<< BACK TO THE MAIN TRUSTSEC TROUBLESHOOTING GUIDE
TrustSec ASR1k Specific Troubleshooting Information
How to check the ASR hardware programming of a CTS enabled link?
With the following configured:
interface GigabitEthernet0/1/1
cts manual
policy static sgt 2 trusted
Prompt-ASR#show platform hardware qfp active feature cts client interface
Interface GigabitEthernet0/1/1(11):
Enable=1, Policy=0, Trust=1, Propagate=1, Internal=0 <----- SGT on the link trusted and propagate SGT enabled
SGT=2, SGT_caching_in=1 SGT_caching_eg=0 <----- 'policy static sgt 2' configured and caching is enabled
IN_dbg/ IN_err=0/0, OUT_dbg/ OUT_err=0/0
ASR1K: How to check if inline tags are successfully being transmitted or received?
Prompt-ASR#show platform hardware qfp active feature cts datapath stats
Tagged Packets rcv: 744 xmt: 2278 Def tag: 0
Unknown SGT: 4052 Unknown DGT: 0
Invalid tags (drop): 0 Bad format (drop): 0
No xmt buffer: 0
IPSec SGT tagged packets received: 0
IPSec Invalid SGT tagged packets received: 0
GRE SGT tagged packets received: 0
GRE Invalid SGT tagged packets received: 0
GRE invalid next protocol 0
LISP SGT tagged packets received: 0
LISP Invalid SGT tagged packets received: 0
How to check the presence of inline tagging on the ASR by using caching?
Caching needs to be enabled:
Be careful in a live deployment. Enabling caching will dramatically reduce platform performance.
|
Prompt-ASR#show platform hardware qfp active feature cts datapath cache-data
Sgt-caching is Active
Total number of bindings = 2
==============================================================================
IP Address SGT Interface Age Exptime Mode VRFID
(hh:mm:ss) (sec)
==============================================================================
10.1.100.2 1001 GigabitEthernet0/1/1 00:01:22 297 In 0
10.3.4.1 2 GigabitEthernet0/1/1 00:01:33 294 In 0
How to check the global ASR drop stats?
Prompt-ASR#show platform hardware qfp active statistics drop
-------------------------------------------------------------------------
Global Drop Stats Packets Octets
-------------------------------------------------------------------------
Disabled 2 792
Ipv4NoRoute 190 30327
UnconfiguredIpv4Fia 13 2327
UnconfiguredIpv6Fia 934 103102
How to Check the SGT and DGT Bindings in the Forwarding Manager?
Prompt-ASR#show platform software cts forwarding-manager F0|FP|R0|RP [active]
SGT Binding Table
Number of bindings: 14
1.1.1.1/32
SGT Src: 2
SGT Dst: 2
10.1.100.4/32
SGT Src: 14
SGT Dst: 14
10.3.1.2/32
SGT Src: 2
SGT Dst: 2
SGT Binding Table
10.3.2.2/32
SGT Src: 2
SGT Dst: 2
10.3.4.2/32
SGT Src: 2
SGT Dst: 2
10.3.5.1/32
SGT Src: 2
SGT Dst: 2
10.4.1.1/32
SGT Src: 2
SGT Dst: 2
10.4.1.3/32
SGT Src: 2
SGT Dst: 2
10.5.1.1/32
SGT Src: 2
SGT Dst: 2
10.5.3.1/32
SGT Src: 2
SGT Dst: 2
10.6.1.1/32
SGT Src: 2
SGT Dst: 2
10.7.1.1/32
SGT Src: 2
SGT Dst: 2
SGT Binding Table
10.8.1.1/32
SGT Src: 2
SGT Dst: 2
10.9.1.1/32
SGT Src: 2
SGT Dst: 2
|
<< BACK TO THE MAIN TRUSTSEC TROUBLESHOOTING GUIDE