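Reference
The debugging ipsec command enables IPsec debugging. The undo debugging ipsec command disables IPsec debugging.
By default, IPsec debugging is disabled.
Table 1-1 Output fields of the debugging ipsec error command
Table 1-2 Output fields of the debugging ipsec event command
Field | Description |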
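The IPsec IF-CB(ifIndex = ifindex) will be deleted in kernel. | The IPsec interface control block (interface index ifindex) in the kernel is about to be deleted |
Can't find block-flow-table. | The block-flow table cannot be found |
Can't find an IPsec tunnel to match the flow. | No IPsec tunnel matching the flow can be found |
IPsec daemon successfully connected. | Successfully connected to the IPsec user-space daemon |
IPsec daemon disconnected. | The connection to the user-space daemon was lost |
Sent SA-Acquire message: SP ID = ID. | An SA negotiation request was sent; the ID of the corresponding SP is ID |
Sent SA-Expire message: SP ID = SPID, tunnel ID = TNLID. | An SA renegotiation request was sent; the ID of the corresponding SP is SPID and the tunnel ID is TNLID |
Sent Invalid-SPI message: SPI = spi. | An Invalid-SPI message was sent; the SPI value is spi |
Sent DPD-Request message: DPD ID = DPDID | A DPD probe request message was sent; the DPD ID is DPDID |
Updated outbound SA of IPsec tunnel: SA ID = saindex. | The outbound SA of the IPsec tunnel was updated; the SA index is saindex |
Received an interface event message for interface interface-type interface-num, event: event. | An interface event message was received; the interface name is interface-type interface-num and the interface event is event |
Received interface network layer event message. | An interface network layer event message was received |
Received an event message for slot slot-id, event: event. | A card event message was received; the slot number is slot-number and the message type is event |
Received an ACL message for ACL acl-number, event: event. | An ACL message was received; the ACL number is acl-number and the message type is event |
Received an address message for interface interface-type interface-num, event: event. | An address message was received; the interface name is interface-type interface-num and the message type is event |
Sent notify message to kernel: slot slot-id, event: event. | A notify message was sent to the kernel; the slot number is slot-number and the message type is event |
Sent msg to kernel. | A msg message was sent to the kernel, where msg is the message type and is one of the following: · add SP entry: adds an SP entry · update SP entry: updates an SP entry · delete SP entry: deletes an SP entry · add source-if SP entry: adds a source-interface SP entry · delete source-if SP entry: deletes a source-interface SP entry · add SP: adds an SP · update SP: updates an SP · delete SP: deletes an SP · add profile SP: adds a profile SP · delete profile SP: deletes a profile SP · update profile SP: updates a profile SP |
Added SA to kernel successfully. | The SA was successfully added to the kernel |
SA successfully added in kernel. | The kernel successfully added the SA |
SA successfully deleted in kernel. | The SA was successfully deleted from the kernel |
Added outbound SA to IPsec tunnel(SA ID = sa-index) | An outbound SA was added to the IPsec tunnel (the SA index is sa-index) |
Added tunnel to kernel successfully. | The IPsec tunnel was successfully added to the kernel |
IPsec tunnel successfully added in kernel. | The kernel successfully added the IPsec tunnel |
IPsec tunnel successfully deleted in kernel. | The IPsec tunnel was successfully deleted from the kernel |
IPsec tunnel successfully added to list. | The IPsec tunnel was successfully added to the linked list |
IPsec tunnel added to aggregation-hash | The IPsec tunnel was successfully added to the aggregation hash table |
Added SP entry. | An SP entry was added |
Added SP by policy. | An SP was added according to the policy |
SP entry successfully added in kernel. | The kernel successfully added the SP entry |
SP successfully added in kernel. | The kernel successfully added the SP |
Added policy SA by manual SP, SP index: index, SP sequence number: sp-seq. | A policy SA was successfully added according to the manual SP; the SP index is sp-index and the SP sequence number is sp-seq |
Successfully added an IPsec tunnel during ISSU update process. | An IPsec tunnel was successfully added during an ISSU upgrade |
Added an IPsec tunnel when adding manual SA: tunnel index = tunnel-id, tunnel sequence number = tunnel_seq. | An IPsec tunnel was successfully added while adding a manual SA. The IPsec tunnel index is tunnel-id and the IPsec tunnel sequence number is tunnel_seq |
Added manual SAs. Number of SAs added is number. | Manual SAs were successfully added. The number of SAs added is number |
No. ordinal-number SA: index = sa-id, sequence number = sa-seq. | The index of SA number ordinal-number is sa-id and its sequence number is sa-seq |
Added SA context to SP. | The SA context was successfully added to the SP |
Added an IPsec tunnel when adding ISAKMP SA: tunnel index = tunnel-id, tunnel sequence number = tunnel_seq. | An IPsec tunnel was successfully added while adding an ISAKMP SA. The IPsec tunnel index is tunnel-id and the IPsec tunnel sequence number is tunnel_seq |
Added ISAKMP SAs. Number of SAs added is number. No. ordinal-number SA: index = sa-id, sequence number = sa-seq. | ISAKMP SAs were successfully added. The number of SAs added is number; the index of SA number ordinal-number is sa-id and its sequence number is sa-seq |
Added SA context to IKE. | The SA context was sent to IKE |
Timer successfully added when adding ISAKMP SA. | The timer was successfully added while adding an ISAKMP SA |
Started to smoothly process SA with IKE. | SA smoothing with IKE started |
Finished smooth processing SA with IKE. | SA smoothing with IKE finished |
Started to smoothly process IPsec tunnel with IKE. | IPsec tunnel smoothing with IKE started |
Finished smooth processing IPsec tunnel with IKE. | IPsec tunnel smoothing with IKE finished |
Started to smoothly process DPD with IKE. | DPD smoothing with IKE started |
Finished smooth processing DPD with IKE. | DPD smoothing with IKE finished |
Sent msg message to slot:slot-id, message type is type-id. | A msg message was sent to the card in slot slot-id; the message ID is type-id. The message types and their type IDs are as follows: · debug: debugging, type ID 3 · anti-replay check: anti-replay check, type ID 4 · decryption check: check after de-encapsulation, type ID 5 · log switch: log switch, type ID 6 · idle: idle, type ID 7 · global df-bit: global df-bit setting, type ID 8 · df-bit: interface df-bit setting, type ID 9 · all global configuration: all global configuration, type ID 10 · add SP entry: adds an SP entry, type ID 11 · update SP entry: updates an SP entry, type ID 12 · delete SP entry: deletes an SP entry, type ID 13 · add SP: adds an SP, type ID 14 · update SP: updates an SP, type ID 15 · delete SP: deletes an SP, type ID 16 · add profile SP: adds a profile SP, type ID 17 · update profile SP: updates a profile SP, type ID 18 · delete profile SP: deletes a profile SP, type ID 19 · add tunnel: adds a tunnel, type ID 20 · delete tunnel: deletes a tunnel, type ID 21 · add SA: adds an SA, type ID 22 · delete SA: deletes an SA, type ID 23 · update MTU: updates the MTU, type ID 24 · switch SA: switches the SA, type ID 25 · delete block-flow table: deletes the block-flow table, type ID 26 · add DPD: adds a DPD, type ID 27 · update DPD: updates a DPD, type ID 28 · delete DPD: deletes a DPD, type ID 29 · update DPD index of SA: updates the DPD index of an SA, type ID 30 · reset statistics: resets the statistics counters, type ID 31 · idle report: idle report, type ID 32 · smooth start: smoothing start, type ID 32 · smooth end: smoothing end, type ID 34 |
Adding route: Dest/Mask: ip-address/mask-length, Next hop: ip-address , Source vpn instance: vpn-name, Destination vpn instance: vpn-name, Tag: tag-value, Preference: preference-num | When an IPsec tunnel is created, a static route is about to be added · Dest/Mask: destination IP address/mask length · Next hop: next-hop IP address · Source vpn instance: VPN to which the route's destination address belongs · Destination vpn instance: VPN to which the route's next-hop address belongs · Tag: route tag · Preference: route preference |
Deleting route: Dest/Mask: ip-address/mask-length, Next hop: ip-address, Source vpn instance: vpn-name, Destination vpn instance: vpn-name, Tag: tag-value, Preference: preference-num | When an IPsec tunnel is deleted, a static route is about to be deleted |
Successfully added a static route. | When an IPsec tunnel was created, the routing module successfully added the static route |
Only increased the reference count of the static route but didn't add it. | When an IPsec tunnel was created, an identical static route was found to have already been added to the routing module, so the routing module is not notified to add the route again and only the route's reference count is increased |
Successfully deleted a static route. | When an IPsec tunnel was deleted, the routing module successfully deleted the static route |
Only reduced the reference count of the static route but didn't delete it. | When an IPsec tunnel was deleted, two or more IPsec tunnels were found to correspond to the same static route, so the routing module is not notified to delete the static route and only the route's reference count is reduced |
Started to smoothly process the IPv4 static routes. | Smoothing of the IPv4 static routes started |
Started to smoothly process the IPv6 static routes. | Smoothing of the IPv6 static routes started |
Finished smooth processing of the IPv4 static routes. | Smoothing of the IPv4 static routes finished |
Finished smooth processing of the IPv6 static routes. | Smoothing of the IPv6 static routes finished |
Successfully subscribed service events. | Successfully subscribed to all service events |
Received a service event: the status of IPv4 route service is up. | An IPv4 route service up event was received |
Received a service event: the status of IPv4route service is down. | An IPv4 route service down event was received |
Received a service event: the status of IPv6 route service is up. | An IPv6 route service up event was received |
Received a service event: the status of IPv6 route service is down. | An IPv6 route service down event was received |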
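Table 1-3 Output fields of the debugging ipsec packet command
[Examples]
# The device already holds the maximum number of SPs. Configure the manual IPsec policy mypolicy and enable IPsec error debugging. When the policy mypolicy is applied to interface GigabitEthernet1/0/1, the following IPsec error debugging information is output.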
<Sysname> debugging ipsec error
<Sysname> system-view
[Sysname] interface gigabitethernet 1/0/1
[Sysname-GigabitEthernet1/0/1] ipsec policy mypolicy
*Jul 14 16:45:16:157 2012 Sysname IPSEC/7/ERROR: -MDC=1;
Failed to alloc SP index.
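// Failed to allocate an SP index
# Configure the manual IPsec policy mypolicy on the device and enable IPsec event debugging. When the policy mypolicy is applied to interface GigabitEthernet1/0/1, an SP and SAs are generated and the following IPsec event debugging information is output.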
<Sysname> debugging ipsec event
*Jul 18 15:28:55:020 2012 Sysname IPSEC/7/event:
SP entry successfully added in kernel.
// The kernel successfully added the SP entry
*Jul 18 15:28:55:020 2012 Sysname IPSEC/7/ERROR:
Sent add SP entry message to kernel.
// An add SP entry message was sent to the kernel
*Jul 18 15:28:55:020 2012 Sysname IPSEC/7/ERROR:
Added SP entry.
// An SP entry was added
*Jul 18 15:28:55:022 2012 Sysname IPSEC/7/event:
SP successfully added in kernel.
// The kernel successfully added the SP
*Jul 18 15:28:55:022 2012 Sysname IPSEC/7/ERROR:
Sent add SP message to kernel.
// An add SP message was sent to the kernel
*Jul 18 15:28:55:023 2012 Sysname IPSEC/7/ERROR:
Added SP by policy.
// An SP was added according to the policy
*Jul 18 15:28:55:024 2012 Sysname IPSEC/7/ERROR:
Added policy SA by manual SP, SP index is 0, SP sequence number is 2.
// A policy SA was successfully added according to the manual SP; the SP index is 0 and the SP sequence number is 2
*Jul 18 15:28:55:026 2012 Sysname IPSEC/7/event:
IPsec tunnel added to aggregation-hash.
// The IPsec tunnel was successfully added to the aggregation hash table
*Jul 18 15:28:55:026 2012 Sysname IPSEC/7/event:
IPsec tunnel successfully added in kernel.
// The kernel successfully added the IPsec tunnel
*Jul 18 15:28:55:026 2012 Sysname IPSEC/7/ERROR:
Added tunnel to kernel successfully.
// The IPsec tunnel was successfully added to the kernel
*Jul 18 15:28:55:026 2012 HP IPSEC/7/ERROR:
Added an IPsec tunnel when adding manual SA: tunnel index = 0, tunnel sequence number = 2.
// An IPsec tunnel was added while adding a manual SA; the tunnel index is 0 and the tunnel sequence number is 2
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
SA succussfully added in kernel.
// The kernel successfully added the SA
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
SA succussfully added in kernel.
// The kernel successfully added the SA
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
Added outbound SA to IPsec tunnel(SA ID = 1).
// An outbound SA was successfully added to the IPsec tunnel (the SA index is 1)
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
SA succussfully added in kernel.
// The kernel successfully added the SA
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/event:
SA succussfully added in kernel.
// The kernel successfully added the SA
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/ERROR:
Added SA to kernel successfully.
// The SA was successfully added to the kernel
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/ERROR:
Added manual SAs. Number of SAs added is 4.
// Manual SAs were successfully added; the number of SAs is 4
*Jul 18 15:28:55:027 2012 Sysname IPSEC/7/ERROR:
No.1 SA: index = 3, sequence number = 2.
*Jul 18 15:28:55:028 2012 Sysname IPSEC/7/ERROR:
No.2 SA: index = 2, sequence number = 2.
*Jul 18 15:28:55:028 2012 Sysname IPSEC/7/ERROR:
No.3 SA: index = 1, sequence number = 2.
*Jul 18 15:28:55:028 2012 Sysname IPSEC/7/ERROR:
No.4 SA: index = 0, sequence number = 2.
// The index of the first SA is 3 and its sequence number is 2
// The index of the second SA is 2 and its sequence number is 2
// The index of the third SA is 1 and its sequence number is 2
// The index of the fourth SA is 0 and its sequence number is 2
*Jul 18 15:28:55:029 2012 Sysname IPSEC/7/ERROR:
Added SA context to SP.
// The SA context was successfully added to the SP
# Configure a manual IPsec policy on the device, apply it to interface GigabitEthernet1/0/1, and enable IPsec packet debugging. When the peer is pinged from the local device, the following IPsec packet debugging information is output.
<Sysname> debugging ipsec packet
<Sysname> ping -c 1 10.10.10.2
PING 10.10.10.2 (10.10.10.2): 56 data bytes, press CTRL_C to break
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
--- Sent IPsec packet ---
// A packet processed by IPsec is sent in the outbound direction
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Added IP fast forwarding entry.
// A fast forwarding entry was added
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: Src : 10.10.10.1 Dst : 10.10.10.2 SPI : 1114
// Outbound IPsec processing: source address 10.10.10.1, destination address 10.10.10.2, SPI 1114
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: DES-CBC.
// Outbound IPsec processing: the ESP authentication algorithm is SHA1 and the ESP encryption algorithm is DES-CBC
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Packet will be sent to CCF for sync-encryption.
// The packet will be sent to CCF for synchronous encryption
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec ESP processing: Encryption succeeded, anti-replay SN is 0.
// Outbound IPsec ESP processing: encryption completed, the anti-replay sequence number is 0
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: AH auth algorithm: MD5.
// Outbound IPsec processing: the AH authentication algorithm is MD5
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Packet will be sent to CCF for sync-encryption.
// The packet will be sent to CCF for synchronous encryption
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec AH processing: Authentication finished, anti-replay SN is 0.
// Outbound IPsec AH processing: authentication completed, the anti-replay sequence number is 0
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: Sent packet back to IP forwarding.
// Outbound IPsec processing: the packet is sent back to IP forwarding
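The following Python code is an added example, not part of the original manual: it parses the two-line records of the debugging ipsec packet output above (a header line followed by a message line) and reports flows whose ESP or AH algorithm is DES-CBC or MD5, both of which appear in that output. The function names, the WEAK set, and the pairing of an algorithm record with the most recent Src/Dst/SPI record are assumptions of this example.

```python
import re

# Constructed sample: header/message pairs copied from the packet example above.
SAMPLE = """\
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: Src : 10.10.10.1 Dst : 10.10.10.2 SPI : 1114
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: ESP auth algorithm: SHA1, ESP encp algorithm: DES-CBC.
// annotation lines like this one are skipped
*Jul 14 16:55:10:211 2012 Sysname IPSEC/7/packet: -MDC=1-Slot=1;
Outbound IPsec processing: AH auth algorithm: MD5.
"""

# Header line: *<timestamp> <sysname> <module>/<level>/<type>: [<context>;]
HEADER = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d:\d{3} \d{4}) (?P<host>\S+) "
    r"(?P<module>\w+)/(?P<level>\d)/(?P<kind>\w+):(?P<ctx>.*)$")
ALGO = re.compile(r"(ESP|AH) (auth|encp) algorithm: ([\w-]+)")
FLOW = re.compile(r"Src : (\S+) Dst : (\S+) SPI : (\d+)")
# Assumption of this example: treat the algorithms RFC 8221 marks MUST NOT as weak.
WEAK = {"DES-CBC", "MD5"}

def parse_records(text):
    """Join each header line with the message line(s) that follow it."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), message="")
            current["ctx"] = current["ctx"].strip(" ;")
            records.append(current)
        elif current is not None:  # text before the first header (e.g. PING) is ignored
            current["message"] = (current["message"] + " " + line).strip()
    return records

def weak_algorithms(records):
    """Return weak ESP/AH algorithms, tagged with the latest Src/Dst/SPI seen."""
    findings, flow = [], None
    for rec in records:
        if rec["module"] != "IPSEC" or rec["kind"].lower() != "packet":
            continue
        f = FLOW.search(rec["message"])
        if f:
            flow = f.groups()
        for proto, role, alg in ALGO.findall(rec["message"]):
            if alg.upper() in WEAK:
                findings.append({"flow": flow, "proto": proto, "role": role, "alg": alg})
    return findings
```

Running weak_algorithms(parse_records(...)) over a captured debug session lists each weak transform alongside the source, destination and SPI it was seen with, which identifies the manual policies whose transform sets need replacing.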