Several of the troubleshooting commands in the Cisco assay are really similar to the Cisco IOS commands that you already learned in the previous lessons we have the show crypto isakmp si that can be used to show the ika face1 security Association information you can also use the show crypto isakmp by itself so the commands show crypto a second.

P by itself that will show all the active security associations in the cisco sa the ika peer information and other global statistics as I’m shown in this screen you also have the show VPN session database which also shows a summary of all the VPN sessions established in the.

Cisco sa this includes site-to-site VPN and also remote access VPN including SSL VPN so again for IPSec and SSL VPN information in this case we only have one session active and is the site to site VPN tunnel that we actually establish earlier there are several options for that command as.

I’m showing here sever are for remote access VPN but in this case we’re using the L to L key word.

To show information pertaining only to the site to site IPSec tunnels the cisco sa also has the show crypto IPSec sa command to show detailed information about the packets being encrypted things like the information about the peer-to-peer address the local and remote and networks so again basically the same output that the show clip type is like sa in.

As we previously discussed in earlier lessons you can also use the show crypto protocol statistics command to show a very detailed statistic information of ika version 1 or I ke version 2 connections you also.

Have debug commands that are extremely useful for troubleshooting side to side VPNs and any other type of VPNs these d-box are the deeper crypto ika version 1 or a kv-1 followed by a number this number can be 1 to 255 and a lot of these d books actually have this option if the debug is set.

To 1 then it displays less information and if it you know is set to 255 it will it display.

More detail information so again.

In summary the higher the number the more information that will be displayed in the debug so again just like iOS be careful with the debug commands and probably start with level 1 if you have a busy network or a be CAS a for phase 2 issues you can use the debug crypto IPSec and again there are D bucks for ika version 1 and ika version 2 especially when it comes to ICMP ad bugs if you’re not sure what d-box to turn on you can probably start.

With a debug crypto i ke common so again the debug crypto i ka common combines both ika version 1 and our ka version 2d bugs the debug output is.

Pretty similar to iOS but depending on the level they.

Can provide a lot more information as the ones that you saw with iOS such as the actual packet that are received from the peer and also.

The actual packet that is sent to the pier so again a lot of information that is extremely useful for troubleshooting site-to-site VPN connections or any type of IPSec a.

LEAVE A REPLY

Please enter your comment!
Please enter your name here