Debugging IPSec Tunneling
IPSec Troubleshooting - Basic
When debugging IPSec tunneling, look out for:
- If you have bi-directional traffic via ESP or NAT-T then the appliances are trying to establish an IPSec tunnel.
- Silver Peak Recommendation: Set the MTU size to 1400 to account for IPSec overhead.
- Another common scenario occurs when another device appliance responds to IPSec requests, rather than the Silver Peak. If you encounter tunnel connectivity issues, it may be necessary to validate the IPSec response is coming from the correct Silver Peak appliance. If this is found to be happening, most firewalls have an IPSec pass-through feature that can be enabled to get around this.
- A third scenario to be aware of is the case where no IPSec devices are responding to IPSec requests from the Silver Peak appliance. This scenario could be caused by a misconfiguration of the pre-shared key or IPSec setup. It could also be caused when the IPSec requests are blocked by a firewall or other device somewhere between the Silver Peak appliances.
IMPORTANT: If you’re not familiar with IPSec or comfortable troubleshooting using a CLI , we recommend that you involve your network or firewall administrator for assistance in troubleshooting connectivity issues. Making changes to routers, firewalls, and other devices in production environments can cause disruptions in service. |
IPSec Troubleshooting – Advanced
Broadcast CLI
Silver Peak Orchestrator provides the Broadcast CLI (BCLI) tool that enables administrators to issue CLI commands centrally from the Orchestrator interface. The BCLI can be used to issue commands to one or many appliances at a time. As long as the Orchestrator can communicate with remote appliances, Broadcast CLI can be used to issue commands for troubleshooting IPSec.
Broadcast CLI can be accessed on the Orchestrator by choosing Maintenance > [Tools] Broadcast CLI
To identify if another device is responding to IPSec requests:
-
Use the BCLI to issue the following command on the remote silver peak:
(Tunnel name in this example is tun1. Replace tun1 with appropriate tunnel name in your environment.)
BRSUPP86 (config) # show int tunnel tun1 ipsec status
Tunnel tun1 ipsec state
Tunnel Oper: DownIPSec Enabled: yes
IPSec Oper: Healthy
Total IPSec SAs: in:1 out:1**
IPSec Key Size: 256 bits
Replay Window(bits): 1024NOTE: 1 SA (security association) sent (out) and 1 SA received (in), but we can’t validate which device responded to our SA.
-
Issue the following command from the BCLI:
BRSUPP86 (config) # show int tunnel tun1 ipsec debug
IPSec stats for tid 2
-----Key-management---
Current state: 2
Req key by dp: 1
Rekey dp: 0
Rekey TO: 0
Rekey # in pkts: 0
Rekey # out pkts: 0
Key wait TO: 0
Passive key TO: 0-----In-bound---
Total packets: 0**Aligment: 0
No sa: 0
Verify fail: 0
Replay check: 0
Decryption fail: 0
Other reason: 0-----Out-bound---
Total packets: 453
No sa: 6
Encryption fail: 0
Authentication fail: 0
Other reason: 0
NOTE: “Total packets” should not be 0. This indicates the firewall in front of us responded, and the Silver Peak appliance never got the request. (Scenario 2, above) In this situation, it is necessary to enable “ipsec passthrough” on the firewall. Alternatively, you could elect to connect the Silver Peak appliance directly to the public internet. (Make sure WAN hardening is enabled and proper security precautions are in place.) |
To validate a deeper issue with IPSec packets traversing the network:
- If the tunnel debug command shows no SAs at all, you could have an issue with the IKE exchange. This scenario could be caused by a misconfiguration of the pre-shared key or IPSec setup. It could also be caused when the IPSec requests are blocked by a firewall or other device somewhere between the Silver Peak appliances.
-
Issue the following command from the BCLI:
(Replace tun1 with appropriate tunnel name in your environment.)
BRSUPP86 (config) # show int tunnel tun1 ipsec debug
IPSec stats for tid 2
-----Key-management---
Current state: 2
Req key by dp: 1
Rekey dp: 0
Rekey TO: 0
Rekey # in pkts: 0
Rekey # out pkts: 0
Key wait TO: 0
Passive key TO: 0-----In-bound---
Total packets: 435
Alignment: 0
No sa: 0
Verify fail: 0
Replay check: 0
Decryption fail: 0
Other reason: 0-----Out-bound---
Total packets: 453
No sa: 6
Encryption fail: 0
Authentication fail: 0
Other reason: 0
The Current State output indicates the ISAKMP key exchange state. For reference, here’s a table of ISAKMP key exchange states as they map to the Current State value:
ISAKMP Key Exchange State |
Current State ID |
---|---|
ST_INIT |
1 |
ST_ACTIVE_KEY_WAIT |
2 |
ST_ACTIVE_READY |
3 |
ST_PASSIVE_READY |
4 |
|