debugging an IPSEC tunnel - is coming up but is data passing?

lgontarsk
Level 1

Hi,

I have an IPSEC tunnel which has one end at my company and the other end at another company, whose routers I don't control.

I have an ipsec tunnel which appears to come up (isa sa is qm_idle) but the ipsec sa shows no packets encrypted or decrypted.

How would I debug (without bringing down the router, which is one of our core routers on our net) this connection --- I want to see which packets are being received encrypted and which we're trying to encrypt.

Is it possible to debug just on one peer?

This is a 6500 with an SPA-IPSEC-2G

Thanks,

Lisa G

IPSEC SA info below:

interface: Vlan900

Crypto map tag: CRX0, local addr. 165.199.221.197

protected vrf:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (208.77.127.224/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249

path mtu 1500, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf:

local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249

path mtu 1500, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf:

local ident (addr/mask/prot/port): (65.119.115.5/255.255.255.255/0/0)


srue
Level 7

The tunnel is not coming up; there is no SPI value.

deb crypto isakmp

deb crypto ipsec
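
Added example, not part of the original thread and not Cisco tooling: a small Python parser for `show crypto ipsec sa` output like the listing in the question, applying the check from the reply (outbound SPI of 0 means no IPsec SA exists for that flow) and, going one step further, separating idle, one-way and passing SAs by the encaps/decaps counters. The function names and status labels are hypothetical, and the second sample entry is constructed.

```python
import re

# Constructed sample. Entry 1 mirrors the output posted above; entry 2 is
# made up (documentation addresses) to show a flow whose SA does exist.
SAMPLE = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (208.77.127.224/255.255.255.224/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0
local ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
#pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x1A2B3C4D(439041101)
"""

FIELDS = {
    "local": re.compile(r"local\s+ident[^:]*:\s*\((.*)\)"),
    "remote": re.compile(r"remote\s+ident[^:]*:\s*\((.*)\)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "spi": re.compile(r"current outbound spi:\s*(0x[0-9A-Fa-f]+|\d+)"),
}

def parse_ipsec_sas(text):
    entries, cur = [], None
    for line in text.splitlines():
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and name == "local":      # each protected flow starts here
                cur = {"local": m.group(1)}
                entries.append(cur)
            elif m and cur is not None:    # idents stay text; counters/SPI are ints
                cur[name] = m.group(1) if name == "remote" else int(m.group(1), 0)
    return entries

def classify(entry):
    if "spi" not in entry:
        return "incomplete"                # output was cut off mid-entry
    if entry["spi"] == 0:
        return "no-ipsec-sa"               # no SA negotiated for this flow
    enc, dec = entry.get("encaps", 0), entry.get("decaps", 0)
    if enc and dec:
        return "passing"
    return "one-way" if enc or dec else "sa-up-idle"

if __name__ == "__main__":
    for e in parse_ipsec_sas(SAMPLE):
        print(e["local"], "->", e.get("remote"), classify(e))
```

Feed it saved output from the router rather than `SAMPLE`; the blank lines and extra fields in a real capture are ignored.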
