Diagnostic Commands and Tools


Just as with Cisco IOS routers, the show and debug commands are invaluable on PIX Firewall to troubleshoot the IPsec issue. In this section, we work through some of the most important commands that you can use to troubleshoot any IPsec issue on the PIX firewall.

show Commands

IPsec depends on successful policy negotiation. Even though IPsec peers are negotiating Internet Key Exchange (IKE) and IPsec parameters, if the policies do not match, the negotiations will result in failure. You can troubleshoot IKE and IPsec by using the following show commands:

  • show crypto isakmp This command shows the state information of phase I of the two-phased IPsec tunnel negotiation. Example 7-1 shows all the options available with this command on version 7.0.

    Example 7-1. show crypto isakmp Command Arguments

    PIX-A# show crypto isakmp ?   ipsec-over-tcp  Show IPsec over TCP data   sa              Show ISAKMP sas   stats           Show ISAKMP statistics   |               Output modifiers   <cr> PIX-A# 

    Table 7-1 summarizes the meaning of different arguments with this command as shown in Example 7-1.

    Table 7-1. show crypto isakmp Command Arguments

    Command Arguments

    Meaning of Arguments

    IPsec-over-tcp stats

    Shows various connection information of IPsec-over-TCP tunnel.

    sa

    Shows a summary of IKE Phase I SA state information. To see details, use the keyword detail after Security Association (SA) in the arguments.

    stats

    Provides various statistics of the Phase I SAs.


    Example 7-2 shows the output of the show crypto isakmp sa detail command on the PIX firewall, which contains an established phase I of LAN-to-LAN VPN tunnel.

    Example 7-2. show crypto isakmp sa on PIX-A Firewall

    PIX-A# show crypto isakmp sa detail    Active SA: 1     Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey) Total IKE SA: 1 1   IKE Peer: 172.16.172.163     Type    : L2L             Role    : initiator ! MM_ACTIVE indicates a successful IKE Phase I     Rekey   : no              State   : MM_ACTIVE     Encrypt : 3des            Hash    : MD5     Auth    : preshared       Lifetime: 43200     Lifetime Remaining: 43177 PIX-A# 

  • show crypto ipsec This command shows the state information of phase II for the IPsec tunnel. Example 7-3 shows the arguments available for the show crypto ipsec command and all the arguments available for this command.

    Example 7-3. show crypto ipsec Command Arguments

    PIX-A# show crypto ipsec ?   df-bit        Show IPsec DF policy   fragmentation Show IPsec fragmentation policy   sa            Show IPsec SAs   stats         Show IPsec global statistics PIX-A# 

    Table 7-2 summarizes the arguments available with the show crypto ipsec command.

    Table 7-2. show crypto ipsec Command Arguments

    Arguments

    Meaning

    df-bit

    Shows the details of IPsec DF policy.

    fragmentation

    Shows details of IPsec fragmentation policy.

    sa

    Shows the phase II establishment, in addition to the counters for packets encryption and decryption of an IPsec tunnel. This information is veryuseful.

    stats

    Shows the statistics of the phase II connection information.


    Example 7-4 shows the show crypto ipsec sa command output for a successful LAN-to-LAN tunnel.

