10-20-2023 07:00 AM
Hello.
In an ASA1120 I inserted a CLI L2L VPN config, and it seems nothing at all is happening. "#sh crypto isakmp sa" shows nothing.
QUESTIONS: what are the debug commands, and the logging commands I must insert to inspect if this device is trying to communicate with the remote endpoint?
Do i need to generate interesting traffic to have this tunnel initially reach out to its peer (I doubt it.)?
Thank you.
10-20-2023 07:05 AM
Make sure the config on both sides matches. The tunnel establishes automatically when a connection is initiated from known clients in the tunnel access list.
Troubleshooting:
10-20-2023 07:07 AM - edited 10-20-2023 07:08 AM
@MicJameson1 you can filter on SYSLOG message 713041, which relates to the ASA attempting to initiate a tunnel with a peer.
%ASA-5-713041: IP = 2.2.2.1, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 2.2.2.1 local Proxy Address 10.20.0.0, remote Proxy Address 10.10.0.0, Crypto map (CMAP)
You can filter that SYSLOG message to console, buffer or SYSLOG server. Example - https://integratingit.wordpress.com/2023/02/09/asa-logging/
You could also enable debugs just for a specific peer - debug crypto condition peer 1.1.1.1
If it's a crypto map (policy based VPN) then yes you do need to generate interesting traffic to bring the tunnel up.
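The 713041 message quoted above is the simplest evidence that the ASA is actually trying to initiate IKE. The following is an added example (not part of the original thread and not Cisco code) that filters that message out of a syslog buffer export and extracts the peer, interface, proxy addresses and crypto map, so you can confirm per peer whether an initiation attempt ever happened. The log text is constructed here from the thread's sample line plus a second, invented initiation and one unrelated noise line; the second peer, interface and proxy networks are assumptions.

```python
import re

# Regex for ASA syslog 713041 ("IKE Initiator: New Phase 1"), built from the
# message format shown in the thread. Field names are local labels, not ASA terms.
MSG_713041 = re.compile(
    r"%ASA-\d-713041: IP = (?P<ip>[\d.]+), IKE Initiator: New Phase 1, "
    r"Intf (?P<intf>[^,]+), IKE Peer (?P<peer>[\d.]+) "
    r"local Proxy Address (?P<local_proxy>[\d.]+), "
    r"remote Proxy Address (?P<remote_proxy>[\d.]+), "
    r"Crypto map \((?P<cmap>[^)]+)\)"
)

# Constructed sample: line 1 is the thread's example; lines 2-3 are invented
# (an unrelated message id and a second, hypothetical peer 3.3.3.1).
SAMPLE_LOG = """\
%ASA-5-713041: IP = 2.2.2.1, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 2.2.2.1 local Proxy Address 10.20.0.0, remote Proxy Address 10.10.0.0, Crypto map (CMAP)
%ASA-6-302013: Built outbound TCP connection (constructed noise line, not a 713041)
%ASA-5-713041: IP = 3.3.3.1, IKE Initiator: New Phase 1, Intf OUTSIDE, IKE Peer 3.3.3.1 local Proxy Address 192.168.1.0, remote Proxy Address 172.16.0.0, Crypto map (CMAP)
"""


def parse_ike_initiations(log_text):
    """Return one dict per 713041 line found, in log order.

    Lines that are not 713041 messages (or that do not match the expected
    field layout) are ignored, so this can be fed a raw 'show logging' dump.
    """
    hits = []
    for line in log_text.splitlines():
        m = MSG_713041.search(line)
        if m:
            hits.append(m.groupdict())
    return hits


def initiations_for_peer(log_text, peer):
    """Filter parsed 713041 records down to a single IKE peer address.

    An empty list for the peer you expect means the ASA never even tried to
    initiate Phase 1 towards it, which usually points at missing interesting
    traffic or a crypto map / ACL that does not match the flow.
    """
    return [h for h in parse_ike_initiations(log_text) if h["peer"] == peer]


if __name__ == "__main__":
    for rec in parse_ike_initiations(SAMPLE_LOG):
        print(f"peer={rec['peer']} intf={rec['intf']} "
              f"{rec['local_proxy']} -> {rec['remote_proxy']} cmap={rec['cmap']}")
    print("attempts to 9.9.9.9:", len(initiations_for_peer(SAMPLE_LOG, "9.9.9.9")))
```

Run it against the output of `show logging` (with the 713041 message enabled at the buffer or syslog destination as in the linked example); if the peer you configured never appears, the device has not tried to talk to it at all, which narrows the problem to the crypto map match rather than to IKE negotiation.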
10-20-2023 07:18 AM
What is the simplest way to generate the interesting traffic? Ping the remote inside destination interface?
It seems to me that even if I do not generate the interesting traffic, the tunnel should be constantly trying to establish at phase 1.
My reason for believing this is that, when erecting these tunnels, immediately after inputting config, I can see success when inserting various commands such as "#show crypto isakmp sa". I have never needed to generate interesting traffic before in these instances. Please discuss?
10-20-2023 07:24 AM - edited 10-20-2023 07:26 AM
@MicJameson1 I assume you are actually using a crypto map (policy-based VPN)? A policy-based VPN always needs interesting traffic to establish (only a route-based VPN does not). I would imagine for the other policy-based VPNs there was already traffic attempting to communicate which brought up the tunnels.
Only traffic from a source defined in the crypto ACL communicating with an IP address defined as the destination in the crypto ACL is referred to as interesting traffic. So ping from an IP address defined as a source to an IP address defined as a destination; this should attempt to bring up the tunnel.
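To make the "interesting traffic" definition above concrete, here is an added example (not from the thread, not Cisco code) that parses a crypto ACL written in ASA `access-list ... extended` syntax and reports whether a given source/destination pair would match it. The ACL itself is constructed: the thread's syslog line only shows the proxy networks 10.20.0.0 and 10.10.0.0, so the /16 masks, the ACL name VPN-ACL and the host entries are assumptions. Pinging the peer's outside address, or pinging from the ASA's own interface IP when that IP is not in the ACL, does not match and so will not bring the tunnel up, which the last check below illustrates.

```python
from ipaddress import ip_address, ip_network

# Constructed crypto ACL (assumed masks and hosts; only the two network
# addresses come from the thread's 713041 sample).
CRYPTO_ACL = """\
access-list VPN-ACL extended deny ip host 10.20.9.9 10.10.0.0 255.255.0.0
access-list VPN-ACL extended permit ip 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0
access-list VPN-ACL extended permit ip host 10.20.1.10 host 10.10.5.5
"""


def _parse_addr(tokens, i):
    """Parse one ASA address operand starting at tokens[i].

    Accepts 'host A', 'any'/'any4', or 'A MASK' (dotted netmask) and returns
    (network, index_of_next_token).
    """
    tok = tokens[i]
    if tok == "host":
        return ip_network(tokens[i + 1]), i + 2
    if tok in ("any", "any4"):
        return ip_network("0.0.0.0/0"), i + 1
    # ipaddress understands "a.b.c.d/dotted.netmask"; strict=False tolerates
    # host bits in the address field.
    return ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text):
    """Return [(acl_name, action, src_net, dst_net), ...] in ACL order.

    Only 'extended ... ip' entries are handled, which is what a crypto ACL
    for an L2L tunnel normally contains; anything else is skipped.
    """
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        action, proto = tokens[3], tokens[4]
        if proto != "ip" or action not in ("permit", "deny"):
            continue
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[1], action, src, dst))
    return entries


def is_interesting(entries, src_ip, dst_ip):
    """Return the matching permit entry as (name, src_net, dst_net), or None.

    The ACL is evaluated top-down; a deny that matches first means the flow
    is explicitly not protected, so it is not interesting traffic either.
    """
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for name, action, src, dst in entries:
        if s in src and d in dst:
            return (name, src, dst) if action == "permit" else None
    return None


if __name__ == "__main__":
    acl = parse_crypto_acl(CRYPTO_ACL)
    for src, dst in [("10.20.1.10", "10.10.5.5"), ("10.20.9.9", "10.10.1.1"),
                     ("10.20.1.10", "8.8.8.8"), ("2.2.2.2", "10.10.0.1")]:
        print(src, "->", dst, "interesting" if is_interesting(acl, src, dst) else "not interesting")
```

A practical way to use this: take the crypto ACL from `show run access-list`, pick a source host that matches and ping a destination that matches; if the pair is reported as not interesting, no amount of pinging will produce a 713041 message, so the ACL or the crypto map binding is the thing to fix.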