Dump Notes

CSR Troubleshooting Companion

IKEv2:

csr# show crypto ikev2 sa
csr# debug crypto ikev2

IPsec:

csr# show crypto ipsec sa
csr# debug crypto ipsec

Packet Capture:

csr# show debugging
csr# debug platform condition ipv4 <on-prem VM ip>/32 both
csr# debug platform condition start
csr# debug platform packet-trace packet 1024
csr# show platform packet-trace summary
csr# show platform packet-trace packet <packet number>

Enter this command to clear the trace buffer and reset packet-trace:

csr# clear platform packet-trace statistics

The command to clear both platform conditions and the packet trace configuration is:

csr# clear platform condition all

PAN IPSec

Cisco ASAv VPN Policy Mapping

ASAv at Aviatrix:

crypto isakmp identity address 
!
crypto ikev1 enable management
crypto ikev1 policy 10
  encryption aes-256 
  authentication pre-share
  group 14
  lifetime 28800
  exit
!
tunnel-group 52.168.138.163 type ipsec-l2l
tunnel-group 52.168.138.163 ipsec-attributes
  ikev1 pre-shared-key avtx2019!
  isakmp keepalive threshold 10 retry 3
  exit
!
access-list outside_access extended permit ip host 52.168.138.163 host 13.68.220.32
access-group outside_access in interface management
access-list acl-avx extended permit ip 172.16.51.0 255.255.255.0 10.2.4.0 255.255.255.0
!
crypto ipsec ikev1 transform-set avx-transform-set esp-aes-256
!
crypto map avx_vpn_map 1 match address acl-avx
crypto map avx_vpn_map 1 set pfs group14
crypto map avx_vpn_map 1 set peer 52.168.138.163
crypto map avx_vpn_map 1 set ikev1 transform-set avx-transform-set
crypto map avx_vpn_map 1 set security-association lifetime seconds 3600
crypto map avx_vpn_map 1 set security-association lifetime kilobytes unlimited
crypto map avx_vpn_map interface management
crypto ipsec df-bit clear-df management
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption management

Remote ASAv:

crypto isakmp identity address 
!
crypto ikev1 enable management
crypto ikev1 policy 10
  encryption aes-256 
  authentication pre-share
  group 14
  lifetime 28800
  exit
!
tunnel-group 13.68.220.32 type ipsec-l2l
tunnel-group 13.68.220.32 ipsec-attributes
  ikev1 pre-shared-key avtx2019!
  isakmp keepalive threshold 10 retry 3
  exit
!
access-list outside_access extended permit ip host 13.68.220.32 host 52.168.138.163
access-group outside_access in interface management
access-list acl-avx extended permit ip 192.168.10.0 255.255.255.0 172.16.51.0 255.255.255.0
!
crypto ipsec ikev1 transform-set avx-transform-set esp-aes-256
crypto map avx_vpn_map 1 match address acl-avx
crypto map avx_vpn_map 1 set pfs group14
crypto map avx_vpn_map 1 set peer 13.68.220.32
crypto map avx_vpn_map 1 set ikev1 transform-set avx-transform-set
crypto map avx_vpn_map 1 set security-association lifetime seconds 3600
crypto map avx_vpn_map 1 set security-association lifetime kilobytes unlimited
crypto map avx_vpn_map interface management
crypto ipsec df-bit clear-df management
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption management
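The two ASAv snippets above must mirror each other: each tunnel-group peer is the other box's address, the crypto ACLs are reversed, and the PSK, transform-set and PFS group are identical. Below is an added example, not from these notes nor from Aviatrix or Cisco, that parses trimmed copies of both snippets (constructed from the lines above) and reports every divergence; it also flags a transform-set with no esp-*-hmac entry, since ESP with encryption only provides no integrity protection.

```python
import re

# Constructed samples: the lines of the two ASAv snippets above that must agree.
AVIATRIX_ASAV = """
tunnel-group 52.168.138.163 type ipsec-l2l
  ikev1 pre-shared-key avtx2019!
access-list outside_access extended permit ip host 52.168.138.163 host 13.68.220.32
access-list acl-avx extended permit ip 172.16.51.0 255.255.255.0 10.2.4.0 255.255.255.0
crypto ipsec ikev1 transform-set avx-transform-set esp-aes-256
crypto map avx_vpn_map 1 set pfs group14
"""
REMOTE_ASAV = """
tunnel-group 13.68.220.32 type ipsec-l2l
  ikev1 pre-shared-key avtx2019!
access-list outside_access extended permit ip host 13.68.220.32 host 52.168.138.163
access-list acl-avx extended permit ip 192.168.10.0 255.255.255.0 172.16.51.0 255.255.255.0
crypto ipsec ikev1 transform-set avx-transform-set esp-aes-256
crypto map avx_vpn_map 1 set pfs group14
"""
NET = r"(\d[\d.]+ \d[\d.]+)"  # one 'network mask' pair in a crypto ACL

def parse_asa(cfg):
    # Extract the fields an IKEv1 l2l peer pair must agree on.
    def field(pat, n=1):
        return re.search(pat, cfg, re.M).group(n)
    return {
        "peer": field(r"^tunnel-group (\S+) type ipsec-l2l"),
        "psk": field(r"ikev1 pre-shared-key (\S+)"),
        "self": field(r"permit ip host \S+ host (\S+)"),   # inbound ACL is peer -> self
        "local_net": field(rf"permit ip {NET} {NET}", 1),   # crypto ACL is local -> remote
        "remote_net": field(rf"permit ip {NET} {NET}", 2),
        "transforms": field(r"transform-set \S+ (esp-.+)$").split(),
        "pfs": field(r"set pfs (\S+)"),
    }

def check_mirror(a, b):
    """Return the mismatches between two peers' configs; an empty list means consistent."""
    issues = []
    if (a["peer"], b["peer"]) != (b["self"], a["self"]):
        issues.append("tunnel-group peers do not cross-reference the two ASAv addresses")
    if (a["local_net"], a["remote_net"]) != (b["remote_net"], b["local_net"]):
        issues.append(f"crypto ACLs are not mirror images: {a['local_net']} -> "
                      f"{a['remote_net']} vs {b['local_net']} -> {b['remote_net']}")
    for k in ("psk", "transforms", "pfs"):
        if a[k] != b[k]:
            issues.append(f"{k} differs between peers")
    for name, f in (("A", a), ("B", b)):  # encryption-only ESP has no integrity check
        if not any(t.endswith("-hmac") for t in f["transforms"]):
            issues.append(f"{name}: transform-set has no ESP integrity algorithm")
    return issues
```

Run against the snippets above it reports the crypto ACL mismatch (172.16.51.0 -> 10.2.4.0 on one side versus 192.168.10.0 -> 172.16.51.0 on the other) and the missing integrity transform on both sides.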

FortiGate GRE

  • refer to the FortiGate by its public IP
  • use the FortiGate's private IP as local-gw

# config system gre-tunnel
    edit "toAVX"
        set interface "port1"
        set local-gw 172.31.0.10
        set remote-gw 54.173.230.152
    next
end
# config system gre-tunnel
    edit "toAVX-HA"
        set interface "port1"
        set local-gw 172.31.0.10
        set remote-gw 52.205.68.53
    next
end

BGP config:

ECMP:

Before:

Enable ecmp:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Usage-of-BGP-multipath-and-description-of-the-BGP/ta-p/195919

After:

References

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-and-verifying-a-GRE-tunnel-between-two/ta-p/192841