Manuals / Cisco Systems / Computer Equipment / Network Cables

Cisco Systems C7200 manual Troubleshooting Tips, 4-21, Router# show diag

Models: C7200

1 62

Download 62 pages 7.3 Kb

Page 55

Chapter 4 Configuring the VSA

Troubleshooting Tips

A crypto map joins the transform set and specifies where the protected traffic is sent (the remote IPSec peer):

crypto map toRemoteSite 10 ipsec-isakmp match address 101

set peer 10.0.0.3

set transform-set auth1

The crypto map is applied to an interface:

interface Serial0

ip address 10.2.2.3 crypto map toRemoteSite

An IPSec access list defines which traffic to protect:

access-list 101 permit ip host 10.2.2.2 host 10.0.0.2

access-list 101 permit ip host 10.2.2.3 host 10.0.0.3

Troubleshooting Tips

To verify that Cisco IOS software has recognized the VSA, enter the show diag command and check the output. In the following example, the IOS software recognizes the C7200-VSA, which is found in slot 0 in the router.

Router# show diag 0

Slot 0:

VSA IPsec Card Port

adapter

Port adapter is analyzed

Port adapter insertion

time 00:23:25 ago

EEPROM contents at hardware discovery:

PCB Serial

Number

: PRTA4404055

Product (FRU)

Number

: C7200-VSA

EEPROM format

version 4

EEPROM contents (hex):

0x00: 04

FF

C1

8B

50

52

54

41

34

34

30

34

30

35

35

40

0x10: 05

0D

CB 94

43

37

32

30

30

2D

56

53

41

20

20

20

0x20: 20

20

20

20

20

20

20

20

D9

03

C1

40

CB FF FF FF

0x30: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

0x40: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

0x50: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

0x60: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

0x70: FF

FF

FF FF

FF

FF FF FF FF FF FF FF FF FF FF FF

To see if the VSA is currently processing crypto packets, enter the show crypto engine accelerator statistic 0 command. The following is sample output:

Router# show crypto engine accelerator statistic 0

	Device:	VSA
	Location: Service Adapter: 0
	VSA Traffic Statistics
	Inbound rate: 0pps 0kb/s Outbound rate: 0pps 0kb/s
	TXR0 PKT: 0x00000000000028B2		Byte: 0x000000000006ACF6	Full: 0x0000000000000000
	RXR0 PKT: 0x00000000000028B2		Byte: 0x0000000000A86398
	TXR1 PKT: 0x0000000000000000		Byte: 0x0000000000000000	Full: 0x0000000000000000
	RXR1 PKT: 0x0000000000000000		Byte: 0x0000000000000000
	TXR2 PKT: 0x0000000000000000		Byte: 0x0000000000000000	Full: 0x0000000000000000
	RXR2 PKT: 0x0000000000000000		Byte: 0x0000000000000000
	Inbound Traffic:
		C7200 VSA (VPN Services Adapter) Installation and Configuration Guide

	OL-9129-02					4-21
	OL-9129-02					4-21

Image 55

Cisco Systems C7200 manual Troubleshooting Tips, 4-21, Router# show diag, Router# show crypto engine accelerator statistic

