Troubleshooting IPsec

By esupport posted Dec 08, 2016 05:23 PM

  
Q:

What are the commands used for troubleshooting IPSec?


A:

Summary

This solution will generate the show and debugging commands to assist you in debugging issues related to IPSec.  They are summarized below.

  • The first set of commands turns on detailed logging for a specific process related to IPSec.  All of these options are recorded in the security log.  Turning on all of these options will help in identifying a problem related to IPSec.
    • logging level debugging security process <option>
  • The command to view the details of these logs is: show log security all.  For example, one of the most common filters used to troubleshoot IPSec problems is:
    • show log security all | include IKE
  • The remaining commands are commonly used to give additional information in troubleshooting connectivity:
    • displays remote user/AP connectivity status: show user-table verbose
    • shows IPSec security associations: show crypto ipsec sa
    • displays UDP 4500 connectivity status: show datapath session table | include 4500
    • shows ISAKMP key-pair security associations: show crypto isakmp sa
    • shows more specific ISAKMP information for a target: show crypto isakmp sa peer <IP address>
    • shows status of VPN pool: show vpdn l2tp local pool

Minimum Software Version(s) Required

Aruba OS 5.x or 6.x

Platform(s) Tested

Mobility Wireless Controller 7010   

Licenses

Access Point likely required


 

 


Comments

Feb 27, 2017 09:13 AM

  • Are you trying to add switches to Airwave manually or through activate?
  • After pushing the IPsec tunnel configuration setting, the switch loses connection to Airwave?

 

We have to look into the switch configuration to check why enabling the IPsec configuration results in a server connection issue.

 

Feb 27, 2017 06:52 AM

We are hitting a switch device registration failure in Airwave when IPSEC is enabled using 8.2.3.1; could you please help us? I know this is a setup issue, but could not resolve it.

Please see error below:

 

HP-2920-24G#

0000:00:03:52.37 ZTP mairwaveCtrl:Switch registration failed 7 -

0000:00:03:52.44 ZTP mairwaveCtrl:Error string: Couldn't connect to server

0000:00:03:52.52 ZTP mairwaveCtrl:Registration with AMP server failed.

   Scheduling retry in 60 seconds

0000:00:03:52.63 ZTP mairwaveCtrl:Received message 0x91000B

0000:00:03:52.70 ZTP mairwaveCtrl:IPSEC ZTP: In Health-Check timer

0000:00:03:52.77 ZTP mairwaveCtrl:IPSEC ZTP: Switch sends HB