Verification Command List:
show crypto ipsec sa
show crypto ipsec spi-lookup
show crypto isakmp profile
show crypto isakmp policy
show crypto isakmp sa
show crypto isakmp peers
show crypto engine connections active
Troubleshooting Command List:
debug crypto isakmp —Displays errors during Phase 1.
debug crypto ipsec —Displays errors during Phase 2.
debug crypto engine —Displays information from the crypto engine.
clear crypto connection connection-id [slot | rsm | vip] —Terminates an encrypted session currently in progress. Encrypted sessions normally terminate when the session times out. (Use the show crypto cisco connections command to see the connection-id value.)
clear crypto isakmp —Clears the Phase 1 security associations.
clear crypto sa —Clears the Phase 2 security associations.
R(config)# ip inspect log drop-pkt
Outgoing traffic: matched by class 9_INTERNET_TRAFFIC (match-all).
Incoming traffic: falls into class-default (deny), so the returning VPN traffic is not matched.
%FW-6-DROP_PKT: Dropping udp session 175.143.101.93:500 192.168.100.229:61197 on zone-pair ZP3-1 class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-LOG_SUMMARY: 6 packets were dropped from 175.143.101.93:500 => 192.168.100.229:61197 (target:class)-(ZP3-1:class-default)
%FW-6-LOG_SUMMARY: 1 packet were dropped from 175.143.101.93:500 => 192.168.100.229:61200 (target:class)-(ZP3-1:class-default)
%FW-6-DROP_PKT: Dropping tcp session 210.187.25.210:80 192.168.100.230:53423 on zone-pair ZP1-3 class 9_INTERNET_TRAFFIC due to Invalid Seq# with ip ident 0
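Added example (not part of the original post): a Python parser for %FW-6-DROP_PKT messages in the format above that counts drops per zone-pair and class and flags UDP 500/4500 (IKE/NAT-T) sessions dropped by class-default, the symptom in the first message. The sample lines are constructed with documentation addresses, and the function names are this example's own.

```python
import re
from collections import Counter

# Pattern for the %FW-6-DROP_PKT format shown in the log output above.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT:\s*Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"on zone-pair (?P<zp>\S+) class (?P<cls>\S+)\s+"
    r"due to\s+(?P<reason>.+?)\s+with ip ident"
)
IKE_PORTS = {500, 4500}  # ISAKMP/IKE and NAT-T (UDP)

def parse_drops(text):
    """Return one dict per DROP_PKT message; tolerates wrapped log lines."""
    flat = " ".join(text.split())  # undo line wrapping
    drops = []
    for m in DROP_RE.finditer(flat):
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        # IKE traffic dropped by the catch-all class: the zone-pair has no
        # class that permits the VPN peer's return traffic.
        d["ike_in_default"] = (
            d["proto"] == "udp"
            and (d["sport"] in IKE_PORTS or d["dport"] in IKE_PORTS)
            and d["cls"] == "class-default"
        )
        drops.append(d)
    return drops

def summarize(drops):
    """Count drops per (zone-pair, class, reason)."""
    return Counter((d["zp"], d["cls"], d["reason"]) for d in drops)

# Constructed sample in the page's log format (documentation addresses).
SAMPLE = """\
%FW-6-DROP_PKT:
Dropping udp session 203.0.113.10:500 192.168.100.229:61197
on zone-pair ZP3-1 class class-default due to DROP action found in policy-map with ip ident 0
%FW-6-DROP_PKT: Dropping tcp session 198.51.100.20:80 192.168.100.230:53423
on zone-pair ZP1-3 class 9_INTERNET_TRAFFIC due to Invalid Seq# with ip ident 0
"""

if __name__ == "__main__":
    for d in parse_drops(SAMPLE):
        tag = "IKE dropped by class-default" if d["ike_in_default"] else "other"
        print(d["zp"], d["cls"], d["src"], d["sport"], d["reason"], tag)
    print(summarize(parse_drops(SAMPLE)))
```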
ISR2811#clear zone-pair inspect session or clear policy-firewall session