Manual Chapter : Diagnosing IPsec Tunnel Issues

Applies To:

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

Overview: Diagnosing IPsec tunnel issues

Using the browser interface, you can diagnose problems with the IPsec tunnels you create on the BIG-IP® system. The IPsec diagnostics search capability facilitates quick retrieval of data, even when you have a large number of IPsec tunnels. The search results list the traffic selector that meets your criteria. You can search on source IP address, destination IP address, both source and destination IP addresses, IPsec policy name, or traffic selector name.
To search on the source or destination IP address of a traffic selector, you can type either a valid IPv4 or valid IPv6 address. The BIG-IP system currently finds only exact matches for IP addresses. To use a route domain ID for a non-default route domain, that is, a route domain other than 0, append the character % and the route domain ID number to the end of the IP address. For example, to use route domain 2 with an IPv4 address of 1.1.1.1, you would type 1.1.1.1%2. For the default route domain (0), do not append any additional characters to the IP address.
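The following is an added example, not code from the BIG-IP system or F5 documentation: it parses search addresses in the address%route-domain form described above (IPv4 or IPv6, defaulting to route domain 0) and performs the same exact-match search over a constructed, hypothetical set of traffic selector records, so that a search for 1.1.1.1 does not find a selector configured as 1.1.1.1%2 and a subnet is rejected as search input.

```python
import ipaddress
from typing import NamedTuple

class SearchAddress(NamedTuple):
    address: object   # ipaddress.IPv4Address or ipaddress.IPv6Address
    route_domain: int

def parse_search_address(text: str) -> SearchAddress:
    """Parse '1.1.1.1%2' or '2001:db8::1'; no '%<id>' suffix means route domain 0."""
    addr_part, sep, rd_part = text.strip().partition("%")
    if sep and not rd_part.isdigit():
        raise ValueError(f"route domain ID must be numeric: {text!r}")
    # ip_address() accepts IPv4 or IPv6 and rejects prefixes such as 10.0.0.0/8
    return SearchAddress(ipaddress.ip_address(addr_part), int(rd_part) if sep else 0)

def is_valid_search_address(text: str) -> bool:
    """True when the text is an address the search field would accept."""
    try:
        parse_search_address(text)
        return True
    except ValueError:
        return False

# Constructed sample traffic selector records (hypothetical, not a real configuration)
SELECTORS = [
    {"name": "ts_site_a", "source": "1.1.1.1%2", "destination": "2.2.2.2%2",
     "direction": "both", "policy": "ipsec_policy_a"},
    {"name": "ts_site_b", "source": "10.0.0.1", "destination": "10.0.0.2",
     "direction": "out", "policy": "ipsec_policy_b"},
    {"name": "ts_v6", "source": "2001:db8::1", "destination": "2001:db8::2",
     "direction": "both", "policy": "ipsec_policy_v6"},
]

def search_selectors(source=None, destination=None, policy=None, name=None):
    """Exact-match search: every criterion given must match, and an address
    matches only when address and route domain are identical (no subnet matching)."""
    want_src = parse_search_address(source) if source else None
    want_dst = parse_search_address(destination) if destination else None
    hits = []
    for ts in SELECTORS:
        if want_src and parse_search_address(ts["source"]) != want_src:
            continue
        if want_dst and parse_search_address(ts["destination"]) != want_dst:
            continue
        if (policy and ts["policy"] != policy) or (name and ts["name"] != name):
            continue
        hits.append(ts["name"])
    return hits
```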

Viewing the IPsec diagnostics

Before you begin this task, you must create at least one IPsec tunnel through which you then transmit traffic.
You can view diagnostic statistics for any IPsec tunnel on the BIG-IP system. This task describes searching by the traffic selector name, but you could also search by source and/or destination IP address or IPsec policy name.
  1. On the Main tab, click Network > IPsec > IPsec Diagnostics.
  2. From the IPsec Search By list, select Traffic Selector.
    The search field label changes to Select Traffic Selector Name.
  3. From the Select Traffic Selector Name list, select the name of the traffic selector that is associated with the communication channel you want to view, and click Search.
    The search results display the traffic selector you chose, including its source and destination addresses, direction, and associated IPsec policy.
  4. Click the traffic selector.
    Additional details appear for that communication channel.
    • The IPsec Stat Details tab includes the tunnel state, direction, number of packets, and total bytes.
    • The Security Association Details tab includes the state of the association, source and destination IP addresses, direction, IPsec protocol, authentication algorithm, encryption algorithm, and SPI.

IPsec Diagnostics Example

These examples show the diagnostic details that are available as the result of an IPsec traffic selector search.
The color of the icon in the Tunnel State or security association (SA) State column indicates the condition of the connection.
  • Green indicates that the tunnel is up and running.
  • Blue indicates that the SA is in the negotiating phase, before the tunnel is up.
  • Yellow indicates that the SA is still valid, but will be deleted soon.
  • Red indicates that the tunnel is down.
Figure: Example of IPsec Stat Details tab diagnostics
Figure: Example of IPsec Security Association Details tab diagnostics