
How to set up VPN Interface Survivability and a default route to VPN in MAS

This feature is available from the MAS 7.4.0.0 release.

The Mobility Access Switch (MAS) supports site-to-site VPN in tunnel mode. The IPsec tunnel endpoints are the WAN uplink interface IPs of the two peers.
Interesting traffic is forwarded through the VPN tunnel according to the src-net and dst-net configuration in the crypto map.
MAS supports a standby uplink that takes over when the existing (primary) uplink interface goes down.
The VPN/IPsec tunnel can be re-established over the standby uplink when the primary uplink is detected to be down.
The standby uplink must be pre-defined in the crypto-map configuration so that the tunnel can be re-established over it.
When the primary uplink is detected to be up again, the crypto/IPsec tunnel switches back from the standby uplink to the primary.
Uplink monitoring is done via ping probes (route monitoring). An event notification is sent to the ISAKMPD process.

 

The “interface vlan” configuration under the crypto map identifies the primary uplink.
The ISAKMPD process initiates the VPN tunnel and sets the primary uplink as the source IPsec endpoint.
The “standby-interface vlan” configuration under the crypto map identifies the standby uplink.
This allows the VPN to switch over when the primary goes down.
The “standby-interface vlan <vlan-id> preempt” configuration is for preempting the switchover to primary.

Whenever the pre-connect timer kicks in, the ISAKMPD session is initiated via the standby uplink interface.
When the primary uplink is up and the UP event notification is received by ISAKMPD, a switchover is made from the standby to the primary uplink.
This feature is supported only with IKE version 2.

 

 

Network Topology:

[Topology diagram (rtaImage (2).jpg) not reproduced]

 

Crypto map Configuration:  MAS to Controller - A

crypto-local ipsec-map BHANU 1
  version v2
  peer-ip 188.88.88.80       ------> H.Q controller WAN IP
  local-fqdn test.arubanetworks.com
  interface vlan 70
  standby-interface vlan 60
  src-net 2.2.2.0 255.255.255.0
  dst-net 199.99.99.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  force-natt enable
!

Crypto map Configuration:  MAS to Controller - B

crypto-local ipsec-map CORVINA 12
  version v2           
  peer-ip 199.198.197.20               -------> H.Q controller WAN IP
  local-fqdn test.arubanetworks.com
  interface vlan 70                    -------> primary uplink configuration
  standby-interface vlan 60            -------> standby uplink config. with preempt
  src-net 2.2.2.0 255.255.255.0        --------> source net crypto
  dst-net 196.172.1.0 255.255.255.0    --------> destination corporate network
  set transform-set "default-transform"
  pre-connect enable
  force-natt enable
!

Crypto map Configuration:  MAS to Firewall

crypto-local ipsec-map map-firewall 10
  version v2
  peer-ip 45.46.47.50                  ---------> Default gateway Peer-IP
  local-fqdn boc.arubanetworks.com
  interface vlan 70
  standby-interface vlan 60
  src-net 2.2.2.0 255.255.255.0
  dst-net 0.0.0.0 0.0.0.0
  set transform-set "default-transform"
  pre-connect enable
  force-natt enable
!


Default gateway configuration 


•Multiple default gateway support
•Multiple default gateways can be configured in MAS.
•One option is DHCP import; the other is the static route option.

DHCP Import Option

(S2500-8MEM) #show ip-profile
ip-profile "default"
--------------------
Parameter            Value
---------            -----
Default Gateway      N/A
Import DHCP Gateway  Enabled
controller-ip        loopback1
(S2500-8MEM) #

(S2500-8MEM) (config) #interface vlan 70
(S2500-8MEM) (vlan "70") #metric 1
(S2500-8MEM) (vlan "70") #


Controller configuration:

•Firewall configurations



(Aruba651) #show crypto-local ipsec-map
Crypto Map Template"CORVINA" 12
         IKE Version: 2
         IKEv2 Policy: DEFAULT
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N
         Transform sets={ default-transform }
         Peer gateway: 0.0.0.0
         Peer ANY FQDN
         Interface: VLAN 500
         Source network: 196.172.1.0/255.255.255.0
         Destination network: 2.2.2.0/255.255.255.0
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N

(Aruba651) # show ip interface brief
Interface                   IP Address / IP Netmask        Admin   Protocol
vlan 1                      10.16.73.2 / 255.255.255.192   up      up
vlan 200                  200.200.20.2 / 255.255.255.0     up      up
vlan 300                   201.30.33.3 / 255.255.255.0     up      up
vlan 500                199.198.197.20 / 255.255.255.0     up      up
vlan 100                   100.10.10.1 / 255.255.255.0     up      up
loopback                   196.172.1.2 / 255.255.255.255   up      up
mgmt                        unassigned / unassigned        down    down

Firewall configurations

(Aruba3600) #show crypto-local ipsec-map

Crypto Map Template"map-firewall" 10
         IKE Version: 2
         IKEv2 Policy: DEFAULT
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N
         Transform sets={ default-transform }
         Peer gateway: 0.0.0.0
         Peer ANY FQDN
         Interface: VLAN 45
         Source network: 0.0.0.0/0.0.0.0
         Destination network: 0.0.0.0/0.0.0.0
         Pre-Connect (Y/N): N
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N

(Aruba3600) #show ip interface brief

Interface                   IP Address / IP Netmask        Admin   Protocol
vlan 1                    172.16.0.254 / 255.255.255.0     up      up
vlan 4094                  10.16.73.34 / 255.255.255.192   up      up
vlan 501                  150.50.50.50 / 255.255.255.0     up      up
vlan 45                    45.46.47.50 / 255.255.0.0       up      up
loopback                    unassigned / unassigned        up      up
mgmt                        unassigned / unassigned        down    down

 

Running Configuration

(S2500-8MEM) #show running-config
Building Configuration...
crypto-local isakmp key "******" address 45.46.47.50 netmask 255.255.255.255
crypto-local isakmp key "******" address 188.88.88.80 netmask 255.255.255.255
crypto-local isakmp key "******" address 199.198.197.0 netmask 255.255.255.0
crypto-local isakmp key "******" address 10.2.100.0 netmask 255.255.255.0
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto-local ipsec-map map-firewall 10
  version v2
  peer-ip 45.46.47.50
  local-fqdn boc.arubanetworks.com
  interface vlan 70
  standby-interface vlan 60
  src-net 2.2.2.0 255.255.255.0
  dst-net 0.0.0.0 0.0.0.0
  set transform-set "default-transform"
  pre-connect enable
  force-natt enable
!


crypto-local ipsec-map BHANU 1
  version v2
  peer-ip 188.88.88.80
  local-fqdn test.arubanetworks.com
  interface vlan 70
  standby-interface vlan 60
  src-net 2.2.2.0 255.255.255.0
  dst-net 199.99.99.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  force-natt enable
!

crypto-local ipsec-map CORVINA 12
  version v2
  peer-ip 199.198.197.20
  local-fqdn test.arubanetworks.com
  interface vlan 70
  standby-interface vlan 60
  src-net 2.2.2.0 255.255.255.0
  dst-net 196.172.1.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  force-natt enable
!

•Probe-Profile Configuration
(S2500-8MEM) (config) #probe-profile VPN
(S2500-8MEM) (probe profile "VPN") #?
clone                   Copy data from another probe profile
destination             Specify destination
no                      Delete Command
pkt-found-cnt           Packet Found Count [2-32]. Default: 6
pkt-lost-cnt            Packet Lost Count [2-32]. Default: 6
pkt-send-freq           Packet Send Frequency [1-32] seconds. Default: 5
protocol                Probe Protocol
(S2500-8MEM) (probe profile "VPN") #
(S2500-8MEM) #show probe-profile VPN
probe profile "VPN" (N/A)
-------------------------
Parameter                     Value
---------                     -----
Destination IP                8.8.8.8
Destination IP                199.198.197.10
Destination Host Name         N/A
Packet Lost Count             6
Packet Found Count            6
Packet Send Frequency (Secs)  1
Protocol                      icmp
(S2500-8MEM) #

 

 

PROBE table when Primary uplink is UP

(S2500-8MEM) #show probe
IPV4 PROBE Table
----------------
Vlan    Server          Protocol  Port   Probe-State  Sent  Received
-----   ------          --------  ----   -----------  ----  --------
vlan60  8.8.8.8         ICMP      N/A    Down         1920  0
vlan60  199.198.197.10  ICMP      N/A    Up           1920  1848
vlan70  8.8.8.8         ICMP      N/A    Down         1920  0
vlan70  199.198.197.10  ICMP      N/A    Up           1920  1870

Total Probe host entries: 4
(S2500-8MEM) #
•PROBE table when primary uplink is down

(S2500-8MEM) #show probe
IPV4 PROBE Table
----------------
Vlan    Server          Protocol  Port   Probe-State  Sent  Received
-----   ------          --------  ----   -----------  ----  --------
vlan60  8.8.8.8         ICMP      N/A    Down         2066  0
vlan60  199.198.197.10  ICMP      N/A    Up           2066  1994
vlan70  8.8.8.8         ICMP      N/A    Down         2066  0
vlan70  199.198.197.10  ICMP      N/A    Down         2066  1870
Total Probe host entries: 4

Crypto ISAKMP SA  through  Primary uplink

(S2500-8MEM) #show crypto isakmp sa
ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
7.70.70.4        45.46.47.50    i-v2-p    Jul 31 13:26:24     -
7.70.70.4        188.88.88.80   i-v2-p    Jul 31 13:20:10     -              
7.70.70.4        199.198.197.20 i-v2-p    Jul 31 13:20:41     -              

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP, A = Aruba VPN
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 3
(S2500-8MEM) #

Crypto ISAKMP SA  through Standby uplink

(S2500-8MEM) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
60.6.6.2         188.88.88.80   i-v2-p    Jul 31 14:11:08     -
60.6.6.2         45.46.47.50    i-v2-p    Jul 31 14:11:09     -
Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP, A = Aruba VPN
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 2
(S2500-8MEM) #

Crypto IPSEC SA through Standby uplink

(S2500-8MEM) #show crypto ipsec sa

IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
60.6.6.2         188.88.88.80     add63b00/9991ab00  UT2   Jul 31 14:11:08     -
60.6.6.2         45.46.47.50      ed734f00/d9fbd900  UT2   Jul 31 14:11:09     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 2
(S2500-8MEM) #
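
The switchover shown in the probe and SA tables above can be checked mechanically. The following is an added example, not part of the original article or of Aruba's software: it correlates "show probe" and "show crypto isakmp sa" rows copied from this article and reports which uplink each crypto map is using. The rule that an uplink counts as up when any probe destination is Up is inferred from the article's tables, and the finding labels are this example's own.

```python
import re

# Constructed inputs: data rows copied from the article's CLI output
# (probe table with primary down, ISAKMP SAs over the standby uplink).
SHOW_PROBE = """\
vlan60  8.8.8.8         ICMP      N/A    Down         2066  0
vlan60  199.198.197.10  ICMP      N/A    Up           2066  1994
vlan70  8.8.8.8         ICMP      N/A    Down         2066  0
vlan70  199.198.197.10  ICMP      N/A    Down         2066  1870
"""
SHOW_ISAKMP_SA = """\
60.6.6.2         188.88.88.80   i-v2-p    Jul 31 14:11:08     -
60.6.6.2         45.46.47.50    i-v2-p    Jul 31 14:11:09     -
"""

# Taken from the crypto maps and "show ip route" output in the article.
PRIMARY, STANDBY = "vlan70", "vlan60"
UPLINK_IP = {"vlan70": "7.70.70.4", "vlan60": "60.6.6.2"}
PEERS = {"BHANU": "188.88.88.80", "CORVINA": "199.198.197.20",
         "map-firewall": "45.46.47.50"}

PROBE_RE = re.compile(r"^(vlan\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(Up|Down)\s+(\d+)\s+(\d+)$")
SA_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+")

def uplink_state(show_probe):
    """Return {vlan: bool}. Assumption: an uplink is up if any destination is Up."""
    state = {}
    for line in show_probe.splitlines():
        m = PROBE_RE.match(line.strip())
        if m:
            state[m.group(1)] = state.get(m.group(1), False) or m.group(5) == "Up"
    return state

def active_sas(show_sa):
    """Return {responder_ip: initiator_ip} for SAs whose flags include v2."""
    sas = {}
    for line in show_sa.splitlines():
        m = SA_RE.match(line.strip())
        if m and "v2" in m.group(3).split("-"):
            sas[m.group(2)] = m.group(1)
    return sas

def audit(show_probe, show_sa):
    """Return [(map_name, finding)] for every configured crypto map."""
    state, sas = uplink_state(show_probe), active_sas(show_sa)
    ip_to_vlan = {ip: vlan for vlan, ip in UPLINK_IP.items()}
    findings = []
    for name, peer in PEERS.items():
        src = sas.get(peer)
        vlan = ip_to_vlan.get(src)
        if src is None:
            findings.append((name, "no-sa"))          # tunnel not established
        elif vlan == STANDBY and state.get(PRIMARY):
            findings.append((name, "on-standby-while-primary-up"))
        elif vlan == STANDBY:
            findings.append((name, "on-standby"))
        elif vlan == PRIMARY:
            findings.append((name, "on-primary"))
        else:
            findings.append((name, "unknown-source"))  # SA from an unlisted IP
    return findings

if __name__ == "__main__":
    for name, finding in audit(SHOW_PROBE, SHOW_ISAKMP_SA):
        print(f"{name:14s} {finding}")
```

On the article's standby output this reports BHANU and map-firewall on the standby uplink and no SA for CORVINA, matching the two-entry SA table above.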

Note:

•Default route to VPN
•The branch office MAS has a VPN tunnel that terminates on a firewall. Non-corporate traffic from any client is forwarded to the firewall through the VPN tunnel.
•A default gateway route is created pointing to the VPN tunnel.
•After installing the IPsec SAs, the ISAKMPD process adds a route table entry for the dst-net configured under the crypto map.

(S2500-8MEM) #show ip route
Codes: C - connected
       O - OSPF, O(IA) - OSPF inter area
       O(E1) - OSPF external type 1, O(E2) - OSPF external type 2
       O(N1) - OSPF NSSA type 1, O(N2) - OSPF NSSA type 2
       M - mgmt, S - static, * - candidate default
       D - DHCP
C        0.0.0.0  /0 [1] is an ipsec map: map-firewall  --> Default route for firewall
C        2.2.2.2  /32 is directly connected: loopback1
C        7.70.70.0/24 is directly connected: vlan70
C        7.70.70.4/32 is directly connected: vlan70
S        45.46.47.50/32 [1] via 7.70.70.1
C        60.6.6.0 /24 is directly connected: vlan60
C        60.6.6.2 /32 is directly connected: vlan60
S        188.88.88.80/32 [1] via 7.70.70.1            --> Static route to the Controller A Peer-IP
C        196.172.1.0/24 [1] is an ipsec map: CORVINA  --> route for dst-net configurations
C        199.99.99.0/24 [1] is an ipsec map: BHANU
S        199.198.197.20/32 [1] via 7.70.70.1          --> Static route to the Controller B Peer-IP
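
A way to verify the route table above against the crypto maps, as an added example that is not part of the original article: it parses "show ip route" lines and checks that each map's dst-net is routed into its ipsec map and that each peer-ip keeps a host route outside the tunnel, so that the IKE/ESP packets to the peer are not themselves matched by a tunnel route. The route text is copied from this article; the finding labels and function names are this example's own.

```python
import ipaddress
import re

# Constructed input: route lines copied from the article's "show ip route".
SHOW_IP_ROUTE = """\
C        0.0.0.0  /0 [1] is an ipsec map: map-firewall
C        2.2.2.2  /32 is directly connected: loopback1
C        7.70.70.0/24 is directly connected: vlan70
C        7.70.70.4/32 is directly connected: vlan70
S        45.46.47.50/32 [1] via 7.70.70.1
C        60.6.6.0 /24 is directly connected: vlan60
C        60.6.6.2 /32 is directly connected: vlan60
S        188.88.88.80/32 [1] via 7.70.70.1
C        196.172.1.0/24 [1] is an ipsec map: CORVINA
C        199.99.99.0/24 [1] is an ipsec map: BHANU
S        199.198.197.20/32 [1] via 7.70.70.1
"""

# map name -> (peer-ip, dst-net), from the crypto maps in the article.
MAPS = {
    "BHANU": ("188.88.88.80", "199.99.99.0/24"),
    "CORVINA": ("199.198.197.20", "196.172.1.0/24"),
    "map-firewall": ("45.46.47.50", "0.0.0.0/0"),
}

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+\*?\s*(?P<net>\d+\.\d+\.\d+\.\d+)\s*/(?P<len>\d+)\s*"
    r"(?:\[\d+\]\s*)?"
    r"(?:is an ipsec map: (?P<map>\S+)|via (?P<gw>\S+)"
    r"|is directly connected: (?P<ifc>\S+))")

def parse_routes(text):
    """Return {prefix: (kind, target)}, kind in ipsec / via / connected."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # legend, prompt or blank line
        net = str(ipaddress.ip_network(f"{m['net']}/{m['len']}", strict=False))
        if m["map"]:
            routes[net] = ("ipsec", m["map"])
        elif m["gw"]:
            routes[net] = ("via", m["gw"])
        else:
            routes[net] = ("connected", m["ifc"])
    return routes

def audit_routes(text, maps=MAPS):
    """Return [(map_name, finding)]; an empty list means all checks passed."""
    routes = parse_routes(text)
    findings = []
    for name, (peer, dst) in maps.items():
        # dst-net traffic must enter this map's tunnel, not a plain gateway.
        if routes.get(dst) != ("ipsec", name):
            findings.append((name, "dst-net-not-in-tunnel"))
        # The peer itself must stay reachable over the physical uplink.
        peer_route = routes.get(f"{peer}/32")
        if peer_route is None or peer_route[0] == "ipsec":
            findings.append((name, "peer-not-routed-outside-tunnel"))
    return findings

if __name__ == "__main__":
    print(audit_routes(SHOW_IP_ROUTE) or "all crypto-map routes present")
```

A "dst-net-not-in-tunnel" finding for map-firewall means the default route points at a plain gateway, so non-corporate client traffic would leave the uplink without passing through the firewall tunnel.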

•Default route in datapath route table

(S2500-8MEM) #show datapath route
Route Table Entries
-------------------
Flags: L - Local, P - Permanent,  T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop
       IP             Mask           Gateway       Cost  VLAN  Flags
---------------  ---------------  ---------------  ----  ----  -----
0.0.0.0          0.0.0.0          0.0.0.1             0     1  PT         -----> Adds plus one
60.6.6.0         255.255.255.0    60.6.6.2            0    60  LP
188.88.88.80     255.255.255.255  7.70.70.1           0    70  P
71.1.1.255       255.255.255.255  71.1.1.255          0     0  PD
71.1.1.0         255.255.255.0    71.1.1.4            0    71  LP
199.99.99.0      255.255.255.0    199.99.99.1         0     1  TI
199.198.197.20   255.255.255.255  7.70.70.1           0    70  P
60.6.6.255       255.255.255.255  60.6.6.255          0     0  PD
196.172.1.0      255.255.255.0    196.172.1.1         0     1  TI
7.70.70.255      255.255.255.255  7.70.70.255         0     0  PD
199.36.36.255    255.255.255.255  199.36.36.255       0     0  PD
199.36.36.0      255.255.255.0    199.36.36.1         0   199  LP
7.70.70.0        255.255.255.0    7.70.70.4           0    70  LP
45.46.47.50      255.255.255.255  7.70.70.1           0    70  P
•Data path route-cache table

(S2500-8MEM) #show datapath route-cache

Route Cache Entries
-------------------
Flags: L - local, P - Permanent,  T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop
R - Routed across vlan
       IP              MAC             VLAN      Flags
---------------  -----------------  -----------  -----
2.2.2.2          00:0B:86:84:EC:C0            0  LP
0.0.0.1          00:00:00:00:00:00  tunnel   81  PT
7.70.70.4        00:0B:86:84:EC:C0           70  LP
7.70.70.1        00:0B:86:61:CE:44           70  A
10.16.73.10      00:0B:86:84:EC:C0            0  LP
196.172.1.1      00:00:00:00:00:00  tunnel   79  PT
71.1.1.1         00:1A:1E:00:1C:80           71  A
71.1.1.4         00:0B:86:84:EC:C0           71  LP
199.36.36.1      00:0B:86:84:EC:C0          199  LP
199.36.36.2      00:10:94:00:06:A3          199  A
188.88.88.80     00:0B:86:61:CE:44           70
199.99.99.1      00:00:00:00:00:00  tunnel   69  PT
60.6.6.6         00:0B:86:99:84:77           60  A
60.6.6.2         00:0B:86:84:EC:C0           60  L


Default gateway verification:

(S2500-8MEM) #show interface vlan 70
VLAN70 is administratively Up, Line protocol is Up
Hardware is CPU Interface, Address is 00:0b:86:84:ec:c0
Description: 802.1Q VLAN
Internet address is 7.70.70.4, Netmask is 255.255.255.0
IPV6 link-local address is fe80::b:8600:4684:ecc0
Global Unicast address(es):
IP address is obtained through DHCP
DHCP data: server 7.70.70.1, router 7.70.70.1, domain UNKNOWN, DNS 0.0.0.0, lease time(in secs) 86400 state BOUND
Routing interface is enabled, Forwarding mode is enabled
Directed broadcast is disabled, BCMC Optimization disabled
Encapsulation 802, Loopback not set
Interface index: 50331718
MTU 1500 bytes
Metric 1
Probe Name: VPN, Probe Status: Up

(S2500-8MEM) #


(S2500-8MEM) (config) #show ip route
Codes: C - connected 
       O - OSPF, O(IA) - OSPF inter area
       O(E1) - OSPF external type 1, O(E2) - OSPF external type 2
       O(N1) - OSPF NSSA type 1, O(N2) - OSPF NSSA type 2
       M - mgmt, S - static, * - candidate default
       D - DHCP
Gateway of last resort is 7.70.70.1 to network 0.0.0.0 at cost 1
D       * 0.0.0.0  /0 [1] via 7.70.70.1
C        2.2.2.2  /32 is directly connected: loopback1
C        7.70.70.0/24 is directly connected: vlan70
C        7.70.70.4/32 is directly connected: vlan70
S        8.8.8.8  /32 [1] via 7.70.70.1
M        10.16.73.0/26 is directly connected: mgmt
M        10.16.73.10/32 is directly connected: mgmt
O        13.13.13.0/24 [1001] via 192.168.1.1
O        16.1.1.0 /24 [1001] via 192.168.1.1
C        60.6.6.0 /24 is directly connected: vlan60
C        60.6.6.2 /32 is directly connected: vlan60
C        71.1.1.0 /24 is directly connected: vlan71
C        71.1.1.4 /32 is directly connected: vlan71
S        188.88.88.80/32 [1] via 7.70.70.1
C        192.168.1.1/32 is directly connected: gre-tunnel1
O        192.168.1.2/32 [1000] via 192.168.1.1
C        196.172.1.0/24 [1] is an ipsec map: CORVINA
C        196.178.199.10/32 is directly connected: gre-tunnel2
O        196.178.199.11/32 [1000] via 196.178.199.10
C        199.36.36.0/24 is directly connected: vlan199
C        199.36.36.1/32 is directly connected: vlan199
C        199.99.99.0/24 [1] is an ipsec map: BHANU
S        199.198.197.20/32 [1] via 7.70.70.1


•Static Route Configuration

(S2500-8MEM) #show ip-profile
ip-profile "default"
--------------------
Parameter            Value
---------            -----
Default Gateway      N/A
Import DHCP Gateway  N/A
controller-ip        loopback1
route                0.0.0.0 0.0.0.0 7.70.70.1 2   --------->  static route option
route                0.0.0.0 0.0.0.0 60.6.6.6 10
(S2500-8MEM) #


(S2500-8MEM) #show ip route

Codes: C - connected
       O - OSPF, O(IA) - OSPF inter area
       O(E1) - OSPF external type 1, O(E2) - OSPF external type 2
       O(N1) - OSPF NSSA type 1, O(N2) - OSPF NSSA type 2
       M - mgmt, S - static, * - candidate default
       D - DHCP

Gateway of last resort is 7.70.70.1 to network 0.0.0.0 at cost 2
S       * 0.0.0.0  /0 [2] via 7.70.70.1
C        2.2.2.2  /32 is directly connected: loopback1
C        7.70.70.0/24 is directly connected: vlan70
C        7.70.70.4/32 is directly connected: vlan70
S        8.8.8.8  /32 [1] via 7.70.70.1
M        10.16.73.0/26 is directly connected: mgmt
M        10.16.73.10/32 is directly connected: mgmt
O        13.13.13.0/24 [1001] via 192.168.1.1
O        16.1.1.0 /24 [1001] via 192.168.1.1
C        60.6.6.0 /24 is directly connected: vlan60
C        60.6.6.2 /32 is directly connected: vlan60
C        71.1.1.0 /24 is directly connected: vlan71
C        71.1.1.4 /32 is directly connected: vlan71
S        188.88.88.80/32 [1] via 7.70.70.1
C        192.168.1.1/32 is directly connected: gre-tunnel1
O        192.168.1.2/32 [1000] via 192.168.1.1
C        196.172.1.0/24 [1] is an ipsec map: CORVINA
C        199.36.36.0/24 is directly connected: vlan199
C        199.36.36.1/32 is directly connected: vlan199
C        199.99.99.0/24 [1] is an ipsec map: BHANU
S        199.198.197.20/32 [1] via 7.70.70.1


Firewall Verification:


(Aruba3600) #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN
Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 10.16.73.1 to network 0.0.0.0 at cost 1
S*    0.0.0.0/0  [1/0] via 10.16.73.1*
O    1.1.1.1/32 [2/0] via 45.46.47.51*
O    7.7.1.0/24 [2/0] via 45.46.47.51*
O    7.70.70.0/24 [3/0] via 45.46.47.51*
O    15.15.15.0/24 [3/0] via 45.46.47.51*
O    20.20.75.0/24 [3/0] via 45.46.47.51*
O    60.6.6.0/24 [4/0] via 45.46.47.51*
O    71.1.1.0/24 [4/0] via 45.46.47.51*
O    72.2.2.0/24 [3/0] via 45.46.47.51*
O    100.10.10.0/24 [4/0] via 45.46.47.51*
O    137.37.37.0/24 [2/0] via 45.46.47.51*
S    142.42.42.0/24 [1/0] via 45.46.47.48*
O    170.169.158.0/24 [2/0] via 45.46.47.51*
O    172.19.0.4/30 [3/0] via 45.46.47.51*
O    177.177.17.0/24 [2/0] via 45.46.47.51*
O    188.88.80.0/20 [3/0] via 45.46.47.51*
O    196.177.1.1/32 [2/0] via 45.46.47.51*
O    199.198.197.0/24 [3/0] via 45.46.47.51*
C    172.16.0.0/24 is directly connected, VLAN1
C    10.16.73.0/26 is directly connected, VLAN4094
C    150.50.50.0/24 is directly connected, VLAN501
C    45.46.0.0/16 is directly connected, VLAN45

 

 

Enabling Security logs

 

(S2500-8MEM) (config) # logging level critical security

 

Security log verification

 

(S2500-8MEM) #show log security 10

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500-> udp_encap_handle_message ver:2 serverInst:3 pktsize:80

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500-> IKE_EXAMPLE_IKE_msgRecv: ip:bc585850  port:4500  server:3   len:80  numSkts:12

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500->   I <--

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500-> #RECV 80 bytes from 188.88.88.80(4500) at 60.6.6.2 (2378.80)

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500->  spi={b778fd8bc439cd22 f2428e96974b4027} np=E{None}

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500->  exchange=INFORMATIONAL msgid=12 len=76

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500-> infoI_in

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500-> IKE2_msgRecv_resume exchange already deleted

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500-> cleanup_and_free_context delete ctx memory

Jul 31 14:17:11 :103063:  <DBUG> |ike|  188.88.88.80:4500-> udp_encap_handle_message IKEv2 pkt status:-8929

(S2500-8MEM) #

Version history: Revision 1 of 1. Last update: 04-09-2015 05:12 AM