, the associated VPN node determines that the associated VPN link is normal;
Under the condition that the associated VPN link does not have bidirectional traffic but the node at the other end of the associated VPN link survives, the associated VPN node determines that the associated VPN link is normal;
in the event that there is no bi-directional traffic for the associated VPN link and a node at the other end of the associated VPN link is not alive, the associated VPN node determines that the associated VPN link is down.
8. A management node, the management node comprising:
The determining module is used for determining associated VPN nodes associated with VPN nodes at two ends of the VPN link to be diagnosed according to the VPN link to be diagnosed indicated by the diagnosis request; determining at least two associated VPN nodes associated with a first node, wherein the first node is any endpoint of the VPN link to be diagnosed;
A sending module, configured to send a diagnostic instruction to the at least two associated VPN nodes;
The receiving module is used for receiving diagnosis results returned by the at least two associated VPN nodes;
The sending module is further configured to send a diagnostic instruction to the first node;
And the output module is used for outputting VPN diagnosis results based on the diagnosis results returned by the at least two associated VPN nodes and whether the first node returns the diagnosis results or not.
9. An associated VPN node, wherein the associated VPN node is an associated VPN node associated with a first node, the first node being a VPN node at either end of a VPN link to be diagnosed, the associated VPN node comprising:
the receiving module is used for receiving the diagnosis instruction sent by the management node;
The diagnosis module is used for diagnosing the associated VPN links between the associated VPN nodes and the VPN nodes at the two ends of the VPN link to be diagnosed;
And the sending module is used for sending the diagnosis result to the management node so that the management node outputs the VPN diagnosis result based on the diagnosis result returned by the associated VPN node and whether the first node returns the diagnosis result or not.
10. A computer device, the computer device comprising: a processor; a memory configured to store processor-executable instructions; wherein the processor is configured to perform the method of any one of claims 1 to 7.
CN202410140988.5A 2024-01-31 2024-01-31 VPN diagnosis method, management node and associated VPN node Pending CN118175011A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202410140988.5A CN118175011A (en) 2024-01-31 2024-01-31 VPN diagnosis method, management node and associated VPN node

Publications (1)

Publication Number Publication Date
CN118175011A true CN118175011A (en) 2024-06-11

Family

ID=91357821

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination