Cisco MDS-9124 Troubleshooting Guide - Page 460
Verifying Security Associations
Chapter 22 Troubleshooting IPsec
IPsec Issues

    2 Active TCP connections
      Control connection:Local 10.10.100.232:65492, Remote 10.10.100.231:3225
      Data connection:Local 10.10.100.232:65494, Remote 10.10.100.231:3225
    22 Attempts for active connections, 1 close of connections
    TCP Parameters
      Path MTU 1400 bytes
      Current retransmission timeout is 200 ms
      Round trip time:Smoothed 2 ms, Variance:3
      Advertized window:Current:128 KB, Maximum:14 KB, Scale:6
      Peer receive window:Current:118 KB, Maximum:118 KB, Scale:6
      Congestion window:Current:15 KB, Slow start threshold:204 KB
      Current Send Buffer Size:14 KB, Requested Send Buffer Size:0 KB
      CWM Burst Size:50 KB
    5 minutes input rate 3192 bits/sec, 399 bytes/sec, 4 frames/sec
    5 minutes output rate 2960 bits/sec, 370 bytes/sec, 4 frames/sec
      3626 frames input, 359324 bytes
        3610 Class F frames input, 357516 bytes
        16 Class 2/3 frames input, 1808 bytes
        1 Reass frames
        0 Error frames timestamp error 0
      3630 frames output, 340828 bytes
        3612 Class F frames output, 338580 bytes
        18 Class 2/3 frames output, 2248 bytes
        0 Error frames

Verifying Security Associations

To verify security associations (SAs), follow these steps:

Step 1  Issue the show crypto sad domain ipsec command to verify the current peer, mode, and inbound and outbound index of each switch. The example command outputs follow:

    MDSA# show crypto sad domain ipsec
    interface:GigabitEthernet7/1
        Crypto map tag:cmap-01, local addr. 10.10.100.231
        protected network:
        local ident (addr/mask):(10.10.100.231/255.255.255.255)
        remote ident (addr/mask):(10.10.100.232/255.255.255.255)
        current_peer:10.10.100.232
          local crypto endpt.:10.10.100.231, remote crypto endpt.:10.10.100.232
          mode:tunnel, crypto algo:esp-3des, auth algo:esp-md5-hmac
        tunnel id is:1
        current outbound spi:0x822a202 (136487426), index:1
          lifetimes in seconds::3600
          lifetimes in bytes::483183820800
        current inbound spi:0x38147002 (940863490), index:1
          lifetimes in seconds::3600
          lifetimes in bytes::483183820800

    MDSC# show crypto sad domain ipsec
    interface:GigabitEthernet1/2
        Crypto map tag:cmap-01, local addr. 10.10.100.232
        protected network:
        local ident (addr/mask):(10.10.100.232/255.255.255.255)
        remote ident (addr/mask):(10.10.100.231/255.255.255.255)
        current_peer:10.10.100.231
          local crypto endpt.:10.10.100.232, remote crypto endpt.:10.10.100.231

22-12 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x OL-9285-05
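The comparison that Step 1 asks for can be scripted. The following is an added example, not part of the Cisco guide: it parses the show crypto sad domain ipsec fields from both switches and checks that the peers, mode, algorithms and SPIs mirror each other. The helper names parse_sa and compare_sas are hypothetical, and the MDSC SPI lines are constructed because the MDSC output on this page is cut off.

```python
import re

# Field patterns follow the `show crypto sad domain ipsec` output on this page.
FIELDS = {
    "local": r"local crypto endpt\.:\s*([\d.]+)",
    "peer": r"current_peer:\s*([\d.]+)",
    "mode": r"mode:\s*(\w+)",
    "crypto": r"crypto algo:\s*([\w-]+)",
    "auth": r"auth algo:\s*([\w-]+)",
    "out_spi": r"current outbound spi:\s*(0x[0-9a-fA-F]+)",
    "in_spi": r"current inbound spi:\s*(0x[0-9a-fA-F]+)",
}

def parse_sa(text):
    """Extract the SA fields from one switch's output; absent fields are None."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        value = m.group(1) if m else None
        # SPIs are compared numerically so hex case and padding do not matter.
        sa[name] = int(value, 16) if value and name.endswith("_spi") else value
    return sa

def compare_sas(a, b):
    """Return a list of mismatches between the two ends of one tunnel."""
    problems = [f"{side}: '{k}' missing from output"
                for side, sa in (("A", a), ("B", b))
                for k, v in sa.items() if v is None]
    # Each side's current_peer must be the other side's local endpoint.
    if a["peer"] != b["local"] or b["peer"] != a["local"]:
        problems.append("peer/local endpoint addresses do not mirror")
    for k in ("mode", "crypto", "auth"):
        if a[k] != b[k]:
            problems.append(f"{k} differs: {a[k]} vs {b[k]}")
    # The receiver assigns the SPI, so A's outbound SPI is B's inbound SPI.
    if a["out_spi"] != b["in_spi"] or a["in_spi"] != b["out_spi"]:
        problems.append("SPIs do not pair up (stale or one-sided SA)")
    return problems

# MDSA fields as shown on this page (abridged to the parsed lines).
MDSA = """current_peer:10.10.100.232
local crypto endpt.:10.10.100.231, remote crypto endpt.:10.10.100.232
mode:tunnel, crypto algo:esp-3des, auth algo:esp-md5-hmac
current outbound spi:0x822a202 (136487426), index:1
current inbound spi:0x38147002 (940863490), index:1"""

# MDSC: first two lines are from the page; the rest is constructed for this example.
MDSC = """current_peer:10.10.100.231
local crypto endpt.:10.10.100.232, remote crypto endpt.:10.10.100.231
mode:tunnel, crypto algo:esp-3des, auth algo:esp-md5-hmac
current outbound spi:0x38147002 (940863490), index:1
current inbound spi:0x822a202 (136487426), index:1"""

if __name__ == "__main__":
    print(compare_sas(parse_sa(MDSA), parse_sa(MDSC)) or "SAs match")
```

An empty result means both ends agree; a missing-field entry usually means the SA was never established on that switch.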