There are two new IPsec troubleshooting features you can use in the IOS:
The following three sections will discuss both of these features.
IPsec VPN Monitoring Feature
IPsec VPN monitoring is a feature new in IOS 12.3(4)T. This feature allows you to monitor VPN sessions to provide for enhanced troubleshooting. These enhancements include:
The following two sections will discuss these enhancements.
Configuring IKE Peer Descriptions
To configure IKE peer descriptions, use the following configuration:
Router(config)# crypto isakmp peer {address peer_IP_address | hostname peer_hostname} Router(config-isakmp-peer)# description description
You first must specify the identity of the peer (based on the configuration of the crypto isakmp identity command), which takes you into a subcommand mode. The description command allows you to assign a 80-character description, including spaces, for the remote peer. This description will then appear in the output of various show commands.
Note
If multiple remote peers sit behind the same PAT device, you cannot use address as an identity type for a description, since they'll all have the same IP address.
Seeing Peer Descriptions in show Commands
There are two show commands that take advantage of the use of descriptions:
Example 19-17. Using the show crypto isakmp peer Command
RTRA# show crypto isakmp peer Peer: 192.1.1.42 Port: 500 Local: 192.1.1.40 Description: Connection to SiteA Phase1 id: 192.1.1.42
Example 19-18. Using the show crypto session Command
RTRA# show crypto session Crypto session current status Interface: Ethernet0/0 Session status: UP-ACTIVE Peer: 192.1.1.42 port 500 IKE SA: local 192.1.1.40/500 remote 192.1.1.42/500 Active IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.3.0/255.255.255.0 Active SAs: 2, origin: crypto map
IKE SA |
IPsec SAs |
VPN Tunnel Status |
---|---|---|
Exists, active |
Exists (flow exists) |
UP-ACTIVE |
Exists, active |
None (flow exists) |
UP-IDLE |
Exists, active |
None (no flow exists) |
UP-IDLE |
Exists, inactive |
Exists (flow exists) |
UP-NO-IKE |
Exists, inactive |
None (flow exists) |
DOWN-NEGOTIATING |
Exists, inactive |
None (no flow) |
DOWN-NEGOTIATING |
None |
Exists (flow exists) |
UP-NO-IKE |
None |
None (flow exists) |
DOWN |
None |
None (no flow exists) |
DOWN |
Example 19-19. Using the show crypto session detail Command
RTRA# show crypto session detail Crypto session current status Code: C - IKE Configuration mode, D - Dead Peer Detection K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication Interface: Ethernet0/0 Session status: UP-ACTIVE Peer: 192.1.1.42 port 500 fvrf: (none) ivrf: (none) Desc: Connection to SiteA Phase1_id: 192.1.1.42 IKE SA: local 192.1.1.40/500 remote 192.1.1.42/500 Active Capabilities:D connid:2 lifetime:23:48:48 IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.3.0/255.255.255.0 Active SAs: 2, origin: crypto map Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4479991/2929 Outbound: #pkts enc'ed 9 drop 0 life (KB/Sec) 4479991/2929
Tip
I prefer to use the show crypto isakmp peer command over the show crypto isakmp sa command because the former gives me a brief description of the connection. I also prefer to use the show crypto session command over the show crypto ipsec sa command because the former easily summarizes the important information in a short display. The latter display is too verbose for me for a quick determination of whether either the Phase 1 or 2 SAs have been established.
Clearing Crypto Sessions
Another new feature introduced with the IKE description feature is the ability to delete all IKE and IPsec SAs associated with all peers or a specific peer. Before this enhancement, you had to delete the management and data SAs individually. Use the following command to delete all SAs associated with a peer or peers:
Router# clear crypto session [local local_IP_address [port local-port]] [remote ip-address [port remote-port]]
When you execute this command, the session(s) torn down will have "DOWN-NEGOTIATING" as the status in the output of the show crypto session command, indicating that the SAs are either completely down or in the process of being brought back up.
Invalid Security Parameter Index Recovery Feature
The invalid security parameter index (SPI) recovery feature was introduced in IOS 12.3(2)T and integrated into 12.2(18)SXE. This feature allows the router to recover from an invalid security parameter index error (displayed as Invalid SPI in the output of the debug crypto ipsec command. With this feature, the IPsec peers can resynchronize their SA databases and successfully bring up the data connections. The following two sections will discuss more information about how an invalid SPI condition can occur and how to enable the feature.
Invalid SPI Condition and the Invalid SPI Recovery Feature
An invalid SPI condition can occur if one IPsec peer dies (is shut down, is rebooted, has its interface reset, loses its management connection to a peer, and so on) and has an existing IPsec session to a remote peer. The remote peer still might try to use the SA even though a new one is built (with a new SA). The old SPI value from the old SA is no longer in the local peer, and the peer will respond with an "INVALID SPI NOTIFY" message to the remote peer, indicating that the data SA that the remote peer is trying to use is no longer available. The local peer's default action is to continue dropping traffic from the invalid SA (commonly referred to as a "black hole").
Upon receiving the "INVALID SPI NOTIFY" message, the default behavior of the local peer is to drop traffic. With the recovery feature enabled on both routers, the remote router will understand that an abnormal condition occurred with the local peer and that the remote peer should delete the existing SAs and establish new ones.
Note
Dead Peer Detection (DPD) can also detect this problem; however, DPD might take longer to detect it, depending on the keepalive interval. The Invalid SPI Recovery feature is more similar to the Initial Contact supported by Easy VPN devices.
Invalid SPI Recovery Configuration
To enable the invalid SPI recovery feature, use the following command:
Router(config)# crypto isakmp invalid-spi-recovery
This should be configured on all IOS routers that have peer relationships. Once enabled, you can use the debug crypto ipsec and show crypto ipsec sa commands to verify that the feature is enabled. When an invalid SPI condition exists, you'll see a message similar to Example 19-20, where the destination and source addresses are replaced by the peer addresses. In this example, a data SA using ESP was determined to be invalid.
Example 19-20. Message from an Invalid SPI Condition
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x1214F0D(18960141), srcaddr=y.y.y.y
Tip
To test the configuration of the invalid SPI recovery feature, from the local peer, bring up an IPsec session to a remote peer (if one doesn't exist). On the local peer, execute the debug crypto ipsec command. Clear the Phase 1 and 2 SAs on the remote peer. From the local peer, send traffic to the remote peer. A small number of packets might be dropped, but on the remote peer you should see the message in Example 19-20 and on the local peer you should see the old data SAs torn down from the debug output and new ones built.
Caution
A denial of service (DoS) attack can occur if the invalid SPI recovery is enabled. The feature has a built-in mechanism to reduce the likelihood of this occurring, but there is still a chance that a DoS can occur; therefore, Cisco has disabled this feature by default, requiring you to enable it manually.
Part I: VPNs
Overview of VPNs
VPN Technologies
IPsec
PPTP and L2TP
SSL VPNs
Part II: Concentrators
Concentrator Product Information
Concentrator Remote Access Connections with IPsec
Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN
Concentrator Site-to-Site Connections
Concentrator Management
Verifying and Troubleshooting Concentrator Connections
Part III: Clients
Cisco VPN Software Client
Windows Software Client
3002 Hardware Client
Part IV: IOS Routers
Router Product Information
Router ISAKMP/IKE Phase 1 Connectivity
Router Site-to-Site Connections
Router Remote Access Connections
Troubleshooting Router Connections
Part V: PIX Firewalls
PIX and ASA Product Information
PIX and ASA Site-to-Site Connections
PIX and ASA Remote Access Connections
Troubleshooting PIX and ASA Connections
Part VI: Case Study
Case Study
Index