    Example 7-4. Phase II SA Output With show crypto ipsec sa Command

    PIX-A# show crypto ipsec sa interface: outside     Crypto map tag: mymap, local addr: 172.16.172.164 ! Following are the networks defined to be protected by the LAN-to-LAN tunnel.       local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)       remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)       current_peer: 172.16.172.163 ! Following two lines indicates that packets are encrypting and decrypting fine ! through the LAN-to-LAN tunnel.       #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4       #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4       #pkts compressed: 0, #pkts decompressed: 0       #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0       #send errors: 0, #recv errors: 0       local crypto endpt.: 172.16.172.164, remote crypto endpt.: 172.16.172.163       path mtu 1500, ipsec overhead 60, media mtu 1500       current outbound spi: 6BA480CE ! Following SA is for inbound connection     inbound esp sas:       spi: 0x2A29F111 (707391761)          transform: esp-3des esp-md5-hmac          in use settings ={L2L, Tunnel, }          slot: 0, conn_id: 2, crypto-map: mymap          sa timing: remaining key lifetime (kB/sec): (4274999/28244)          IV size: 8 bytes          replay detection support: Y ! Following SA is for outbound connection     outbound esp sas:       spi: 0x6BA480CE (1805942990)          transform: esp-3des esp-md5-hmac          in use settings ={L2L, Tunnel, }          slot: 0, conn_id: 2, crypto-map: mymap          sa timing: remaining key lifetime (kB/sec): (4274999/28241)          IV size: 8 bytes          replay detection support: Y PIX-A# 

  • show commands for configuration You can verify various configurations of IPsec with the command show running-config commands. The commands can be isakmp, crypto, and so on. Example 7-5 shows how to check the Internet Security Association and Key Management Protocol (ISAKMP) configuration.

    Example 7-5. The isakmp Configuration on the PIX Firewall

    PIX-A# show running-config isakmp | include 10 isakmp policy 10 authentication pre-share isakmp policy 10 encryption 3des isakmp policy 10 hash md5 isakmp policy 10 group 2 isakmp policy 10 lifetime 43200 PIX-A# 

    Various configuration checks pertaining to IPsec tunnel can be verified with different command options, which are explained in the chapter when the topic is relevant.

debug Commands

IPsec depends on successful policy negotiation. While IPsec peers are negotiating IKE and IPsec parameters, if the policies do not match, the negotiations will result in failure. You can troubleshoot IPsec by using the following commands:

  • debug crypto isakmp <1255> Shows the detailed information on phase I in IPsec tunnel build-up process. The level of debug output ranges from 1 to 255, with 1 as the lowest and 255 as the highest.

  • debug crypto ipsec <1255> Provides detailed information on the phase II negotiation of the IPsec tunnel build-up process. The level of debug output ranges from 1 to 255, with 1 as the lowest and 255 as the highest.

  • debug crypto engine <1255> Shows debug messages for crypto engine-related error operations. The level of debug output ranges from 1 to 255, with 1 as the lowest and 255 as the highest.

From the debug error messages, you can determine what part of the negotiation is failing and correct the appropriate parameter. The amount of detail that you will get from the debug commands output depends on the level you set to run the debug commands. Table 7-3 summarizes different levels of debug commands and the amount of detail you will receive in the output of the debug commands.

Table 7-3. Debug Level Explanation for IPsec

Event Levels

Explanation

1-3 = WARNING and FAULT

Provides the highest-priority severity indicating a potentially serious problem, CRASH or non-recoverable error.

2 = INFORMATIONAL

Provides the lowest level of information. For example user connect/disconnect.

3-4 = INFORMATIONAL

Provides more information than Level 2. Level 3 provides information about Phase 1 and 2 completion. It also provides information about user connection failure. Level 4 provides more details on connect/disconnect of the VPN tunnel.

5-7 = DEBUG

Level 5 provides the lowest level of debugging information. More information is provided by 6 and 7.

8

High-Level Header Decode.

9

Low-Level Header Decode.

10

Hex Dump of Header.

11, 254, 255

Hex Dump of Packet. Debug level 254 specifies IKE packets decode. This displays a sniffer-like decoding of fields and values for each IKE packet. 255 specifies an IKE packet dump, which displays the octets within the packets.


Note

Most of the IPsec problems can be diagnosed by running debug at level 5. Sometimes you may need to run the debug at level 7, but rarely will you need to run the debug at a level higher than 7. Debug Level 8-255 is used by the Cisco Developer for issues with the IPsec tunnel.




Cisco Network Security Troubleshooting Handbook
Cisco Network Security Troubleshooting Handbook
ISBN: 1587051893
EAN: 2147483647
Year: 2006
Pages: 190
Authors: Mynul Hoda

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net