CT Connectors CLI reference
The following CT Connector commands can be run from the CLI of the Connector. They output the information required to troubleshoot connectivity and operational issues, and they also manage the agents on the Connectors.
CT Connectors are built for low maintenance. For additional information to troubleshoot issues, collect the logs from the Connectors using the Logcollect utility for Xshield.
config commands
Type config -h to see the list of configuration commands.
The config commands set, among other things, the Connector's name, domain name, interfaces, routes, SSH access, DNS servers, and default gateway.
Set SSH access
    CTConnector> config ssh_acl enable
    SSH ACL status is enabled.
    WARNING : SSH ACL list is empty. Allowing SSH traffic for all IP addresses.
    INFO : To allow SSH for specific IP addresses, please add IP addresses using following command:
    config ssh_acl add <Comma separated list of IP addresses>
    CTConnector> config ssh_acl add 172.31.1.2
    IP address 172.31.1.2 is configured in SSH ACL list.
show commands
Type show -h to see the list of show commands.
Command | Description |
show network_config | See the network configuration of the Connector: interface mode (dhcp or static), DNS servers, default gateway, network interface details, and so on. |
    CTConnector> show network_config
    Name            : ip-10-20-2-17
    Interface mode  : dhcp
    Domain name     : (none)
    DNS Server      : 8.8.8.8
    Default Gateway : 10.20.2.1
    Network interface:
    Name       : eth0
    IP Addr    : 10.20.2.17
    MAC Addr   : 02:22:a8:8c:56:88
    Status     : up
    Rx packets : 1824444
    Rx bytes   : 296335256
    Tx packets : 1913597
    Tx bytes   : 340337450
    Destination     Mask              Gateway         Dev
    0.0.0.0         0.0.0.0           10.20.2.1       eth0
    10.20.2.0       255.255.255.0     0.0.0.0         eth0
    10.30.30.0      255.255.255.0     10.20.2.1       eth0
    10.30.56.0      255.255.255.0     10.20.2.1       eth0
    10.30.58.0      255.255.255.0     10.20.2.1       eth0
    172.31.0.0      255.255.224.0     172.31.224.1    vti1
    172.31.20.37    255.255.255.255   10.20.2.1       eth0
    172.31.32.0     255.255.224.0     172.31.224.1    vti1
    172.31.224.1    255.255.255.255   0.0.0.0         vti1
    172.31.224.2    255.255.255.255   0.0.0.0         vti2
show cm_conn_status | See the Connector's connectivity status (Up or Down) with the Xshield instance and when the last heartbeat was sent. |
show ipsec_status | See the status of the IPsec services (Enabled and running or Down) on the Connector. |
show ipsec_config | See the IP subnets and domains of the applications accessible from the Connector and the details of the CT Brokers in the Xaccess private network for the instance. |
    CTConnector> show ipsec_config
    Connector Ip: 10.20.2.17
    ResourcesBehindConnector: [u'172.31.20.37', u'10.30.56.0/24', u'10.30.30.0/24', u'10.30.58.0/24']
    DomainsBehindConnector: []
    Connector ID: ip-10-20-2-17@3ac8c5cfc893e08f26d1d7e45cf7bc8
    CT-Gateway# 10.3.7.232
    GlobalID: 1
    Gateway Ip: 10.3.7.232
    Gateway Public Ip: 54.254.230.123
    Ipsec Pool: 172.31.0.0/16
    Gateway ID: xaccesstest.xpatokens.com
    Region: ap-southeast-1
    CT-Gateway# 10.3.7.5
    GlobalID: 2
    Gateway Ip: 10.3.7.5
    Gateway Public Ip: 46.137.225.152
    Ipsec Pool: 172.31.0.0/16
    Gateway ID: xaccesstest.xpatokens.com
    Region: ap-southeast-1
    Loaded connection details:
    --------------------------
    CTSRA-54.254.230.123: , no reauthentication, no rekeying
      local: 10.20.2.17
      remote: 54.254.230.123
      local public key authentication:
        id: C=IN, ST=KARNATAKA, L=BANGALORE, O=COLOR TOKENS, CN=ip-10-20-2-17@3ac8c5cfc893e08f26d1d7e45cf7bc8
        certs: C=IN, ST=KARNATAKA, L=BANGALORE, O=COLOR TOKENS, CN=ip-10-20-2-17@3ac8c5cfc893e08f26d1d7e45cf7bc8
      remote public key authentication:
        id: C=IN, ST=KARNATAKA, L=BANGALORE, O=COLOR TOKENS, CN=xaccesstest.xpatokens.com
      CTSRA-54.254.230.123-Default: TUNNEL, rekeying every 28800s
        local: 0.0.0.0/0
        remote: 0.0.0.0/0
    CTSRA-46.137.225.152: , no reauthentication, no rekeying
      local: 10.20.2.17
      remote: 46.137.225.152
      local public key authentication:
        id: C=IN, ST=KARNATAKA, L=BANGALORE, O=COLOR TOKENS, CN=ip-10-20-2-17@3ac8c5cfc893e08f26d1d7e45cf7bc8
        certs: C=IN, ST=KARNATAKA, L=BANGALORE, O=COLOR TOKENS, CN=ip-10-20-2-17@3ac8c5cfc893e08f26d1d7e45cf7bc8
      remote public key authentication:
        id: C=IN, ST=KARNATAKA, L=BANGALORE, O=COLOR TOKENS, CN=xaccesstest.xpatokens.com
      CTSRA-46.137.225.152-Default: TUNNEL, rekeying every 28800s
        local: 0.0.0.0/0
        remote: 0.0.0.0/0
show ipsec_connections | See the details of the IPsec tunnels established with the CT Brokers for the instance. |
    Connection details:
    +----------------+-------------+-------------+-------------+-------------------------------------------------------------------------------+
    | Source IP      | Tunnel IP   | Duration    | State       | Name                                                                          |
    +----------------+-------------+-------------+-------------+-------------------------------------------------------------------------------+
    | 54.254.230.123 | 172.31.0.2  | 67 minutes  | ESTABLISHED | C=IN, ST=KARNATAKA, L=BANGALORE, O=COLOR TOKENS, CN=xaccesstest.xpatokens.com |
    | 46.137.225.152 | 172.31.32.3 | 665 minutes | ESTABLISHED | C=IN, ST=KARNATAKA, L=BANGALORE, O=COLOR TOKENS, CN=xaccesstest.xpatokens.com |
    +----------------+-------------+-------------+-------------+-------------------------------------------------------------------------------+
show ipsec_tunnel_info <tunnel IP address> | See the details of a specific IPsec tunnel. |
show ipsec_stats | See the details of IKE communication on the Connector: IKE_SA, IKE_SA_INIT, IKE_AUTH, and so on. |
    CTConnector> show ipsec_stats
    Initiated IKE_SA rekeyings : 13
    Responded IKE_SA rekeyings : 0
    Completed CHILD_SA rekeyings : 114
    Messages with invalid types, length or an out-of-range value : 0
    Messages with invalid IKE SPI : 0
    Received IKE_SA_INIT requests : 0
    Received IKE_SA_INIT responses : 19
    Sent IKE_SA_INIT requests : 64
    Sent IKE_SA_INIT responses : 0
    Received IKE_AUTH requests : 0
    Received IKE_AUTH responses : 7
    Sent IKE_AUTH requests : 7
    Sent IKE_AUTH responses : 0
    Received CREATE_CHILD_SA requests : 58
    Received CREATE_CHILD_SA responses : 76
    Sent CREATE_CHILD_SA requests : 76
    Sent CREATE_CHILD_SA responses : 58
    Received INFORMATIONAL requests : 159
    Received INFORMATIONAL responses : 69
    Sent INFORMATIONAL requests : 69
    Sent INFORMATIONAL responses : 159
show version | See the version of the Connector. |
show sys_cpu_usage | See the Connector's CPU usage statistics. |
show sys_mem_usage | See the Connector's memory usage statistics. |
show sys_nw_stat | See the Connector's network statistics. |
show sys_io_block_info | See the statistics of input and output activities on the Connector. |
show nic_details <interface name> | See the details of a specific network interface on the Connector. |
show kernel_net_stats | See the Connector's kernel statistics. |
show ssh_acl | See the status of the SSH service (Enabled or Disabled) on the Connector. |
    CTConnector> show ssh_acl
    SSH ACL Status: Enabled.
    Following IP addresses are configured in SSH ACL list:
    172.31.1.2
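When triaging a tunnel problem, the counters from show ipsec_stats and the table from show ipsec_connections can be checked mechanically once their output has been saved as text. The Python below is an added example, not part of the Connector or of ColorTokens tooling; it flags IKE exchanges where more requests were sent than responses received, totals the invalid-message counters, and lists tunnels whose state is not ESTABLISHED. Assumptions: the sample text is a shortened copy of the output on this page, the last table row (address, name and the CONNECTING state) is constructed, and a sent-minus-received gap is only a heuristic pointer to unanswered requests.

```python
# Added example. STATS is a subset of the `show ipsec_stats` output on this page.
STATS = """\
Messages with invalid types, length or an out-of-range value : 0
Messages with invalid IKE SPI : 0
Received IKE_SA_INIT responses : 19
Sent IKE_SA_INIT requests : 64
Received IKE_AUTH responses : 7
Sent IKE_AUTH requests : 7
"""
# Name column shortened; the last row is constructed (assumed state name).
CONNS = """\
| Source IP      | Tunnel IP   | Duration    | State       | Name |
| 54.254.230.123 | 172.31.0.2  | 67 minutes  | ESTABLISHED | CN=xaccesstest.xpatokens.com |
| 46.137.225.152 | 172.31.32.3 | 665 minutes | ESTABLISHED | CN=xaccesstest.xpatokens.com |
| 192.0.2.10     | -           | 0 minutes   | CONNECTING  | CN=constructed.example |
"""

def parse_counters(text):
    """Turn 'label : value' lines into {label: int}, splitting on the last colon."""
    counters = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")
        if sep and value.strip().isdigit():
            counters[label.strip()] = int(value)
    return counters

def unanswered(counters):
    """Per IKE exchange: requests sent minus responses received, when positive."""
    gaps = {}
    for exch in ("IKE_SA_INIT", "IKE_AUTH", "CREATE_CHILD_SA", "INFORMATIONAL"):
        gap = counters.get(f"Sent {exch} requests", 0) - counters.get(f"Received {exch} responses", 0)
        if gap > 0:
            gaps[exch] = gap
    return gaps

def malformed(counters):
    """Total of the 'Messages with invalid ...' counters."""
    return sum(v for k, v in counters.items() if k.startswith("Messages with invalid"))

def down_tunnels(text):
    """Source IPs of table rows whose State column is not ESTABLISHED."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in text.splitlines() if line.lstrip().startswith("| ")]
    tunnels = [dict(zip(rows[0], r)) for r in rows[1:]]
    return [t["Source IP"] for t in tunnels if t["State"] != "ESTABLISHED"]

if __name__ == "__main__":
    c = parse_counters(STATS)
    print(unanswered(c), malformed(c), down_tunnels(CONNS))
```

With the counters shown on this page, the only gap is in IKE_SA_INIT (64 requests sent, 19 responses received), which is the exchange to look at first when a tunnel to a CT Broker does not come up.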
agent-related commands
Type agent -h to view the agent-related commands.
Command | Description |
agent status | See the status of the agent or the status of the agent upgrade on the Connector. |
agent stop | Stop the agent services on the Connector. |
agent start | Start the agent services on the Connector. |
agent log | See the agent log updates in real-time. |
agent version | See the current version of the agent on the Connector. |
agent download | Download the latest version of the agent to /etc/opt/colortokens/ct-bridge/packages on the Connector. |
agent install | Upgrade the agent on the Connector. |
CLI execution log
All commands run from a Connector are recorded in the log file ctbridge_cli.log, located at /var/opt/colortokens/ctbridge/log.