Introduction

This document describes the useful commands for troubleshooting IPsec-related issues on the ASR.

What is IPsec? IPsec is a security framework that operates at the Network Layer by adding its own headers to the IP packet (AH and ESP are carried under their own IP protocol numbers, 51 and 50, not as IP options). Because it sits below the transport layer it can protect any higher-layer protocol, including arbitrary TCP and UDP sessions, which makes it the most flexible of the existing TCP/IP cryptosystems. Flexibility, however, often comes at the price of complexity, and IPsec is no exception: deciding which addresses and ports are encrypted with which IPsec options soon starts to look like configuring packet filtering, and key management adds a further layer of complexity on top.

For IPsec-related issues, use the following show commands as applicable.

Summary of FP objects
show platform software ipsec fx inventory - displays the number of interfaces, SPDs, SPD maps, ACLs, ACEs, crypto maps, DH key pairs, IKE SAs and IPsec SAs registered with the FP (fx stands for the FP slot, f0 or f1, as in the commands below)
Checking for IKE
show crypto isakmp sa - check whether the IKE SAs have been successfully completed (for IKEv1 a healthy SA shows state QM_IDLE and status ACTIVE; any MM_* or AG_* state means the exchange has not finished)
Checking for the life of an IPsec packet
show crypto ipsec sa - display all SAs (interface, traffic flow, direction, flow ID, source or destination address); compare the #pkts encaps and #pkts decaps counters per peer to see whether traffic is failing in one direction only
show platform hardware cpp active statistics drop | inc IPsec - lists the QFP drop counters whose reason name matches the filter (the include filter is a case-sensitive regex, so if nothing is listed try a pattern such as [Ii][Pp]sec)
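The two checks above (IKE SA state and per-peer encaps/decaps counters) are easy to script once the output has been collected from the device. The following Python is an added example, not part of the original document or any Cisco tool: it parses constructed sample output modelled on the format of "show crypto isakmp sa" and "show crypto ipsec sa" (the sample text is made up for this example and was not captured from a real router), flags IKEv1 SAs that are not in QM_IDLE/ACTIVE, and flags IPsec flows that encapsulate but never decapsulate or that report receive errors. The function names and the one-way-traffic heuristic are this example's own; IKEv2 SAs are shown by "show crypto ikev2 sa" in a different format and are not handled here.

```python
import re

# Constructed sample output in the style of "show crypto isakmp sa" (not real device output).
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.1.2        10.1.1.1        QM_IDLE           1001 ACTIVE
10.1.1.6        10.1.1.1        MM_NO_STATE       1002 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# Constructed sample output in the style of "show crypto ipsec sa" (not real device output).
IPSEC_SA_OUTPUT = """\
interface: GigabitEthernet0/0/0
    Crypto map tag: CMAP, local addr 10.1.1.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 10.1.1.6 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
    #send errors 0, #recv errors 2
"""

# A data row: dst, src, upper-case state, numeric conn-id, then free-form status.
# The header line ("dst src state conn-id status") does not match because "state" is lower case.
ISAKMP_ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<status>.+)$")
RE_IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
RE_PEER = re.compile(r"current_peer (\S+)")
RE_ENCAPS = re.compile(r"#pkts encaps: (\d+)")
RE_DECAPS = re.compile(r"#pkts decaps: (\d+)")
RE_ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_isakmp_sa(text):
    """Return one dict per IKEv1 SA row found in 'show crypto isakmp sa' output."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            sa = m.groupdict()
            sa["conn_id"] = int(sa["conn_id"])
            sa["status"] = sa["status"].strip()
            sas.append(sa)
    return sas


def parse_ipsec_sa(text):
    """Return one dict per protected flow (local/remote ident pair) with its peer and counters."""
    flows, cur, iface = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            iface = s.split(":", 1)[1].strip()
            continue
        m = RE_IDENT.match(s)
        if m:
            if m.group(1) == "local":          # a new flow starts at its local ident line
                cur = {"interface": iface}
                flows.append(cur)
            cur[m.group(1)] = m.group(2)
            continue
        if cur is None:
            continue
        for key, rx in (("peer", RE_PEER), ("encaps", RE_ENCAPS), ("decaps", RE_DECAPS)):
            m = rx.search(s)
            if m:
                cur[key] = m.group(1) if key == "peer" else int(m.group(1))
        m = RE_ERRORS.search(s)
        if m:
            cur["send_errors"], cur["recv_errors"] = int(m.group(1)), int(m.group(2))
    return flows


def triage(isakmp_sas, ipsec_flows):
    """Heuristic findings: unfinished IKE SAs, one-way traffic, receive errors."""
    findings = []
    for sa in isakmp_sas:
        if not (sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE"):
            findings.append("IKE SA %s<->%s not established: %s %s"
                            % (sa["src"], sa["dst"], sa["state"], sa["status"]))
    for f in ipsec_flows:
        if f.get("encaps", 0) > 0 and f.get("decaps", 0) == 0:
            findings.append("one-way traffic to peer %s (%s): encaps=%d decaps=0, check the far side"
                            % (f.get("peer"), f.get("remote"), f["encaps"]))
        if f.get("recv_errors", 0):
            findings.append("recv errors from peer %s: %d" % (f.get("peer"), f["recv_errors"]))
    return findings


if __name__ == "__main__":
    for line in triage(parse_isakmp_sa(ISAKMP_SA_OUTPUT), parse_ipsec_sa(IPSEC_SA_OUTPUT)):
        print(line)
```

On the constructed sample this reports the half-open SA to 10.1.1.6, the flow to 10.1.1.2 that encapsulates 1500 packets but has decapsulated none, and the two receive errors on the second flow. In practice feed it the saved output of the two show commands; a flow with encaps rising and decaps stuck is the usual pointer to go on to the QFP drop counters and the per-SA commands below.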
Checking the IPsec feature at the interface level
show platform hardware cpp active feature ipsec interface <interface name>
Checking at the SPD level
show platform hardware cpp active feature ipsec spd all
show platform hardware cpp active feature interface <interface name>
show platform software ipsec f0 spd-obj all
show platform hardware cpp active feature ipsec spd <id>
show platform hardware cpp active feature ipsec spd <id> ace <id> <id> (checking for ACE information)
show platform hardware cpp active feature ipsec sp-obj <id>
show platform hardware cpp active feature ipsec sa <flow id>
Checking TCAM
show platform hardware cpp active classification feature-manager class-group tcam ipsec 0 interface <interface name> both detail
show classification class-group-manager class-group client ipsec 0
show platform software ipsec fx flow all - provides the flow_id for use with the next command
show platform software ipsec F0 flow identifier <flow id>
Checking for fmrp |
show platform software ipsec r0 db |
show platform software ipsec r0 stat |
Checking for CC statistics
show platform hardware slot <slot number> serdes statistics
Checking for FP statistics
show platform hardware slot F0 serdes statistics
Checking for statistics on the tunnel interface
show platform hardware cpp active interface <tunnel interface>
Checking for Nitrox context
show platform software ipsec f0 encryption-processor statistics
show platform software ipsec f0 flow id <flow id>
show platform software ipsec f0 encryption-processor context <context id> (2dc3bffc in the original notes is an example value)
Checking for NitroxII operational state
show platform software ipsec f0 encryption-processor statistics
show platform hardware slot r0 serdes statistics internal
Checking for Nitrox queue statistics
show platform hardware cpp active bqs 0 opm statistics channel <queue id>
|
Debug-related commands

{no} debug platform hardware cpp {active | standby} feature ipsec client {info|trace|warn|err} ==> turns the client debug on/off
{no} debug platform hardware cpp {active | standby} feature ipsec datapath {info|trace|warn|err} ==> turns the ucode (datapath) debug on/off
{no} debug platform hardware cpp {active | standby} feature ipsec counter read-only

Start with the err or warn level and widen to info/trace only for a specific problem; the datapath debug runs on the forwarding processor and can be very verbose on a busy box. Remove the debug with the no form as soon as the data has been collected.
|
To set the trace debug level

set platform software trace forwarding {F0 | F1} {btrace | imgr | ipsec} <debug level>

where <debug level> is one of:
debug      Debug messages
emergency  Emergency possible message
error      Error messages (default)
info       Informational messages
noise      Maximum possible message
verbose    Verbose debug messages
warning    Warning messages

The levels are cumulative from emergency (least output) to noise (most output); set the level back to error after troubleshooting.