To check flaps on VTI IPsec tunnels in a peer

How can I check a flapping issue on VTI IPsec tunnels on one of my peers, in FMC or the CLI? If it can be checked in FMC, do let me know.

Accepted Solution

swj
Cisco Employee

Hi,

VTI tunnels are not supported on FTD. If you mean how to verify status on FMC & FTD:

FMC has a Dashboard. However, this shows only AnyConnect according to the document below. There is no GUI for IPsec AFAIK.

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/firepower_threat_defense_vpn_monitoring.pdf


FTD 

====

You need to log in to LINA.

> system support diagnostic-cli

Once the mode is changed, you are in LINA; it's the same as an ASA terminal. You can use the commands below to view the status:

show crypto ikev1 sa (for IKEv2, change ikev1 to ikev2)

show crypto ipsec sa peer x.x.x.x details

To troubleshoot the issue:

debug crypto condition peer x.x.x.x (if you have multiple VPNs, it's preferable to use a condition to avoid debugs from other peers)

debug crypto ikev1 127

debug crypto ipsec 127 

 

Hope this helps. 
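An added example, not from this thread or from Cisco: a small Python script that compares two snapshots of `show crypto ipsec sa` output taken some seconds apart and labels each peer as stable, rekey, or flap. The idea is that a scheduled rekey replaces the outbound SPI only when the old SA's time or volume lifetime is nearly used up, whereas a flapping tunnel gets a new SPI while plenty of lifetime remained. The snapshot layout and all sample values are constructed assumptions modelled on typical ASA/LINA output, so check the regular expressions against your own device's output before relying on the verdicts.

```python
import re
# Constructed sample in the style of LINA "show crypto ipsec sa" output; the layout is an assumption.
SNAP_T0 = """      current_peer: 203.0.113.2
      current outbound spi: 8A3C2D1F
      spi: 0x8A3C2D1F (2319199519)
         sa timing: remaining key lifetime (kB/sec): (4374000/28012)
      current_peer: 198.51.100.7
      current outbound spi: 0C0FFEE1
      spi: 0x0C0FFEE1 (202112737)
         sa timing: remaining key lifetime (kB/sec): (4373990/27900)
"""
SNAP_T1 = """      current_peer: 203.0.113.2
      current outbound spi: 8A3C2D1F
      spi: 0x8A3C2D1F (2319199519)
         sa timing: remaining key lifetime (kB/sec): (4373900/27952)
      current_peer: 198.51.100.7
      current outbound spi: 77AB10DE
      spi: 0x77AB10DE (2008092894)
         sa timing: remaining key lifetime (kB/sec): (4374000/28795)
"""
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
OUT_RE = re.compile(r"current outbound spi:\s*([0-9A-Fa-f]+)")
SPI_RE = re.compile(r"^\s*spi:\s*0x([0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(kB/sec\):\s*\((\d+)/(\d+)\)")
def parse_ipsec_sa(text):  # -> {peer: (outbound_spi, kb_left, sec_left)} for the current outbound SA
    result, peer, want, in_sa = {}, None, None, False
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer, want, in_sa = m.group(1), None, False   # a new peer block starts
        elif m := OUT_RE.search(line):
            want = m.group(1).upper()                     # SPI of the SA to report on
        elif m := SPI_RE.search(line):
            in_sa = m.group(1).upper() == want            # skip inbound / stale SA blocks
        elif in_sa and (m := LIFE_RE.search(line)) and peer not in result:
            result[peer] = (want, int(m.group(1)), int(m.group(2)))
    return result

def classify(prev, curr, elapsed_sec, margin_sec=300, margin_kb=10_000):  # two snapshots, elapsed_sec apart
    verdict = {p: "down" for p in prev.keys() - curr.keys()}
    for peer, (spi, _kb, _sec) in curr.items():
        old = prev.get(peer)
        if old is None:
            verdict[peer] = "new"
        elif old[0] == spi:
            verdict[peer] = "stable"
        elif old[2] - elapsed_sec > margin_sec and old[1] > margin_kb:
            verdict[peer] = "flap"   # SA replaced well before time or volume expiry
        else:
            verdict[peer] = "rekey"  # SPI changed around the time a rekey was due
    return verdict
```

Feeding the two constructed snapshots to `classify(parse_ipsec_sa(SNAP_T0), parse_ipsec_sa(SNAP_T1), 60)` reports 203.0.113.2 as stable and 198.51.100.7 as a flap, since its SPI changed with nearly 28000 seconds of lifetime still left.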


2 Replies

Hi,
VTIs are not supported on Firepower firewalls; I assume you mean VPN instead of VTI?

What issue are you encountering?

You can use the command "show crypto ipsec sa" on the CLI of the FTD.
Also try turning on debugs for IPsec and upload the output.

HTH

