Diagnostic Commands and Tools

Just as with Cisco IOS routers, the show and debug commands are invaluable on the PIX Firewall for troubleshooting IPsec issues. In this section, we work through some of the most important commands that you can use to troubleshoot any IPsec issue on the PIX firewall.

show Commands

IPsec depends on successful policy negotiation. Even though IPsec peers are negotiating Internet Key Exchange (IKE) and IPsec parameters, if the policies do not match, the negotiations will result in failure. You can troubleshoot IKE and IPsec by using the following show commands:

  • show crypto isakmp This command shows the state information of phase I of the two-phased IPsec tunnel negotiation. Example 7-1 shows all the options available with this command on version 7.0.

    Example 7-1. show crypto isakmp Command Arguments

    PIX-A# show crypto isakmp ?
    ipsec-over-tcp Show IPsec over TCP data
    sa Show ISAKMP sas
    stats Show ISAKMP statistics
    | Output modifiers

    PIX-A#

    Table 7-1 summarizes the meaning of different arguments with this command as shown in Example 7-1.

    Table 7-1. show crypto isakmp Command Arguments

    Argument              Meaning
    --------------------  ----------------------------------------------------------------
    ipsec-over-tcp stats  Shows connection information for the IPsec-over-TCP tunnel.
    sa                    Shows a summary of the IKE Phase I SA state. Append the keyword
                          detail (show crypto isakmp sa detail) to see the full SA details.
    stats                 Provides various statistics of the Phase I SAs.


    Example 7-2 shows the output of the show crypto isakmp sa detail command on a PIX firewall that has an established Phase I SA for a LAN-to-LAN VPN tunnel.

    Example 7-2. show crypto isakmp sa on PIX-A Firewall

    PIX-A# show crypto isakmp sa detail

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: 172.16.172.163
    Type : L2L Role : initiator
    ! MM_ACTIVE indicates a successful IKE Phase I
    Rekey : no State : MM_ACTIVE
    Encrypt : 3des Hash : MD5
    Auth : preshared Lifetime: 43200
    Lifetime Remaining: 43177
    PIX-A#

  • show crypto ipsec This command shows the state information of phase II of the IPsec tunnel. Example 7-3 shows all the arguments available for the show crypto ipsec command.

    Example 7-3. show crypto ipsec Command Arguments

    PIX-A# show crypto ipsec ?

    df-bit Show IPsec DF policy
    fragmentation Show IPsec fragmentation policy
    sa Show IPsec SAs
    stats Show IPsec global statistics
    PIX-A#

    Table 7-2 summarizes the arguments available with the show crypto ipsec command.

    Table 7-2. show crypto ipsec Command Arguments

    Argument       Meaning
    -------------  ---------------------------------------------------------------------
    df-bit         Shows the details of the IPsec DF policy.
    fragmentation  Shows the details of the IPsec fragmentation policy.
    sa             Shows the Phase II SAs, including the packet encryption and decryption
                   counters of an IPsec tunnel. This information is very useful.
    stats          Shows the statistics of the Phase II connections.


    Example 7-4 shows the show crypto ipsec sa command output for a successful LAN-to-LAN tunnel.

    Example 7-4. Phase II SA Output With show crypto ipsec sa Command

    PIX-A# show crypto ipsec sa
    interface: outside
    Crypto map tag: mymap, local addr: 172.16.172.164

    ! Following are the networks defined to be protected by the LAN-to-LAN tunnel.
    local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
    current_peer: 172.16.172.163

    ! The following two lines indicate that packets are being encrypted and decrypted
    ! correctly through the LAN-to-LAN tunnel.

    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: 172.16.172.164, remote crypto endpt.: 172.16.172.163
    path mtu 1500, ipsec overhead 60, media mtu 1500
    current outbound spi: 6BA480CE
    ! Following SA is for inbound connection
    inbound esp sas:
    spi: 0x2A29F111 (707391761)
    transform: esp-3des esp-md5-hmac
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 2, crypto-map: mymap
    sa timing: remaining key lifetime (kB/sec): (4274999/28244)
    IV size: 8 bytes
    replay detection support: Y
    ! Following SA is for outbound connection
    outbound esp sas:
    spi: 0x6BA480CE (1805942990)
    transform: esp-3des esp-md5-hmac
    in use settings ={L2L, Tunnel, }
    slot: 0, conn_id: 2, crypto-map: mymap
    sa timing: remaining key lifetime (kB/sec): (4274999/28241)
    IV size: 8 bytes
    replay detection support: Y
    PIX-A#

  • show commands for configuration You can verify the various parts of the IPsec configuration with show running-config <command>, where <command> is isakmp, crypto, and so on. Example 7-5 shows how to check the Internet Security Association and Key Management Protocol (ISAKMP) configuration.

    Example 7-5. The isakmp Configuration on the PIX Firewall

    PIX-A# show running-config isakmp | include 10
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash md5
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 43200
    PIX-A#

    Other configuration checks for the IPsec tunnel use different command options; they are explained later in the chapter where the topic is relevant.
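When the same tunnel has to be checked repeatedly (after each change, or across many peers), it helps to read the two show outputs above programmatically rather than by eye. The following Python script is an added example, not code from the book or from Cisco: it parses output in the format of Example 7-2 (show crypto isakmp sa detail) and Example 7-4 (show crypto ipsec sa) and reports the usual failure signs, namely no IKE SA, an IKE SA that is not in MM_ACTIVE, a Phase II SA with no traffic, one-way traffic (encaps advancing while decaps stays at zero, or the reverse), and send/recv errors. The sample outputs embedded in it are constructed for the example; the counter values are made up.

```python
import re

# Constructed sample output in the format of Examples 7-2 and 7-4 (the values
# are made up for this example; they are not captures from the book's PIX-A).
ISAKMP_SA_DETAIL = """\
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 172.16.172.163
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 43200
Lifetime Remaining: 43177
"""

# Healthy tunnel: encaps and decaps counters are both advancing.
IPSEC_SA_OK = """\
interface: outside
Crypto map tag: mymap, local addr: 172.16.172.164

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 172.16.172.163

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
"""

# One-way tunnel: we encrypt towards the peer but never decrypt anything back.
IPSEC_SA_ONE_WAY = IPSEC_SA_OK.replace(
    "#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")


def parse_isakmp_sa(text):
    """Return one dict per IKE peer block of 'show crypto isakmp sa detail'.

    Keys are the lower-cased field names (state, encrypt, hash, auth, ...)."""
    peers = []
    for block in re.split(r"\n\s*\n", text.strip()):
        peer = re.search(r"IKE Peer:\s*(\S+)", block)
        if not peer:
            continue  # the summary block (Active SA / Rekey SA / Total) has no peer
        entry = {"peer": peer.group(1)}
        # Fields are 'Name : value' pairs, sometimes two per line.
        for name, value in re.findall(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)", block):
            entry[name.strip().lower()] = value
        peers.append(entry)
    return peers


def parse_ipsec_counters(text):
    """Pull the '#pkts ...' and '#... errors' counters out of 'show crypto ipsec sa'."""
    pattern = r"#(pkts [a-z ]+?|send errors|recv errors):\s*(\d+)"
    return {name: int(value) for name, value in re.findall(pattern, text)}


def tunnel_health(isakmp_text, ipsec_text):
    """Return a list of findings; an empty list means both phases look healthy."""
    findings = []
    peers = parse_isakmp_sa(isakmp_text)
    if not peers:
        findings.append("no IKE SA: Phase I never completed (check isakmp policy, "
                        "pre-shared key and reachability of the peer)")
    for p in peers:
        # MM_ACTIVE (main mode) is the established state shown in Example 7-2;
        # AM_ACTIVE is the aggressive-mode equivalent. Anything else means
        # Phase I is still in progress or stuck.
        if not p.get("state", "").endswith("_ACTIVE"):
            findings.append(f"IKE SA with {p['peer']} is in state {p.get('state')}, not ACTIVE")
    c = parse_ipsec_counters(ipsec_text)
    if "pkts encaps" not in c:
        findings.append("no IPsec SA counters found: Phase II did not complete")
        return findings
    encaps, decaps = c["pkts encaps"], c.get("pkts decaps", 0)
    if encaps == 0 and decaps == 0:
        findings.append("Phase II SA carries no traffic: nothing has matched it yet")
    elif encaps > 0 and decaps == 0:
        findings.append("one-way traffic: we encapsulate towards the peer but decapsulate "
                        "nothing (check the peer's crypto ACL and its routing back to us)")
    elif decaps > 0 and encaps == 0:
        findings.append("one-way traffic: we decapsulate from the peer but never encapsulate "
                        "(check our crypto ACL and routing towards the protected network)")
    for err in ("send errors", "recv errors"):
        if c.get(err, 0):
            findings.append(f"{c[err]} {err} on the IPsec SA")
    return findings


if __name__ == "__main__":
    for label, ipsec in (("healthy", IPSEC_SA_OK), ("one-way", IPSEC_SA_ONE_WAY)):
        print(label, tunnel_health(ISAKMP_SA_DETAIL, ipsec) or ["OK"])
```

Run as-is, the script reports the healthy sample as OK and flags the constructed one-way sample; on a real firewall you would paste the two command outputs in place of the constants. The state check accepts any *_ACTIVE state so that aggressive-mode tunnels are not reported as failures.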

debug Commands

IPsec depends on successful policy negotiation. While IPsec peers are negotiating IKE and IPsec parameters, if the policies do not match, the negotiations will result in failure. You can troubleshoot IPsec by using the following commands:

  • debug crypto isakmp <1-255> Shows the detailed information on phase I in the IPsec tunnel build-up process. The level of debug output ranges from 1 to 255, with 1 as the lowest and 255 as the highest.

  • debug crypto ipsec <1-255> Provides detailed information on the phase II negotiation of the IPsec tunnel build-up process. The level of debug output ranges from 1 to 255, with 1 as the lowest and 255 as the highest.

  • debug crypto engine <1-255> Shows debug messages for crypto engine-related error operations. The level of debug output ranges from 1 to 255, with 1 as the lowest and 255 as the highest.
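Before the debug commands are switched on, the most common Phase I failure, a policy mismatch, can be confirmed directly from the configuration. The following Python script is an added example, not code from the book or from Cisco: it parses isakmp policy lines in the format of Example 7-5 for both peers, looks for the first pair of policies whose authentication, encryption, hash and group agree, and otherwise lists which attributes differ for each pair. The two configuration fragments it contains are constructed for the example; the peer values are invented.

```python
import re

# Constructed running-config fragments in the format of Example 7-5. The values
# are invented for this example; they are not from the book's devices.
# The local firewall offers two policies, the peer only one.
PIX_A_ISAKMP = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 43200
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
"""

PEER_ISAKMP = """\
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
"""

# Attributes that must agree for a Phase I proposal to be accepted. Lifetime is
# deliberately excluded: a lifetime difference does not cause a mismatch, the
# shorter of the two values is used.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")


def parse_isakmp_policies(config):
    """Map priority -> {attribute: value} from 'isakmp policy <n> <attr> <value>' lines."""
    policies = {}
    for m in re.finditer(r"^isakmp policy (\d+) (\S+) (\S+)\s*$", config, re.MULTILINE):
        prio, attr, value = m.groups()
        policies.setdefault(int(prio), {})[attr] = value
    return policies


def diff_policy(local, remote):
    """Return the attribute names on which two single policies disagree."""
    return [a for a in MATCH_ATTRS if local.get(a) != remote.get(a)]


def find_matching_policy(local, remote):
    """Return (local_prio, remote_prio) of the first agreeing pair, or None.

    Policies are tried lowest priority number first, which is the order in
    which IKE prefers them."""
    for lp in sorted(local):
        for rp in sorted(remote):
            if not diff_policy(local[lp], remote[rp]):
                return lp, rp
    return None


def explain_mismatch(local, remote):
    """For every local/remote pair, list the attributes that prevent a match."""
    return [(lp, rp, diff_policy(local[lp], remote[rp]))
            for lp in sorted(local) for rp in sorted(remote)]


if __name__ == "__main__":
    local = parse_isakmp_policies(PIX_A_ISAKMP)
    remote = parse_isakmp_policies(PEER_ISAKMP)
    match = find_matching_policy(local, remote)
    if match:
        print("Phase I can succeed: local policy %d matches remote policy %d" % match)
    else:
        for lp, rp, diff in explain_mismatch(local, remote):
            print(f"local {lp} vs remote {rp}: differs in {', '.join(diff)}")
```

With the sample fragments the script finds that local policy 20 matches the peer's policy 10; remove policy 20 from the local fragment and it reports that encryption and hash differ, which is exactly the parameter pair the debug output would show being rejected.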

From the debug error messages, you can determine what part of the negotiation is failing and correct the appropriate parameter. The amount of detail that you will get from the debug commands output depends on the level you set to run the debug commands. Table 7-3 summarizes different levels of debug commands and the amount of detail you will receive in the output of the debug commands.

Table 7-3. Debug Level Explanation for IPsec

Event Level(s)           Explanation
-----------------------  --------------------------------------------------------------
1-3 = WARNING and FAULT  Highest-priority severity, indicating a potentially serious
                         problem, crash, or non-recoverable error.
2 = INFORMATIONAL        Lowest level of information, for example user connect/disconnect.
3-4 = INFORMATIONAL      More information than level 2. Level 3 reports Phase 1 and
                         Phase 2 completion and user connection failures; level 4 gives
                         more detail on connect/disconnect of the VPN tunnel.
5-7 = DEBUG              Level 5 is the lowest level of debugging information; levels 6
                         and 7 provide more.
8                        High-level header decode.
9                        Low-level header decode.
10                       Hex dump of header.
11, 254, 255             Hex dump of packet. Level 254 decodes IKE packets, showing a
                         sniffer-like decoding of the fields and values of each IKE
                         packet; level 255 dumps the octets within each IKE packet.


Note

Most IPsec problems can be diagnosed by running debug at level 5. Sometimes you may need to run the debug at level 7, but rarely will you need a level higher than 7. Debug levels 8-255 are used by Cisco developers to work on issues with the IPsec tunnel.