ASA1120: How to inspect if L2L tunnel is reaching out to peer?

Hello.

In an ASA1120 I inserted a CLI L2L VPN config, and it seems nothing at all is happening. "#sh crypto isakmp sa" shows nothing. 

QUESTIONS: what are the debug commands, and the logging commands I must insert to inspect if this device is trying to communicate with the remote endpoint?

Do I need to generate interesting traffic to have this tunnel initially reach out to its peer (I doubt it)?

Thank you.

Accepted Solution

balaji.bandi
Hall of Fame

Make sure the config on both sides matches - the tunnel establishes automatically when a connection is initiated from known clients in the tunnel access.

Troubleshooting:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html

https://community.cisco.com/t5/security-knowledge-base/site-to-site-vpn-troubleshooting-tips/ta-p/3111356

 

BB


4 Replies


@jmaxwellUSAF you can filter on SYSLOG message 713041, which relates to the ASA attempting to initiate a tunnel with a peer.

%ASA-5-713041: IP = 2.2.2.1, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 2.2.2.1 local Proxy Address 10.20.0.0, remote Proxy Address 10.10.0.0, Crypto map (CMAP)

You can filter that SYSLOG message to console, buffer or SYSLOG server. Example - https://integratingit.wordpress.com/2023/02/09/asa-logging/

You could also enable debugs just to a specific peer - debug crypto condition peer 1.1.1.1

If it's a crypto map (policy based VPN) then yes you do need to generate interesting traffic to bring the tunnel up.

What is the simplest way to generate the interesting traffic? Ping the remote inside destination interface?

It seems to me that even if I do not generate the interesting traffic, the tunnel should be constantly trying to establish at phase 1.

My reason for believing this is that, when erecting these tunnels, immediately after inputting config, I can see success when inserting various commands such as "#show crypto isakmp sa". I have never needed to generate interesting traffic before in these instances. Please discuss?

@jmaxwellUSAF I assume you are actually using a crypto map (policy-based VPN)? A policy-based VPN always needs interesting traffic to establish (only a route-based VPN does not). I would imagine for the other policy-based VPNs there was already traffic attempting to communicate which brought up the tunnels.

Only traffic defined as the source communicating with an IP address defined as the destination in the crypto ACL is referred to as interesting traffic. So ping from an IP address defined as a source to an IP address that is the destination, this should attempt to bring up the tunnel.
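As an added example (not code from this thread or from Cisco), the script below applies both answers: it scans buffered ASA log text for the 713041 "IKE Initiator: New Phase 1" messages and counts attempts per peer, and it checks whether a candidate source/destination pair falls inside the crypto ACL, i.e. whether a test ping would count as interesting traffic. The log lines, the crypto ACL networks and the function names are constructed for the example.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample of ASA buffered log output (not from the original thread).
# The 713041 lines mirror the format quoted in the reply above; the others are noise.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 4711 for OUTSIDE:203.0.113.9/443 (203.0.113.9/443) to INSIDE:10.20.0.5/51234 (10.20.0.5/51234)
%ASA-5-713041: IP = 2.2.2.1, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 2.2.2.1 local Proxy Address 10.20.0.0, remote Proxy Address 10.10.0.0, Crypto map (CMAP)
%ASA-5-713041: IP = 2.2.2.1, IKE Initiator: New Phase 1, Intf INSIDE, IKE Peer 2.2.2.1 local Proxy Address 10.20.0.0, remote Proxy Address 10.10.0.0, Crypto map (CMAP)
%ASA-4-106023: Deny tcp src OUTSIDE:198.51.100.7/55555 dst INSIDE:10.20.0.5/22 by access-group "OUTSIDE_IN"
"""

# Pattern for the 713041 message body as quoted in the reply above.
INITIATOR_RE = re.compile(
    r"%ASA-5-713041: IP = (?P<ip>[\d.]+), IKE Initiator: New Phase 1, Intf (?P<intf>\S+), "
    r"IKE Peer (?P<peer>[\d.]+) local Proxy Address (?P<local>[\d.]+), "
    r"remote Proxy Address (?P<remote>[\d.]+), Crypto map \((?P<cmap>[^)]+)\)"
)

def ike_initiations(log_text):
    """One dict per 713041 line: each is an attempt by the ASA to start Phase 1 with a peer."""
    return [m.groupdict() for line in log_text.splitlines() if (m := INITIATOR_RE.search(line))]

def initiations_per_peer(log_text):
    """Count Phase 1 initiation attempts per IKE peer; an empty Counter means the ASA never tried."""
    return Counter(e["peer"] for e in ike_initiations(log_text))

def is_interesting(src, dst, crypto_acl):
    """True if src->dst sits inside one of the (local_net, remote_net) pairs of the crypto ACL,
    i.e. it is traffic that would trigger a policy-based tunnel to come up."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r) for l, r in crypto_acl)

# Hypothetical crypto ACL: local 10.20.0.0/24 to remote 10.10.0.0/24 (constructed values).
CRYPTO_ACL = [("10.20.0.0/24", "10.10.0.0/24")]

if __name__ == "__main__":
    for peer, n in initiations_per_peer(SAMPLE_LOG).items():
        print(f"peer {peer}: {n} Phase 1 initiation attempt(s)")
    print("10.20.0.5 -> 10.10.0.9 interesting:", is_interesting("10.20.0.5", "10.10.0.9", CRYPTO_ACL))
    print("10.20.0.5 -> 8.8.8.8 interesting:", is_interesting("10.20.0.5", "8.8.8.8", CRYPTO_ACL))
```

If `initiations_per_peer` returns nothing for your peer after you have sent traffic that `is_interesting` reports as matching, the crypto map is not being hit at all, which points at the crypto ACL, the crypto map interface binding or routing rather than at IKE negotiation.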