
IPSec Troubleshooting Steps

Check for interesting traffic to initiate the tunnel: look at the crypto ACL hit counts
    If there are none, verify routing (static or RRI) toward the protected networks
Verify that the IKE SA for that peer is up (state QM_IDLE)
    If not, verify that the pre-shared keys match
    Verify that the IKE policies (encryption, authentication, DH group) match
    Verify that the IKE identities match
Verify that the IPSec SAs are up (inbound and outbound SPIs present)
    If not, verify that the IPSec transform sets match
    Verify that the crypto ACLs are mirrored on each side
    Verify that the crypto map is applied on the right interface
Turn on IKE/IPSec debugs (conditionally, scoped to the peer, on production routers)
IPSec Show Commands
To show IKE SA information:
show crypto isakmp sa [ vrf <vrf-name> ] [ detail ]
show crypto isakmp peer <ip-addr>
To show IPSec SA information:
show crypto ipsec sa [ address | detail | interface | map | peer | vrf ]
To show IKE and IPSec information together:
show crypto session [ fvrf | group | ivrf | username ] [ detail ]
show crypto engine connection active
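The procedure above, applied to show-command output, as an added example that is not part of the original slides: a Python script that parses constructed samples of show crypto isakmp sa and show crypto ipsec sa, works out which step of the troubleshooting order a given peer is stuck at (no IKE SA, IKE not in QM_IDLE, missing SPIs, one-way traffic) and names the next check, together with a conditional debug scoped to that peer as described under Crypto Conditional Debugging. The sample output, the addresses, the crypto map name, and the one-way rule of thumb (encaps counting up with decaps at zero pointing at the far side's crypto ACL or return route) are assumptions of this example, not facts from the page.

```python
"""Triage one IPSec peer from 'show crypto isakmp sa' and 'show crypto ipsec sa'
output, in the order the slides use: IKE SA, then IPSec SAs, then counters.
Added example; the show output below is constructed, not a router capture."""
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed 'show crypto isakmp sa' sample: one healthy peer, one stuck in MM.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.2        10.1.1.1        QM_IDLE           1001 ACTIVE
10.1.1.1        10.1.1.3        MM_NO_STATE          0 ACTIVE (deleted)
"""

# Constructed 'show crypto ipsec sa' sample, trimmed to the fields parsed here.
IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 10.1.1.1
   current_peer 10.1.1.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x4B1F8C2A(1260489770)
     inbound esp sas:
      spi: 0x8E2D1F3C(2384797500)
     outbound esp sas:
      spi: 0x4B1F8C2A(1260489770)
   current_peer 10.1.1.3 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

def parse_isakmp_sa(text, local_addr):
    """Map remote peer -> (state, status). Which of dst/src is the peer depends
    on who initiated the IKE SA, so take whichever address is not our own."""
    peers = {}
    for line in text.splitlines():
        m = re.match(r"\s*" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)\s+(\d+)\s+(.*)$", line)
        if m:
            dst, src, state, _conn_id, status = m.groups()
            peers[src if dst == local_addr else dst] = (state, status.strip())
    return peers

def parse_ipsec_sa(text):
    """Map peer -> encaps/decaps totals and the inbound/outbound SPIs seen."""
    flows, cur, direction = {}, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"current_peer " + IPV4, s):
            cur = flows.setdefault(m.group(1), {"encaps": 0, "decaps": 0,
                                                 "inbound": [], "outbound": []})
            direction = None
        elif cur is None:
            continue
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m.group(1)] += int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (?:esp|ah) sas:", s):
            direction = m.group(1)
        elif direction and (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s)):
            cur[direction].append(m.group(1))
    return flows

def triage(peer, local_addr, isakmp_text=ISAKMP_SA, ipsec_text=IPSEC_SA):
    """Return (verdict, next_step) for one peer. Any debug it suggests is scoped
    with a crypto condition on that peer, so it is usable on a busy router."""
    cond = f"debug crypto condition peer ipv4 {peer}; "
    state, status = parse_isakmp_sa(isakmp_text, local_addr).get(peer, (None, ""))
    flow = parse_ipsec_sa(ipsec_text).get(peer)
    if state is None:
        # Nothing ever started IKE: no interesting traffic, or no crypto map.
        return ("no-ike", "check crypto ACL hit counts, routing (static/RRI) and "
                          "that the crypto map is applied to the egress interface")
    if state != "QM_IDLE" or "deleted" in status:
        return ("ike-down", f"IKE SA is {state} {status}: check pre-shared key, IKE "
                            f"policy (encr/auth/DH), identities; then {cond}"
                            "debug crypto isakmp")
    if flow is None or not flow["inbound"] or not flow["outbound"]:
        return ("ipsec-down", "IKE up but no inbound/outbound SPI: check transform "
                              f"sets, mirrored crypto ACLs, crypto map; then {cond}"
                              "debug crypto ipsec")
    if flow["encaps"] and not flow["decaps"]:
        # One-way traffic (rule of thumb): we encrypt, nothing comes back.
        return ("one-way", "encaps but no decaps: check that the peer's crypto ACL "
                           "mirrors ours and that it has a return route to our subnet")
    if not flow["encaps"] and not flow["decaps"]:
        return ("idle", "SAs up but no packets: generate interesting traffic")
    return ("ok", "IKE and IPSec SAs up, traffic flowing both ways")

if __name__ == "__main__":
    for p in ("10.1.1.2", "10.1.1.3", "10.1.1.4"):
        print(p, *triage(p, "10.1.1.1"))
```

On a real router, paste the captured output of the two show commands into isakmp_text and ipsec_text and call triage with the tunnel source address as local_addr; the parser only looks at the peer, state, packet-counter and SPI lines, so extra fields in a full capture are ignored.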

Cisco IOS IPSec Debugging


These are the IKE/IPSec debugs currently available; the highlighted ones are typically the most useful.
Make sure to use crypto conditional debugs when troubleshooting production routers, so that only the tunnel under investigation generates output.
debug crypto isakmp
debug crypto isakmp error
debug crypto isakmp ha
debug crypto ipsec
debug crypto ipsec error
debug crypto routing
debug crypto ha
debug crypto engine error
debug crypto engine packet
Crypto Conditional Debugging
Use crypto conditional debugging when troubleshooting live networks, especially where many tunnels run on the same device.
The crypto conditional debug CLIs (debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition) let you specify conditions (filter values) so that only the debug messages matching those conditions are generated and displayed.
The router performs conditional debugging only after at least one of the global crypto debug commands (debug crypto isakmp, debug crypto ipsec, or debug crypto engine) has been enabled; this requirement ensures that router performance is not affected when conditional debugging is not in use.
Set the condition first, then enable the global debug; doing it in the other order produces unfiltered output for every tunnel until the condition is in place.
To enable crypto conditional debugging:
debug crypto condition <cond-type> <cond-value>
debug crypto { isakmp | ipsec | engine }
To view the crypto debug conditions that have been enabled:
show crypto debug-condition [ all | peer | fvrf | ivrf | isakmp | username | connid | spi ]
To disable crypto conditional debugs:
debug crypto condition reset
This clears the filter conditions only; the global crypto debugs stay on and become unfiltered, so turn them off as well (undebug all) when you are done.
