69-IPsec diagnosis
Introduction
IPsec diagnosis can detect the status of IPsec connections. If the diagnosed IPsec connection is faulty, you can use the diagnosis results to check for misconfigurations and find possible causes.
The following diagnosis modes are supported:
· Data flow—The system obtains the IPsec policy according to the specified data flow to initiate diagnosis of IPsec with the peer.
· Interface—The system obtains the IPsec policy according to the specified interface to initiate diagnosis of IPsec with the peer.
· IP address—The system starts diagnosis of IPsec with the peer (specified by its IP address) after the peer initiates the IPsec connection.
Table 1 IPsec diagnosis items
Item | Description |
---|---|
IPsec peer reachability | Determines whether a route to the peer IP address exists in the routing table. |
Interface state | Determines the physical layer status and IP protocol layer status of the interface. The interface to check depends on the diagnosis mode: in data flow and IP address modes, the outgoing interface found through routing table lookup is checked; in interface mode, the interface specified by the user is checked. |
If IPsec policy applied on interface | Determines whether an IPsec policy is applied to the interface. |
If ACL rule in IPsec policy matches specified flow | This item is available only for IPsec diagnosis in data flow mode. If this item displays No, check the IPsec policy configuration. |
If ACL rule can match flow on the interface | This item is available only for IPsec diagnosis in interface mode. It shows whether the ACL used in the IPsec policy contains permit rules to identify the traffic that needs IPsec protection. The permit rules are required for IPsec to operate correctly. |
IPsec policy configuration check | Checks whether the IPsec policy configuration is complete. In data flow or interface mode, the following settings are checked: the ACL used to identify the traffic to be protected, the security parameters for IPsec SA negotiation, the local and remote IP addresses of the IPsec tunnel, and the SA parameters. In IP address mode, only the security parameters for IPsec SA negotiation and the SA parameters are checked. |
IKE negotiation result | If the IKE negotiation is operating correctly, this item displays IKE negotiation succeeded or IKE SA already exists. Any other information indicates that the IKE negotiation is faulty. Follow the displayed instructions to find the cause; for example, verify that the local end and the peer end have correct and matching IKE profiles. |
IPsec negotiation result | If the IPsec negotiation is operating correctly, this item displays IPsec negotiation succeeded or IPsec tunnel already exists. Any other information indicates that the IPsec negotiation is faulty. Follow the displayed instructions to find the cause; for example, verify that the local end and the peer end have correct and matching IPsec policy settings. |
Restrictions and guidelines
· In data flow mode, specify the source and destination IP addresses of the data flow before IPsec encapsulation in the Source IP address and Destination IP address fields.
· In data flow and interface modes, IPsec diagnosis works only if the device can find an IPsec policy to initiate an IPsec connection. IPsec policies configured by using IPsec policy templates cannot initiate IPsec connections, so they are ignored during IPsec diagnosis in data flow or interface mode.
· An IPsec diagnosis in data flow or interface mode can last up to 20 minutes. After the timer expires, the diagnosis stops and the completed diagnosis items are displayed.
· An IPsec diagnosis in IP address mode starts when it detects an IPsec connection initiated by the peer and stops when it finishes diagnosis for the IPsec connection.
· Only one IPsec diagnosis can run at the same time.
· IPsec diagnosis is available only on the IPv4 network.
· The device supports IPsec policy-based IPsec diagnosis but does not support IPsec profile-based IPsec diagnosis.
· The VRF is the VPN instance of the interface where the IPsec policy is applied.
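The checks in Table 1 together with the mode rules in the restrictions list can be read as one ordered procedure. The Python script below is an added example, not part of this document or of the device software: it models that procedure against a constructed device state (hypothetical interface names GE1/0/1 to GE1/0/3, routes, the policy names to-branch, to-dc and hub-template, and two peer addresses). It obtains the IPsec policy the way each mode does, ignores template-based policies in data flow and interface modes, runs the items in the documented order and stops at the first failed item. The two negotiation results are simulated by comparing the local profile and SA parameter names against a constructed PEERS table, because the real device learns them from the live IKE exchange.

```python
"""Model of the IPsec diagnosis sequence in Table 1 and the restrictions above.
Added example, not device code: every interface, route, policy and peer below is constructed."""
from ipaddress import ip_address, ip_network

# Constructed device state (hypothetical interface names, addresses and policy names).
ROUTES = {"10.1.2.0/24": "GE1/0/1", "10.1.3.0/24": "GE1/0/3", "0.0.0.0/0": "GE1/0/2"}
INTERFACES = {  # name: (physical layer up, IP protocol layer up, applied IPsec policy)
    "GE1/0/1": (True, True, "to-branch"), "GE1/0/2": (True, False, "to-dc"),  # GE1/0/2: protocol down
    "GE1/0/3": (True, True, "hub-template")}
POLICIES = {  # ACL rules are (action, src network, dst network); template policies cannot initiate
    "to-branch": {"acl": [("permit", "192.168.1.0/24", "192.168.2.0/24")], "ike_profile": "ike-branch",
                  "local": "10.1.1.1", "remote": "10.1.2.1", "transform_set": "esp-aes-sha", "template": False},
    "to-dc": {"acl": [("permit", "192.168.1.0/24", "172.16.0.0/16")], "ike_profile": "ike-dc",
              "local": "10.1.1.1", "remote": "172.16.9.1", "transform_set": "esp-aes-sha", "template": False},
    "hub-template": {"acl": [("permit", "192.168.1.0/24", "192.168.3.0/24")], "ike_profile": "ike-hub",
                     "local": "10.1.1.1", "remote": None, "transform_set": "esp-aes-sha", "template": True},
}
# What each peer would offer in negotiation; stands in for the live IKE/IPsec exchange (constructed).
PEERS = {"10.1.2.1": {"ike_profile": "ike-branch", "transform_set": "esp-aes-sha"},
         "10.1.3.1": {"ike_profile": "ike-other", "transform_set": "esp-aes-sha"}}

def lookup_route(dst):
    """Longest-prefix match over ROUTES; returns the outgoing interface or None."""
    addr, best = ip_address(dst), None
    for prefix, iface in ROUTES.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def acl_permits(acl, src, dst):
    """First matching rule decides; no matching rule is an implicit deny."""
    for action, s, d in acl:
        if ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d):
            return action == "permit"
    return False

def missing_settings(p, mode):
    """IPsec policy configuration check: the settings checked depend on the mode (Table 1)."""
    required = {"ike_profile": "security parameters", "transform_set": "SA parameters"}
    if mode != "ip":
        required.update({"acl": "ACL", "local": "local tunnel address", "remote": "remote tunnel address"})
    return [label for key, label in required.items() if not p.get(key)]

def select_policy(mode, src, dst, interface, peer):
    """How the device obtains the IPsec policy name in each diagnosis mode."""
    if mode == "flow":  # template-based policies cannot initiate, so they are ignored
        return next((n for n, p in POLICIES.items()
                     if not p["template"] and acl_permits(p["acl"], src, dst)), None)
    if mode == "interface":
        n = INTERFACES[interface][2]
        return n if n in POLICIES and not POLICIES[n]["template"] else None
    # IP address mode: the peer initiates, so a template-based policy may serve it
    return next((n for n, p in POLICIES.items() if p["remote"] == peer),
                next((n for n, p in POLICIES.items() if p["template"]), None))

def diagnose(mode, src=None, dst=None, interface=None, peer=None):
    """Run the Table 1 items in order; stopping at the first failed item is a modeling choice."""
    results = []
    def item(name, ok, detail):
        results.append({"item": name, "ok": bool(ok), "detail": detail})
        return bool(ok)
    name = select_policy(mode, src, dst, interface, peer)
    if name is None:
        item("IPsec policy lookup", False, "no IPsec policy can initiate a connection")
        return results
    p, peer_ip = POLICIES[name], (peer if mode == "ip" else POLICIES[name]["remote"])
    out_if = lookup_route(peer_ip)
    if not item("IPsec peer reachability", out_if, f"route to {peer_ip} via {out_if}"):
        return results
    ifname = interface if mode == "interface" else out_if
    phys, proto, applied = INTERFACES[ifname]
    if not item("Interface state", phys and proto, f"{ifname} physical={phys} protocol={proto}"):
        return results
    if not item("If IPsec policy applied on interface", applied == name, f"{ifname} applies {applied}"):
        return results
    if mode == "flow" and not item("If ACL rule in IPsec policy matches specified flow",
                                   acl_permits(p["acl"], src, dst), f"{src} -> {dst}"):
        return results
    if mode == "interface" and not item("If ACL rule can match flow on the interface",
                                        any(r[0] == "permit" for r in p["acl"]), "permit rule present"):
        return results
    missing = missing_settings(p, mode)
    if not item("IPsec policy configuration check", not missing,
                "missing: " + ", ".join(missing) if missing else "complete"):
        return results
    offer = PEERS.get(peer_ip, {})
    ike_ok = offer.get("ike_profile") == p["ike_profile"]
    if not item("IKE negotiation result", ike_ok,
                "IKE negotiation succeeded" if ike_ok else "IKE profile mismatch with peer"):
        return results
    sa_ok = offer.get("transform_set") == p["transform_set"]
    item("IPsec negotiation result", sa_ok,
         "IPsec negotiation succeeded" if sa_ok else "IPsec policy settings mismatch with peer")
    return results
```

With this state, diagnose("ip", peer="10.1.3.1") walks five items and stops at IKE negotiation result with an IKE profile mismatch, which is the case in which the table tells you to compare the IKE profiles on both ends; diagnose("interface", interface="GE1/0/2") passes peer reachability through the default route and then fails Interface state because the IP protocol layer is down; and diagnose("interface", interface="GE1/0/3") stops immediately because the applied policy is template-based and cannot initiate a connection, as the restrictions list states.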