Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ipsec - peer is coming up but is data passing?

Hi,

I have an IPSEC tunnel which has one end at my company and the other end at another company, whose routers I don't control.

I have an ipsec tunnel which appears to come up (isa sa is qm_idle but the ipsec sa shows no packets encrypted or decrypted.

How would I debug (without bringing down the router, which is one of our core routers on our net) this connection --- I want to see which packets are being received encrypted and which we're trying to encrypt.

Is it possible to debug just on one peer?

This is a 6500 with an SPA-IPSEC-2G

Thanks,

Lisa G

IPSEC SA info below:

nterface: Vlan900

Crypto map tag: CRX0, local addr. 165.199.221.197

protected vrf:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (208.77.127.224/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249

path mtu 1500, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf:

local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)

current_peer: 62.140.138.249:500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249

path mtu 1500, media mtu 1500

current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf:

local ident (addr/mask/prot/port): (65.119.115.5/255.255.255.255/0/0)

1 REPLY
Gold

Re: ipsec - peer is coming up but is data passing?

this tunnel is not up. there are no SPI numbers. deb crypto isakmp

deb crypto ipsec

119
Views
0
Helpful
1
Replies