When troubleshooting Cisco to Check Point VPNs, it is often necessary to verify and collect debug information from the Cisco side. Cisco IOS provides debug functionality to collect this information. The Nokia GTAC will sometimes request the Cisco IOS VPN debugs as well as configuration information.
Cisco IOS configuration is best collected as the output of the show tech-support command, which will strip out sensitive password information.
The Cisco IOS VPN debug commands which are most useful are:
debug crypto map
debug crypto engine
debug crypto ipsec
debug crypto isakmp
debug ike all
debug ipsec all
show ike
show ipsec
show ipsec full
show statistic ike
show statistic ipsec
Another useful command is
sh crypto isakmp sa
which will show you the remote side's encryption domain, IKE and IPSEC encryption method, and whether the remote side is trying to tunnel per subnet or host.
It is important to match up both sides of an IPSEC VPN. The above commands should help you do that.
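To help match up the two sides from a collected debug capture, the following added example (not part of the original post) scans saved debug crypto isakmp and debug crypto ipsec output for common mismatch messages and reports which phase to fix first. The message patterns are assumptions based on commonly seen IOS wording, which varies by release, and the sample lines are constructed.

```python
import re

# Message fragments commonly seen in IOS "debug crypto isakmp" and
# "debug crypto ipsec" output when the peers disagree. Wording varies by IOS
# release (assumption): adjust the patterns against your own captures.
SIGNATURES = [
    (re.compile(r"atts are not acceptable"), "phase1",
     "IKE proposal mismatch (encryption, hash, DH group or authentication)"),
    (re.compile(r"phase 1 SA policy not acceptable"), "phase1",
     "no local ISAKMP policy matches the peer's offer"),
    (re.compile(r"IKMP_BAD_MESSAGE"), "phase1",
     "malformed IKE message, often a pre-shared key mismatch"),
    (re.compile(r"proxy identities not supported"), "phase2",
     "encryption domain mismatch (crypto ACL vs. the peer's subnets or hosts)"),
    (re.compile(r"transform proposal .*not supported"), "phase2",
     "IPsec transform set mismatch"),
    (re.compile(r"phase 2 SA policy not acceptable"), "phase2",
     "IPsec proposal rejected by local policy"),
]

# Constructed sample lines, not captured from a real device.
SAMPLE = """\
*Mar  1 00:01:10.123: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Mar  1 00:01:10.127: ISAKMP:(0):atts are not acceptable. Next payload is 0
*Mar  1 00:01:10.131: ISAKMP:(0):phase 1 SA policy not acceptable! (local 192.0.2.1 remote 198.51.100.7)
*Mar  1 00:05:42.500: IPSEC(validate_transform_proposal): proxy identities not supported
"""

def triage(debug_text):
    """Return (line_number, phase, reason) for each line matching a signature."""
    findings = []
    for number, line in enumerate(debug_text.splitlines(), 1):
        for pattern, phase, reason in SIGNATURES:
            if pattern.search(line):
                findings.append((number, phase, reason))
                break
    return findings

def first_failing_phase(findings):
    """Phase 2 cannot start until Phase 1 completes, so report Phase 1 first."""
    phases = {phase for _, phase, _ in findings}
    if "phase1" in phases:
        return "phase1"
    return "phase2" if "phase2" in phases else None

if __name__ == "__main__":
    results = triage(SAMPLE)
    for number, phase, reason in results:
        print(f"line {number}: {phase}: {reason}")
    print("fix first:", first_failing_phase(results))
```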