Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
5943
Views
15
Helpful
8
Comments

Tool to diagnose VPN configuration problems

Jay Young
Cisco Employee
Cisco Employee

on ‎10-21-2015 08:06 AM

Hello folks,

 

IPsec tunnels between two devices have many configuration options and settings that need to be aligned for the tunnels to come up correctly.  In fact we see hundreds of cases per month for configuration assistance requests for VPN tunnels.  In an effort to make things easier for our customers I wanted to introduce you to a tool that has been developed by myself and a few other Cisco TAC security engineers.

 

IPsec Lan-to-Lan Configuration Checker

(http://www.cisco.com/c/en/us/support/web/redirects/l2l-checker.html)

 

The tool checks the configuration of two devices (IOS or ASA), examines for the presence of a crypto map based tunnel between them.  If discovered it will do an analysis of the most common configuration mistakes and best practices.  This tool's goal is to help you identify any configuration reasons why your tunnel is not establishing or traffic is correctly passing over it.

 

Currently there it only support static crypto map Lan-to-Lan tunnels between IOS, IOS-XE and ASA devices.

 

If there is a specific feature you would like to see or if you run into problems with the tool please let use know at tool_l2l_checker_feedback@cisco.com

 

The tool was recently updated, here is an example of the output generated:

Here is an example of the older version:

 

Labels:
Comments
afroissart
Level 1
Level 1
‎10-21-2015 08:55 AM

amazing tool
thanks !!!

Rahul Govindan
VIP Alumni
VIP Alumni
‎12-23-2015 01:27 PM

Hey Jay,

Link directs to a "Page not found" section . Any updated links?

Jay Young
Cisco Employee
Cisco Employee
‎12-24-2015 06:15 AM

Thanks for the heads up.  I am having the IT group look into it.  Once we get it working again it will still be at the same link.

-Jay

helios999
Level 1
Level 1
‎03-10-2016 03:20 AM

Do we need a service contract to access this tool?

Jay Young
Cisco Employee
Cisco Employee
‎03-10-2016 07:23 AM

Helios999,

You shouldn't need one at this time, this may change however.  You will need a CCO account though.

-Jay

Jay Young
Cisco Employee
Cisco Employee
‎03-10-2016 08:38 AM

Helios999,

I just double checked.  It is required to have an active contract.

-Jay

al1k-star
Community Member
‎10-02-2016 11:50 AM

I have an active contract on ASA, but i can't use that tool.

What i've missing?

acarola
Cisco Employee
Cisco Employee
‎10-04-2016 08:09 AM
If your company is a Cisco customer or Cisco Partner please visit the following link to associate your profile to your company.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents