Cisco MDS-9124 Troubleshooting Guide - Page 463
Security Associations Do Not Re-Key, Clearing Security Associations, Debugging the IPsec Process
Chapter 22 Troubleshooting IPsec
IPsec Issues

Security Associations Do Not Re-Key

A lifetime counter (in seconds and bytes) is maintained as soon as an SA is created. When the time limit expires, the SA is no longer operational and is automatically renegotiated (re-keyed) if traffic is present. If there is no traffic, the SA will not be re-keyed and the tunnel will go down. The re-key operation starts when the soft lifetime expires. That happens approximately 20 to 30 seconds before the time-based lifetime expires, or when approximately 10 to 20 percent of the bytes remain in the bytes-based lifetime.

To troubleshoot this problem, follow these steps:

Step 1 Verify that traffic was flowing when the soft SA lifetime expired.

Step 2 Verify that the configurations are still compatible.

Clearing Security Associations

To clear a specific SA, obtain the SA index value and issue the clear crypto sa domain ipsec interface gigabitethernet slot/port outbound sa-index command. To obtain the SA index value, issue the show crypto sad domain ipsec command.

Debugging the IPsec Process

Use the following commands to print debug messages to the console:

• debug ipsec error for error messages.
• debug ipsec warning for warning messages.
• debug ipsec config for configuration messages.
• debug ipsec flow for SA-related messages.

Debugging the IKE Process

Use the following commands to show the internal state of the IKE process:

• show crypto ike domain ipsec initiator
• show crypto ike domain ipsec sa

Obtaining Statistics from the IPsec Process

To obtain statistics from the IPsec process, issue the show crypto global domain ipsec command and the show crypto global domain ipsec interface gigabitethernet slot/port command. The show crypto global domain ipsec command output displays statistics for all SAs.
Command output follows:

    MDSA# show crypto global domain ipsec
    IPSec global statistics:

OL-9285-05 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-15
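The lifetime and soft-lifetime behaviour described under "Security Associations Do Not Re-Key" can be modelled to reason about why an SA did or did not re-key. The following is an added example, not Cisco code: it takes an SA's configured limits plus a snapshot of its age, byte count and whether traffic was present, and classifies the SA the way Step 1 of the procedure does. The soft-lifetime margins are parameters set to the upper end of the approximate ranges the guide gives (30 seconds, 20 percent); those defaults are an assumption.

```python
"""Model of IPsec SA lifetime counters and the re-key trigger.

Added example, not Cisco code. The soft-lifetime margins below are
assumptions taken from the approximate figures in the guide
(20-30 s before the time limit, 10-20 % of bytes remaining).
"""
from dataclasses import dataclass


@dataclass
class SaLifetime:
    time_limit_s: int                 # hard time-based lifetime, in seconds
    byte_limit: int                   # hard bytes-based lifetime
    soft_time_margin_s: int = 30      # assumption: upper end of the 20-30 s window
    soft_byte_fraction: float = 0.20  # assumption: upper end of the 10-20 % window

    def soft_expired(self, age_s: int, bytes_used: int) -> bool:
        """Soft lifetime is reached when either counter enters its re-key window."""
        time_soft = age_s >= self.time_limit_s - self.soft_time_margin_s
        bytes_remaining = self.byte_limit - bytes_used
        byte_soft = bytes_remaining <= self.byte_limit * self.soft_byte_fraction
        return time_soft or byte_soft

    def hard_expired(self, age_s: int, bytes_used: int) -> bool:
        """Hard lifetime: the SA is no longer operational once either limit is hit."""
        return age_s >= self.time_limit_s or bytes_used >= self.byte_limit


def sa_state(lt: SaLifetime, age_s: int, bytes_used: int, traffic_present: bool) -> str:
    """Classify an SA snapshot as the troubleshooting steps reason about it.

    'down' is the case the section describes: the hard lifetime passed while
    no traffic was flowing, so no re-key happened and the tunnel went down.
    """
    if lt.hard_expired(age_s, bytes_used):
        return "rekeyed" if traffic_present else "down"
    if lt.soft_expired(age_s, bytes_used):
        # In the re-key window: renegotiation only starts if traffic is present.
        return "rekeying" if traffic_present else "soft-expired-idle"
    return "active"


if __name__ == "__main__":
    # Constructed sample: one-hour / 1 MB SA observed at several points.
    lt = SaLifetime(time_limit_s=3600, byte_limit=1_000_000)
    for age, used, traffic in ((1000, 100_000, True), (3575, 100_000, False), (3600, 100_000, False)):
        print(age, used, traffic, "->", sa_state(lt, age, used, traffic))
```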