9. To verify whether the packets are traversing the firewall or whether they are being
dropped, enter:
debug firewall packet
10. To verify the VPN configuration by displaying the IKE policy, enter:
show crypto ike policy all detail
Confirm that the IKE proposal properties (such as local-address and pre-shared
key) match on the peers. When the public interface has a static IP address, the
local-id must be of type ip-address. In this case, the local-address attribute is the
static IP address.
11. To display the IPSec policy, enter:
show crypto ipsec policy all detail
Be sure that the peer IP address is properly configured, the network to be protected
is properly configured, and IPSec proposal properties match on the peers.
12. To display the IKE SA state and counters, enter:
show crypto ike sa all
13. To display the IPSec SA statistics, enter:
show crypto ipsec sa all
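The peer-consistency checks from steps 10 and 11, as an added Python example that is not part of the original guide. The field names and sample values are hypothetical and constructed, transcribed by hand from each peer's output, and the check assumes a two-peer tunnel in which each side's remote network is the other side's protected network.

```python
import ipaddress

# Constructed sample data. Field names are hypothetical; values are copied by
# hand from each peer's "show crypto ike policy all detail" and
# "show crypto ipsec policy all detail" output.
HQ = {"name": "hq", "static_public_ip": True, "public_ip": "192.0.2.1",
      "local_address": "192.0.2.1", "local_id_type": "ip-address",
      "peer_address": "198.51.100.7", "pre_shared_key": "constructed-key-1",
      "ike_proposal": ("aes256", "sha1", "group2"),
      "ipsec_proposal": ("esp", "aes256", "sha1"),
      "local_network": "10.1.0.0/16", "remote_network": "10.2.0.0/24"}
BRANCH = {"name": "branch", "static_public_ip": True, "public_ip": "198.51.100.7",
          "local_address": "198.51.100.7", "local_id_type": "not-ip-address",
          "peer_address": "192.0.2.1", "pre_shared_key": "constructed-key-2",
          "ike_proposal": ("aes256", "sha1", "group2"),
          "ipsec_proposal": ("esp", "aes256", "sha1"),
          "local_network": "10.2.0.0/24", "remote_network": "10.1.0.0/24"}

def check_peers(a, b):
    """Return mismatches between two peers' hand-transcribed VPN settings."""
    problems = []
    # Properties that must be identical on both peers.
    for field in ("pre_shared_key", "ike_proposal", "ipsec_proposal"):
        if a[field] != b[field]:
            # Report the field name only, so a key never lands in a log.
            problems.append(f"{field} differs between {a['name']} and {b['name']}")
    # Properties that must mirror each other, checked in both directions.
    for x, y in ((a, b), (b, a)):
        if x["peer_address"] != y["local_address"]:
            problems.append(f"{x['name']}: peer address is not {y['name']}'s local-address")
        remote = ipaddress.ip_network(x["remote_network"])
        if remote != ipaddress.ip_network(y["local_network"]):
            problems.append(f"{x['name']}: remote network {remote} is not {y['name']}'s protected network")
        # Static public address: local-id type ip-address, local-address = that IP.
        if x["static_public_ip"]:
            if x["local_id_type"] != "ip-address":
                problems.append(f"{x['name']}: local-id must be of type ip-address")
            if x["local_address"] != x["public_ip"]:
                problems.append(f"{x['name']}: local-address is not the static IP address")
    return problems

if __name__ == "__main__":
    for line in check_peers(HQ, BRANCH):
        print(line)
```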
Troubleshooting Static VPN ABOT
Use the following steps to troubleshoot static routing over VPN ABOT (where nailed-up
configuration and periodic DPD are optional).
In typical ABOT scenarios, the branch offices often use DHCP-acquired IP addresses from the
ISP. This requires enabling a DHCP client on the interface connecting to the public network.
The following is a sample configuration on the public Ethernet interface facing the internet:
interface ethernet 0/2
dhcp-client request-default-router
dhcp-client enable
crypto untrusted
exit
Procedure steps
1. To display the configured IP interfaces, enter:
show ip interfaces brief
Verify that the status on the public IP interface is up, and that the IP address was
acquired through DHCP.
2. To enable debugging on the router, enter:
Troubleshooting August 2013 215