
Cisco MDS 9000 Series User Manual

Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Chapter 22 Troubleshooting IPsec
IPsec Issues
Verifying IPsec Configuration Compatibility Using the CLI

To verify the compatibility of the IPsec configurations of MDS A and MDS C shown in Figure 22-1 using the CLI, follow these steps:

Step 1 Use the show crypto map domain ipsec command and the show crypto transform-set domain ipsec command. The following command outputs display the fields discussed in Step 2 through Step 7.

MDSA# show crypto map domain ipsec
Crypto Map “cmap-01” 1 ipsec
    Peer = 10.10.100.232
    IP ACL = acl1
        permit ip 10.10.100.231 255.255.255.255 10.10.100.232 255.255.255.255
    Transform-sets: tfs-02,
    Security Association Lifetime: 3000 gigabytes/120 seconds
    PFS (Y/N): Y
    PFS Group: group5
Interface using crypto map set cmap-01:
    GigabitEthernet7/1

MDSC# show crypto map domain ipsec
Crypto Map “cmap-01” 1 ipsec
    Peer = 10.10.100.231
    IP ACL = acl1
        permit ip 10.10.100.232 255.255.255.255 10.10.100.231 255.255.255.255
    Transform-sets: tfs-02,
    Security Association Lifetime: 3000 gigabytes/120 seconds
    PFS (Y/N): Y
    PFS Group: group5
Interface using crypto map set cmap-01:
    GigabitEthernet1/2

MDSA# show crypto transform-set domain ipsec
Transform set:tfs-01 {esp-3des null}
    will negotiate {tunnel}
Transform set:tfs-02 {esp-3des esp-md5-hmac}
    will negotiate {tunnel}
Transform set:ipsec_default_transform_set {esp-aes 128 esp-sha1-hmac}
    will negotiate {tunnel}

MDSC# show crypto transform-set domain ipsec
Transform set:tfs-01 {esp-3des null}
    will negotiate {tunnel}
Transform set:tfs-02 {esp-3des esp-md5-hmac}
    will negotiate {tunnel}
Transform set:ipsec_default_transform_set {esp-aes 128 esp-sha1-hmac}
    will negotiate {tunnel}

Step 2 Ensure that the ACLs are compatible in the show crypto map domain ipsec command outputs for both switches.

Step 3 Ensure that the peer configuration is correct in the show crypto map domain ipsec command outputs for both switches.

Step 4 Ensure that the transform sets are compatible in the show crypto transform-set domain ipsec command outputs for both switches.

Step 5 Ensure that the PFS settings in the show crypto map domain ipsec command outputs are configured the same on both switches.
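
The comparison in Step 2 through Step 5, as an added example in Python (not part of the Cisco guide): it parses the two command outputs and reports which check fails. The function names, the caller-supplied local addresses, and the rule that one shared algorithm combination is enough for Step 4 are assumptions of this example.

```python
import re

def parse_crypto_map(text):
    """Extract the fields compared in Steps 2-5 (one crypto map entry assumed)."""
    def one(pattern):
        m = re.search(pattern, text)
        return m.group(1).strip() if m else None
    return {"peer": one(r"Peer = (\S+)"),
            "acl": sorted(re.findall(r"permit ip (\S+) (\S+) (\S+) (\S+)", text)),
            "sets": re.findall(r"[\w-]+", one(r"Transform-sets:(.*)") or ""),
            "pfs": (one(r"PFS \(Y/N\): *(\S+)"), one(r"PFS Group: *(\S+)"))}

def parse_transform_sets(text):
    """Map each transform-set name to the algorithms inside its braces."""
    return dict(re.findall(r"Transform set:\s*(\S+)\s*\{([^}]*)\}", text))

def check_peers(map_a, ts_a, local_a, map_c, ts_c, local_c):
    """Return the mismatches found by Steps 2-5; an empty list means compatible."""
    a, c = parse_crypto_map(map_a), parse_crypto_map(map_c)
    problems = []
    # Step 2: each permit entry must appear on the peer with source and destination swapped.
    if a["acl"] != sorted((d, dm, s, sm) for s, sm, d, dm in c["acl"]):
        problems.append("ACLs are not mirror images")
    # Step 3: each Peer value must be the other switch's address (supplied by the caller).
    if a["peer"] != local_c or c["peer"] != local_a:
        problems.append("peer address is not the remote switch")
    # Step 4: compare algorithms, not names; one shared combination is treated as enough.
    algs_a = {parse_transform_sets(ts_a).get(n) for n in a["sets"]}
    algs_c = {parse_transform_sets(ts_c).get(n) for n in c["sets"]}
    if not (algs_a & algs_c) - {None}:
        problems.append("no transform set with the same algorithms")
    # Step 5: PFS on/off and the PFS group must be identical.
    if a["pfs"] != c["pfs"]:
        problems.append("PFS settings differ")
    return problems

# Sample input abridged from the outputs above; the group2 variant is constructed.
MAP = """Crypto Map "cmap-01" 1 ipsec
Peer = {peer}
permit ip {local} 255.255.255.255 {peer} 255.255.255.255
Transform-sets: tfs-02,
PFS (Y/N): Y
PFS Group: {group}"""
TS = "Transform set:tfs-02 {esp-3des esp-md5-hmac}\n will negotiate {tunnel}"
A, C = "10.10.100.231", "10.10.100.232"
MAP_A = MAP.format(local=A, peer=C, group="group5")
MAP_C = MAP.format(local=C, peer=A, group="group5")
print(check_peers(MAP_A, TS, A, MAP_C, TS, C))  # -> []
print(check_peers(MAP_A, TS, A, MAP.format(local=C, peer=A, group="group2"), TS, C))  # -> ['PFS settings differ']
```

Identical settings only show that the peers can negotiate; the matched set here, tfs-02, is 3DES with HMAC-MD5, while the ipsec_default_transform_set listed on both switches is AES-128 with HMAC-SHA1.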

Cisco MDS 9000 Series Specifications

General
Category: Switch
Operating System: Cisco NX-OS
Ports: Varies by model
Protocols: Fibre Channel (FC), Fibre Channel over IP (FCIP), iSCSI
Redundancy: Redundant supervisors, power supplies, and fans
Management: Cisco Data Center Network Manager (DCNM), CLI, SNMP
Virtualization Support: VSANs (Virtual SANs)
Security Features: Fibre Channel Security Protocol (FC-SP)
Hot Swappable Components: Power supplies, fans
Power Supply Options: AC and DC options available

Summary

Troubleshooting IPsec

Overview

Explains the IPsec protocol, its framework, and its support for iSCSI and FCIP.

IPsec Compatibility

Lists compatible Cisco MDS 9000 Family hardware for IPsec features.

Supported IPsec and IKE Algorithms for Microsoft Windows and Linux Platforms

Details supported IPsec and IKE encryption and authentication algorithms for Windows and Linux.

IKE Allowed Transforms

Provides a list of allowed transform combinations for IKE configuration.

IPsec Allowed Transforms

Lists allowed transform combinations for IPsec configuration.

Initial Troubleshooting Checklist

A step-by-step checklist to begin troubleshooting IPsec issues.

Common Troubleshooting Tools in Fabric Manager

Guides users on accessing IPsec and IKE tools within Cisco Fabric Manager.

IPsec Issues

Provides procedures to troubleshoot IKE and IPsec issues in FCIP configurations.

Common Troubleshooting Commands in the CLI

Lists essential CLI commands for troubleshooting IPsec issues.

Verifying IKE Configuration Compatibility

Steps to verify IKE configuration compatibility between peers.

Verifying IPsec Configuration Compatibility Using Fabric Manager

How to check IPsec configuration compatibility using the Fabric Manager GUI.

Verifying IPsec Configuration Compatibility Using the CLI

How to check IPsec configuration compatibility using CLI commands.

Verifying Security Policy Databases Compatibility

Steps to ensure Security Policy Databases (SPDs) are compatible between switches.

Verifying Interface Status Using Fabric Manager

How to check interface status and IP addresses using Fabric Manager.

Verifying Interface Status Using the CLI

How to check interface status and IP addresses using CLI commands.

Verifying Security Associations

Steps to verify current peer, mode, and SA index for IPsec.

Security Associations Do Not Re-Key

Troubleshoots issues where Security Associations (SAs) are not re-keying.

Clearing Security Associations

Instructions on how to clear specific Security Associations (SAs).

Debugging the IPsec Process

Lists commands to print debug messages for IPsec process issues.

Debugging the IKE Process

Lists commands to show the internal state of the IKE process.

Obtaining Statistics from the IPsec Process

How to get statistics for IPsec process and interface levels.
