Debugging tool for NP6-offloaded IPsec VPN tunnels
You can use the following commands to display debugging information for IPsec VPN tunnels offloaded by NP6, NP6Xlite, and NP6Lite processors.
Use the following command to enable offloaded IPsec VPN tunnel debugging.
diagnose vpn tunnel npu-debug enable
You can then use the following command to display information about active offloaded NP7 tunnels after enabling debugging:
diagnose vpn tunnel npu <phase1-name> <phase2-name> {enc-sa | dec-sa | enc-info | dec-info | dec-session}
<phase1-name> IPsec VPN tunnel phase 1 name
<phase2-name> IPsec VPN tunnel phase 2 name or proxy ID that you can get from the IPsec tunnel list.
enc-sa encryption SA.
dec-sa decryption SA.
enc-info encryption driver information.
dec-info decryption driver information.
dec-session decryption session.
Once you have found the information you are looking for, disable offloaded IPsec VPN tunnel debugging to save system resources:
diagnose vpn tunnel npu-debug disable
Example - display some NP processor IPsec VPN information
Enable offloaded IPsec VPN tunnel debugging.
diagnose vpn tunnel npu-debug enable
List the active IPsec VPN tunnels:
diagnose vpn tunnel list
list all ipsec tunnel in vd 3
------------------------------------------------------
name=p1-vdom1 ver=1 serial=1 11.11.11.1:0->11.11.11.2:0 nexthop=0.0.0.0 tun_id=11.11.11.2 tun_id6=::11.11.11.2 status=up dst_mtu=1500 weight=1
bound_if=70 real_if=70 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=143 olast=143 ad=/0
stat: rxp=1498 txp=12814 rxb=246900 txb=15197020
dpd: mode=on-demand on=1 status=ok idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=p2-vdom1 proto=0 sa=1 ref=4 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42713/0B replaywin=2048
      seqno=2c00 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42902/43200
  dec: spi=70d68db5 esp=aes key=16 c95b0e37699013f33360ffbdbb21f2ff
       ah=sha1 key=20 14ad4a1fcb942159540d6f5ef81ee1e69b998b51
  enc: spi=5f7f6949 esp=aes key=16 3c95614fa057ff454898bcf6b20e8b94
       ah=sha1 key=20 22d6d6c9d7e95d9adb01f85902efdcd59aaca03b
  dec:pkts/bytes=1/576, enc:pkts/bytes=12/14304
  npu_flag=03 npu_rgwy=11.11.11.2 npu_lgwy=11.11.11.1 npu_selid=0 dec_npuid=1 enc_npuid=1
  dec_engid=-1 enc_engid=-1 dec_saidx=3 enc_saidx=0
Check VPN information in the NP processors, for example, information about the encryption SA:
diagnose vpn tunnel npu p1-vdom1 p2-vdom1 enc-sa
ENTRY_0: [err=0]
0: [02521411,49697f5f,00000000,400e0000]
16: [ff1a2fe7,02007fff,00002c62,00020000]
32: [4f61953c,45ff57a0,f6bc9848,948b0eb2]
48: [c9d6d622,9a5de9d7,59f801db,d5dcef02]
64: [4c713fa0,330267e5,e01469dd,43844d46]
80: [5bdfc094,a54558d3,5c95f2de,c0685a5f]
96: [1bdb7c5d,3fb4a622,00000000,00000000]
112: [00000000,00000000,00000000,00000000]
128: [fe0fb6b0,00000000,23e00000,6b3150ff]
144: [00000000,00000000,010b0b0b,00000000]
160: [00000000,00000000,020b0b0b,00000000]
176: [00000000,00000000,00000000,800001ff]
192: [00000000,00000000,00000000,00000000]
208: [00000000,00000000,00000000,00000000]
224: [00000000,00000000,00000000,00000000]
240: [00000000,00000000,00000000,00000000]
{
cmd_vld (00:00) = 00000001
cmd_ver (02:01) = 00000000
cmd_rsvd (03:03) = 00000000
cmd_act (05:04) = 00000001
cmd_rpri (06:06) = 00000000
cmd_ord (07:07) = 00000000
cmd_ftsr (08:08) = 00000000
cmd_smr (09:09) = 00000000
cmd_dmr (10:10) = 00000001
cmd_ushen (11:11) = 00000000
cmd_rpl (12:12) = 00000001
cmd_tp (13:13) = 00000000
cmd_ipv6 (14:14) = 00000000
cmd_utvs (15:15) = 00000000
cmd_tfc (16:16) = 00000000
cmd_mlen (17:17) = 00000001
cmd_rsvd2 (19:18) = 00000000
cmd_crypto (23:20) = 00000005
cmd_hmac (27:24) = 00000002
cmd_ushpid (31:28) = 00000000
spi (63:32) = 5f7f6949
timestamp (103:64) = 0000000000000000
vhid (111:104) = 00000000
tc (115:112) = 0000000e
tc_rmap (117:116) = 00000000
pshift (121:118) = 00000000
bshift (125:122) = 00000000
stsen (126:126) = 00000001
acc (127:127) = 00000000
byte_cnt (175:128) = 00007fffff1a2fe7
byte_tfclim (183:176) = 00000000
byte_tog (184:184) = 00000000
byte_msgen (185:185) = 00000001
byte_frzen (186:186) = 00000000
sn (223:192) = 00002c62
esn (239:224) = 00000000
tog (240:240) = 00000000
sn_msgen (241:241) = 00000001
eesn (242:242) = 00000000
sn_rsvd0 (246:243) = 00000000
ctos (247:247) = 00000000
tos (255:248) = 00000000
key0 (319:256) = 45ff57a04f61953c
key1 (383:320) = 948b0eb2f6bc9848
key2 (447:384) = 9a5de9d7c9d6d622
key3 (511:448) = d5dcef0259f801db
hm0 (575:512) = 330267e54c713fa0
hm1 (639:576) = 43844d46e01469dd
hm2 (703:640) = a54558d35bdfc094
hm3 (767:704) = c0685a5f5c95f2de
hm4 (831:768) = 3fb4a6221bdb7c5d
hm5 (895:832) = 0000000000000000
hm6 (959:896) = 0000000000000000
hm7 (1023:960) = 0000000000000000
tgtp11_8 (1027:1024) = 00000000
tu (1028:1028) = 00000001
s (1029:1029) = 00000001
x (1030:1030) = 00000000
v (1031:1031) = 00000001
tgtp70 (1039:1032) = 000000b6
tgt_vlan11_8 (1043:1040) = 0000000f
tgt_cfi (1044:1044) = 00000000
tgt_pri (1047:1045) = 00000000
tgt_vlan7_0 (1055:1048) = 000000fe
srcp11_8 (1059:1056) = 00000000
su (1060:1060) = 00000000
x_old (1061:1061) = 00000000
r (1062:1062) = 00000000
srcp70 (1071:1064) = 00000000
src_vlan11_8 (1075:1072) = 00000000
src_cfi (1076:1076) = 00000000
src_pri (1079:1077) = 00000000
src_vlan7_0 (1087:1080) = 00000000
vdom_id (1103:1088) = 00000000
dmac0 (1111:1104) = 000000e0
dmac1 (1119:1112) = 00000023
dmac2 (1127:1120) = 000000ff
dmac3 (1135:1128) = 00000050
dmac4 (1143:1136) = 00000031
dmac5 (1151:1144) = 0000006b
smac0 (1159:1152) = 00000000
smac1 (1167:1160) = 00000000
smac2 (1175:1168) = 00000000
smac3 (1183:1176) = 00000000
smac4 (1191:1184) = 00000000
smac5 (1199:1192) = 00000000
l2_type (1215:1200) = 00000000
src_ip0 (1279:1216) = 00000000010b0b0b
src_ip1 (1343:1280) = 0000000000000000
dst_ip0 (1407:1344) = 00000000020b0b0b
dst_ip1 (1471:1408) = 0000000000000000
src_port (1487:1472) = 00000000
dst_port (1503:1488) = 00000000
ttl (1511:1504) = 000000ff
cttl (1512:1512) = 00000001
fl (1532:1513) = 00000000
cfl (1533:1533) = 00000000
df (1534:1534) = 00000000
cdf (1535:1535) = 00000001
}
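The enc-sa entry above carries the live ESP encryption key (key0 and key1 hold the same 16 bytes as the enc: esp=aes key in the tunnel list), so the output should be handled as secret material. The following Python sketch is an added example, not Fortinet code: it decodes the raw rows by the (hi:lo) bit ranges of the listing and blanks the key0-key3 and hm0-hm7 rows before the dump is attached to a ticket. The word layout (word i holds bits 32i to 32i+31, little-endian in memory) is inferred from the sample output on this page, and the function names are illustrative.

```python
import re

# Rows 0-160 of the raw ENTRY_0 dump, copied from the example output on this page.
DUMP = """\
0: [02521411,49697f5f,00000000,400e0000]
16: [ff1a2fe7,02007fff,00002c62,00020000]
32: [4f61953c,45ff57a0,f6bc9848,948b0eb2]
48: [c9d6d622,9a5de9d7,59f801db,d5dcef02]
64: [4c713fa0,330267e5,e01469dd,43844d46]
80: [5bdfc094,a54558d3,5c95f2de,c0685a5f]
96: [1bdb7c5d,3fb4a622,00000000,00000000]
112: [00000000,00000000,00000000,00000000]
128: [fe0fb6b0,00000000,23e00000,6b3150ff]
144: [00000000,00000000,010b0b0b,00000000]
160: [00000000,00000000,020b0b0b,00000000]
"""
ROW = re.compile(r"^(\d+): \[([0-9a-f]{8}(?:,[0-9a-f]{8}){3})\]$", re.M)
KEY_BYTES = range(32, 128)  # bits 256..1023: key0-key3 and hm0-hm7

def words(dump):
    """Return the dump as 32-bit words; assumes contiguous rows from offset 0."""
    return [int(w, 16) for _, row in ROW.findall(dump) for w in row.split(",")]

def field(ws, hi, lo):
    """Extract a (hi:lo) bit range as printed in the decoded listing."""
    entry = sum(w << (32 * i) for i, w in enumerate(ws))
    return (entry >> lo) & ((1 << (hi - lo + 1)) - 1)

def wire_bytes(ws, hi, lo):
    """Same field as bytes in memory order (each word is little-endian)."""
    return field(ws, hi, lo).to_bytes((hi - lo + 1) // 8, "little")

def redact(dump):
    """Zero every row that overlaps the key/HMAC region; keep the rest."""
    def blank(m):
        if int(m.group(1)) in KEY_BYTES:
            return f"{m.group(1)}: [" + ",".join(["00000000"] * 4) + "]"
        return m.group(0)
    return ROW.sub(blank, dump)

if __name__ == "__main__":
    ws = words(DUMP)
    print("spi        ", wire_bytes(ws, 63, 32).hex())
    print("cmd_crypto ", field(ws, 23, 20), "cmd_hmac", field(ws, 27, 24))
    print("src/dst ip ", list(wire_bytes(ws, 1247, 1216)), list(wire_bytes(ws, 1375, 1344)))
    print("ESP key in dump:", wire_bytes(ws, 383, 256).hex())
    print(redact(DUMP))
```

The decoded key0 to hm7 lines and the key= values in the tunnel list repeat the same material, so they need the same treatment before the output leaves the device.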