show firewall policy internet
show firewall policy corp
From these commands, if you have the map in hand, you may compare the current configured policy to the map with the following commands:
show ip in br
show ike po
show crypto ike policy all
show crypto ipsec policy all
show ip route
show firewall policy internet
show firewall policy corp
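The comparison step above (checking that the policy each peer has configured agrees with the map and with its partner) can be scripted once the show output has been captured from both routers. The following Python example is added here and is not Avaya code; the "show crypto ike policy" text it parses is a constructed "Attribute: value" layout, so parse_policy() must be adapted to the router's real output format. It goes slightly beyond the page by also flagging weak algorithm choices that a reviewer would want to catch while the two configurations are side by side.

```python
"""Compare the IKE policy attributes configured on two VPN peers.

Added example, not Avaya code. The sample output below is CONSTRUCTED:
real 'show crypto ike policy all' output is laid out differently, so
adjust LINE_RE / parse_policy() to match the router's actual text.
"""
import re

# Constructed sample output (not real router output) from each peer.
PEER_A_IKE = """\
Policy name: to-corp
  Peer address: 203.0.113.2
  Encryption: aes256
  Hash: sha1
  DH group: 14
  Lifetime: 28800
"""

PEER_B_IKE = """\
Policy name: to-hq
  Peer address: 198.51.100.1
  Encryption: aes128
  Hash: sha1
  DH group: 14
  Lifetime: 86400
"""

# Attributes that must be identical on both peers for phase 1 to succeed.
MUST_MATCH = ("encryption", "hash", "dh group")
# Attributes that may legitimately differ; a difference is only a warning.
SOFT_MATCH = ("lifetime",)
# Values worth flagging as weak whether or not the peers agree on them.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "dh group": {"1", "2", "5"}}

LINE_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$")


def parse_policy(text):
    """Turn 'Attribute: value' lines into a dict with lower-cased keys/values."""
    policy = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            policy[m.group(1).lower()] = m.group(2).lower()
    return policy


def compare_peers(local, remote):
    """Return {'mismatch': [...], 'warn': [...]} as (attr, local, remote) tuples."""
    result = {"mismatch": [], "warn": []}
    for attr in MUST_MATCH:
        a, b = local.get(attr), remote.get(attr)
        if a != b:
            result["mismatch"].append((attr, a, b))
    for attr in SOFT_MATCH:
        a, b = local.get(attr), remote.get(attr)
        if a != b:
            result["warn"].append((attr, a, b))
    return result


def weak_settings(policy):
    """List (attribute, value) pairs whose value appears in the WEAK table."""
    return [(attr, policy.get(attr)) for attr, bad in WEAK.items()
            if policy.get(attr) in bad]


def report(local_text, remote_text):
    """Human-readable findings for two captured policy outputs."""
    local, remote = parse_policy(local_text), parse_policy(remote_text)
    findings = compare_peers(local, remote)
    lines = []
    for attr, a, b in findings["mismatch"]:
        lines.append(f"MISMATCH {attr}: local={a} remote={b}")
    for attr, a, b in findings["warn"]:
        lines.append(f"WARN {attr} differs: local={a} remote={b}")
    for side, pol in (("local", local), ("remote", remote)):
        for attr, val in weak_settings(pol):
            lines.append(f"WEAK {side} {attr}={val}")
    return lines


if __name__ == "__main__":
    for line in report(PEER_A_IKE, PEER_B_IKE) or ["policies agree"]:
        print(line)
```

Run it with the two captures pasted into PEER_A_IKE and PEER_B_IKE (or read from files); a MISMATCH line on encryption, hash or DH group is the usual reason phase 1 never completes, and is worth resolving before turning on the debug output described in the next section.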
Getting details
After comparing the configured policy on each of the two peers, turn on debug with the following commands:
debug firewall all
debug firewall packet
debug crypto all
Keep in mind that an IKE initiator and an IKE responder will log different chains of events.
From an initiator's perspective, scan through the logged events for "good" messages.
From a responder's perspective, scan through the logged events for these "good" messages.
You may see current IKE and IPsec SAs with the following show commands:
show crypto ike sa all [detail]
show crypto ipsec sa all [detail]
You may see current IKE and IPsec policies with the following show commands:
show crypto ike policy all [detail]
show crypto ipsec policy all [detail]
You may clear current IKE and IPsec SAs with the following clear commands:
clear crypto ipsec sa [all | name]
Troubleshooting security
206 Troubleshooting August 2013
Comments? infodev@avaya.com