This document describes common debug commands used to troubleshoot IPsec issues on both the Cisco IOS® Software and PIX/ASA. Refer to Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions for information on the most common solutions to IPsec VPN problems. It contains a checklist of common procedures that you can try before you begin to troubleshoot a connection and call Cisco Technical Support. This document assumes you have configured IPsec.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

The information in this document is based on these software and hardware versions:

56i-Indicates single Data Encryption Standard (DES) feature (on Cisco IOS® Software Release 11.2 and later).
K2-Indicates triple DES feature (on Cisco IOS® Software Release 12.0 and later). Triple DES is available on the Cisco 2600 series and later.
PIX-V5.0 and later, which requires a single or triple DES license key in order to activate.

Refer to Cisco Technical Tips Conventions for more information on document conventions.

The topics in this section describe the Cisco IOS® Software debug commands. Refer to IPSec Negotiation/IKE Protocols for more details.

This command shows the Internet Security Association Management Protocol (ISAKMP) Security Associations (SAs) built between peers.

dst         src         state      conn-id   slot
10.1.0.2    10.1.0.1    QM_IDLE    1         0

show crypto ipsec sa

This command shows IPsec SAs built between peers. The encrypted tunnel is built between 10.1.0.1 and 10.1.0.2 for traffic that goes between networks 10.1.0.0 and 10.1.1.0. You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since there are no AH SAs. This output shows an example of the show crypto ipsec sa command.

interface: FastEthernet0
Crypto map tag: test, local addr.
#pkts compressed: 0, #pkts decompressed: 0
#pkts decompress failed: 0, #send errors 1, #recv errors 0
Slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
Sa timing: remaining key lifetime (k/sec): (4608000/52)
Slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
Outbound pcp sas:

show crypto engine connection active

This command shows each phase 2 SA built and the amount of traffic sent. Because phase 2 Security Associations (SAs) are unidirectional, each SA shows traffic in only one direction (encryptions are outbound, decryptions are inbound).

This output shows an example of the debug crypto isakmp command.

message ID = 0
Checking ISAKMP transform against priority 1 policy
message ID = 800032287

debug crypto ipsec

This command shows the source and destination of IPsec tunnel endpoints. Src_proxy and dest_proxy are the client subnets.