Testing and Troubleshooting IPSec


After IPSec has been set up, the last task is to verify and monitor the connection and parameters. Table 12.10 displays a list of show commands used to verify configuration settings. Table 12.11 displays a list of show, clear, and debug commands used to monitor or clear IPSec settings.

Table 12.10. show Configuration Commands

| Command | Description |
|---|---|
| show isakmp | This displays the ISAKMP policy settings, similar to the show running config or write terminal command. |
| show isakmp policy | This displays the default and any other policies created. |
| show crypto map | This displays the crypto maps created. |
| show crypto ipsec transform-set | This displays the configured transform sets. |
| show crypto ipsec security-association lifetime | This displays the global IPSec SA lifetime values. |

Table 12.11 displays a list of show, clear, and debug commands used to monitor or clear IPSec settings.

Table 12.11. show, clear, and debug IPSec Commands

| Command | Description |
|---|---|
| show isakmp sa | This displays a list of current statuses of IKE security associations. |
| show crypto ipsec sa | This displays very detailed information about crypto maps assigned to interfaces and traffic flowing across the maps. |
| clear crypto isakmp | This clears or resets the IKE security associations. |
| clear crypto ipsec sa | This clears or resets the IPSec security associations. |
| debug crypto isakmp | This command enables the debug feature of IKE communication between peers. |
| debug crypto ipsec | This command enables the debug feature between IPSec peers. |

When a PIX firewall is configured to support a VPN tunnel, the tunnel is not created until traffic needs to flow through it. This is similar to interesting traffic on a dial-on-demand interface, where the system does not dial until traffic actually needs to traverse the line. In addition, several of the PIX firewalls have VPN lights on their fronts, which show when a tunnel has been created.
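
The following added example (not from the book) shows how captured show isakmp sa output can be triaged with the commands from Table 12.11, including the case from the tip above where no SA exists yet because no traffic has matched. The column layout, the sample text, and the reading of the created column as the number of IPSec SAs built under the IKE SA are assumptions; the function names are hypothetical.

```python
import re

# Constructed sample in the column layout assumed for "show isakmp sa";
# the addresses are documentation ranges, not real peers.
SAMPLE = """\
Total     : 2
Embryonic : 1
        dst               src        state     pending     created
   192.0.2.1      198.51.100.7    QM_IDLE         0           1
   192.0.2.1      203.0.113.9     MM_KEY_EXCH     0           0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")


def parse_isakmp_sa(text):
    """Return one dict per IKE SA row; summary and header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dst, src, state, pending, created = m.groups()
            sas.append({"dst": dst, "src": src, "state": state,
                        "pending": int(pending), "created": int(created)})
    return sas


def assess(text):
    """Map each IKE SA to the next troubleshooting step from Table 12.11."""
    sas = parse_isakmp_sa(text)
    if not sas:
        # An empty list is expected until interesting traffic triggers the tunnel.
        return ["no IKE SA: send interesting traffic, then re-check"]
    findings = []
    for sa in sas:
        peer = f"{sa['dst']} <-> {sa['src']}"
        if sa["state"] != "QM_IDLE":
            findings.append(f"{peer}: phase 1 incomplete ({sa['state']}); "
                            "run debug crypto isakmp")
        elif sa["created"] == 0:
            findings.append(f"{peer}: phase 1 up, no IPSec SA; "
                            "check show crypto ipsec sa")
        else:
            findings.append(f"{peer}: up")
    return findings
```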




CSPFA Exam Cram 2 (Exam 642-521)
CCSP CSPFA Exam Cram 2 (Exam Cram 642-521)
ISBN: 0789730235
Year: 2003
Pages: 218