• TrustSec ASR1k Specific Troubleshooting Information
• How to check the ASR hardware programming of a CTS enabled link?
• ASR1K: How to check if inline tags are successfully being transmitted or received?
• How to check the presence of inline tagging on the ASR by using caching?
• How to check the global ASR drop stats?
• How to Check the SGT and DGT Bindings in the Forwarding Manager?

<< BACK TO THE MAIN TRUSTSEC TROUBLESHOOTING GUIDE

TrustSec ASR1k Specific Troubleshooting Information

How to check the ASR hardware programming of a CTS enabled link?

With the following configured:

interface GigabitEthernet0/1/1

cts manual

  policy static sgt 2 trusted

Prompt-ASR#show platform hardware qfp active feature cts client interface

Interface GigabitEthernet0/1/1(11):

        Enable=1, Policy=0, Trust=1, Propagate=1, Internal=0    <----- SGT on the link trusted and propagate SGT enabled

        SGT=2, SGT_caching_in=1 SGT_caching_eg=0    <----- 'policy static sgt 2' configured and caching is enabled

        IN_dbg/ IN_err=0/0, OUT_dbg/ OUT_err=0/0

ASR1K: How to check if inline tags are successfully being transmitted or received?

Prompt-ASR#show platform hardware qfp active feature cts datapath stats

Tagged Packets rcv: 744        xmt: 2278       Def tag: 0

         Unknown SGT: 4052      Unknown DGT: 0

Invalid tags (drop): 0 Bad format (drop): 0

No xmt buffer: 0

IPSec SGT tagged packets received: 0

IPSec Invalid SGT tagged packets received: 0

GRE SGT tagged packets received: 0

GRE Invalid SGT tagged packets received: 0

GRE invalid next protocol 0

LISP SGT tagged packets received: 0

LISP Invalid SGT tagged packets received: 0

How to check the presence of inline tagging on the ASR by using caching?

Caching needs to be enabled:

Be careful in a live deployment. Enabling caching will dramatically reduce platform performance.

Prompt-ASR#show platform hardware qfp active feature cts datapath cache-data

Sgt-caching is Active

Total number of bindings = 2

==============================================================================

IP Address      SGT   Interface                 Age        Exptime Mode VRFID

                                                (hh:mm:ss)   (sec)           

==============================================================================

10.1.100.2      1001  GigabitEthernet0/1/1      00:01:22   297     In   0   

10.3.4.1        2     GigabitEthernet0/1/1      00:01:33   294     In   0   

How to check the global ASR drop stats?

Prompt-ASR#show platform hardware qfp active statistics drop

-------------------------------------------------------------------------

Global Drop Stats                         Packets                  Octets 

-------------------------------------------------------------------------

Disabled                                        2                     792 

Ipv4NoRoute                                   190                   30327 

UnconfiguredIpv4Fia                            13                    2327 

UnconfiguredIpv6Fia                           934                  103102

How to Check the SGT and DGT Bindings in the Forwarding Manager?

Prompt-ASR#show platform software cts forwarding-manager F0|FP|R0|RP [active] SGT Binding Table Number of bindings: 14 1.1.1.1/32 SGT Src: 2 SGT Dst: 2 10.1.100.4/32 SGT Src: 14 SGT Dst: 14 10.3.1.2/32 SGT Src: 2 SGT Dst: 2 SGT Binding Table 10.3.2.2/32 SGT Src: 2 SGT Dst: 2 10.3.4.2/32 SGT Src: 2 SGT Dst: 2 10.3.5.1/32 SGT Src: 2 SGT Dst: 2 10.4.1.1/32 SGT Src: 2 SGT Dst: 2 10.4.1.3/32 SGT Src: 2 SGT Dst: 2 10.5.1.1/32 SGT Src: 2 SGT Dst: 2 10.5.3.1/32 SGT Src: 2 SGT Dst: 2 10.6.1.1/32 SGT Src: 2 SGT Dst: 2 10.7.1.1/32 SGT Src: 2 SGT Dst: 2 SGT Binding Table 10.8.1.1/32 SGT Src: 2 SGT Dst: 2 10.9.1.1/32 SGT Src: 2 SGT Dst: 2

<< BACK TO THE MAIN TRUSTSEC TROUBLESHOOTING GUIDE