ipsec - peer is coming up but is data passing?

Unanswered Question
Jan 28th, 2008

Hi,


I have an IPSEC tunnel which has one end at my company and the other end at another company, whose routers I don't control.


I have an ipsec tunnel which appears to come up (isa sa is qm_idle) but the ipsec sa shows no packets encrypted or decrypted.


How would I debug (without bringing down the router, which is one of our core routers on our net) this connection --- I want to see which packets are being received encrypted and which we're trying to encrypt.


Is it possible to debug just on one peer?


This is a 6500 with an SPA-IPSEC-2G


Thanks,

Lisa G


IPSEC SA info below:

interface: Vlan900

Crypto map tag: CRX0, local addr. 165.199.221.197


protected vrf:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (208.77.127.224/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0


local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249

path mtu 1500, media mtu 1500

current outbound spi: 0


inbound esp sas:


inbound ah sas:


inbound pcp sas:


outbound esp sas:


outbound ah sas:


outbound pcp sas:


protected vrf:

local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0


local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249

path mtu 1500, media mtu 1500

current outbound spi: 0


inbound esp sas:


inbound ah sas:


inbound pcp sas:


outbound esp sas:


outbound ah sas:


outbound pcp sas:


protected vrf:

local ident (addr/mask/prot/port): (65.119.115.5/255.255.255.255/0/0)



srue Mon, 01/28/2008 - 09:48

This tunnel is not up. There are no SPI numbers.

deb crypto isakmp

deb crypto ipsec
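
The check from the reply above (an entry whose outbound SPI is 0 has no IPsec SA behind it), as an added example that is not part of the original thread: a Python parser for saved `show crypto ipsec sa` output that goes beyond that one case and also labels idle and one-way SAs. The sample text is constructed with documentation addresses, and the status labels (`NO_SA`, `IDLE`, `TX_ONLY`, `RX_ONLY`, `OK`) are this example's own names.

```python
import re

# Constructed sample in the layout of `show crypto ipsec sa` (documentation
# addresses; the second entry is invented to show an SA that does exist).
SAMPLE = """\
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.224/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0
local ident (addr/mask/prot/port): (192.0.2.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (198.51.100.32/255.255.255.224/0/0)
#pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x8A1F03C2(2317288386)
"""

FIELDS = {
    "local": re.compile(r"local\s+ident.*?:\s*\((.+)\)"),
    "remote": re.compile(r"remote\s+ident.*?:\s*\((.+)\)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
    "spi": re.compile(r"current outbound spi:\s*(0x[0-9A-Fa-f]+|\d+)"),
}

def parse(text):
    """Return one dict per 'local ident' selector block."""
    entries = []
    for line in text.splitlines():
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m and key == "local":  # a new selector block starts here
                entries.append({"encaps": 0, "decaps": 0, "spi": 0})
            if m and entries:
                v = m.group(1)
                is_num = key in ("encaps", "decaps", "spi")
                entries[-1][key] = int(v, 16 if v[:2].lower() == "0x" else 10) if is_num else v
    return entries

def classify(e):
    if e["spi"] == 0:  # no SPI: phase 2 never built an SA for this selector
        return "NO_SA"
    sent, rcvd = e["encaps"] > 0, e["decaps"] > 0
    return {(False, False): "IDLE", (True, False): "TX_ONLY",
            (False, True): "RX_ONLY", (True, True): "OK"}[(sent, rcvd)]

if __name__ == "__main__":
    for e in parse(SAMPLE):
        print(f'{e["local"]} -> {e["remote"]}: {classify(e)}')
```
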
