The Cisco IPsec Diagnostics Enhancement feature adds four sets of event statistics and an error history buffer to the Cisco IOS software for use in troubleshooting a virtual private network (VPN) that encrypts the data path.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IPsec Diagnostics Enhancement" section.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
• Prerequisites for the IPsec Diagnostics Enhancement
• Restrictions for the IPsec Diagnostics Enhancement
• Information About the IPsec Diagnostics Enhancement
• How to Use the IPsec Diagnostics Enhancement
• Feature Information for IPsec Diagnostics Enhancement
• You understand the IP security (IPsec) standard for network security.
Note Contact the Cisco Technical Assistance Center (TAC) before using this feature.
• This feature and its commands are available only on Cisco IOS releases that support IPsec encryption.
• This feature is enabled by default in the encryption data path and has a negligible impact on memory and performance.
To use the enhanced diagnostic tools for troubleshooting an encryption data path, you should understand the following concept:
• Tracking Packet Processing Within a Switch or Router
Standard packet analyzers used for troubleshooting network issues capture packets between devices in the network, but they cannot capture packet processing events inside a device such as a router. Beginning with Cisco IOS Release 12.4(9)T, Cisco IOS software includes four sets of event statistics to track packet processing within a switch or router. These statistics help Cisco TAC engineers diagnose and resolve issues in encrypted networks. Each set of statistics tracks a different aspect of packet processing within a switch or router:
• Error counters track packet processing errors and associated packet drops. When a packet encounters an error, the first 64 bytes of that packet are stored in a buffer to facilitate troubleshooting.
• Internal counters show the detailed movement of a packet, end to end, across an encryption data path.
• Punt counters track instances when the configured packet processing method failed and an alternative method was used.
• Success counters record the data path checkpoints where packets are successfully forwarded.
You can view any one set of statistics, all of them, or only those that have recorded events. You must also choose the display timeframe for the statistics: a snapshot taken at a single point in time, or real-time updates.
Note Contact the Cisco TAC before using this feature.
This section contains the following tasks:
• Displaying the Statistics (optional)
• Displaying the Error History (optional)
• Clearing the Counters or Error History (optional)
You can use the show crypto datapath command to display statistics that help troubleshoot an encrypted network.
1. enable
2. show crypto datapath {ipv4 | ipv6} {snapshot | realtime} {all | non-zero} [error | internal | punt | success]
| Step | Command or Action | Purpose |
|---|---|---|
| Step 1 | enable<br>Example: Router> enable | Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 | show crypto datapath {ipv4 \| ipv6} {snapshot \| realtime} {all \| non-zero} [error \| internal \| punt \| success]<br>Example: Router# show crypto datapath snapshot success | Displays the statistics from one or more specified counters. Use the keywords to specify the IP version used in the network (IPv4 or IPv6) and to specify whether to capture statistics in real time (realtime) or as of a single point in time (snapshot). You can also choose which statistics to display. The all keyword displays the output of all the counters, whether they have recorded events or not. The non-zero keyword displays only the output of counters that have recorded at least one event. Each of the other keywords displays one specific set of statistics, as described in the "Information About the IPsec Diagnostics Enhancement" section. |
You can display the contents of the buffer that stores information from error events to diagnose the cause of errors. The show monitor event-trace command is updated with the cfd (crypto fault detection) keyword as a possible entry for the component argument to help with troubleshooting an encryption data path. Additional keywords allow you to specify the time span for which you want to display events. For example, you can display all events for the last 30 minutes.
For detailed information about the show monitor event-trace command, see the Master Command List.
1. enable
2. show monitor event-trace [all-traces] [component {all | back time | clock time | from-boot seconds | latest | parameters}]
You can use the clear crypto datapath command to clear the counters or error history buffer in an encrypted network. Use the appropriate keywords to clear all counters or one specific counter.
1. enable
2. clear crypto datapath {ipv4 | ipv6} [error | internal | punt | success]
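The three tasks above form one troubleshooting loop: clear the counters, reproduce the problem, take a snapshot restricted to non-zero counters, and then pull the error history for the relevant time span. The following Python script is an added example of that loop as an offline exercise; it is not Cisco code and does not run on a router. The counter dump format, counter names, and error-history entries are constructed for the example and are not the real output of show crypto datapath or show monitor event-trace; only the workflow (delta between two snapshots, non-zero filtering per counter set, the 64-byte packet excerpt kept per error, and a trailing time window like the back keyword) follows the page.

```python
from datetime import datetime, timedelta

# Constructed sample counter dumps, one "<set> <counter> <value>" line each.
# This line format and these counter names are assumptions for the example;
# they are NOT the real output format of `show crypto datapath`.
SNAPSHOT_BEFORE = """\
error ipsec_sa_not_found 0
error replay_check_failed 0
punt fastpath_to_process 4
success encaps_ok 1200
success decaps_ok 1180
"""
SNAPSHOT_AFTER = """\
error ipsec_sa_not_found 0
error replay_check_failed 17
punt fastpath_to_process 4
success encaps_ok 1350
success decaps_ok 1313
"""

# The page states that the first 64 bytes of a failing packet are retained.
ERROR_BUFFER_BYTES = 64


def parse_counters(text):
    """Parse the constructed dump into {(counter_set, counter_name): value}."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        counter_set, name, value = parts
        counters[(counter_set, name)] = int(value)
    return counters


def nonzero_delta(before, after, sets=None):
    """Return only the counters that moved between two snapshots.

    `sets` optionally restricts the result to named counter sets, e.g.
    {"error", "punt"}, mirroring the error/internal/punt/success keywords;
    dropping unchanged counters mirrors the non-zero keyword.
    """
    deltas = {}
    for key, value in after.items():
        if sets is not None and key[0] not in sets:
            continue
        delta = value - before.get(key, 0)
        if delta != 0:
            deltas[key] = delta
    return deltas


def record_error(history, when, counter, packet):
    """Append an error event, keeping only the first 64 bytes of the packet."""
    history.append((when, counter, bytes(packet[:ERROR_BUFFER_BYTES])))
    return history


def recent_errors(history, now, back_minutes):
    """Select events inside the trailing window, the way the `back` keyword
    of show monitor event-trace selects a time span."""
    cutoff = now - timedelta(minutes=back_minutes)
    return [event for event in history if event[0] >= cutoff]


# Constructed error history: one replay failure 40 minutes ago, one 5 minutes ago.
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0)
DEMO_HISTORY = []
record_error(DEMO_HISTORY, DEMO_NOW - timedelta(minutes=40),
             "replay_check_failed", bytes(range(100)))
record_error(DEMO_HISTORY, DEMO_NOW - timedelta(minutes=5),
             "replay_check_failed", bytes(range(100)))

if __name__ == "__main__":
    before = parse_counters(SNAPSHOT_BEFORE)
    after = parse_counters(SNAPSHOT_AFTER)
    print("counters that changed while reproducing the problem:")
    for (counter_set, name), delta in sorted(nonzero_delta(before, after).items()):
        print(f"  {counter_set:8} {name:24} +{delta}")
    print("error events in the last 30 minutes:")
    for when, counter, excerpt in recent_errors(DEMO_HISTORY, DEMO_NOW, 30):
        print(f"  {when.isoformat()} {counter} first bytes={excerpt[:8].hex()} "
              f"({len(excerpt)} bytes kept)")
```

Restricting the delta to the error set first (sets={"error"}) is usually the quickest read: a rising error counter alongside a flat success counter points at a drop in the data path, while a rising punt counter with successes still climbing points at a fallback processing method rather than a loss.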
Related documents:
• Cisco IOS commands
• Security commands
• Configuring Security for VPNs with IPsec

MIBs: None. To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL:
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Table 1 lists the release history for this feature.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.