Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
29534
Views
6
Helpful
3
Replies

Best VPN debug commands?

Go to solution
Andy White
Level 3
Level 3

‎05-15-2014 02:59 AM

Hello,

I was just wondering what your best VPN debug commands are on a ASA or router regarding phase 1 and 2 and the ACL?

For example I have have a site-to-site up between 2 ASAs and phase 1 and 2 are up, but each site can't ping a PC on each site.  I'm looking at NAT and the ACLs at the moment, but any useful commands woudl be most appreciated.

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-15-2014 05:03 AM

The 1st two go-to commands are:

     show crypto isakmp sa

     show crypto ipsec sa

If Phase 1 and Phase 2 aren't up per those respective commands, then go to:

     debug crypto isakmp 7

     debug crypto ipsec 7

You may need to increase the verbosity level (255 is the highest) and, if you have multiple SAs, focus on the one you are interested in with a filter:

     debug crypto condition peer <peer IP>

Once you have Phase 1 and 2 established but are having continued problems with bidirectional traffic flow, look at two things:

1. In the show crypto ipsec sa output, do decaps increase commensurate with the encaps. If not, the distant end may not be getting the return traffic. Confirm with a packet capture and/or trace.

2. Use the packet-tracer command (CLI or GUI) on the ASA to examine how it will treat a given flow. NAT and ACL issues can often be quickly seen using that tool.

View solution in original post

3 Replies 3

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-15-2014 05:03 AM

The 1st two go-to commands are:

     show crypto isakmp sa

     show crypto ipsec sa

If Phase 1 and Phase 2 aren't up per those respective commands, then go to:

     debug crypto isakmp 7

     debug crypto ipsec 7

You may need to increase the verbosity level (255 is the highest) and, if you have multiple SAs, focus on the one you are interested in with a filter:

     debug crypto condition peer <peer IP>

Once you have Phase 1 and 2 established but are having continued problems with bidirectional traffic flow, look at two things:

1. In the show crypto ipsec sa output, do decaps increase commensurate with the encaps. If not, the distant end may not be getting the return traffic. Confirm with a packet capture and/or trace.

2. Use the packet-tracer command (CLI or GUI) on the ASA to examine how it will treat a given flow. NAT and ACL issues can often be quickly seen using that tool.

Go to solution
Andy White
Level 3
Level 3
In response to Marvin Rhoads

‎05-16-2014 07:34 AM

Thanks Marvin, I'm glad to say I use a few of these.  I got my head route the packet capture today and put it in wiresark which  was great.  Can these commands be used on a router to that is in VPN mode?

0 Helpful

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Marvin Rhoads

‎03-07-2019 06:50 PM

Running a debug but for a particular IPSEC VPN shouldn't cause much of a degradation and/or impact on performance correct or possibly?
0 Helpful
Customers Also Viewed These Support Documents
Top