
Debug Site to Site VPN

(2013 March 8)

Useful commands for a v9.x VPN debug

Phase 1:

  • you want to see MM_ACTIVE in the State column for the peer (phase 1 is complete):
    ciscoasa# show crypto isakmp sa

    IKEv1 SAs:

       Active SA: 1
        Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1   IKE Peer: 172.17.1.1
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

    There are no IKEv2 SAs

Phase 2:

  • you are looking for non-zero inbound and outbound ESP SA (SPI) values as well as non-zero counters in the first two #pkts lines (encaps and decaps):


    ciscoasa# show crypto ipsec sa peer 172.17.1.1
    peer address: 172.17.1.1
        Crypto map tag: outside_map, seq num: 10, local addr: 172.16.1.1

          access-list asa-router-vpn extended permit ip 10.10.10.0 255.255.255.0
           10.20.10.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
          current_peer: 172.17.1.1


          #pkts encaps: 1005, #pkts encrypt: 1005, #pkts digest: 1005
          #pkts decaps: 1014, #pkts decrypt: 1014, #pkts verify: 1014
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 1005, #pkts comp failed: 0, #pkts decomp failed: 0
          #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
          #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
          #TFC rcvd: 0, #TFC sent: 0
          #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
          #send errors: 0, #recv errors: 0

          local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.17.1.1/0
          path mtu 1500, ipsec overhead 74(44), media mtu 1500
          PMTU time remaining (sec): 0, DF policy: copy-df
          ICMP error validation: disabled, TFC packets: disabled
          current outbound spi: 8A9FE619
          current inbound spi : D8639BD0

        inbound esp sas:
          spi: 0xD8639BD0 (3630406608)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 8192, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914900/3519)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0xFFFFFFFF 0xFFFFFFFF
        outbound esp sas:
          spi: 0x8A9FE619 (2325734937)
             transform: esp-aes esp-sha-hmac no compression
             in use settings ={L2L, Tunnel, IKEv1, }
             slot: 0, conn_id: 8192, crypto-map: outside_map
             sa timing: remaining key lifetime (kB/sec): (3914901/3519)
             IV size: 16 bytes
             replay detection support: Y
             Anti replay bitmap:
              0x00000000 0x00000001

    ciscoasa#
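As an added example (not part of the original notes), a small Python checker that applies the two checks above to captured show output: phase 1 must report MM_ACTIVE for the peer, and phase 2 must have both ESP SPIs plus non-zero encaps and decaps counters. The sample text is constructed from the outputs above and the function names are my own.

```python
import re

# Constructed sample: the relevant lines of the show outputs above (IKEv1 L2L tunnel).
ISAKMP_SA = """\
1   IKE Peer: 172.17.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""
IPSEC_SA = """\
peer address: 172.17.1.1
      #pkts encaps: 1005, #pkts encrypt: 1005, #pkts digest: 1005
      #pkts decaps: 1014, #pkts decrypt: 1014, #pkts verify: 1014
      current outbound spi: 8A9FE619
      current inbound spi : D8639BD0
"""

def phase1_states(text):
    """Map each IKE peer address to its phase-1 state (MM_ACTIVE when up)."""
    return dict(re.findall(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", text, re.S))

def phase2_counters(text):
    """Pull the encaps/decaps counters and the current SPIs for one peer."""
    def field(pattern, default):
        m = re.search(pattern, text)
        return m.group(1) if m else default
    return {
        "encaps": int(field(r"#pkts encaps:\s*(\d+)", "0")),
        "decaps": int(field(r"#pkts decaps:\s*(\d+)", "0")),
        "out_spi": int(field(r"current outbound spi:\s*([0-9A-Fa-f]+)", "0"), 16),
        "in_spi": int(field(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", "0"), 16),
    }

def diagnose(isakmp_text, ipsec_text, peer):
    """Return the first failing stage for `peer`, in the order the checks above apply."""
    if phase1_states(isakmp_text).get(peer) != "MM_ACTIVE":
        return "phase1-not-active"       # start with debug crypto isakmp
    c = phase2_counters(ipsec_text)
    if c["in_spi"] == 0 or c["out_spi"] == 0:
        return "phase2-no-esp-sa"        # no IPsec SA yet: debug crypto ipsec
    if c["encaps"] == 0 and c["decaps"] == 0:
        return "phase2-no-traffic"       # SA is up but nothing matches the crypto ACL
    if c["encaps"] == 0 or c["decaps"] == 0:
        return "phase2-one-way"          # packets leave but none return, or vice versa
    return "healthy"
```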

Useful commands for VPN debug

Phase 1 status:

sha-firewall01-p# show crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 72.xx.xx.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 93.xx.xx.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Phase 2 status:

sha-firewall01-p# show crypto ipsec sa
[[...]]

Forcing A Reconnect

Kill phase 2:

clear crypto ipsec sa peer 1.1.1.1

Kill phase 1:

clear crypto isakmp sa peer 1.1.1.1

Debug logging

Logs go to the console or SSH session. (Don't know about syslog right now.)

Phase 1:

debug crypto isakmp 127

Phase 2:

debug crypto ipsec 127

For both, increasing the level to 254 will also show you the packets, but you shouldn't need that. Note that this will be noisy on systems with more than one VPN.