General encryption troubleshooting – Brocade Fabric OS Encryption Administrator’s Guide Supporting NetApp Lifetime Key Manager (LKM) and KeySecure Storage Secure Key Manager (SSKM) Environments (Supporting Fabric OS v7.2.0) User Manual


Fabric OS Encryption Administrator’s Guide (LKM/SSKM)

53-1002925-01


Encrypt existing data: enabled

Rekey: disabled

Key ID: not available

Operation Succeeded

General encryption troubleshooting

Table 9 lists the commands you can use to check the health of your encryption setup. Table 10 provides additional information for failures you might encounter while configuring switches using the CLI.

TABLE 9   General troubleshooting tips using the CLI

| Command | Activity |
|---|---|
| supportsave | Check whole system configuration. Run RAS logs. Run RAS traces. Run Security Processor (SP) logs (mainly kpd.log). |
| configshow | Check whole system persistent configuration database dump. Check for SPM-, CVLM-, and CNM-related persistent database entries. |
| cfgshow | Check for redirection zones starting with “red_xxx” in defined database for virtual and physical devices. |
| nsshow | Check for crypto virtual target and crypto virtual initiator entries for VT/VI |
| switch:SecurityAdmin> cryptocfg --show -groupcfg | Check key vault connection status. Check encryption group/cluster status. Note: CONVERGED status means the cluster is formed successfully. |
| switch:SecurityAdmin> cryptocfg --show -groupmember -all | 1. Check encryption group/cluster member status. Note: DISCOVERED state means the member is currently part of a cluster. 2. Check encryption engine/SP and KEK status. Note: SP state ONLINE means encryption engine is enabled for encryption with valid KEK (Link Key or Master Key). |

TABLE 10   General errors and conditions

| Problem | Resolution |
|---|---|
| When the connectivity to an LKM/SSKM key vault is lost, a RAS log message is not generated. | Issue any of the cryptocfg commands that attempt a key vault communication (such as the cryptocfg --show -groupcfg command). |
| Connection to a key vault returns a “Not Responding” message. | Determine if the default port has been changed on the key vault. |
| LUN state for some LUNs remains in "initialize" state on the passive path. | This is expected behavior. The LUNs exposed through Passive paths of the target array will be in either Initialize or LUN Discovery Complete state so long as the paths remain in passive condition. When the passive path becomes active, the LUN changes to Encryption Enabled. Use the --show -LUN command with the -stat option to check the LUN state. |
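
An added example, not from the Brocade guide: because a lost key vault connection generates no RAS log message, a script can evaluate captured output of cryptocfg --show -groupcfg and cryptocfg --show -groupmember -all against the healthy states the tables name. The field labels, the "label: value" layout and the sample text are assumptions constructed for illustration, not actual Fabric OS output.

```python
import re

# Healthy values are the ones Tables 9 and 10 name. The field labels and the
# "label: value" layout matched here are assumptions, not Fabric OS output.
RULES = [
    (r"encryption group state", "CONVERGED"),  # cluster formed successfully
    (r"^state", "DISCOVERED"),                 # member is part of a cluster
    (r"\bsp state", "ONLINE"),                 # engine enabled with valid KEK
]

def check_encryption_health(captured):
    """Return a list of findings; an empty list means every check passed."""
    findings, seen = [], set()
    for lineno, raw in enumerate(captured.splitlines(), 1):
        line = raw.strip()
        # A lost key vault produces no RAS log message, so this text in the
        # command output is the only signal available.
        if "not responding" in line.lower():
            findings.append(f"line {lineno}: key vault not responding")
        label, sep, value = line.partition(":")
        if not sep:
            continue
        for pattern, healthy in RULES:
            if re.search(pattern, label.strip(), re.IGNORECASE):
                seen.add(healthy)
                if healthy not in re.split(r"[^A-Z]+", value.upper()):
                    findings.append(
                        f"line {lineno}: {label.strip()} is "
                        f"{value.strip()!r}, expected {healthy}")
    # Fail closed: a state that never appears is unverified, not healthy.
    for _, healthy in RULES:
        if healthy not in seen:
            findings.append(f"no field reporting {healthy} was found")
    return findings

# Constructed sample standing in for captured output of both commands.
SAMPLE = """\
Primary Key Vault state: Not Responding
Encryption Group state: CONVERGED
Node 1
  State: DISCOVERED
  SP state: ONLINE
Node 2
  State: DISCOVERING
  SP state: Waiting for enable
"""

if __name__ == "__main__":
    for finding in check_encryption_health(SAMPLE):
        print(finding)
```

Adjust the label patterns in RULES to the field names your switch actually prints before relying on the result.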
