ipsec - peer is coming up but is data passing?

Unanswered Question
Jan 28th, 2008

Hi,

I have an IPSEC tunnel which has one end at my company and the other end at another company, whose routers I don't control.

I have an ipsec tunnel which appears to come up (isa sa is qm_idle) but the ipsec sa shows no packets encrypted or decrypted.

How would I debug (without bringing down the router, which is one of our core routers on our net) this connection --- I want to see which packets are being received encrypted and which we're trying to encrypt.

Is it possible to debug just on one peer?

This is a 6500 with an SPA-IPSEC-2G

Thanks,

Lisa G

IPSEC SA info below:

interface: Vlan900

Crypto map tag: CRX0, local addr. 165.199.221.197

protected vrf:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (208.77.127.224/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249

path mtu 1500, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf:

local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249

path mtu 1500, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf:

local ident (addr/mask/prot/port): (65.119.115.5/255.255.255.255/0/0)

srue Mon, 01/28/2008 - 09:48

This tunnel is not up. There are no SPI numbers.

deb crypto isakmp

deb crypto ipsec
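
The check the reply applies (no SPI numbers means no IPsec SA), as an added example that is not part of the original thread: a Python sketch that reads `show crypto ipsec sa` text and labels each ident pair. The sample output is constructed with documentation addresses, the function names are hypothetical, and the idle and one-way labels go beyond the single case the reply covers.

```python
import re

# Constructed sample in the layout of the output quoted in the question;
# addresses are documentation ranges, not the poster's.
SAMPLE = """\
interface: Vlan900
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.224/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0
     outbound esp sas:
   local  ident (addr/mask/prot/port): (192.0.2.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.32/255.255.255.224/0/0)
    #pkts encaps: 41, #pkts encrypt: 41, #pkts digest: 41
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 1A2B3C4D
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
"""

def parse_sas(text):
    """Return one dict per local/remote ident pair (hypothetical helper)."""
    sas, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("local") and "ident" in s:
            cur = {"local": s.split(": ", 1)[1], "remote": None,
                   "spi": 0, "encaps": 0, "decaps": 0}
            sas.append(cur)
        elif cur is None:
            continue  # header lines before the first ident pair
        elif s.startswith("remote") and "ident" in s:
            cur["remote"] = s.split(": ", 1)[1]
        elif m := re.match(r"current outbound spi:\s*(?:0x)?([0-9A-Fa-f]+)", s):
            cur["spi"] = int(m.group(1), 16)
        elif m := re.match(r"#pkts (encaps|decaps):\s*(\d+)", s):
            cur[m.group(1)] = int(m.group(2))
    return sas

def diagnose(sa):
    """Label one parsed entry; an outbound SPI of 0 means no IPsec SA exists."""
    if sa["spi"] == 0:
        return "no IPsec SA: phase 2 not established"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "SA installed, no traffic yet"
    if sa["encaps"] == 0 or sa["decaps"] == 0:
        return "one-way traffic: check the far side's ACL and routing"
    return "traffic in both directions"
```
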
