05-15-2014 02:59 AM
Hello,
I was just wondering what your best VPN debug commands are on an ASA or router regarding phase 1 and 2 and the ACL?
For example I have a site-to-site up between 2 ASAs and phase 1 and 2 are up, but each site can't ping a PC on each site. I'm looking at NAT and the ACLs at the moment, but any useful commands would be most appreciated.
Thanks
Accepted Solutions
05-15-2014 05:03 AM
The 1st two go-to commands are:
show crypto isakmp sa
show crypto ipsec sa
If Phase 1 and Phase 2 aren't up per those respective commands, then go to:
debug crypto isakmp 7
debug crypto ipsec 7
You may need to increase the verbosity level (255 is the highest) and, if you have multiple SAs, focus on the one you are interested in with a filter:
debug crypto condition peer <peer IP>
Once you have Phase 1 and 2 established but are having continued problems with bidirectional traffic flow, look at two things:
1. In the show crypto ipsec sa output, do decaps increase commensurate with the encaps? If not, the distant end may not be getting the return traffic. Confirm with a packet capture and/or trace.
2. Use the packet-tracer command (CLI or GUI) on the ASA to examine how it will treat a given flow. NAT and ACL issues can often be quickly seen using that tool.
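The encaps/decaps check in point 1 is easy to automate when you have several tunnels: take two snapshots of show crypto ipsec sa a minute apart and flag any peer whose encaps counter grew while decaps stayed flat. The script below is an added example, not from the original answer; the two snapshots are constructed sample text (made-up peers and counters) that only follows the ASA line formats, and the function names are my own.

```python
import re

# Constructed sample: two successive "show crypto ipsec sa" snapshots from an ASA.
# Peer addresses and packet counts are made up; only the line formats match ASA output.
SNAPSHOT_1 = """\
    local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
    remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
    current_peer: 203.0.113.5
      #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
      #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
    current_peer: 198.51.100.9
      #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
      #pkts decaps: 470, #pkts decrypt: 470, #pkts verify: 470
"""
SNAPSHOT_2 = """\
    current_peer: 203.0.113.5
      #pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160
      #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
    current_peer: 198.51.100.9
      #pkts encaps: 540, #pkts encrypt: 540, #pkts digest: 540
      #pkts decaps: 505, #pkts decrypt: 505, #pkts verify: 505
"""


def parse_sa_counters(text):
    """Return {peer_ip: (encaps, decaps)} parsed from show crypto ipsec sa output."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = re.search(r"current_peer:\s*(\S+)", line)
        if m:                      # a new SA block starts at each current_peer line
            peer = m.group(1)
            counters[peer] = [0, 0]
            continue
        m = re.search(r"#pkts (encaps|decaps):\s*(\d+)", line)
        if m and peer is not None:
            counters[peer][0 if m.group(1) == "encaps" else 1] = int(m.group(2))
    return {p: tuple(v) for p, v in counters.items()}


def one_way_peers(before, after):
    """Peers whose encaps grew between snapshots while decaps did not: the
    symptom of return traffic never arriving (or failing to decrypt)."""
    suspects = []
    for peer, (enc_after, dec_after) in after.items():
        enc_before, dec_before = before.get(peer, (0, 0))
        if enc_after > enc_before and dec_after <= dec_before:
            suspects.append(peer)
    return suspects


if __name__ == "__main__":
    print(one_way_peers(parse_sa_counters(SNAPSHOT_1), parse_sa_counters(SNAPSHOT_2)))
```

A peer reported here is the one to follow up with packet-tracer and a capture on the far end, as the answer suggests.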
05-16-2014 07:34 AM
Thanks Marvin, I'm glad to say I use a few of these. I got my head round the packet capture today and put it in Wireshark which was great. Can these commands be used on a router too that is in VPN mode?
03-07-2019 06:50 PM