Cisco IOS XR System Security Debug Command Reference, Release 3.6
Crypto Debug Commands on Cisco IOS XR Software

Table Of Contents

Crypto Debug Commands on Cisco IOS XR Software

debug crypto ace

debug crypto engine

debug crypto ipsec

debug crypto isakmp

debug crypto pki


Crypto Debug Commands on Cisco IOS XR Software


This chapter describes the Cisco IOS XR software crypto debug commands.

For high-level, conceptual information about using debug commands generally, see Using Debug Commands on Cisco IOS XR Software, Release 3.6.0.

debug crypto ace

To display information related to the IPSec SPA Crypto Engine Driver, use the debug crypto ace command in EXEC mode. To disable debugging output, use the no form of this command.

debug crypto ace {all | error | ha | hapi | ike | ipsec | stats} [location node-id] [job job-id | process pid]

no debug crypto ace {all | error | ha | hapi | ike | ipsec | stats} [location node-id] [job job-id | process pid]

Syntax Description

all

Enables all debug flags in the Application Control Engine (ACE) driver.

error

Displays errors in the Crypto Engine driver.

ha

Enables High Availability (HA) debugging in the ACE driver.

hapi

Displays HAPI debug messages.

ike

Enables Internet Key Exchange (IKE) debugging in the ACE driver.

ipsec

Enables IP Security (IPSec) debugging in the ACE driver.

stats

Enables IPSec statistics collection.

location node-id

(Optional) Displays debugging information for a node. The node-id argument is entered in the rack/slot/module notation.

job job-id

(Optional) Displays debugging information for a job.

process pid

(Optional) Displays debugging information for a process.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release        Modification
Release 3.4.0  This command was supported on the Cisco XR 12000 Series Router.
Release 3.5.0  This command is not supported.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Task ID

Task ID   Operations
crypto    read


Examples

The following is sample output from the debug crypto ace ipsec command:

RP/0/RP0/CPU0:router# debug crypto ace ipsec

RP/0/RP0/CPU0:router#RP/0/4/CPU0:Jan 18 12:19:50.014 : ike[379]: Crypto tunnel is UP  .  Peer 5.0.1.1:500 f_vrf:  default i_vrf:  default   Id: 83886337
LC/0/1/CPU0:Jan 18 12:19:49.930 : ace_driver_lc_1[268]: (ace_ipsec_grp_msg_hdlr): msg_type=1 mlen=556 sender=(type:1 nodeid:0x40)
LC/0/1/CPU0:Jan 18 12:19:49.931 : ace_driver_lc_1[268]: (ace_ipsec_handle_create_flows_cmd)
LC/0/1/CPU0:Jan 18 12:19:49.932 : ace_driver_lc_1[268]: (ace_ipsec_handle_create_flow_cmd): ifHandle=0x501b880, flow=504
LC/0/1/CPU0:Jan 18 12:19:49.933 : ace_driver_lc_1[268]: (ace_ipsec_handle_single_create_flow_cmd): ifHandle=0x501b880 flowId=504 vrf=0x60000000
LC/0/1/CPU0:Jan 18 12:19:49.934 : ace_driver_lc_1[268]: CREATE FLOW ifHandle=83998848, flowId=504
LC/0/1/CPU0:Jan 18 12:19:49.935 : ace_driver_lc_1[268]:  instance:1, flags=0x1008 ipSrcAddr=0x4000101 ipDstAddr=0x5000101 aclName=acl1 lineNumber=10
LC/0/1/CPU0:Jan 18 12:19:49.936 : ace_driver_lc_1[268]: lifetime: kb=4194303 seconds=3600 soft_vol_kb=4193634 soft_sec=3551
LC/0/1/CPU0:Jan 18 12:19:49.937 : ace_driver_lc_1[268]: idleTimeout=0 localUdpPort=0 remoteUdpPort=0 origRemoteIpAddr=0x0
LC/0/1/CPU0:Jan 18 12:19:49.938 : ace_driver_lc_1[268]: fVrfId=60000000 iVrfId=60000000 mibIndex=0
LC/0/1/CPU0:Jan 18 12:19:49.939 : ace_driver_lc_1[268]: antiReplayWindowSize=64 dpdIdleIntervalSec=0
LC/0/1/CPU0:Jan 18 12:19:49.941 : ace_driver_lc_1[268]: transform[ESP]=esp-256-aes
LC/0/1/CPU0:Jan 18 12:19:49.941 : ace_driver_lc_1[268]: transform[AH]=
LC/0/1/CPU0:Jan 18 12:19:49.943 : ace_driver_lc_1[268]: In: seq=0 octHigh=0 octLow=0
LC/0/1/CPU0:Jan 18 12:19:49.944 : ace_driver_lc_1[268]: Out: seq=0 octHigh=0 octLow=0
LC/0/1/CPU0:Jan 18 12:19:49.945 : ace_driver_lc_1[268]:  Inbound ESP SPI : 0x2d9bfc56 key_len=32
LC/0/1/CPU0:Jan 18 12:19:49.946 : ace_driver_lc_1[268]:  Outbound ESP SPI : 0xd3bb8433 key_len=32
LC/0/1/CPU0:Jan 18 12:19:49.947 : ace_driver_lc_1[268]: (fill_ha_update_params): flags 0x1 windowTopSeqNum=0 octetsHigh=0 octetsLow=0
LC/0/1/CPU0:Jan 18 12:19:49.948 : ace_driver_lc_1[268]: (fill_ha_update_params): flags 0x0 windowTopSeqNum=0 octetsHigh=0 octetsLow=0
LC/0/1/CPU0:Jan 18 12:19:49.950 : ace_driver_lc_1[268]: (ace_ipsec_add_flow): ifHandle=0x501b880 , flow=504 instance=1
LC/0/1/CPU0:Jan 18 12:19:49.951 : ace_driver_lc_1[268]: (ace_add_ivrf_entry): ivrf_id=60000000
LC/0/1/CPU0:Jan 18 12:19:49.952 : ace_driver_lc_1[268]: (ace_update_ivrf_refcount): ivrfId=0x60000000 add=1 cur_ref_count=0
LC/0/1/CPU0:Jan 18 12:19:49.958 : ace_driver_lc_1[268]: (ace_ipsec_hapi_resp_cb)
LC/0/1/CPU0:Jan 18 12:19:49.959 : ace_driver_lc_1[268]: (ace_ipsec_handle_ikea_ack): IKEA COMB_SET_SA1 status=No error errcode=0x0
LC/0/1/CPU0:Jan 18 12:19:49.960 : ace_driver_lc_1[268]: (ace_ipsec_handle_end_of_chain): CREATE_FLOW: ifHandle=0x501b880. flags 0 sender: type=1 node0x40
LC/0/1/CPU0:Jan 18 12:19:49.961 : ace_driver_lc_1[268]: (ace_ipsec_hapi_resp_cb)
LC/0/1/CPU0:Jan 18 12:19:49.962 : ace_driver_lc_1[268]: (ace_ipsec_handle_ikea_ack): IKEA COMB_SET_SA1 status=No error errcode=0x0
LC/0/1/CPU0:Jan 18 12:19:49.963 : ace_driver_lc_1[268]: (ace_ipsec_handle_end_of_chain): CREATE_FLOW: ifHandle=0x501b880. flags 0 sender: type=1 node0x40
LC/0/1/CPU0:Jan 18 12:19:49.964 : ace_driver_lc_1[268]: (ace_ipsec_handle_end_of_bundle): CREATE_FLOW: ifHandle=0x501b880
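The CREATE FLOW lines above carry everything a reviewer needs to judge the security posture of the new IPSec SA: the peer, the ESP and AH transforms, the SPIs with their key lengths, the lifetimes and the anti-replay window. The following Python block is an added example, not Cisco's code and not part of this reference; it parses a subset of the sample output above (joined where the page wrapped the lines) into a dictionary and runs a few review checks over it. The second log (WEAK_FLOW_LOG) and the review thresholds are constructed for the example and are assumptions, not values from the page.

```python
"""Added example (not Cisco's code): extract and review the parameters the ACE
driver logs for one CREATE FLOW under ``debug crypto ace ipsec``.

SAMPLE_ACE_LOG is a subset of the sample output on this page, with the lines the
page wrapped joined back together. WEAK_FLOW_LOG is constructed for this example
to show what the review reports; the thresholds in review_ace_flow are assumptions.
"""
import re

SAMPLE_ACE_LOG = """\
RP/0/4/CPU0:Jan 18 12:19:50.014 : ike[379]: Crypto tunnel is UP  .  Peer 5.0.1.1:500 f_vrf:  default i_vrf:  default   Id: 83886337
LC/0/1/CPU0:Jan 18 12:19:49.934 : ace_driver_lc_1[268]: CREATE FLOW ifHandle=83998848, flowId=504
LC/0/1/CPU0:Jan 18 12:19:49.935 : ace_driver_lc_1[268]:  instance:1, flags=0x1008 ipSrcAddr=0x4000101 ipDstAddr=0x5000101 aclName=acl1 lineNumber=10
LC/0/1/CPU0:Jan 18 12:19:49.936 : ace_driver_lc_1[268]: lifetime: kb=4194303 seconds=3600 soft_vol_kb=4193634 soft_sec=3551
LC/0/1/CPU0:Jan 18 12:19:49.939 : ace_driver_lc_1[268]: antiReplayWindowSize=64 dpdIdleIntervalSec=0
LC/0/1/CPU0:Jan 18 12:19:49.941 : ace_driver_lc_1[268]: transform[ESP]=esp-256-aes
LC/0/1/CPU0:Jan 18 12:19:49.941 : ace_driver_lc_1[268]: transform[AH]=
LC/0/1/CPU0:Jan 18 12:19:49.945 : ace_driver_lc_1[268]:  Inbound ESP SPI : 0x2d9bfc56 key_len=32
LC/0/1/CPU0:Jan 18 12:19:49.946 : ace_driver_lc_1[268]:  Outbound ESP SPI : 0xd3bb8433 key_len=32
"""

# Constructed (hypothetical) flow with weak settings, used only to exercise the checks.
WEAK_FLOW_LOG = """\
LC/0/1/CPU0:Jan 18 12:30:00.001 : ace_driver_lc_1[268]: antiReplayWindowSize=0 dpdIdleIntervalSec=0
LC/0/1/CPU0:Jan 18 12:30:00.002 : ace_driver_lc_1[268]: transform[ESP]=esp-des
LC/0/1/CPU0:Jan 18 12:30:00.003 : ace_driver_lc_1[268]:  Inbound ESP SPI : 0x00000101 key_len=8
"""

# IOS XR log prefix as printed above: "<node>:<timestamp> : <process>[<pid>]: <body>"
PREFIX_RE = re.compile(
    r"^(?P<node>[^:\s]+):(?P<ts>\w{3} +\d{1,2} [\d:.]+) : "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: ?(?P<body>.*)$"
)
KV_RE = re.compile(r"(\w+(?:\[\w+\])?)=(\S*)")          # key=value, incl. transform[ESP]=
SPI_RE = re.compile(r"(Inbound|Outbound) ESP SPI : (0x[0-9a-fA-F]+)")
PEER_RE = re.compile(r"Peer (\S+):(\d+)")


def parse_ace_flow(log_text: str) -> dict:
    """Collect the key=value fields, peer and per-direction SPI/key length of one flow."""
    flow = {"fields": {}, "spi": {}}
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue                      # not an IOS XR log line (e.g. the CLI prompt)
        body = m.group("body").strip()
        peer = PEER_RE.search(body)
        if peer:
            flow["peer"] = (peer.group(1), int(peer.group(2)))
        spi = SPI_RE.search(body)
        if spi:
            kv = dict(KV_RE.findall(body))
            flow["spi"][spi.group(1).lower()] = {
                "spi": int(spi.group(2), 16),
                "key_len": int(kv.get("key_len", 0)),   # bytes, as printed by the driver
            }
            continue                      # keep direction-specific key_len out of "fields"
        flow["fields"].update(KV_RE.findall(body))
    return flow


def review_ace_flow(flow: dict) -> list:
    """Return findings for the parsed flow. Thresholds are this example's assumptions."""
    f = flow["fields"]
    findings = []
    if int(f.get("antiReplayWindowSize", "0")) == 0:
        findings.append("anti-replay window is 0: replayed ESP packets would be accepted")
    esp = f.get("transform[ESP]", "")
    if not esp:
        findings.append("no ESP transform: the flow provides no confidentiality")
    elif "des" in esp:
        findings.append(f"ESP transform {esp} uses DES/3DES")
    for direction, sa in flow["spi"].items():
        if sa["key_len"] < 16:
            findings.append(f"{direction} SA key_len={sa['key_len']} bytes is below 128 bits")
    if int(f.get("seconds", "0")) > 86400:
        findings.append("SA lifetime exceeds 24 hours")
    return findings


if __name__ == "__main__":
    for name, log in (("page sample", SAMPLE_ACE_LOG), ("constructed weak flow", WEAK_FLOW_LOG)):
        parsed = parse_ace_flow(log)
        print(name, parsed["spi"], review_ace_flow(parsed) or "no findings")
```

The parser deliberately keeps the per-direction key_len with its SPI rather than in the flat field map, because the driver prints the same key name for both directions; a flat dictionary would silently keep only the last one.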

debug crypto engine

To display information about the crypto engine's encryption and decryption functions, use the debug crypto engine command in EXEC mode. To disable debugging output, use the no form of this command.

debug crypto engine {all | dump | error | event | keyevent}

no debug crypto engine {all | dump | error | event | keyevent}

Syntax Description

all

Displays all crypto engine transactional information.

dump

Displays the hex dump for all crypto engine messages.

error

Displays crypto engine transactional errors.

event

Displays crypto engine transactional events.

keyevent

Displays events related to keys.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Release 3.4.0  No modification.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Use the debug crypto engine command to display information pertaining to the crypto engine, such as when encryption or decryption operations are performed.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.


Note The crypto engine is the actual mechanism that performs encryption and decryption. A crypto engine can be software or a hardware accelerator. Some platforms have multiple crypto engines, in which case the router has multiple hardware accelerators.


Task ID

Task ID   Operations
crypto    read


Examples

The following is sample output from the debug crypto engine command using the events keyword:

RP/0/RP0/CPU0:router# debug crypto engine events

RP/0/RP0/CPU0:Aug 28 00:28:44.303 MET2MET,M3.5.0/: ce_cmd[65679]: crypto_generate_dsa_keypair ...
RP/0/RP0/CPU0:Aug 28 00:28:44.455 MET2MET,M3.5.0/: ce_cmd[65679]: crypto_convert_dsa_pubkey_in_der ...
RP/0/RP0/CPU0:Aug 28 00:28:44.456 MET2MET,M3.5.0/: ce_cmd[65679]: crypto_set_key_req
RP/0/RP0/CPU0:Aug 28 00:28:44.461 MET2MET,M3.5.0/: ce_cmd[65679]: crypto_set_key_req

debug crypto ipsec

To display IP Security (IPSec) events, use the debug crypto ipsec command in EXEC mode. To disable debugging output, use the no form of this command.

debug crypto ipsec sa-id {all | errors | events | stats | traffics}

no debug crypto ipsec sa-id {all | errors | events | stats | traffics}

debug crypto ipsec {crypto-engine | detail | distribute | errors | events | packets | rri | spi | stats | traffics | tunnel-interface} [location node-id]

no debug crypto ipsec {crypto-engine | detail | distribute | errors | events | packets | rri | spi | stats | traffics | tunnel-interface} [location node-id]

Syntax Description

sa-id

Displays information for a specific security association (SA) ID. Range is 1 to 500.

all

Enables all debugs for events, errors, traffic, and distribute.

errors

Displays crypto engine transactional errors.

events

Displays crypto engine transactional events.

stats

Displays all IPSec statistics.

traffics

Displays IPSec data traffic information.

crypto-engine

Displays all crypto-engine IPSec events.

detail

Displays details for all IPSec events.

distribute

Displays IPSec session control distribution information (between the IPSec control processes).

packets

Displays IPSec packet information.

rri

Displays all reverse route injection (RRI) IPSec events.

spi

Displays all security parameter index (SPI) events.

tunnel-interface

Displays IPSec tunnel interface event information.

location node-id

(Optional) Displays IPSec information for the designated node. The node-id argument is entered in the rack/slot/module notation.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  Command structure was rearranged and the location keyword was added.
Release 3.4.0  The crypto-engine and spi keywords were introduced on the Cisco XR 12000 Series Router. The detail, rri, and stats keywords were introduced on the Cisco CRS-1 and the Cisco XR 12000 Series Router.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Task ID

Task ID   Operations
crypto    read


Examples

The following is sample output from the debug crypto ipsec command using the errors keyword:

RP/0/RP0/CPU0:router# debug crypto ipsec errors

RP/0/RP1/CPU0:Apr 26 21:47:37.286 PST8PST: ipsec_pp[207]: Rcvd: Pulse Msg: 0
RP/0/RP1/CPU0:Apr 26 21:47:37.286 PST8PST: ipsec_pp[207]: Rcvd: Packet from ICF pak_handle = eace99f7, flow_id = 2
RP/0/RP1/CPU0:Apr 26 21:47:37.286 PST8PST: ipsec_pp[207]: Failed to proc pak from ICF - Flow 2
RP/0/RP1/CPU0:Apr 26 21:48:01.286 PST8PST: ipsec_pp[207]: Rcvd: Pulse Msg: 0
RP/0/RP1/CPU0:Apr 26 21:48:01.287 PST8PST: ipsec_pp[207]: Rcvd: Packet from ICF pak_handle = eacfe677, flow_id = 2
RP/0/RP1/CPU0:Apr 26 21:48:01.288 PST8PST: ipsec_pp[207]: Failed to proc pak from ICF - Flow 2
RP/0/RP1/CPU0:Apr 26 21:48:54.333 PST8PST: ipsec_pp[207]: Rcvd: Pulse Msg: 0
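The errors output above shows the pattern an operator actually wants to catch: a packet is handed to ipsec_pp from ICF for a given flow and the process reports that it could not be processed, repeatedly for the same flow. The following Python block is an added example, not Cisco's code and not part of this reference; it runs simple detection logic over the sample lines (copied from the output above, joined where the page wrapped them), pairs each failure with the packet handle that preceded it and reports flows whose failures cluster in time. The alert thresholds and the year assumed for the timestamps (the log prints none) are constructed assumptions.

```python
"""Added example (not Cisco's code): detection logic over ``debug crypto ipsec errors``
output. Each "Failed to proc pak from ICF" line is paired with the most recent
"Rcvd: Packet from ICF" line for the same flow, and flows with repeated failures
inside a short window are reported.

SAMPLE_IPSEC_ERRORS is copied from the sample output on this page (wrapped lines
joined). The alert thresholds and the assumed year are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_IPSEC_ERRORS = """\
RP/0/RP1/CPU0:Apr 26 21:47:37.286 PST8PST: ipsec_pp[207]: Rcvd: Pulse Msg: 0
RP/0/RP1/CPU0:Apr 26 21:47:37.286 PST8PST: ipsec_pp[207]: Rcvd: Packet from ICF pak_handle = eace99f7, flow_id = 2
RP/0/RP1/CPU0:Apr 26 21:47:37.286 PST8PST: ipsec_pp[207]: Failed to proc pak from ICF - Flow 2
RP/0/RP1/CPU0:Apr 26 21:48:01.286 PST8PST: ipsec_pp[207]: Rcvd: Pulse Msg: 0
RP/0/RP1/CPU0:Apr 26 21:48:01.287 PST8PST: ipsec_pp[207]: Rcvd: Packet from ICF pak_handle = eacfe677, flow_id = 2
RP/0/RP1/CPU0:Apr 26 21:48:01.288 PST8PST: ipsec_pp[207]: Failed to proc pak from ICF - Flow 2
RP/0/RP1/CPU0:Apr 26 21:48:54.333 PST8PST: ipsec_pp[207]: Rcvd: Pulse Msg: 0
"""

# Prefix as printed above; the optional group absorbs the "PST8PST" timezone token.
PREFIX_RE = re.compile(
    r"^(?P<node>[^:\s]+):(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+)"
    r"(?: (?P<tz>[^:\s]+))? ?: (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
RCVD_RE = re.compile(r"Rcvd: Packet from ICF pak_handle = (?P<pak>[0-9a-f]+), flow_id = (?P<flow>\d+)")
FAIL_RE = re.compile(r"Failed to proc pak from ICF - Flow (?P<flow>\d+)")


def parse_ts(ts: str, year: int = 1900) -> datetime:
    """The log carries no year; one is assumed (constructed) so timestamps compare."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S.%f")


def failures_per_flow(log_text: str) -> dict:
    """Map flow_id -> list of (timestamp, pak_handle) for every failed packet."""
    failures = defaultdict(list)
    last_rcvd = {}                      # flow_id -> (ts, pak_handle) of the last received packet
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if not m or m.group("proc") != "ipsec_pp":
            continue                    # other processes or non-log lines (CLI prompt)
        ts, body = parse_ts(m.group("ts")), m.group("body")
        r = RCVD_RE.search(body)
        if r:
            last_rcvd[int(r.group("flow"))] = (ts, r.group("pak"))
            continue
        f = FAIL_RE.search(body)
        if f:
            flow = int(f.group("flow"))
            pak = last_rcvd.get(flow, (None, None))[1]   # None if no Rcvd line preceded it
            failures[flow].append((ts, pak))
    return dict(failures)


def flows_to_alert(log_text: str, min_failures: int = 2, window_sec: int = 300) -> list:
    """Flows with at least min_failures failed packets within window_sec (assumed thresholds).

    Returns (flow_id, failure_count, span_seconds) tuples.
    """
    alerts = []
    for flow, events in failures_per_flow(log_text).items():
        times = [t for t, _ in events]
        span = (max(times) - min(times)).total_seconds()
        if len(events) >= min_failures and span <= window_sec:
            alerts.append((flow, len(events), span))
    return alerts


if __name__ == "__main__":
    for flow, count, span in flows_to_alert(SAMPLE_IPSEC_ERRORS):
        print(f"flow {flow}: {count} failed packets within {span:.3f}s")
```

On the sample, flow 2 fails twice 24 seconds apart, so it is reported; the pak_handle attached to each failure lets the operator correlate with a packet capture or with the debug crypto ipsec packets output for the same flow.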

debug crypto isakmp

To display messages about Internet Key Exchange (IKE) events, use the debug crypto isakmp command in EXEC mode. To disable debugging output, use the no form of this command.

debug crypto isakmp [error | terse]

no debug crypto isakmp [error | terse]

Syntax Description

error

Displays the failures or errors encountered in the IKE code.

terse

Displays the non-failure occurrences, based on the message exchange of the protocol.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release        Modification
Release 2.0    This command was introduced on the Cisco CRS-1.
Release 3.0    No modification.
Release 3.2    This command was supported on the Cisco XR 12000 Series Router.
Release 3.3.0  No modification.
Release 3.4.0  The following keywords have been removed: detail, error, flow, packet, payload, trace, and unit.
Release 3.5.0  The following keywords have been added: error and terse.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Task ID

Task ID   Operations
crypto    read


Examples

The following is sample output from the debug crypto isakmp command:

RP/0/RP0/CPU0:router# debug crypto isakmp

RP/0/RP0/CPU0:Aug 3 20:08:30.149 : rsvp[117]: Forwarding PATH message on POS0/3/0/0 from 51.51.51.51 to 70.70.70.70 (length=212 bytes, TTL=254, TOS=0xff, flags=0x1 ,RA)

debug crypto pki

To display messages about public key infrastructure (PKI) client events, use the debug crypto pki command in EXEC mode. To disable debugging output, use the no form of this command.

debug crypto pki {errors | messages | transactions}

no debug crypto pki {errors | messages | transactions}

Syntax Description

errors

Displays PKI error messages.

messages

Displays PKI input and output messages.

transactions

Displays PKI transactions.


Defaults

No default behavior or values

Command Modes

EXEC

Command History

Release        Modification
Release 3.3.0  This command was introduced on the Cisco CRS-1 and the Cisco XR 12000 Series Router.
Release 3.4.0  No modification.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Task ID

Task ID   Operations
crypto    read


Examples

The following is an example of the use of the debug crypto pki command:

RP/0/RP0/CPU0:router# debug crypto pki