Use the debug ip packet privileged EXEC command to display general IP debugging information and IP security option (IPSO) security transactions. The no form of this command disables debugging output.
debug ip packet [access-list-number]
Syntax Description
access-list-number (Optional) IP access list number that you can specify. If the datagram is not permitted by that access list, the related debugging output is suppressed.
Usage Guidelines
If a communication session is closing when it should not be, an end-to-end connection problem can be the cause. The debug ip packet command is useful for analyzing the messages traveling between the local and remote hosts.
IP debugging information includes packets received, generated, and forwarded. Fast-switched packets do not generate messages.
IPSO security transactions include messages that describe the cause of failure each time a datagram fails a security test in the system. This information is also sent to the sending host when the router configuration allows it.
Caution Because the debug ip packet command generates a significant amount of output, use it only when traffic on the IP network is low, so other activity on the system is not adversely affected.
Examples
The following is sample output from the debug ip packet command:
Router# debug ip packet
IP: s=172.16.13.44 (Fddi0), d=10.125.254.1 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.6 (Ethernet4), d=255.255.255.255, rcvd 2
IP: s=172.16.1.55 (Ethernet4), d=172.16.2.42 (Fddi0), g=172.16.13.6, forward
IP: s=172.16.89.33 (Ethernet2), d=10.130.2.156 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.27 (Ethernet4), d=172.16.43.126 (Fddi1), g=172.16.23.5, forward
IP: s=172.16.1.27 (Ethernet4), d=172.16.43.126 (Fddi0), g=172.16.13.6, forward
IP: s=172.16.20.32 (Ethernet2), d=255.255.255.255, rcvd 2
IP: s=172.16.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.16.16.2, access denied
The output shows two types of messages that the debug ip packet command can produce; the first line of output describes an IP packet that the router forwards, and the third line of output describes a packet that is destined for the router. In the third line of output, "rcvd 2" indicates that the router decided to receive the packet.
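As an added example, not part of the Cisco documentation, the following Python script parses lines in the format shown above and summarizes how many packets the router forwarded, received for itself, or rejected with "access denied", and lists the source and destination of each rejected packet so a repeatedly denied source stands out. The sample lines are constructed after the page's example; the regular expression and the field names it uses (src, dst, in_if, out_if, gw, action) are this example's own assumptions about the line layout, derived only from the lines shown on this page.

```python
import re
from collections import Counter

# Constructed sample of debug ip packet output, modelled on the page's example
# (not captured from a real router).
SAMPLE_OUTPUT = """\
IP: s=172.16.13.44 (Fddi0), d=10.125.254.1 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.16.16.2, forward
IP: s=172.16.1.6 (Ethernet4), d=255.255.255.255, rcvd 2
IP: s=172.16.1.55 (Ethernet4), d=172.16.2.42 (Fddi0), g=172.16.13.6, forward
IP: s=172.16.1.57 (Ethernet4), d=10.36.125.2 (Serial2), g=172.16.16.2, access denied
"""

# Assumed layout of one line: source and incoming interface, destination with an
# optional outgoing interface, an optional gateway, then the action taken.
# Packets destined for the router itself have no outgoing interface or gateway.
LINE_RE = re.compile(
    r"^IP: s=(?P<src>[\d.]+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<out_if>[^)]+)\))?"
    r"(?:, g=(?P<gw>[\d.]+))?, (?P<action>forward|rcvd \d+|access denied)$"
)


def parse_line(line):
    """Return a dict of fields for one debug line, or None if it is not an IP: line
    (prompts, echoed commands and other debug output are skipped)."""
    match = LINE_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(record):
    """Map the trailing action text onto one of three outcomes."""
    action = record["action"]
    if action == "forward":
        return "forwarded"
    if action.startswith("rcvd"):
        return "received"   # "rcvd N": the router accepted the packet for itself
    return "denied"         # "access denied": rejected by the router


def summarize(text):
    """Count outcomes and list (src, dst, in_if) for every denied packet."""
    records = [r for r in map(parse_line, text.splitlines()) if r is not None]
    counts = Counter(classify(r) for r in records)
    denied = [(r["src"], r["dst"], r["in_if"]) for r in records if classify(r) == "denied"]
    return {"total": len(records), "counts": dict(counts), "denied": denied}


if __name__ == "__main__":
    result = summarize(SAMPLE_OUTPUT)
    print(f"parsed {result['total']} packets: {result['counts']}")
    for src, dst, in_if in result["denied"]:
        print(f"denied: {src} -> {dst} (received on {in_if})")
```

On a live device the same parser can be fed the captured terminal output or a syslog file to which debugging is directed; because the command is process-switched only, the counts reflect process-switched traffic and not fast-switched packets.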
The table below describes the fields shown in the first line.
The decision on whether to send a security error message can be somewhat confusing. It depends upon both the security label in the datagram and the label of the incoming interface. First, the label contained in the datagram is examined for anything obviously wrong. If nothing is wrong, the label is assumed to be correct. If there is something wrong, the datagram is treated as unclassified genser. Then the label is compared with the interface range, and the appropriate action is taken as the table below describes.
The security code can only generate a few types of ICMP error messages. The only possible error messages and their meanings follow:
Note The message "ICMP Parameter problem, code 2" identifies a specific error that occurs in the processing of a datagram. This message indicates that the router received a datagram containing a maximum length IP header but no security option. After being processed and routed to another interface, it is discovered that the outgoing interface is marked with "add a security label." Since the IP header is already full, the system cannot add a label and must drop the datagram and return an error message.
When an IP packet is rejected due to an IP security failure, an audit message is sent via DNSIX NAT. Also, any debug ip packet output is appended to include a description of the reason for rejection. This description can be any of the following: