Cisco Systems C7200 manual Troubleshooting Tips, Router# show diag

Page 55

Chapter 4 Configuring the VSA

Troubleshooting Tips

A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer):

crypto map toRemoteSite 10 ipsec-isakmp match address 101

set peer 10.0.0.3

set transform-set auth1

The crypto map is applied to an interface:

interface Serial0

ip address 10.2.2.3 crypto map toRemoteSite

An IPSec access list defines which traffic to protect:

access-list 101 permit ip host 10.2.2.2 host 10.0.0.2

access-list 101 permit ip host 10.2.2.3 host 10.0.0.3

Troubleshooting Tips

To verify that Cisco IOS software has recognized the VSA, enter the show diag command and check the output. In the following example, the IOS software recognizes the C7200-VSA, which is found in slot 0 in the router.

Router# show diag 0

Slot 0:

VSA IPsec Card Port

adapter

 

 

 

 

 

 

 

 

 

Port adapter is analyzed

 

 

 

 

 

 

 

 

 

 

Port adapter insertion

time 00:23:25 ago

 

 

 

 

 

EEPROM contents at hardware discovery:

 

 

 

 

 

 

PCB Serial

Number

 

 

 

: PRTA4404055

 

 

 

 

 

 

Product (FRU)

Number

 

 

: C7200-VSA

 

 

 

 

 

 

EEPROM format

version 4

 

 

 

 

 

 

 

 

 

 

 

EEPROM contents (hex):

 

 

 

 

 

 

 

 

 

 

 

0x00: 04

FF

C1

8B

50

52

54

41

34

34

30

34

30

35

35

40

0x10: 05

0D

CB 94

43

37

32

30

30

2D

56

53

41

20

20

20

0x20: 20

20

20

20

20

20

20

20

D9

03

C1

40

CB FF FF FF

0x30: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

0x40: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

0x50: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

0x60: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

0x70: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

To see if the VSA is currently processing crypto packets, enter the show crypto engine accelerator statistic 0 command. The following is sample output:

Router# show crypto engine accelerator statistic 0

 

Device:

VSA

 

 

 

 

 

 

Location: Service Adapter: 0

 

 

 

 

 

 

VSA Traffic Statistics

 

 

 

 

 

 

Inbound rate: 0pps 0kb/s Outbound rate: 0pps 0kb/s

 

 

 

 

 

TXR0 PKT: 0x00000000000028B2

Byte: 0x000000000006ACF6

Full: 0x0000000000000000

 

RXR0 PKT: 0x00000000000028B2

Byte: 0x0000000000A86398

 

 

 

 

 

TXR1 PKT: 0x0000000000000000

Byte: 0x0000000000000000

Full: 0x0000000000000000

 

RXR1 PKT: 0x0000000000000000

Byte: 0x0000000000000000

 

 

 

 

 

TXR2 PKT: 0x0000000000000000

Byte: 0x0000000000000000

Full: 0x0000000000000000

 

RXR2 PKT: 0x0000000000000000

Byte: 0x0000000000000000

 

 

 

 

 

Inbound Traffic:

 

 

 

 

 

 

 

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

 

 

 

 

 

 

OL-9129-02

 

 

 

 

4-21

 

 

 

 

 

 

 

Page 54 Page 56
Image 55
Page 54 Page 56
Contents Text Part Number OL-9129-02 Corporate HeadquartersPage N T E N T S Preventing Electrostatic Discharge Damage 2 Creating Dynamic Crypto Maps 4 OL-9129-02 Audience PrefaceOrganization ObjectivesChapter Title Description Obtaining Documentation Related DocumentationCisco.com Cisco Product Security Overview Documentation FeedbackProduct Documentation DVD Ordering Documentation Product Alerts and Field Notices Reporting Security Problems in Cisco ProductsCisco Technical Support & Documentation Website Obtaining Technical AssistanceDefinitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Xiv Data Encryption Overview OverviewVSA Overview VSA Module Front View Screws Handle Status LED lightHardware Required FeaturesThis section describes the VSA features, as listed in Table Feature Description/BenefitMIBs Supported Standards, MIBs, and RFCsPerformance StandardsEnabling/Disabling Scheme Command PurposeEnabling/Disabling the VSA Disabling the VSA during OperationCommand Description of VSA Behavior Condition System is ConfiguredLEDs Cisco 7204VXR Router ConnectorsSee -2for the VSA connectors Slot LocationsCisco 7204VXR Router Front View Port adapter VSA in I/O controller slot Port adapter leverCisco 7206VXR Front View Cisco 7206VXR RouterHardware and Software Requirements Required Tools and EquipmentPlatform Software RequirementsHardware Requirements RestrictionsSafety Warnings Safety GuidelinesOnline Insertion and Removal OIR Preventing Electrostatic Discharge Damage Electrical Equipment GuidelinesPreparing for Installation OL-9129-02 VSA circuit board is sensitive to ESD damage Handling the VSAThis section describes how to remove and install the VSA VSA Removal and InstallationRemoving and Installing the VSA VSA Removal and Installation OL-9129-02 Overview Configuration TasksConfiguring an IKE Policy Using the Exec Command InterpreterSignatures as the authentication method Key Management Protocol Isakmp policy configurationConfig-isakmp mode Optional Specifies the authentication method within an IKEDisabling VSA Optional Configuring a Transform SetDefining a Transform Set Transform type Description IPSec Protocols AH and ESP Crypto Transform Configuration ModeSelecting Appropriate Transforms Changing Existing Transforms Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Setting Global Lifetimes for IPSec Security AssociationsStep Command Purpose Creating Crypto Map Entries Creating Crypto Access ListsExits crypto-map configuration mode and return to Only one transform set can be specified when IKE isAuthenticator keys if the transform set includes an ESP authenticator algorithmCreating Dynamic Crypto Maps For this crypto access list Optional Accesses list number or name of anExtended access list. This access list determines If this is configured, the data flow identity proposedApplying Crypto Map Sets to Interfaces Monitoring and Maintaining IPSecRouter# show crypto isakmp policy Verifying IKE and IPSec ConfigurationsVerifying the Configuration Currentpeer 172.21.114.67 PERMIT, flags=originisacl This section provides the following configuration examples Configuration ExamplesConfiguring IKE Policies Example Configuring IPSec Configuration ExampleRouter a Configuration Basic IPSec Configuration IllustrationCrypto map is applied to an interface Transform set defines how the traffic will be protected Router B ConfigurationSpecify the parameters to be used during an IKE negotiation Router# show diag Troubleshooting TipsTunnel I/F Monitoring and Maintaining the VSA Using Deny Policies in Access ListsConfiguration Guidelines and Restrictions Monitor and Maintenance CommandsD E Set pfs command Sa command, clear crypto Entries, creatingSet session-key command Set transform-set command Handling VPN Acceleration Module see VAM 1 Features Handling Monitoring and maintaining 4 OverviewIN-4
Top Page Image Contents