Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Chapter 22 Troubleshooting IPsec
Common Troubleshooting Commands in the CLI
Use the following commands to troubleshoot IPsec issues:
• show crypto transform-set domain ipsec
• show crypto global domain ipsec
• show crypto global domain ipsec security-association lifetime
• show crypto sad domain ipsec
Use the following internal commands to gather more information for IPsec issues:
• show ipsec internal error—Displays a log of error history.
• show ipsec internal mem-stats detail—Displays memory usage.
• show ipsec internal event-history msgs—Displays a log of message history.
Use the following commands to gather information from the hardware accelerator:
• show ipsec internal crypto-accelerator interface gigabit 2/1 sad inbound/outbound sa-index—Displays detailed information of an SA from the hardware accelerator.
• show ipsec internal crypto-accelerator interface gigabit 2/1 stats—Displays detailed information per interface from the hardware accelerator.
IPsec Issues
This section provides the procedures required to troubleshoot IKE and IPsec issues in an FCIP
configuration. Figure 22-1 shows a simple FCIP configuration where FCIP Tunnel 2 carries encrypted
data between switches MDS A and MDS C.
Figure 22-1 Simple FCIP Configuration
This section includes the following topics:
• Verifying IKE Configuration Compatibility, page 22-6
• Verifying IPsec Configuration Compatibility Using Fabric Manager, page 22-6
• Verifying IPsec Configuration Compatibility Using the CLI, page 22-7
• Verifying Security Policy Databases Compatibility, page 22-8
• Verifying Interface Status Using Fabric Manager, page 22-9
• Verifying Interface Status Using the CLI, page 22-9
• Verifying Security Associations, page 22-12
[Figure 22-1 labels: 10.10.100.231, MDS A, FCIP Tunnel 2, 10.10.100.232, MDS C]