02-22-2012 07:43 AM - edited 09-25-2017 06:42 AM
Episode Information
Episode Name: Episode 26 - Troubleshooting IPSec VPNs
Contributors: David White Jr., Blayne Dreier, Jay Johnston, Magnus Mortensen, Wen Zhang, Jay Young Taylor
Posting Date: March 6, 2012
Description: Special guests Wen Zhang and Jay Young Taylor discuss troubleshooting methodologies for diagnosing and fixing problems with IPSec VPNs.
Listen Now (MP3 30.8 MB; 42:42 mins)
About the Cisco TAC Security Podcast
The Cisco TAC Security Podcast Series is created by Cisco TAC engineers. Each episode provides an in-depth technical discussion of Cisco product security features, with emphasis on troubleshooting.
Useful commands:
Show commands
show crypto isakmp sa
show crypto ipsec sa peer x.x.x.x
show run | section crypto (on IOS)
show run crypto map (on ASA)
show logging
Debug Commands
debug crypto condition peer ipv4 x.x.x.x
debug crypto isakmp (on IOS)
debug crypto isakmp 128 (on ASA)
debug crypto ipsec (on IOS)
debug crypto ipsec 128 (on ASA)
Test Commands
packet-tracer input inside icmp z.z.z.z 8 0 y.y.y.y detail
ping inside y.y.y.y
ping tcp y.y.y.y
Use IPSec NULL encryption (esp-null authenticates but does not encrypt, so the ESP payload is readable in a packet capture; use it only while troubleshooting)
crypto ipsec transform-set NULLENC esp-null esp-md5-hmac
Packet marking/coloring techniques:
Marking
1. MQC (Modular QoS CLI)
class-map match-all my_flow
 match access-group 150
!
policy-map marking
 class my_flow
  set ip precedence 4
!
interface Ethernet1/0
 service-policy input marking
2. PBR (Policy Based Routing)
interface Ethernet1/0
 ip policy route-map mark
!
access-list 150 permit ip host 172.16.1.2 host 172.16.254.2
!
route-map mark permit 10
 match ip address 150
 set ip precedence flash-override
3. Using router generated pings
Router#ping ip
Target IP address: 172.16.254.2
Repeat count [5]: 100
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]: 128
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
<snip>
Monitoring
1. Packet capture (SPAN/RSPAN/ERSPAN, ASA packet capture, IOS Embedded Packet Capture)
2. IP Precedence accounting
interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip accounting precedence input
!
Router#show interface precedence
Ethernet0/0
  Input
    Precedence 4: 100 packets, 17400 bytes
3. Use ACL counters
Router#sh access-list 144
Extended IP access list 144
10 permit ip any any precedence routine
20 permit ip any any precedence priority
30 permit ip any any precedence immediate
40 permit ip any any precedence flash
50 permit ip any any precedence flash-override (100 matches)
60 permit ip any any precedence critical
70 permit ip any any precedence internet (1 match)
80 permit ip any any precedence network
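The marking and monitoring steps above fit together: the extended ping sets a ToS byte of 128, whose top three bits are IP precedence 4 (flash-override), and the precedence ACL on the far side counts how many of those marked packets actually arrived. The following Python helper, added here as an example and not part of the podcast notes or any Cisco tool, does the ToS-to-precedence arithmetic and parses "show access-list" output of the exact shape shown above into per-precedence match counts, so two snapshots (before and after the pings) can be compared. The BEFORE and AFTER strings are constructed sample output; the parser only understands "permit ip any any precedence NAME (N matches)" entries, which is an assumption of this example.

```python
import re

# IP precedence keyword for each 3-bit value, as IOS prints them.
PRECEDENCE_NAMES = {
    0: "routine", 1: "priority", 2: "immediate", 3: "flash",
    4: "flash-override", 5: "critical", 6: "internet", 7: "network",
}


def precedence_from_tos(tos: int) -> int:
    """IP precedence is the top three bits of the ToS byte.
    ToS 128 (0b1000_0000), as typed into the extended ping, is precedence 4."""
    if not 0 <= tos <= 255:
        raise ValueError("ToS must be a single byte")
    return tos >> 5


def tos_for_precedence(prec: int) -> int:
    """Inverse: the ToS value to answer 'Type of service' with for a given precedence."""
    if not 0 <= prec <= 7:
        raise ValueError("precedence is a 3-bit value")
    return prec << 5


# One ACE line of the form:
#   50 permit ip any any precedence flash-override (100 matches)
# The "(N matches)" suffix is absent when the entry has never matched.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+permit\s+ip\s+any\s+any\s+precedence\s+(?P<name>[\w-]+)"
    r"(?:\s+\((?P<count>\d+)\s+match(?:es)?\))?\s*$"
)


def parse_precedence_counters(output: str) -> dict:
    """Parse 'show access-list' output into {precedence keyword: match count}."""
    counters = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counters[m.group("name")] = int(m.group("count") or 0)
    return counters


def counter_delta(before: dict, after: dict) -> dict:
    """Per-precedence increase between two snapshots (counters only grow until cleared)."""
    return {name: after.get(name, 0) - before.get(name, 0) for name in after}


def marked_packets_seen(before: dict, after: dict, tos: int, expected: int) -> bool:
    """True if at least `expected` new packets carrying the precedence that `tos`
    marks were counted between the two snapshots."""
    name = PRECEDENCE_NAMES[precedence_from_tos(tos)]
    return counter_delta(before, after).get(name, 0) >= expected


# Constructed sample output: the ACL before the 100 marked pings were sent ...
BEFORE = """Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
"""

# ... and afterwards (same shape as the output in the notes above).
AFTER = """Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override (100 matches)
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
"""

if __name__ == "__main__":
    b, a = parse_precedence_counters(BEFORE), parse_precedence_counters(AFTER)
    print("ToS 128 -> precedence", precedence_from_tos(128),
          PRECEDENCE_NAMES[precedence_from_tos(128)])
    print("delta:", counter_delta(b, a))
    print("all 100 marked pings arrived:", marked_packets_seen(b, a, 128, 100))
```

Taking the snapshot before sending the pings matters: the ACL counters are cumulative, so a raw count of 100 on the far side tells you nothing unless you know it was 0 (or any other known value) when you started, and "clear access-list counters" is the alternative to diffing.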
Useful Documents
Troubleshooting guide and common scenarios
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
Hi Jay
I think there is a problem with the attached audio-file.
It stops in the middle of a sentence at 29:01. Same problem with the iTunes file.
Hopefully the rest of the podcast doesn't get lost!
Kind regards and please go on with the great show!
Gernot
Gernot,
Thanks for letting me know; I've contacted the folks that should be able to fix this, and hopefully it will get resolved ASAP. I'll let you know when it is resolved.
Thanks,
Jay
Hello Gernot,
This issue should now be resolved. Please give the download another try and let us know if you continue to experience any trouble.
Thanks,
Blayne
Great job guys. I have been doing IPSEC for years but also learned something new today.
Thanks for sharing your knowledge with us. It would be awesome if you talk about troubleshooting NAT, web and AnyConnect VPNs, firewall port issues and things like that in future episodes.
Thanks to all.
I have to try out that thing with marking the packets, sounds really cool for troubleshooting.
Best wishes
Gernot
ditto, this show rocked!
question for packet tracer command, what should I enter on the source port? destination port is easy but how will i know which source port the source ip would use?
Regards,
N3t
N3t,
We usually just use a random high number port (similar to how any normal network stack would). Why not 12345?
Pretend to be a standard TCP or UDP client; set the port to something in the ephemeral range of 1024-65535 and it should work fine.
That's what I've been doing. Just wanna make sure.
By the way, your podcast rocks. Though I just tuned in a couple of weeks ago, I'm listening to your podcasts to and from work. I'm just new to IT and Security but I'm learning a lot already. Expect a lot of questions from me.
Hoping for more episodes, if possible, one per week. That would be great!
Thanks for the feedback! We're about to release an episode on tips and tricks for parsing through syslogs generated by devices. Expect more in the future.
Looking forward, man... I'm also concentrating on IPS right now since I'll have to organize our IPS here in our company.
Your episode on troubleshooting IPSec really helped me a lot in troubleshooting IPSec with our client peers.
Great job guys!