Contents

800 553-NETS Fax 408 C7200 VSA VPN Services Adapter Installation and Configuration GuideCorporate Headquarters Cisco Systems, Inc 170 West Tasman Drive San Jose, CATurn the television or radio antenna until the interference stops Preface FeaturesDefinitions of Service Request Severity C O N T E N T SRemoving and Installing the VSA The Crypto Transform Configuration Mode 4Configuration Tasks 4 Safety WarningsTroubleshooting Tips Verifying the Configuration 4Router A Configuration Router B ConfigurationC7200 VSA VPN Services Adapter Installation and Configuration Guide ContentsOL-9129-02 Audience, page Warnings, page Objectives, page Organization, page PrefaceAudience WarningsObjectives Preparing for InstallationRemoving and Installing the VSA Configuring the VSAObtaining Documentation Related DocumentationCisco.com Ordering Documentation Documentation FeedbackCisco Product Security Overview Product Documentation DVDProduct Alerts and Field Notices Reporting Security Problems in Cisco ProductsFor emergencies only - security-alert@cisco.com Cisco Technical Support & Documentation Website Obtaining Technical Assistancehttp//tools.cisco.com/RPF/register/register.do xiii Submitting a Service RequestDefinitions of Service Request Severity Obtaining Additional Publications and InformationThe Cisco Product Quick Reference Guide is a handy, compact reference tool that includes brief product overviews, key features, sample part numbers, and abbreviated technical specifications for many Cisco products that are sold through channel partners. It is updated twice a year and includes the latest Cisco channel product offerings. To order and find out more about the Cisco Product Quick Reference Guide, go to this URL Data Encryption Overview Hardware Required, page Features, pageEnabling/Disabling the VSA, page LEDs, page Connectors, page OverviewVSA Overview Screws Description/Benefit FeaturesHardware Required FeatureMIBs Supported Standards, MIBs, and RFCsPerformance StandardsEnabling/Disabling the VSA Disables the C7200 VSAEnables the C7200 VSA after it has been disabledHw-module slot 0 shutdown -Not supported LEDsno crypto engine slot accelerator 0 -See Table Cisco 7204VXR Router, page Cisco 7206VXR Router, page ConnectorsSlot Locations Cisco 7204VXR RouterChapter 1 Overview Slot Locations C7200 VSA VPN Services Adapter Installation and Configuration GuideENABLED Figure 1-4 Cisco 7204VXR Router - Front ViewFigure 1-5 Cisco 7206VXR - Front View Cisco 7206VXR Router1-10 C7200 VSA VPN Services Adapter Installation and Configuration GuideHardware and Software Requirements Preparing for InstallationOnline Insertion and Removal OIR, page Safety Guidelines, page Required Tools and EquipmentPlatform Software RequirementsHardware Requirements RestrictionsOnline Insertion and Removal OIR Safety GuidelinesSafety Warnings Safety Warnings, page Electrical Equipment Guidelines, pagePreventing Electrostatic Discharge Damage Electrical Equipment GuidelinesCompliance with U.S. Export Laws and Regulations Regarding Encryption Compliance with U.S. Export Laws and Regulations Regarding EncryptionOL-9129-02 Chapter 2 Preparing for InstallationC7200 VSA VPN Services Adapter Installation and Configuration Guide Compliance with U.S. Export Laws and Regulations Regarding EncryptionHandling the VSA, page Online Insertion and Removal OIR, page Removing and Installing the VSAWarnings and Cautions, page VSA Removal and Installation, page Handling the VSAOnline Insertion and Removal OIR VSA Removal and InstallationWarnings and Cautions The safety cover is an integral part of the product. Do not operate the unit without the safety cover installed. Operating the unit without the cover in place will invalidate the safety approvals and pose a risk of fire and electrical hazardsStep 3 Unscrew the screws holding the VSA in the slot OL-9129-02 Chapter 3 Removing and Installing the VSAVSA Removal and Installation C7200 VSA VPN Services Adapter Installation and Configuration GuideBasic IPSec Configuration Illustration, page Configuring the VSAConfiguration Tasks Overview, page Configuration Tasks, page Configuration Examples, pageConfiguring IPSec Configuration Example, page 4-18 optional Using the EXEC Command InterpreterConfiguring an IKE Policy Verifying IKE and IPSec Configurations, page 4-15 optionalDefines an IKE policy and enters Internet Security Association system reboot Configuring a Transform SetDisables VSA VSA will be enabled after the nextTransform Example The Crypto Transform Configuration Mode Changing Existing TransformsDefining a Transform Set Selecting Appropriate Transformsah-sha-hmac Authentication Transform is used, you mustESP Authentication Transform Pick up to ah-md5-hmacesp-aes and esp-sha-hmac ah-sha-hmac and esp-aes and esp-sha-hmac The Crypto Transform Configuration ModeIPSec Protocols AH and ESP Selecting Appropriate TransformsEnsuring That Access Lists Are Compatible with IPSec required Configuring IPSecEnsuring That Access Lists Are Compatible with IPSec Setting Global Lifetimes for IPSec Security AssociationsRouter# clear crypto sa spi destination-address CommandStep PurposeRouterconfig# ip access-list extended name Creating Crypto Access ListsCreating Crypto Map Entries 4-10Routerconfig-crypto-m# set session-key inbound ah 4-11spi cipher hex-key-string authenticator esp spi cipher hex-key-string authenticatorSpecifies which transform sets are allowed for the This is the only configuration statement required inCreating Dynamic Crypto Maps Creates a dynamic crypto map entryCommand 4-13Purpose Applying Crypto Map Sets to Interfaces Monitoring and Maintaining IPSec4-14 Displays information about IPSec security associations Verifying IKE and IPSec ConfigurationsDisplays your transform set configuration Displays your crypto map configuration4-16 Verifying the ConfigurationOL-9129-02 4-17Chapter 4 Configuring the VSA Configuration Tasks C7200 VSA VPN Services Adapter Installation and Configuration GuideConfiguring IKE Policies Example, page Configuration ExamplesConfiguring IKE Policies Example Configuring IPSec Configuration ExampleRouter A Configuration Basic IPSec Configuration Illustration4-19 4-20 Router B ConfigurationRouter# show crypto engine accelerator statistic Troubleshooting Tips4-21 Router# show diagChapter 4 Configuring the VSA Troubleshooting Tips 4-22C7200 VSA VPN Services Adapter Installation and Configuration Guide Monitoring and Maintaining the VSA Using Deny Policies in Access ListsUsing Deny Policies in Access Lists, page Monitor and Maintenance Commands, pageVerifies the VSA is currently processing crypto packets Monitor and Maintenance CommandsConfiguration Guidelines and Restrictions Displays integrated service adapter as part of the interfacesIN-1 I N D Ecreating 4 IN-2definition IN-3 OL-9129-02 IN-4C7200 VSA VPN Services Adapter Installation and Configuration Guide Index