
Cisco MDS 9000 Series

16 pages
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Send documentation comments to mdsfeedback-doc@cisco.com
Chapter 22: Troubleshooting IPsec
This chapter describes how to troubleshoot IP security (IPsec) and Internet Key Exchange (IKE)
encryption in the Cisco MDS 9000 Family. It includes the following sections:
- Overview
- Initial Troubleshooting Checklist
- IPsec Issues
Overview
The IPsec protocol is a framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. It was developed by the Internet Engineering Task
Force (IETF). IPsec provides security services at the IP layer, including protecting one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a
host. IPsec is supported for iSCSI and FCIP using IKE and Encapsulated Security Protocol (ESP) in
tunnel mode.
This section contains the following topics:
- IPsec Compatibility
- Supported IPsec and IKE Algorithms for Microsoft Windows and Linux Platforms
- IKE Allowed Transforms
- IPsec Allowed Transforms
IPsec Compatibility
IPsec features are compatible with the following Cisco MDS 9000 Family hardware:
- Cisco 14/2-port Multiprotocol Services (MPS-14/2) modules in Cisco MDS 9200 switches or Cisco
  MDS 9500 directors
- Cisco MDS 9216i Switch with the MPS-14/2 capability in the integrated supervisor module. Refer
  to the Cisco MDS 9200 Series Hardware Installation Guide for more information on the Cisco MDS
  9216i Switch.
The IPsec feature is not supported on the management interface.

Cisco MDS 9000 Series Specifications

General
Category: Switch
Operating System: Cisco NX-OS
Ports: Varies by model
Protocols: Fibre Channel (FC), Fibre Channel over IP (FCIP), iSCSI
Redundancy: Redundant supervisors, power supplies, and fans
Management: Cisco Data Center Network Manager (DCNM), CLI, SNMP
Virtualization Support: VSANs (Virtual SANs)
Security Features: Fibre Channel Security Protocol (FC-SP)
Hot Swappable Components: power supplies, fans
Power Supply Options: AC and DC options available

Summary

Troubleshooting IPsec

Overview

Explains the IPsec protocol, its framework, and its support for iSCSI and FCIP.

IPsec Compatibility

Lists compatible Cisco MDS 9000 Family hardware for IPsec features.

Supported IPsec and IKE Algorithms for Microsoft Windows and Linux Platforms

Details supported IPsec and IKE encryption and authentication algorithms for Windows and Linux.

IKE Allowed Transforms

Provides a list of allowed transform combinations for IKE configuration.

IPsec Allowed Transforms

Lists allowed transform combinations for IPsec configuration.

Initial Troubleshooting Checklist

A step-by-step checklist to begin troubleshooting IPsec issues.

Common Troubleshooting Tools in Fabric Manager

Guides users on accessing IPsec and IKE tools within Cisco Fabric Manager.

IPsec Issues

Provides procedures to troubleshoot IKE and IPsec issues in FCIP configurations.

Common Troubleshooting Commands in the CLI

Lists essential CLI commands for troubleshooting IPsec issues.

Verifying IKE Configuration Compatibility

Steps to verify IKE configuration compatibility between peers.

Verifying IPsec Configuration Compatibility Using Fabric Manager

How to check IPsec configuration compatibility using the Fabric Manager GUI.

Verifying IPsec Configuration Compatibility Using the CLI

How to check IPsec configuration compatibility using CLI commands.

Verifying Security Policy Databases Compatibility

Steps to ensure Security Policy Databases (SPDs) are compatible between switches.

Verifying Interface Status Using Fabric Manager

How to check interface status and IP addresses using Fabric Manager.

Verifying Interface Status Using the CLI

How to check interface status and IP addresses using CLI commands.

Verifying Security Associations

Steps to verify current peer, mode, and SA index for IPsec.

Security Associations Do Not Re-Key

Troubleshoots issues where Security Associations (SAs) are not re-keying.

Clearing Security Associations

Instructions on how to clear specific Security Associations (SAs).

Debugging the IPsec Process

Lists commands to print debug messages for IPsec process issues.

Debugging the IKE Process

Lists commands to show the internal state of the IKE process.

Obtaining Statistics from the IPsec Process

How to get statistics for IPsec process and interface levels.
