
Debug Site to Site VPN

Created by dave. Last edited by dave, 89 days ago.
(2013 March 8)

Useful commands for a v9.x VPN debug

Phase 1:
  • you want to see MM_ACTIVE in the State column. MM_* is IKEv1 main mode; an aggressive-mode tunnel shows AM_ACTIVE instead, and IKEv2 peers are listed separately (show crypto ikev2 sa). Any MM_WAIT_* state means Phase 1 has not completed, and a peer that does not appear at all usually means no interesting traffic has hit the crypto ACL yet, so send some (e.g. a ping across the tunnel) before you start debugging.
ciscoasa# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.17.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

Phase 2:
  • you are looking for a non-zero spi on both the inbound and outbound esp sas (a current spi of 0 means no IPsec SA was negotiated) and for non-zero #pkts encaps / #pkts decaps values in the first two pkts lines, which should still be climbing when you re-run the command. Encaps rising with decaps stuck at 0 means traffic is leaving but nothing comes back, so check the far side's routing and crypto ACL; both stuck at 0 means nothing is matching the crypto ACL (often NAT rewriting the traffic before it does):
ciscoasa# show crypto ipsec sa peer 172.17.1.1
peer address: 172.17.1.1
    Crypto map tag: outside_map, seq num: 10, local addr: 172.16.1.1

      access-list asa-router-vpn extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
      current_peer: 172.17.1.1

      #pkts encaps: 1005, #pkts encrypt: 1005, #pkts digest: 1005
      #pkts decaps: 1014, #pkts decrypt: 1014, #pkts verify: 1014
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1005, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.17.1.1/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 8A9FE619
      current inbound spi : D8639BD0

    inbound esp sas:
      spi: 0xD8639BD0 (3630406608)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914900/3519)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x8A9FE619 (2325734937)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914901/3519)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ciscoasa#
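The two checks above (Phase 1: peer present and MM_ACTIVE; Phase 2: non-zero SPIs and encaps/decaps counters that both move) are easy to script when you are staring at a dozen tunnels. The following is an added example, not from the original page: it parses the two show command outputs and returns a list of findings. The healthy sample is built from the captures above (same peer, SPIs and counters); the one-way sample is constructed to show the encaps-but-no-decaps case. Function names and the check wording are mine.

```python
"""Apply the Phase 1 / Phase 2 tunnel checks to ASA show-command output.
Added example; samples below are constructed, the first from the page's capture."""
import re

# Constructed from the page's "show crypto isakmp sa" capture (ASA 9.x layout).
ISAKMP_SAMPLE = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.17.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
"""

# Constructed from the page's "show crypto ipsec sa peer" capture (lines we need).
IPSEC_SAMPLE = """\
peer address: 172.17.1.1
    Crypto map tag: outside_map, seq num: 10, local addr: 172.16.1.1

      #pkts encaps: 1005, #pkts encrypt: 1005, #pkts digest: 1005
      #pkts decaps: 1014, #pkts decrypt: 1014, #pkts verify: 1014
      current outbound spi: 8A9FE619
      current inbound spi : D8639BD0
"""

# Constructed one-way-traffic case: Phase 1 up, SAs present, nothing coming back.
IPSEC_ONEWAY = """\
peer address: 172.17.1.1
    Crypto map tag: outside_map, seq num: 10, local addr: 172.16.1.1

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 1A2B3C4D
      current inbound spi : 5E6F7A8B
"""


def parse_isakmp_sa(text):
    """Return {peer_ip: state} for every IKE peer in 'show crypto isakmp sa'."""
    peers, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            current = m.group(1)          # peer header line, e.g. "1   IKE Peer: ..."
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and current:
            peers[current] = m.group(1)   # e.g. MM_ACTIVE, MM_WAIT_MSG2, AM_ACTIVE
    return peers


def parse_ipsec_sa(text):
    """Return {peer_ip: {encaps, decaps, in_spi, out_spi}} from 'show crypto ipsec sa'."""
    sas, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"peer address:\s*(\S+)", line)
        if m:
            cur = sas.setdefault(m.group(1), {"encaps": 0, "decaps": 0,
                                              "in_spi": None, "out_spi": None})
            continue
        if cur is None:
            continue
        for key, pat in (("encaps", r"#pkts encaps:\s*(\d+)"),
                         ("decaps", r"#pkts decaps:\s*(\d+)")):
            m = re.search(pat, line)
            if m:
                cur[key] = int(m.group(1))
        m = re.search(r"current (outbound|inbound) spi\s*:\s*([0-9A-Fa-f]+)", line)
        if m:
            cur["out_spi" if m.group(1) == "outbound" else "in_spi"] = m.group(2)
    return sas


def check_tunnel(peer, isakmp, ipsec):
    """Return a list of findings for one peer; an empty list means the tunnel looks healthy."""
    findings = []
    state = isakmp.get(peer)
    if state is None:
        findings.append("phase1: no IKE SA for peer (no interesting traffic yet, or peer unreachable)")
    elif state not in ("MM_ACTIVE", "AM_ACTIVE"):
        findings.append(f"phase1: IKE SA stuck in {state}")
    sa = ipsec.get(peer)
    if sa is None:
        findings.append("phase2: no IPsec SA for peer")
        return findings
    if sa["in_spi"] in (None, "0") or sa["out_spi"] in (None, "0"):
        findings.append("phase2: zero or missing ESP spi, no IPsec SA negotiated")
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("phase2: encaps and decaps both 0, traffic is not matching the crypto ACL")
    elif sa["decaps"] == 0:
        findings.append("phase2: encaps rising but decaps 0, nothing coming back (check far-side routing/ACL)")
    elif sa["encaps"] == 0:
        findings.append("phase2: decaps rising but encaps 0, local side not sending (routing/NAT exemption)")
    return findings


def diagnose(isakmp_text, ipsec_text, peer):
    """Convenience wrapper: parse both outputs and check one peer."""
    return check_tunnel(peer, parse_isakmp_sa(isakmp_text), parse_ipsec_sa(ipsec_text))


if __name__ == "__main__":
    print("healthy:", diagnose(ISAKMP_SAMPLE, IPSEC_SAMPLE, "172.17.1.1"))
    print("one-way:", diagnose(ISAKMP_SAMPLE, IPSEC_ONEWAY, "172.17.1.1"))
```

Feed it the raw output of the two commands (pasted from the console or pulled over SSH) and run it twice a few seconds apart if you also want to confirm the counters are still moving; the functions only look at a single snapshot.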

Useful commands for VPN debug

Phase 1 status:

sha-firewall01-p# show crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 72.xx.xx.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 93.xx.xx.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Phase 2 status:

sha-firewall01-p# show crypto ipsec sa
[[...]]