Cisco MDS 9000

16 pages
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
OL-9285-05
Send documentation comments to mdsfeedback-doc@cisco.com

Chapter 22: Troubleshooting IPsec

This chapter describes how to troubleshoot IP security (IPsec) and Internet Key Exchange (IKE) encryption in the Cisco MDS 9000 Family. It includes the following sections:
- Overview
- Initial Troubleshooting Checklist
- IPsec Issues

Overview
The IPsec protocol is a framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. It was developed by the Internet Engineering Task
Force (IETF). IPsec provides security services at the IP layer, including protecting one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a
host. IPsec is supported for iSCSI and FCIP using IKE and Encapsulated Security Protocol (ESP) in
tunnel mode.
This section contains the following topics:
- IPsec Compatibility
- Supported IPsec and IKE Algorithms for Microsoft Windows and Linux Platforms
- IKE Allowed Transforms
- IPsec Allowed Transforms

IPsec Compatibility
IPsec features are compatible with the following Cisco MDS 9000 Family hardware:
- Cisco 14/2-port Multiprotocol Services (MPS-14/2) modules in Cisco MDS 9200 switches or Cisco MDS 9500 directors
- Cisco MDS 9216i Switch with the MPS-14/2 capability in the integrated supervisor module. Refer to the Cisco MDS 9200 Series Hardware Installation Guide for more information on the Cisco MDS 9216i Switch.

The IPsec feature is not supported on the management interface.

Cisco MDS 9000 Specifications

General
Form Factor: Modular chassis
Port Density: Varies by model
Supported Protocols: Fibre Channel (FC), Fibre Channel over IP (FCIP), iSCSI
Management: Cisco Data Center Network Manager (DCNM), CLI, SNMP
Redundancy: Redundant supervisors, power supplies, and fans
Security Features: FC-SP
Model: MDS 9000 Series

Summary

Troubleshooting IPsec

Overview

Provides an overview of the IPsec protocol and its support in the Cisco MDS 9000 Family.

IPsec Compatibility

Details hardware compatibility for IPsec features in the Cisco MDS 9000 Family.

IKE Allowed Transforms

Lists allowed transform combinations for IKE configuration.

IPsec Allowed Transforms

Lists allowed transform combinations for IPsec configuration.

Initial Troubleshooting Checklist

Provides a checklist for initial IPsec troubleshooting steps.

Common Troubleshooting Tools in Fabric Manager

Explains how to access IPsec and IKE troubleshooting tools in Fabric Manager.

Common Troubleshooting Commands in the CLI

Lists CLI commands for troubleshooting IPsec issues.

IPsec Issues

Details procedures to troubleshoot IKE and IPsec issues in FCIP configurations.

Simple FCIP Configuration

Illustrates a basic FCIP configuration for encrypted data transfer.

Verifying IKE Configuration Compatibility

Steps to verify IKE configuration compatibility between peers.

Verifying IPsec Configuration Compatibility Using Fabric Manager

Procedures to verify IPsec configuration compatibility using Cisco Fabric Manager.

Verifying IPsec Configuration Compatibility Using the CLI

Steps to verify IPsec configuration compatibility using the command-line interface.

Verifying Security Policy Databases Compatibility

How to verify compatibility of Security Policy Databases (SPDs).

Verifying Interface Status Using Fabric Manager

Steps to check interface status using Fabric Manager.

Verifying Interface Status Using the CLI

Steps to check interface status using the command-line interface.

Verifying Security Associations

Procedures to verify security associations (SAs).

Security Associations Do Not Re-Key

Troubleshooting steps when security associations fail to re-key.

Clearing Security Associations

How to clear specific security associations (SAs).

Debugging the IPsec Process

Commands for debugging IPsec process messages.

Debugging the IKE Process

Commands to view the internal state of the IKE process.

Obtaining Statistics from the IPsec Process

Commands to get statistics for IPsec.
