Hoot and Holler over V3PN Configuration Example
OL-6573-01

crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: FFFFFFFF
crypto engine state: installed
crypto engine in slot: N/A

Troubleshoot
This section provides information you can use to confirm that your configuration is working properly.
See the following tech notes:
• IP Security Troubleshooting - Understanding and Using debug Commands

Troubleshooting Commands
Note: Before issuing debug commands, please see Important Information on Debug Commands.
The following debug commands must be running on both IPSec routers (peers). Security associations must be cleared on both peers.
• debug crypto engine—Displays information pertaining to the crypto engine, such as when the Cisco IOS software is performing encryption or decryption operations.
• debug crypto ipsec—Displays IPSec negotiations of phase 2.
• debug crypto isakmp—Displays ISAKMP negotiations of phase 1.
• debug ip pim auto-rp—Displays the contents of each PIM packet used in the automatic discovery of group-to-rendezvous point (RP) mapping as well as the actions taken on the address-to-RP mapping database.
• clear crypto isakmp—Clears the security associations related to phase 1.
• clear crypto sa—Clears the security associations related to phase 2.

The following is an example of output for the debug crypto isakmp and debug crypto ipsec commands. Relevant display output is shown in bold text, and comments are preceded by an exclamation point and shown in italics.
router# debug crypto isakmp
router# debug crypto ipsec
Jul 29 16:06:33.619 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500 sport 500 Global (I) MM_SA_SETUP
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3  New State = IKE_I_MM4
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1): processing KE payload. message ID = 0
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing NONCE payload. message ID = 0
Jul 29 16:06:33.635 PDT: ISAKMP: Looking for a matching key for 10.32.150.46 in default : success
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):found peer pre-shared key matching 10.32.150.46
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):SKEYID state generated
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing vendor id payload
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): vendor ID is Unity
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1): processing vendor id payload
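
When debug crypto isakmp output is captured from both peers, it helps to reduce it to the Phase 1 facts that matter: which peer sent the packet, which state transition occurred, and whether a pre-shared key was found. The Python sketch below is an added example, not part of the original Cisco document; the function names and summary fields are assumptions, and the sample lines are taken from the output above with their line wraps kept to show how wrapped lines are rejoined.

```python
import re

# Constructed sample: lines taken from the debug output above, line wraps kept.
SAMPLE = """\
Jul 29 16:06:33.619 PDT: ISAKMP (0:134217730): received packet from 10.32.150.46 dport 500
sport 500 Global (I) MM_SA_SETUP
Jul 29 16:06:33.619 PDT: ISAKMP:(0:2:SW:1):Old State = IKE_I_MM3
New State = IKE_I_MM4
Jul 29 16:06:33.635 PDT: ISAKMP: Looking for a matching key for 10.32.150.46 in default :
success
Jul 29 16:06:33.635 PDT: ISAKMP:(0:2:SW:1):SKEYID state generated
"""

STAMP = re.compile(r"^(\w{3} +\d+ [\d:.]+ \w+): (.*)$")
PEER = re.compile(r"received packet from (\S+) dport")
STATE = re.compile(r"Old State = (\S+)\s+New State = (\S+)")
KEY = re.compile(r"Looking for a matching key for (\S+) in \S+ : (\w+)")


def join_wrapped(text):
    """Append lines without a timestamp prefix to the preceding record."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def summarize(text):
    """Hypothetical helper: collect Phase 1 facts from debug crypto isakmp text."""
    out = {"peers": [], "transitions": [], "key_lookup": {}, "skeyid": False}
    for record in join_wrapped(text):
        stamped = STAMP.match(record)
        if not stamped:
            continue  # leading fragment with no timestamp
        when, msg = stamped.groups()
        if (m := PEER.search(msg)) and m.group(1) not in out["peers"]:
            out["peers"].append(m.group(1))
        if m := STATE.search(msg):
            out["transitions"].append((when, m.group(1), m.group(2)))
        if m := KEY.search(msg):
            out["key_lookup"][m.group(1)] = m.group(2)
        out["skeyid"] = out["skeyid"] or "SKEYID state generated" in msg
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running the same summary over captures from both peers and comparing the transitions by timestamp shows at which Main Mode state the two sides stop agreeing.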