For When You Can't Have The Real Thing

Debug Site to Site VPN

Created by dave. Last edited by dave, 5 years and 68 days ago.
(2013 March 8)

Useful commands for a v9.x VPN debug

Phase 1:
  • you want to see MM_ACTIVE in the State column: Main Mode has completed and phase 1 is up. Any other MM_WAIT_MSGn state means the exchange stalled waiting for that message. MM_WAIT_MSG2 usually means no reply from the peer at all (wrong peer address, UDP/500 blocked, or ISAKMP not enabled on the outside interface); an initiator that sits in MM_WAIT_MSG6 and then starts over is the usual sign of a pre-shared key mismatch. No entry at all for the peer means nothing has matched the crypto ACL yet, so send some interesting traffic first.
ciscoasa# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.17.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs

Phase 2:
  • you are looking for an SPI under both inbound esp sas and outbound esp sas (phase 2 has negotiated), and non-zero, increasing counters in the first two pkts lines (#pkts encaps / #pkts decaps). Run the command twice a few seconds apart: encaps climbing while decaps stays flat means your side is encrypting but the peer never sends anything back (check the remote end's crypto ACL, NAT exemption and routing); decaps climbing while encaps stays flat means the peer's traffic arrives but yours never reaches the crypto map (check local routing and NAT exemption). #send errors / #recv errors should stay at 0.
ciscoasa# show crypto ipsec sa peer 172.17.1.1
peer address: 172.17.1.1
    Crypto map tag: outside_map, seq num: 10, local addr: 172.16.1.1

      access-list asa-router-vpn extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
      current_peer: 172.17.1.1

      #pkts encaps: 1005, #pkts encrypt: 1005, #pkts digest: 1005
      #pkts decaps: 1014, #pkts decrypt: 1014, #pkts verify: 1014
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1005, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.17.1.1/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 8A9FE619
      current inbound spi : D8639BD0

    inbound esp sas:
      spi: 0xD8639BD0 (3630406608)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914900/3519)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x8A9FE619 (2325734937)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3914901/3519)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

ciscoasa#
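The phase 1 and phase 2 checks above, applied by a script to captured CLI output. This is an added example, not something from the original page: it never talks to a device, it just parses the saved text of "show crypto isakmp sa" and "show crypto ipsec sa peer <ip>" (two samples of the latter, taken a few seconds apart) and reports where a tunnel is broken. The embedded sample outputs are constructed to match the page's example, with a second ipsec sample in which only the counters have moved.

```python
# Added example (not from the original page): apply the two checks above to
# captured ASA output. Reads nothing from a device; feed it the text of
# "show crypto isakmp sa" and "show crypto ipsec sa peer <ip>" saved from a
# session. Sample outputs below are constructed to match the page's example.
import re

ISAKMP_SA_OUTPUT = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.17.1.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
"""

IPSEC_SA_OUTPUT = """\
peer address: 172.17.1.1
    Crypto map tag: outside_map, seq num: 10, local addr: 172.16.1.1

      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
      current_peer: 172.17.1.1

      #pkts encaps: 1005, #pkts encrypt: 1005, #pkts digest: 1005
      #pkts decaps: 1014, #pkts decrypt: 1014, #pkts verify: 1014
      #send errors: 0, #recv errors: 0

      current outbound spi: 8A9FE619
      current inbound spi : D8639BD0

    inbound esp sas:
      spi: 0xD8639BD0 (3630406608)
         transform: esp-aes esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x8A9FE619 (2325734937)
         transform: esp-aes esp-sha-hmac no compression
"""

# Constructed second sample "taken a few seconds later": only the counters moved.
IPSEC_SA_OUTPUT_LATER = (IPSEC_SA_OUTPUT
                         .replace("encaps: 1005", "encaps: 1042")
                         .replace("decaps: 1014", "decaps: 1050"))


def parse_isakmp_sa(text):
    """Map each IKE peer address to its State (e.g. MM_ACTIVE, MM_WAIT_MSG6)."""
    states, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            states[peer] = m.group(1)
            peer = None
    return states


def parse_ipsec_sa(text):
    """Pull the encaps/decaps counters and current ESP SPIs for one peer."""
    info = {}
    for key, pat in (("encaps", r"#pkts encaps:\s*(\d+)"),
                     ("decaps", r"#pkts decaps:\s*(\d+)"),
                     ("send_errors", r"#send errors:\s*(\d+)"),
                     ("recv_errors", r"#recv errors:\s*(\d+)")):
        m = re.search(pat, text)
        info[key] = int(m.group(1)) if m else 0
    for key, pat in (("inbound_spi", r"inbound esp sas:\s*spi:\s*0x([0-9A-Fa-f]+)"),
                     ("outbound_spi", r"outbound esp sas:\s*spi:\s*0x([0-9A-Fa-f]+)")):
        m = re.search(pat, text)
        info[key] = m.group(1).upper() if m else None
    return info


def diagnose(peer, isakmp_text, ipsec_first, ipsec_second):
    """Phase 1 state first, then phase 2 SPIs, then counter movement between two samples."""
    state = parse_isakmp_sa(isakmp_text).get(peer)
    if state is None:
        return "phase1-missing"          # no IKE SA at all: nothing matched the crypto ACL, or peer unreachable
    if state != "MM_ACTIVE":
        return "phase1-stuck:" + state   # e.g. MM_WAIT_MSG6 with a pre-shared key mismatch
    a, b = parse_ipsec_sa(ipsec_first), parse_ipsec_sa(ipsec_second)
    if not (b["inbound_spi"] and b["outbound_spi"]):
        return "phase2-missing"          # IKE is up but no ESP SAs were negotiated
    tx, rx = b["encaps"] - a["encaps"], b["decaps"] - a["decaps"]
    if tx > 0 and rx > 0:
        return "ok"
    if tx > 0:
        return "one-way:sending-only"    # peer is not returning traffic
    if rx > 0:
        return "one-way:receiving-only"  # our traffic never enters the tunnel
    return "idle"                        # SAs present but no interesting traffic in the interval


if __name__ == "__main__":
    print(diagnose("172.17.1.1", ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT, IPSEC_SA_OUTPUT_LATER))
```

Paste the real output in place of the constants (or read it from files) and take the two ipsec samples a few seconds apart while traffic is flowing; the counter diff is what separates a one-way tunnel from one that is simply idle.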

Useful commands for VPN debug

Phase 1 status:

sha-firewall01-p# show crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 72.xx.xx.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 93.xx.xx.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Phase 2 status:

sha-firewall01-p# show crypto ipsec sa
[...]

Forcing A Reconnect

Kill phase 2 (1.1.1.1 stands for the peer address):

clear crypto ipsec sa peer 1.1.1.1

Kill phase 1:

clear crypto isakmp sa peer 1.1.1.1

Either way the tunnel only comes back up when one side sends interesting traffic (something matching the crypto ACL), so generate some after clearing; if it still does not return, the other end is where to look.

Debug logging

Logs to the console or SSH session. (Don't know about syslog right now.)

Phase 1:

debug crypto isakmp 127

Phase 2:

debug crypto ipsec 127

For both, increasing the level to 254 will show you the packets, but you shouldn't need that. Note this will be noisy on systems with more than one VPN; restrict the output to the peer you care about before turning the debugs on:

debug crypto condition peer IPv4 172.17.1.1

and switch them off again when done with no debug crypto isakmp / no debug crypto ipsec (or undebug all). On 8.4 and later the IKEv1 debug is also available as debug crypto ikev1 <level>; an IKEv2 tunnel needs debug crypto ikev2 protocol <level> and debug crypto ikev2 platform <level> instead.
