Author: athukral

Introduction: This document describes useful commands for troubleshooting IPsec-related issues on the ASR.

What is IPsec?

IPsec is a security framework that operates at the network layer by extending the IP packet with additional protocols (identified by their own IP protocol numbers, not by IP options). This lets it encrypt any higher-layer protocol, including arbitrary TCP and UDP sessions, so it offers the greatest flexibility of all the existing TCP/IP cryptosystems. Flexibility, however, often comes at the price of complexity, and IPsec is no exception: configuring which addresses and ports to encrypt, and with which IPsec options, soon starts to look like configuring packet filtering, and on top of that comes the added complexity of key management.

For IPsec-related issues, use the following show commands as applicable.

Summary of FP objects:

show platform software ipsec fx inventory - displays the number of interfaces, SPDs, SPD maps, ACLs, ACEs, crypto maps, DH key pairs, IKE SAs and IPsec SAs registered with the FP (substitute the FP slot, F0 or F1, for fx)

Checking for IKE

show crypto isakmp sa - check whether the IKE SAs have been established successfully
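The IKE check above is usually done by eye. As an added example (not part of the original post), the script below parses the table that `show crypto isakmp sa` prints on IOS XE and reports, per peer, whether a usable IKEv1 SA exists, so the "did IKE complete?" question can be answered by a script over captured output. The sample output is constructed for this example (addresses are from documentation ranges); the column layout and the state names (MM_*, AG_*, QM_IDLE) are the standard IOS IKEv1 ones.

```python
# Added example, not part of the original post: classify the IKEv1 SAs shown
# by `show crypto isakmp sa` on IOS XE. Sample output below is constructed.
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: one healthy peer that also still shows its old SA
# after a rekey, one peer stuck in main mode, one peer whose only SA is
# being torn down.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1001 ACTIVE
203.0.113.2     198.51.100.1    QM_IDLE           1004 ACTIVE (deleted)
203.0.113.3     198.51.100.1    MM_NO_STATE       1002 ACTIVE
203.0.113.4     198.51.100.1    QM_IDLE           1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

"""

# QM_IDLE: phase 1 finished, the SA is ready for quick mode.
ESTABLISHED = {"QM_IDLE"}
# Main-mode / aggressive-mode states: phase 1 is still in progress. A peer
# that stays in one of these is the usual sign of an unreachable peer or a
# mismatched policy / authentication.
IN_PROGRESS = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH",
               "AG_INIT_EXCH", "AG_AUTH"}

# dst, src, state, numeric conn-id, then the rest of the line as status
# (the status may contain spaces, e.g. "ACTIVE (deleted)").
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.+?)\s*$")

# Lower number wins when a peer has several SAs.
_PRIORITY = {"up": 0, "negotiating": 1, "tearing-down": 2, "unknown": 3}


@dataclass
class IkeSa:
    dst: str
    src: str
    state: str
    conn_id: int
    status: str


def parse_isakmp_sa(text: str) -> List[IkeSa]:
    """One IkeSa per data row. Header, section and blank lines never match
    ROW because their fourth column is not numeric."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            sas.append(IkeSa(dst, src, state, int(conn_id), status))
    return sas


def classify(sa: IkeSa) -> str:
    """Map one SA row to a troubleshooting verdict."""
    if sa.state in ESTABLISHED and sa.status == "ACTIVE":
        return "up"
    if sa.state in ESTABLISHED:
        # e.g. "ACTIVE (deleted)": an old SA being removed, commonly seen
        # next to its replacement after a rekey or a clear.
        return "tearing-down"
    if sa.state in IN_PROGRESS:
        return "negotiating"
    return "unknown"


def report(text: str) -> Dict[str, str]:
    """Best verdict per peer (the dst column): a peer with one usable SA is
    'up' even if an older SA of the same peer is still being deleted."""
    verdicts: Dict[str, str] = {}
    for sa in parse_isakmp_sa(text):
        v = classify(sa)
        if sa.dst not in verdicts or _PRIORITY[v] < _PRIORITY[verdicts[sa.dst]]:
            verdicts[sa.dst] = v
    return verdicts


def peers_needing_attention(text: str) -> List[str]:
    """Peers without a usable IKE SA: the IKE exchange itself needs to be
    looked at before there is any point in checking the IPsec SAs."""
    return sorted(peer for peer, v in report(text).items() if v != "up")


if __name__ == "__main__":
    for peer, verdict in report(SAMPLE_OUTPUT).items():
        print(f"{peer:16} {verdict}")
```

Feed the script the saved output of `show crypto isakmp sa` instead of `SAMPLE_OUTPUT`; any peer listed by `peers_needing_attention` has not completed IKE, which is the point at which the remaining IPsec SA and platform checks in this document are not yet meaningful.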

Checking the life of an IPsec packet

show crypto ipsec sa - displays all SAs (interface, traffic flow, direction, flow ID, source or destination address)

show platform hardware cpp active statistics drop | inc IPsec - lists the IPsec-related entries in the forwarding-plane drop statistics

Checking the IPsec feature at the interface level

show platform hardware cpp active feature ipsec interface <interface name>

Checking at the SPD level

show platform hardware cpp active feature ipsec spd all

show platform hardware cpp active feature interface <interface name>

show platform software ipsec f0 spd-obj all

show platform hardware cpp active feature ipsec spd <id>

show platform hardware cpp active feature ipsec spd <id> ace <id> <id> - checks the ACE information

show platform hardware cpp active feature ipsec sp-obj <id>

show platform hardware cpp active feature ipsec sa <flow id>

Checking the TCAM

show platform hardware cpp active classification feature-manager class-group tcam ipsec 0 interface <interface name> both detail

show classification class-group-manager class-group client ipsec 0

show platform software ipsec fx flow all - provides the flow ID for use with the next command

show platform software ipsec F0 flow identifier <flow id>

Checking for fmrp

show platform software ipsec r0 db

show platform software ipsec r0 stat

Checking for CC statistics

show platform hardware slot <slot number> serdes statistics

Checking for FP statistics

show platform hardware slot F0 serdes statistics

Checking for stats on tunnel interface

show platform hardware cpp active interface <tunnel interface>

Checking for Nitrox context

show platform software ipsec f0 encryption-processor statistics

show platform software ipsec f0 flow identifier <flow id>

show platform software ipsec f0 encryption-processor context <context id> (for example 2dc3bffc)

Checking for NitroxII operational state

show platform software ipsec f0 encryption-processor statistics

show platform hardware slot r0 serdes statistics internal

Checking for Nitrox queue statistics

show platform hardware cpp active bqs 0 opm statistics channel <queue id>


Debug related commands

{no} debug platform hardware cpp active | standby feature ipsec client {info|trace|warn|err} - turns the client debug on/off

{no} debug platform hardware cpp active | standby feature ipsec datapath {info|trace|warn|err} - turns the ucode debug on/off

{no} debug platform hardware cpp active | standby feature ipsec counter read-only


To set the trace debug level

set platform software trace forwarding {F0 | F1} {btrace | imgr | ipsec} <debug level>

where <debug level> is one of:

  debug      Debug messages
  emergency  Emergency possible message
  error      Error messages (default)
  info       Informational messages
  noise      Maximum possible message
  verbose    Verbose debug messages
  warning    Warning messages

Hope this will be informative. Thanks for viewing.

References

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps9343/solution_overview_c22-450825.html
