IPsec question

From: David Anderson (dma@xxxxxxxxx)
Date: Sat Jun 02 2001 - 14:59:58 GMT-3


   
Hi all,
I have a question about IPsec debug output. I have the following debugs
running on both the sending and receiving routers:
debug crypto ipsec
debug crypto isakmp
debug ip packet

When I ping from the source to the destination defined in my access-list, I
get no debug output. It looks like it is working, but I am just curious
as to why I do not receive any debug output. When I use the following show
commands, this is what I get... It is the same on the receiving
router. Any ideas?
Thanks,
David

router1#sh crypto isakmp sa
dst             src             state           conn-id   slot
1.1.1.1         6.6.6.6         QM_IDLE               2      0
6.6.6.6         1.1.1.1         QM_IDLE               1      0

router1#sh crypto map
Crypto Map: "secret" idb: Loopback1 local address: 1.1.1.1

Crypto Map "secret" 10 ipsec-isakmp
         Peer = 6.6.6.6
         Extended IP access list 101
             access-list 101 permit ip host 1.1.1.1 host 6.6.6.6
         Current peer: 6.6.6.6
         Security association lifetime: 4608000 kilobytes/3600 seconds
         PFS (Y/N): N
         Transform sets={ TMA, }
         Interfaces using crypto map secret:
                 Serial1
                 Tunnel0

router1#sh crypto ipsec sa ?
   address IPSEC SA table in (dest) address order
   detail show counter detail
   identity IPSEC SADB identity tree
   interface Show info for specific interface
   map IPSEC SA table for a specific crypto map
   | Output modifiers
   <cr>

router1#sh crypto ipsec sa

interface: Tunnel0
     Crypto map tag: secret, local addr. 1.1.1.1

    local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
    current_peer: 6.6.6.6
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 526, #pkts encrypt: 526, #pkts digest 0
     #pkts decaps: 526, #pkts decrypt: 526, #pkts verify 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
     #send errors 2, #recv errors 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 6.6.6.6
      path mtu 1514, media mtu 1514
      current outbound spi: 63023E0

      inbound esp sas:
       spi: 0x99A23FC(161096700)
         transform: esp-des ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2004, flow_id: 5, crypto map: secret
         sa timing: remaining key lifetime (k/sec): (4607982/1903)
         IV size: 8 bytes
         replay detection support: N

      inbound ah sas:

      inbound pcp sas:

      outbound esp sas:
       spi: 0x63023E0(103818208)
         transform: esp-des ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2005, flow_id: 6, crypto map: secret
         sa timing: remaining key lifetime (k/sec): (4607978/1894)
         IV size: 8 bytes
         replay detection support: N

      outbound ah sas:

      outbound pcp sas:

interface: Serial1
     Crypto map tag: secret, local addr. 1.1.1.1

    local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
    current_peer: 6.6.6.6
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 527, #pkts encrypt: 527, #pkts digest 0
     #pkts decaps: 527, #pkts decrypt: 527, #pkts verify 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
     #send errors 2, #recv errors 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 6.6.6.6
      path mtu 1514, media mtu 1514
      current outbound spi: 63023E0

      inbound esp sas:
       spi: 0x99A23FC(161096700)
         transform: esp-des ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2004, flow_id: 5, crypto map: secret
         sa timing: remaining key lifetime (k/sec): (4607981/1894)
         IV size: 8 bytes
         replay detection support: N

      inbound ah sas:

      inbound pcp sas:

      outbound esp sas:
       spi: 0x63023E0(103818208)
         transform: esp-des ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2005, flow_id: 6, crypto map: secret
         sa timing: remaining key lifetime (k/sec): (4607978/1885)
         IV size: 8 bytes
         replay detection support: N

      outbound ah sas:

      outbound pcp sas:
David Anderson
Network Design Engineer
Enterprise Solutions Architecture & Design
(408) 853-5515
dma@cisco.com
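
An added example, not part of the original post and not Cisco tooling: a small Python parser for the `sh crypto ipsec sa` text shown above that extracts the per-interface counters and SA settings and reports the security-relevant ones (DES-only ESP, no authentication transform, digest counter at 0 while packets are encrypted, replay detection N, non-zero error counters). The function names and finding labels are assumptions made for this illustration; the sample is a trimmed excerpt of the Tunnel0 section as posted.

```python
import re
# Trimmed excerpt of the Tunnel0 section posted above (values unchanged).
SAMPLE = """\
interface: Tunnel0
     #pkts encaps: 526, #pkts encrypt: 526, #pkts digest 0
     #pkts decaps: 526, #pkts decrypt: 526, #pkts verify 0
     #send errors 2, #recv errors 0
      inbound esp sas:
       spi: 0x99A23FC(161096700)
         transform: esp-des ,
         replay detection support: N
      outbound esp sas:
       spi: 0x63023E0(103818208)
         transform: esp-des ,
         replay detection support: N
"""
AUTH = {"esp-md5-hmac", "esp-sha-hmac", "ah-md5-hmac", "ah-sha-hmac"}  # integrity transforms

def parse(text):
    """Return {interface: {"counters": {name: int}, "sas": [{spi, transforms, replay}]}}."""
    out, cur, sa = {}, None, None
    for s in map(str.strip, text.splitlines()):
        if s.startswith("interface:"):
            cur, sa = out.setdefault(s.split(":", 1)[1].strip(), {"counters": {}, "sas": []}), None
        elif cur is not None and s.startswith("#"):  # "#name: N" or "#name N"
            cur["counters"].update((n, int(v)) for n, v in re.findall(r"#([a-z. ]+?):? (\d+)", s))
        elif cur is not None and s.startswith("spi:"):
            sa = {"spi": s.split()[1].split("(")[0], "transforms": [], "replay": None}
            cur["sas"].append(sa)
        elif sa and s.startswith("transform:"):
            sa["transforms"] = [t for t in re.split(r"[ ,]+", s.split(":", 1)[1]) if t]
        elif sa and s.startswith("replay detection support:"):
            sa["replay"] = s.endswith("Y")
    return out

def audit(text):
    """Return sorted (interface, finding) pairs; the finding labels are this example's own."""
    found = []
    for ifname, d in parse(text).items():
        c, used = d["counters"], {t for sa in d["sas"] for t in sa["transforms"]}
        checks = [
            ("single-des", "esp-des" in used),
            ("no-auth-transform", bool(d["sas"]) and not used & AUTH),
            ("encrypted-not-authenticated", c.get("pkts encrypt", 0) > 0 and c.get("pkts digest", 0) == 0),
            ("no-replay-detection", any(sa["replay"] is False for sa in d["sas"])),
            ("crypto-errors", c.get("send errors", 0) + c.get("recv errors", 0) > 0),
        ]
        found += [(ifname, label) for label, hit in checks if hit]
    return sorted(found)
```

Calling `audit(SAMPLE)` reports all five findings for Tunnel0; the same function can be pointed at the full pasted output of either router.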



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:17 GMT-3