The diagnose ipsec data-flow command diagnoses IPSec negotiation based on attributes of IPSec data flows, such as the source IP address, destination IP address, source port, or destination port.
diagnose ipsec data-flow ip source-ip { source-ipv4 | source-ipv6 } destination-ip { destination-ipv4 | destination-ipv6 } [ vpn-instance vpn-instance-name ] [ timeout timeout ]
diagnose ipsec data-flow { tcp | udp } source-ip { source-ipv4 | source-ipv6 } destination-ip { destination-ipv4 | destination-ipv6 } [ source-port source-port ] [ destination-port destination-port ] [ vpn-instance vpn-instance-name ] [ timeout timeout ]
| Parameter | Description | Value |
|---|---|---|
| ip | Indicates the IP protocol. | - |
| tcp | Indicates the TCP protocol. | - |
| udp | Indicates the UDP protocol. | - |
| source-ip source-ipv4 | Specifies the source IPv4 address of IPSec packets. | The value is expressed in dotted decimal notation. |
| source-ip source-ipv6 | Specifies the source IPv6 address of IPSec packets. | The value is in colon hexadecimal notation. |
| destination-ip destination-ipv4 | Specifies the destination IPv4 address of IPSec packets. | The value is expressed in dotted decimal notation. |
| destination-ip destination-ipv6 | Specifies the destination IPv6 address of IPSec packets. | The value is in colon hexadecimal notation. |
| source-port source-port | Specifies the TCP/UDP source port of IPSec packets. | The value is an integer that ranges from 0 to 65535. |
| destination-port destination-port | Specifies the TCP/UDP destination port of IPSec packets. | The value is an integer that ranges from 0 to 65535. |
| vpn-instance vpn-instance-name | Specifies the VPN instance bound to the IPSec SA. | The value must be an existing vpn-instance name. |
| timeout timeout | Specifies the timeout interval of the diagnosis process. | The value is an integer that ranges from 10 to 120, in seconds. The default value is 30. |
Usage Scenario
This command diagnoses faults affecting a specific IPSec data flow. For example, if data transmission between two protected network segments fails while other protected network segments communicate normally, run this command against the traffic between those two segments.
Precautions
This command can be run only on the initiator.
# Perform an IPSec negotiation diagnosis for the IPSec data flow with the source IP address 10.3.3.2, destination IP address 10.3.3.1, TCP source port 1111, and TCP destination port 2222.
```
<sysname> diagnose ipsec data-flow tcp source-ip 10.3.3.2 destination-ip 10.3.3.1 source-port 1111 destination-port 2222
IPSec diagnosing.
(1).data flow route:Exist.
(2).Interface Status:Up at the physical layer.Up at the protocol layer.
(3).The IPSec policy is applied to the interface:Applied.
(4).An IPSec sub-policy that matches data flows is configured:Found.
(5).negotiation mode:Supported.
(6).Policy Configuration Item:The configuration is complete.
(7).Negotiation Result in Phase 1:The negotiation Result is successful.
(8).Negotiation Result in Phase 2:The negotiation Result is successful.
```
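As an added example (not part of this command reference), the following Python parses the eight-step diagnosis output shown above and reports the first step whose result differs from the success text on this page, which is what an operator wants when the check is run from a script against many flows. The embedded sample session is the one above; the page shows only the success case, so any non-success wording a device prints is an assumption here and is simply treated as "not the expected result".

```python
import re
from typing import Optional

# Expected success text per step, taken from the sample output on this page.
EXPECTED = {
    1: ("data flow route", "Exist"),
    2: ("Interface Status", "Up at the physical layer.Up at the protocol layer"),
    3: ("The IPSec policy is applied to the interface", "Applied"),
    4: ("An IPSec sub-policy that matches data flows is configured", "Found"),
    5: ("negotiation mode", "Supported"),
    6: ("Policy Configuration Item", "The configuration is complete"),
    7: ("Negotiation Result in Phase 1", "The negotiation Result is successful"),
    8: ("Negotiation Result in Phase 2", "The negotiation Result is successful"),
}

# Matches "(n).<check name>:<result>." as printed by the command.
STEP_RE = re.compile(r"^\((\d+)\)\.([^:]+):(.*?)\.?$")

# The sample session from this page, embedded as the input to parse.
SAMPLE_OUTPUT = """\
IPSec diagnosing.
(1).data flow route:Exist.
(2).Interface Status:Up at the physical layer.Up at the protocol layer.
(3).The IPSec policy is applied to the interface:Applied.
(4).An IPSec sub-policy that matches data flows is configured:Found.
(5).negotiation mode:Supported.
(6).Policy Configuration Item:The configuration is complete.
(7).Negotiation Result in Phase 1:The negotiation Result is successful.
(8).Negotiation Result in Phase 2:The negotiation Result is successful.
"""


def parse_steps(output: str) -> dict:
    """Map step number -> (check name, result) for every step line found."""
    steps = {}
    for line in output.splitlines():
        m = STEP_RE.match(line.strip())
        if m:
            steps[int(m.group(1))] = (m.group(2).strip(), m.group(3).strip())
    return steps


def first_failed_step(output: str) -> Optional[int]:
    """Number of the first step that is missing or whose result is not the
    success text, or None when all eight checks report success."""
    steps = parse_steps(output)
    for num, (_, ok_text) in sorted(EXPECTED.items()):
        # A step absent from the output is reported as the failing one.
        if steps.get(num, ("", ""))[1] != ok_text:
            return num
    return None
```

`EXPECTED[n][0]` gives the check name for a failing step number, which is what you would include in an alert or ticket.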