Cisco Systems C7200 manual Tunnel I/F

Page 56

Chapter 4 Configuring the VSA

Troubleshooting Tips

  Decrypted           PHY I/F:0x0000000000000000  TUNNEL I/F:0x0000000000000000
  SPI Error           PHY I/F:0x0000000000000000  TUNNEL I/F:0x0000000000000000
  Pass clear          PHY I/F:0x0000000000000000  TUNNEL I/F:0x0000000000000000
  SPD Drop:           0x0000000000000000
  IKE Bypass:         0x0000000000000000

Outbound Traffic:
  Encry   CEF: 0x0000000000000000  FS: 0x0000000000000000  PROC: 0x0000000000000000
  Pass    CEF: 0x0000000000000000  FS: 0x0000000000000000  PROC: 0x0000000000000000
  ICMP Unreachable: 0x0000000000000000  ICMP Unreach Fail: 0x0000000000000000
  SPD Drop:         0x0000000000000000

Special Traffic:
  VAM mode PKT:      0x0000000000000000  Exception:    0x0000000000000000
  N2 Message:      : 0x00000000000028B2  Exception:    0x0000000000000000
  IP PKT Exception:  0x0000000000000000  DJ Overflow:  0x0000000000000000
  RAE Report PKT::   0x0000000000000000  PKT Consumed: 0x0000000000000000
  TCAM WR:           0x0000000000000001  TCAM RD:      0x0000000000000000
  SARAM WR:          0x0000000000008422  SARAM RD:     0x0000000000000000
  RAE WR:            0x0000000000080000  RAE RD:       0x0000000000000000

Warnings:
  N2 interrupt:      0x0000000000000000  Invalid Op:     0x0000000000000000
  RX CTX error:      0x0000000000000000  TX CTX low:     0x0000000000000000
  PKT CTX Low:       0x0000000000000000  PKT Info Low:   0x0000000000000000
  PKT Header Low:    0x0000000000000000  Particle Low:   0x0000000000000000
  Missing SOP:       0x0000000000000000  Missing EOP:    0x0000000000000000
  TX Drop IB:        0x0000000000000000  TX Drop OB:     0x0000000000000000
  MSG Unknown:       0x0000000000000000  MSG too Big:    0x0000000000000000
  MSG Empty:         0x0000000000000000  MSG No Buffer:  0x0000000000000000
  PKT Info Missing:  0x0000000000000000  IB SB Error:    0x0000000000000000
  TX Drop Fastsend:  0x0000000000000000  IDMA Full:      0x0000000000000000
  Particle Fallback: 0x0000000000000000  STATISTIC:      0x0000000000000000

Elrond statistic:
  TXDMA PKT Count:   0x00000000000028B2  Byte Count: 0x000000000006ACF6
  RXDMA PKT Count:   0x00000000000028B2  Byte Count: 0x0000000000A86398
  IPPE  PKT Count:   0x00000000000028B2
  EPPE  PKT Count:   0x00000000000028B2
  PL3TX PKT Count:   0x00000000000028B2  Byte Count: 0x000000000009DADE
  PL3RX PKT Count:   0x00000000000028B2  Byte Count: 0x0000000000A86398
  CAM search IPPE:   0x0000000000000000  EPPE: 0x0000000000000000
  SARAM Req IPPE:    0x0000000000000000  EPPE: 0x0000000000000000
  RAE Frag Req IPPE: 0x0000000000000000  EPPE: 0x0000000000000000
  RAE ReAssembly:    0x0000000000000000  Re-Ordering: 0x0000000000000000
  REA Frag Finished: 0x0000000000000000

Frag Drop Count:
  IPPE: 0x0000000000000000  EPPE: 0x0000000000000000
  FIFO: 0x0000000000000000  RAE:  0x0000000000000000

VSA RX Exception statistics:
  IRH Not valid            : 0
  Invalid SA               : 0
  SA configuration error   : 0
  Enc Dec mismatch         : 0
  Insufficient Push        : 0
  Next Header mismatch     : 0
  Pad mismatch             : 0
  MAC mismatch             : 0
  Atomic OP failed         : 0
  L2 UDD GE 256            : 0
  Max BMI Read too small   : 0
  Max BMI Read No payload  : 0
  Anti replay failed       : 0
  Enc Seq num overflow     : 0
  Dec IPver mismatch       : 0
  Enc IPver mismatch       : 0
  TTL Decr                 : 0
  Selector checks          : 0
  UDP mismatch             : 0
  Reserved                 : 0
  Soft byte lifetime       : 0
  hardbyte lifetime        : 0
  IP Parse error           : 0
  Fragmentation Error      : 0
  Unknown Exception        : 0

 

 

 

When the VSA processes packets, the “packets in” and “packets out” counters change. The “packets out” counter represents the number of packets directed to the VSA. The “packets in” counter represents the number of packets received from the VSA.

C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

4-22

OL-9129-02

 

 
