Re: IPSec tunnels [7:34742]
Patrick,

What you can also do is, when you're within the PIX, issue the command show crypto ipsec sa. What you're looking for is the Outbound/Inbound SPIs (Security Parameters Index); this is a 32-bit number that is negotiated between the peers during the IPSec SA negotiation. There are 2 SAs for each IPSec peer per IP subnet and they are uni-directional (inbound/outbound).

What you should see is that on the PIX side your outbound SPI will be equal to the inbound on the Concentrator side, and the PIX inbound SPI will be equal to the outbound on the Concentrator side.

If these are equal, then you can look at the IPSec SA counters with the same command (show crypto ipsec sa) and look at the traffic counters, and you should see the enciphering and the deciphering of data on both sides. For example, use ping with a set packet count and verify on both sides that the enciphering/deciphering of data is happening between the 2 peers.

Check those out and give us an update. HTH.

Thanks,
- jek

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34968t=34742
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
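The SPI and counter comparison described in the reply above, as an added example that is not part of the original post. The sample text is constructed and only modelled on the general layout of show crypto ipsec sa output; the concentrator-side SPIs are assumed to be read off its monitoring screens and entered by hand.

```python
import re

# Constructed sample, modelled on the layout of `show crypto ipsec sa`.
# Addresses, SPIs and counters are made up for illustration.
PIX_SA = """\
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer: 192.0.2.2
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     inbound esp sas:
      spi: 0x3c4d5e6f(1011703407)
     outbound esp sas:
      spi: 0x1a2b3c4d(439041101)
"""

def parse_sa(text):
    """Extract the ESP SPIs and encaps/decaps counters from one SA block."""
    sa, direction = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(inbound|outbound) (\w+) sas:", line)
        if m:  # only track SPIs listed under the ESP sections
            direction = m.group(1) if m.group(2) == "esp" else None
        elif direction and (m := re.match(r"spi: (0x[0-9a-fA-F]+)", line)):
            sa[direction + "_spi"] = int(m.group(1), 16)
        for name, value in re.findall(r"#pkts (encaps|decaps): (\d+)", line):
            sa[name] = int(value)
    return sa

def check_tunnel(pix, peer, pings_sent):
    """Return the problems found. Counters are cumulative, so this assumes
    a fresh SA (or counters noted before the ping run)."""
    problems = []
    if pix.get("outbound_spi") != peer.get("inbound_spi"):
        problems.append("PIX outbound SPI != peer inbound SPI")
    if pix.get("inbound_spi") != peer.get("outbound_spi"):
        problems.append("PIX inbound SPI != peer outbound SPI")
    if pix.get("encaps", 0) < pings_sent:
        problems.append("PIX did not encapsulate every ping")
    if pix.get("decaps", 0) < pings_sent:
        problems.append("PIX did not decapsulate every reply")
    return problems

if __name__ == "__main__":
    # Peer-side values are constructed; in practice they come from the concentrator.
    peer = {"inbound_spi": 0x1A2B3C4D, "outbound_spi": 0x3C4D5E6F}
    for problem in check_tunnel(parse_sa(PIX_SA), peer, pings_sent=5):
        print(problem)
```

With the sample above the SPIs pair up correctly but nothing is being decapsulated, which points at the return path rather than at the SA negotiation.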
IPSec tunnels [7:34742]
Hi All

I'm looking for some information on how to verify the configuration of a PIX with an IPsec tunnel to a VPN concentrator. I have a tunnel that keeps bouncing. I think that instabilities across the internet could be causing some of the problems, as I see the path changing quite a lot from the Netherlands to Dubai. I can't find the command(s), or understand the ones I've used, which tell me whether the tunnel is up on the PIX. I can see from the concentrator that it's down, but I want to know about the PIX too.

Any other advice is appreciated.

Cheers
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34742t=34742
RE: IPSec tunnels [7:34742]
On the concentrator I would go into Monitoring-Filterable Event Log and change the address to be the remote IP address. See if it gathers any errors.

On the PIX, there are several commands.

1) Show Crypto Engine. This command will show you if it thinks a tunnel is up.
2) Show crypto ipsec sa. Shows the SA that has been negotiated with the VPN concentrator.
3) Show crypto isakmp policy. Make sure that both devices agree on the isakmp policy completely.
4) Debug Crypto isakmp. Make sure you have logging debug enabled! Also, if this is a very active PIX, you will need to redirect this to a syslog server and then parse that file.
5) debug crypto ipsec sa (verify on your PIX). Same as above on logging.

I found a very good book that will go over what it is you're doing and some common mistakes. It's brand new (2002): Cisco Secure Virtual Private Networks. I am in no way affiliated with the author or Cisco Press, I just found it an excellent book for those wanting to really understand IPSec.

Thanks
Larry Roberts
CCNP
Expanets

-----Original Message-----
From: Patrick Donlon
Sent: Thursday, February 07, 2002 7:50 AM
Subject: IPSec tunnels [7:34742]

Hi All

I'm looking for some information on how to verify the configuration of a PIX with an IPsec tunnel to a VPN concentrator. I have a tunnel that keeps bouncing. I think that instabilities across the internet could be causing some of the problems, as I see the path changing quite a lot from the Netherlands to Dubai. I can't find the command(s), or understand the ones I've used, which tell me whether the tunnel is up on the PIX. I can see from the concentrator that it's down, but I want to know about the PIX too.

Any other advice is appreciated.

Cheers
Pat

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34749t=34742
Re: IPSec tunnels [7:34742]
Make sure you're running keepalives; dead-peer-detection should keep it in order.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7i=34767t=34742