Debug Crypto ISAKMP

GRANT3779
Spotlight

Hi,

I've been trying to set up a VPN and when I ran this command earlier I was getting plenty of output and all looked ok.

I could also see dest, src, state etc.. when I ran crypto isakmp sa.

Suddenly I have nothing now, even when I debug above. The crypto isakmp sa command is now blank also, see below.

crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

Does this suggest the issue is with the remote end? Would I still get debug output using debug crypto isakmp if the remote end was down?

Just puzzled as to why everything has gone "quiet"

Thanks

1 Accepted Solution

Accepted Solutions

Nikhil Thakur
Cisco Employee

Hi,

There could be several reasons for the same:

-->The interesting traffic either from remote end or local end has been stopped for some reason.

-->As the ASA was showing up some debugs earlier, it's unlikely that the packet is not reaching the ASA now which in turn will hit the crypto ACL (interesting traffic) hence triggering the crypto tunnels and the debugs.

-->There could have been configuration changes at the remote end ASA because of which the tunnel is not being triggered.

The best way to troubleshoot this problem is to trace the VPN traffic or the packet meant for the VPN tunnel from its source till its destination.

I would recommend the following:

  • Take captures on the ASA from where the traffic is being initiated and see if it's the crypto ACL. Check the ACL hit counts for the same.

        http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080a9edd6.shtml

  • Enable 'debug crypto isakmp 127' & see if the tunnel is being triggered and the debugs are being generated.
  • If not, then run the packet tracer and see if the VPN traffic passes all the checks and is allowed through the VPN.
  • If the traffic is allowed under VPN Phase in packet tracer, and you still can't see the traffic being passed through the VPN then there might be a possibility that it's going through a different tunnel and hitting an overlapping crypto ACL (if any) on the same source ASA.
  • If the packet is not seen hitting the firewall in the above captures, then the packet is definitely not reaching the ASA and you will have to verify the internal routing.
  • You could also check the syslogs on the local ASA for any drops because of any firewall feature for the VPN destined traffic.

To answer your query, if the remote end was down you would not see the debugs unless the host is initiating traffic for VPN from the local end. If the VPN traffic was initiated from behind the remote ASA, and it's down then you would not see any debugs on the local ASA.

Let me know once you've narrowed it down more so that we can move forward and I will be in a better position to provide my next action plan on this.

Hope this was informative.

Regards,

Nick

P.S. Please mark this post as resolved if the above information has helped you in identifying the issue or at least moving you forward in troubleshooting the issue so that other users are benefited too
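As an added example (not code from the thread), a small Python script that applies the decision logic in the answer above: compare crypto ACL hit counts from two snapshots of `show access-lists`, check whether `show crypto isakmp sa` lists any SA, and classify the symptom. The parsers assume IOS-style output like the empty table the poster quoted; the sample output is constructed.

```python
import re
from typing import Dict, List, Tuple

# Parse IOS-style "show access-lists" output into {ace: match_count}; a line
# looks like "    10 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 (25 matches)".
ACE_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")
# An SA row of "show crypto isakmp sa" starts with the dst and src IPv4 addresses.
SA_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")


def parse_acl_hits(text: str) -> Dict[str, int]:
    hits: Dict[str, int] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            seq, action, ace, count = m.groups()
            hits[f"{seq} {action} {ace}"] = int(count or 0)
    return hits


def parse_isakmp_sa(text: str) -> List[Tuple[str, str, str]]:
    """Return (dst, src, state) for every SA row; [] when the table is empty."""
    return [m.groups() for line in text.splitlines() if (m := SA_RE.match(line))]


def diagnose(acl_before: str, acl_after: str, isakmp_sa: str) -> str:
    """Classify the symptom from two crypto ACL snapshots and the ISAKMP SA table."""
    if parse_isakmp_sa(isakmp_sa):
        return "SA_PRESENT"              # ISAKMP negotiating or up; look at Phase 2 next
    before, after = parse_acl_hits(acl_before), parse_acl_hits(acl_after)
    if not any(n > before.get(ace, 0) for ace, n in after.items()):
        return "NO_INTERESTING_TRAFFIC"  # nothing hit the crypto ACL: captures, routing
    return "PEER_NOT_RESPONDING"         # ACL hit but no SA formed: remote end or config


# Constructed sample output (not captured from a real device).
ACL_BEFORE = """Extended IP access list VPN-TRAFFIC
    10 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 (25 matches)
    20 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
"""
ACL_AFTER = ACL_BEFORE.replace("(25 matches)", "(31 matches)")
SA_EMPTY = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
"""
SA_UP = SA_EMPTY + "203.0.113.2     198.51.100.1    QM_IDLE           1001    0 ACTIVE\n"

if __name__ == "__main__":
    print(diagnose(ACL_BEFORE, ACL_BEFORE, SA_EMPTY))  # NO_INTERESTING_TRAFFIC
    print(diagnose(ACL_BEFORE, ACL_AFTER, SA_EMPTY))   # PEER_NOT_RESPONDING
```

Take the two ACL snapshots a minute or so apart while the host behind the local end is generating traffic, otherwise an unchanged count says nothing.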


2 Replies


Hey,

Please mark this post as 'Answered' if your initial query has been answered.

I would be glad to answer your further queries, if any.

Also, rate the post if helpful.

Thanks!

Regards,

Nick