Ask the customer about the topology and for the outputs of the commands below:
• Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | profile profile-name | peerip peer-ip-address ] command to check IPSec SA information.
• Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to check IPSec policy information.
• Run the display ipsec statistics { ah | esp } command to check statistics on IPSec packets.
• Run the display ike statistics { all | msg | v1 | v2 } command to check statistics on IKE packets.
# display ike sa
# display ip routing-table
# display acl
# display ike peer
The results are:
[USG2200]display ipsec sa
16:58:30 2014/08/25
[USG2200]display ipsec policy
16:58:32 2014/08/25
===========================================
IPsec Policy Group: "phase2"
Using interface: {GigabitEthernet0/0/0}
===========================================
-----------------------------
IPsec policy name: "phase2"
sequence number: 10
mode: isakmp
state: active
-----------------------------
security data flow : 3000
ike-peer name: phase1
perfect forward secrecy: None
proposal name: prop25812272047
IPsec sa local duration(time based): 3600 seconds
sa soft-duration time-based buffer: 0 seconds
sa soft-duration traffic-based buffer: 0 kilobytes
IPsec sa local duration(traffic based): 1843200 kilobytes
IPSec sa anti-replay: use global
IPSec sa anti-replay window-size: use global
[USG2200]disp ipsec stat
16:58:43 2014/08/25
the security packet statistics:
input/output security packets: 0/0
input/output security bytes: 0/0
input/output dropped security packets: 0/0
the encrypt packet statistics
send sae:0, recv sae:0, send err:0
local cpu:0, other cpu:0, recv other cpu:0
intact packet:22, first slice:0, after slice:0
the decrypt packet statistics
send sae:0, recv sae:0, send err:0
local cpu:0, other cpu:0, recv other cpu:0
reass first slice:0, after slice:0, len err:0
dropped security packet detail:
no enough memory: 0, too long: 0
can't find SA: 0, wrong SA: 0
authentication: 0, replay: 0
front recheck: 0, after recheck: 0
exceed byte limit: 0, exceed packet limit: 0
change cpu enc: 0, dec change cpu: 0
change datachan: 0, fib search: 0
rcv enc(dec) form sae said err: 0, 0
port number error: 0
send port: 0, output l3: 0, l2tp input: 0
negotiate about packet statistics:
IP packet ok:22, err:0, drop:0
IP rcv other cpu to ike:0, drop:0
IKE packet inbound ok:1344, err:0
IKE packet outbound ok:433, err:0
SoftExpr:0, HardExpr:0, DPDOper:0, SwapSa:0
ModpCnt: 59, SaeSucc: 59, SoftwareSucc: 0
The IPsec statistics show no packets being encrypted or decrypted on our firewall, so no LAN traffic is passing through it.
[USG2200]disp ike sa
16:59:11 2014/08/25
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase vpn
-----------------------------------------------------------------------------
40105 192.168.128.162 NEG v2:2 public
104 192.168.128.162 NEG v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
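Added example (not from the case and not Huawei's own tooling): a small Python triage script that parses the display ike sa table and the display ipsec statistics counters shown above and turns them into plain findings, reading the flags the way the legend printed by the firewall does. The embedded sample text is copied from the outputs above; the function names, the FLAG_MEANING table and the finding wording are my own assumptions.

```python
import re

# Sample input: the "display ike sa" output from the case above (constructed test data).
IKE_SA_OUTPUT = """\
current ike sa number: 2
-----------------------------------------------------------------------------
conn-id peer flag phase vpn
-----------------------------------------------------------------------------
40105 192.168.128.162 NEG v2:2 public
104 192.168.128.162 NEG v2:1 public
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD
"""

# Sample input: the relevant part of "display ipsec statistics" from the case above.
IPSEC_STATS_OUTPUT = """\
the security packet statistics:
input/output security packets: 0/0
input/output security bytes: 0/0
input/output dropped security packets: 0/0
dropped security packet detail:
no enough memory: 0, too long: 0
can't find SA: 0, wrong SA: 0
authentication: 0, replay: 0
"""

# Flag legend exactly as the firewall prints it under the SA table.
FLAG_MEANING = {
    "RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED", "FD": "FADING",
    "TO": "TIMEOUT", "TD": "DELETING", "NEG": "NEGOTIATING", "D": "DPD",
}

# One SA row: conn-id, peer, flag(s), "v<version>:<phase>", vpn instance.
SA_ROW = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z|]+)\s+v(\d):(\d)\s+(\S+)$")
STAT_LINE = re.compile(
    r"^input/output (security packets|security bytes|dropped security packets):\s*(\d+)/(\d+)$")
DROP_DETAIL = re.compile(r"([A-Za-z' ]+?):\s*(\d+)")


def parse_ike_sa(text):
    """Return one dict per SA row of 'display ike sa' output (header and legend are skipped)."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if not m:
            continue
        conn_id, peer, flags, version, phase, vpn = m.groups()
        sas.append({"conn_id": int(conn_id), "peer": peer, "flags": flags.split("|"),
                    "version": int(version), "phase": int(phase), "vpn": vpn})
    return sas


def parse_ipsec_stats(text):
    """Return in/out counters and per-reason drop counts from 'display ipsec statistics'."""
    stats = {"drops": {}}
    in_drop_section = False
    for line in text.splitlines():
        line = line.strip()
        m = STAT_LINE.match(line)
        if m:
            stats[m.group(1).replace(" ", "_")] = (int(m.group(2)), int(m.group(3)))
            continue
        if line.startswith("dropped security packet detail"):
            in_drop_section = True
            continue
        if in_drop_section:
            # Lines such as "can't find SA: 0, wrong SA: 0" carry two drop reasons each.
            for reason, count in DROP_DETAIL.findall(line):
                stats["drops"][reason.strip()] = int(count)
    return stats


def triage(sas, stats):
    """Turn the parsed outputs into findings a support engineer would check first."""
    findings = []
    if not sas:
        findings.append("no IKE SA at all: IKE never started or the peer is unreachable")
    for sa in sas:
        if "RD" not in sa["flags"]:
            meaning = ", ".join(FLAG_MEANING.get(f, f) for f in sa["flags"])
            findings.append(f"IKEv{sa['version']} phase {sa['phase']} SA {sa['conn_id']} "
                            f"with {sa['peer']} is {meaning}, not READY")
    if sas and not any(sa["phase"] == 1 and "RD" in sa["flags"] for sa in sas):
        findings.append("phase 1 never completed, so no phase 2 or IPsec SA can exist yet")
    pkts_in, pkts_out = stats.get("security_packets", (0, 0))
    if pkts_in == 0 and pkts_out == 0:
        findings.append("zero IPsec packets in both directions: nothing is being encrypted or decrypted")
    for reason, count in stats["drops"].items():
        if count:
            findings.append(f"{count} packets dropped: {reason}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_ike_sa(IKE_SA_OUTPUT), parse_ipsec_stats(IPSEC_STATS_OUTPUT)):
        print("-", finding)
```

Run against the outputs above, the script reports both IKE SAs as NEGOTIATING rather than READY, notes that phase 1 has not completed, and confirms the zero packet counters; a non-zero "can't find SA" or "replay" counter would also be surfaced as a finding, which is the first place to look once the tunnel does come up.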
[USG2200]disp ip routing-table
16:59:16 2014/08/25
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 192.168.128.165 GigabitEthernet0/0/0
10.28.12.0/23 Direct 0 0 D 10.28.12.75 GigabitEthernet0/0/1
10.28.12.75/32 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.2.2/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.128.164/30 Direct 0 0 D 192.168.128.166 GigabitEthernet0/0/0
192.168.128.166/32 Direct 0 0 D 127.0.0.1 InLoopBack0
[USG2200]disp acl 3000
16:59:23 2014/08/25
Advanced ACL 3000, 2 rules,not binding with vpn-instance
Acl's step is 5
rule 5 permit ip source 10.28.12.75 0 destination 10.28.11.202 0 (13 times matched)
rule 10 permit ip source 192.168.2.2 0 destination 10.28.11.202 0 (5 times matched)
[USG2200]disp ike peer
16:59:27 2014/08/25
---------------------------
IKE peer: phase1
Exchange mode: main on phase 1
Pre-shared key: %$%$_rMuK=kSB2Ccq9MW8VH/.of]%$%$
Local certificate file name:
Proposal: 1
Local ID type: IP
Peer IP address: 192.168.128.162
VPN instance:
Authentic IP address:
IP address pool:
Peer name:
Peer domain name:
VPN instance bound to the SA:
NAT traversal: disable
SA soft timeout buffer time:
OCSP check: disable
OCSP server URL:
Applied to 1 policy: phase2-10-isakmp
---------------------------