Troubleshooting IPsec
Q:

What are the commands used for troubleshooting IPSec?




A:

Summary

This solution will generate the show and debugging commands to assist you in debugging issues related to IPSec.  They are summarized below.

  • The first set of commands turns on detailed logging for a specific process related to IPSec.  All of these options are recorded in the security log.  Turning on all of these options will help in identifying a problem related to IPSec.
    • logging level debugging security process <option>
  • The command to view the details of these logs is: show log security all.  For example, one of the most common filters used to troubleshoot IPSec problems is:
    • show log security all | include IKE
  • The remaining commands are commonly used to give additional information in troubleshooting connectivity:
    • displays remote user/AP connectivity status: show user-table verbose
    • shows IPSec security associations: show crypto ipsec sa
    • displays UDP 4500 connectivity status: show datapath session table | include 4500
    • shows ISAKMP key-pair security associations: show crypto isakmp sa
    • shows more specific ISAKMP information for a target: show crypto isakmp sa peer <IP address>
    • shows status of VPN pool: show vpdn l2tp local pool

Minimum Software Version(s) Required

Aruba OS 5.x or 6.x

Platform(s) Tested

Mobility Wireless Controller 7010   

Licenses

Access Point likely required


Version History
Revision #: 2 of 2
Last update: 12-08-2016 02:23 PM
Comments
lavanya bollam

We are hitting switch device registration failure in Airwave when IPSEC is enabled using 8.2.3.1, could you please help us. I know this is a setup issue, but could not resolve it.

Please see error below:

 

HP-2920-24G#

0000:00:03:52.37 ZTP mairwaveCtrl:Switch registration failed 7 -

0000:00:03:52.44 ZTP mairwaveCtrl:Error string: Couldn't connect to server

0000:00:03:52.52 ZTP mairwaveCtrl:Registration with AMP server failed.

   Scheduling retry in 60 seconds

0000:00:03:52.63 ZTP mairwaveCtrl:Received message 0x91000B

0000:00:03:52.70 ZTP mairwaveCtrl:IPSEC ZTP: In Health-Check timer

0000:00:03:52.77 ZTP mairwaveCtrl:IPSEC ZTP: Switch sends HB

  • Are you trying to add the switch to Airwave manually or through Activate?
  • After pushing the IPsec tunnel configuration setting, does the switch lose connection to Airwave?

We have to look into the switch configuration to check why enabling the IPsec configuration results in a server connection issue.

 
