TAC Security Podcast Episode #26 - Troubleshooting IPSec VPNs



Episode Information


Episode Name: Episode 26 - Troubleshooting IPSec VPNs

Contributors:  David White Jr., Blayne Dreier, Jay Johnston, Magnus Mortensen, Wen Zhang, Jay Young Taylor

Posting Date: March 6, 2012

Description: Special guests Wen Zhang and Jay Young Taylor discuss troubleshooting methodologies for diagnosing and fixing problems with IPSec VPNs.


Listen Now    (MP3 30.8 MB; 42:42 mins)





About the Cisco TAC Security Podcast


The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.


Complete episode listing and show information



Show Notes


Useful commands:


Show commands


show crypto isakmp sa

show crypto ipsec sa peer x.x.x.x

show run | section crypto (on IOS)

show run crypto map (on ASA)

show logging


Debug Commands


debug crypto condition peer ipv4 x.x.x.x

debug crypto isakmp (on IOS)

debug crypto isakmp 128 (on ASA)

debug crypto ipsec (on IOS)

debug crypto ipsec 128 (on ASA)


Test Commands


packet-tracer input inside icmp z.z.z.z 8 0 y.y.y.y detail

ping inside y.y.y.y

ping tcp y.y.y.y


Use IPSec NULL Encryption


crypto ipsec transform-set NULLENC esp-null esp-md5-hmac


Packet marking/coloring techniques:




1. MQC (Modular QoS CLI)

class-map match-all my_flow
 match access-group 150
!
policy-map marking
 class my_flow
  set ip precedence 4
!
interface Ethernet1/0
 service-policy input marking


2. PBR (Policy Based Routing)

interface Ethernet1/0
 ip policy route-map mark
!
access-list 150 permit ip host host
!
route-map mark permit 10
 match ip address 150
 set ip precedence flash-override


3. Using router generated pings

Router#ping ip
Target IP address:
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 128
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:






1. Packet capture (SPAN/RSPAN/ERSPAN, ASA packet capture, IOS Embedded Packet Capture)


2. IP Precedence accounting

interface Ethernet0/0
 ip address
 ip accounting precedence input

Router#show interface precedence

Precedence 4:  100 packets, 17400 bytes


3. Use ACL counters

Router#sh access-list 144
Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override (100 matches)
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
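The marking and counting steps above fit together as one check: the ToS value typed at the extended ping prompt (128) sets IP precedence 4, which IOS names flash-override, and the ACL on the far side of the tunnel should then show the same number of matches as the ping repeat count. The helper below is an added example, not from the episode or from Cisco; it converts between ToS and precedence, parses constructed `show access-list` output modelled on the notes, and reports whether the marked packets were counted.

```python
"""Tie the packet-marking technique together: derive the precedence name
for a ToS byte and check the far-side ACL counters for it.  Added example;
the sample output below is constructed to match the show notes."""
import re

# IP precedence names exactly as IOS prints them, indexed by value 0-7.
PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]

# One ACE from 'show access-list' with an optional "(N matches)" suffix.
ACE_RE = re.compile(
    r"^\s*(\d+)\s+permit ip any any precedence (\S+)"
    r"(?:\s+\((\d+) match(?:es)?\))?\s*$")


def tos_for_precedence(prec):
    """ToS byte for a precedence value: precedence is the top three bits,
    so precedence 4 -> 0x80 = 128 (the extended ping 'Type of service')."""
    if not 0 <= prec <= 7:
        raise ValueError("IP precedence must be 0-7")
    return prec << 5


def precedence_for_tos(tos):
    """Inverse: the precedence name IOS would show for a ToS byte."""
    return PRECEDENCE_NAMES[(tos & 0xFF) >> 5]


def parse_precedence_counters(show_output):
    """Map each precedence ACE in 'show access-list' output to its match
    count (0 when IOS prints no '(N matches)' suffix)."""
    counts = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(3) or 0)
    return counts


def marked_packets_seen(show_output, tos, expected):
    """Return (precedence name, matches seen, enough?) for traffic marked
    with 'tos'; 'enough' is True when at least 'expected' packets hit."""
    name = precedence_for_tos(tos)
    seen = parse_precedence_counters(show_output).get(name, 0)
    return name, seen, seen >= expected


# Constructed sample: the counter ACL after 100 pings sent with ToS 128.
SAMPLE = """Extended IP access list 144
    10 permit ip any any precedence routine
    50 permit ip any any precedence flash-override (100 matches)
    70 permit ip any any precedence internet (1 match)
"""

if __name__ == "__main__":
    print(marked_packets_seen(SAMPLE, 128, 100))
```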


Topologies Referenced in the Show

Useful Documents


Troubleshooting guide and common scenarios


Hi Jay

I think there is a problem with the attached audio file.

It stops in the middle of a sentence at 29:01. Same problem with the iTunes file.

Hopefully the rest of the podcast doesn't get lost!

Kind regards, and please go on with the great show!


Jay Johnston
Cisco Employee


Thanks for letting me know; I've contacted the folks that should be able to fix this, and hopefully it will get resolved ASAP. I'll let you know when it is resolved.



Christopher Dreier

Hello Gernot,

This issue should now be resolved. Please give the download another try and let us know if you continue to experience any trouble.




Great job guys. I have been doing IPSec for years but also learned something new today.

Thanks for sharing your knowledge with us. It would be awesome if you talk about troubleshooting NAT, web and AnyConnect VPNs, firewall port issues and things like that in future episodes.


Thanks to all.

I have to try out that thing with marking the packets, sounds really cool for troubleshooting.

Best wishes



Ditto, this show rocked!


Question for the packet-tracer command: what should I enter for the source port? The destination port is easy, but how will I know which source port the source IP would use?



Magnus Mortensen
Cisco Employee


We usually just use a random high-numbered port (similar to how any normal network stack would). Why not 12345?

Jay Johnston
Cisco Employee

Pretend to be a standard TCP or UDP client; set the port to something in the ephemeral range of 1024-65535 and it should work fine.


That's what I've been doing. Just wanted to make sure.

By the way, your podcast rocks. Though I only tuned in a couple of weeks ago, I'm listening to your podcasts to and from work. I'm new to IT and security but I'm learning a lot already. Expect a lot of questions from me.

Hoping for more episodes, if possible one per week. That would be great!

Jay Johnston
Cisco Employee

Thanks for the feedback! We're about to release an episode on tips and tricks for parsing through syslogs generated by devices. Expect more in the future.


Looking forward to it, man... I'm also concentrating on IPS right now since I'll have to organize our IPS here in our company.

Your episode on troubleshooting IPSec really helped me a lot in troubleshooting IPSec with our client peers.

Great job guys!
