
Display ike sa, Display ipsec statistics – Panasonic 8000 User Manual


2 IPSec and IKE troubleshooting

Nortel Secure Router 8000 Series

Troubleshooting - VAS

display ike sa

nat traversal: disable

The preceding line shows the NAT traversal status: enable or disable.

You can use the nat traversal command to modify the configuration.

display ike sa

connection-id  peer          VPN  flag   phase  doi
15             202.38.162.1  0    RD|ST  2      IPSEC
14             202.38.162.1  0    RD|ST  1      IPSEC

flag meaning:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

The following section explains each field in the display lines:

connection-id

This indicates the SA ID automatically generated in IKE negotiation.

peer

This indicates the IP address of the peer.

flag

This indicates the present SA status:

RD (READY): SA setup succeeds.

ST (STAYALIVE): The present end is the SA negotiation initiator.

RL (REPLACED): The present SA is replaced with a new SA and should be removed
immediately.

FD (FADING): The SA is still in use after the soft timeout. Remove the SA before
the hard timeout.

TO (TIMEOUT): The SA has not received a Keep Alive packet since the last keep-alive
timeout. If it receives no Keep Alive packet by the next keep-alive timeout,
remove this SA.

The present SA can display a combined status. For example, RD|ST indicates that the SA
negotiation is initiated by the local end and is set up.

phase

This indicates the SA phases:

Phase 1: indicates ISAKMP SA.

Phase 2: indicates IPSec SA.

doi

This indicates the Domain of Interpretation (DOI) of the SA. Nortel Secure Router 8000
Series supports IPSec DOI.

display ipsec statistics

display ipsec statistics

the security packet statistics:

input/output security packets : 56/56


Nortel Networks Inc.

Issue 01.01 (30 March 2009)