cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
132
Views
0
Helpful
2
Replies

To check Flaps on VTI IPSec tunnels in peer

How to check the flapping issue on VTI Ipsec tunnels in one of my peer in FMC or CLI. If we can check in FMC do let me know.

2 REPLIES 2
Highlighted
VIP Advocate RJI VIP Advocate
VIP Advocate

Re: To check Flaps on VTI IPSec tunnels in peer

Hi,
VTI's are not supported on Firepower Firewalls, I assume you mean VPN instead of VTI?

What issue are you encountering?

You can use the command "show crypto ipsec sa" on the CLI of the FTD.
Also trying turning on debugs for ipsec and upload the output

HTH
swj Cisco Employee
Cisco Employee

Re: To check Flaps on VTI IPSec tunnels in peer

Hi, 

 

VTI tunnel are not supported on FTD. If you mean how to verify status on FMC & FTD. 

 

FMC has Dash board.  However this shows only for Anyconnect according to the below document. There is no GUI for IPSEC AFAIK. 

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_vpn_monitoring.pdf

 

 

image.png

FTD 

====

You need to login LINA. 

 

> system support diagnostic-cli  

Once mode is changed!  you are in LINA,  it's same as ASA Terminal. You can use below commands to View 

show crypto ikev1 sa (for Ikev2 change it to Ikev2 instead of Ikev1)

show crypto ipsec sa peer x.x.x.x details 

 

For Troubleshoot the issue.

debug crypto condition peer x.x.x.x (If you have multiple VPN, its preferred to use condition to avoid debugs of other peers )

debug crypto ikev1 127

debug crypto ipsec 127 

 

Hope this helps.