01-28-2008 09:28 AM - edited 02-21-2020 03:30 PM
Hi,
I have an IPSEC tunnel which has one end at my company and the other end at another company, whose routers I don't control.
I have an ipsec tunnel which appears to come up (isa sa is qm_idle), but the ipsec sa shows no packets encrypted or decrypted.
How would I debug (without bringing down the router, which is one of our core routers on our net) this connection --- I want to see which packets are being received encrypted and which we're trying to encrypt.
Is it possible to debug just on one peer?
This is a 6500 with an SPA-IPSEC-2G
Thanks,
Lisa G
IPSEC SA info below:
interface: Vlan900
Crypto map tag: CRX0, local addr. 165.199.221.197
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (208.77.127.224/255.255.255.224/0/0)
current_peer: 62.140.138.249:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (65.119.114.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (62.140.152.0/255.255.255.224/0/0)
current_peer: 62.140.138.249:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 165.199.221.197, remote crypto endpt.: 62.140.138.249
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf:
local ident (addr/mask/prot/port): (65.119.115.5/255.255.255.255/0/0)
01-28-2008 09:48 AM
This tunnel is not up. There are no SPI numbers.
deb crypto isakmp
deb crypto ipsec
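Added example, not part of the original thread and not Cisco code: the check the reply makes by eye (an outbound SPI of 0 means no IPsec SA exists for that selector pair), applied to saved `show crypto ipsec sa` output. The function names `parse_sas` and `diagnose` and the sample text, which uses documentation addresses, are constructed for illustration.

```python
import re

# Constructed sample in the layout of the `show crypto ipsec sa` output quoted
# in the question (documentation addresses, not the poster's values).
SAMPLE = """\
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.224/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0
protected vrf:
local ident (addr/mask/prot/port): (192.0.2.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (198.51.100.32/255.255.255.224/0/0)
#pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x5A1C33D0(1511797712)
"""

def parse_sas(text):
    """Split on 'protected vrf:' and summarise each selector pair.
    Fields missing from a truncated block fall back to '?' or 0."""
    sas = []
    for block in text.split("protected vrf:")[1:]:
        def grab(pattern, default="0"):
            m = re.search(pattern, block)
            return m.group(1) if m else default
        sas.append({
            "local": grab(r"local ident[^:]*: *\(([^)]*)\)", "?"),
            "remote": grab(r"remote ident[^:]*: *\(([^)]*)\)", "?"),
            "spi": int(grab(r"current outbound spi: *(?:0x)?([0-9A-Fa-f]+)"), 16),
            "encaps": int(grab(r"#pkts encaps: *(\d+)")),
            "decaps": int(grab(r"#pkts decaps: *(\d+)")),
        })
    return sas

def diagnose(sa):
    if sa["spi"] == 0:
        return "no IPsec SA (outbound SPI 0): phase 2 not established"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "SA present but idle: no traffic has matched it"
    if sa["decaps"] == 0:
        return "one-way: packets encrypted, none decrypted from the peer"
    if sa["encaps"] == 0:
        return "one-way: packets decrypted, none encrypted toward the peer"
    return "traffic in both directions"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(f'{sa["local"]} -> {sa["remote"]}: {diagnose(sa)}')
```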