06-18-2012 04:15 AM
Hi,
I'm new to Cisco firewalls. Right now I got the additional responsibility of it. We have a Cisco ASA 5020 where we are terminating all the client-to-site as well as site-to-site VPNs. Please let me know some important commands which will help me to troubleshoot any VPN issue that arises. I can find these commands:
06-18-2012 06:02 AM
Yes, those 3 commands are a good start in troubleshooting VPN issues.
- show cry isa sa: checking if phase 1 is up or not: status should normally be QM_IDLE, or AM_ACTIVE, or MM_ACTIVE
- show cry ipsec sa: you can check if the encrypts and decrypts are incrementing or not. If it's encrypting and no decrypts, that means traffic is being sent towards the remote sites but no reply, and if it's decrypting but no encrypts, that means traffic is received, but no reply back towards remote end.
06-18-2012 06:12 AM
Thanks a lot, Jennifer Halim, for explaining the commands. It will be very useful for me. Are there any other commands you can think of? And what do QM_IDLE, AM_ACTIVE, MM_ACTIVE mean?
06-18-2012 06:22 AM
QM_IDLE: Quick Mode IDLE --> Phase 1 is UP
AM_ACTIVE: Aggressive Mode ACTIVE --> Phase 1 is UP
MM_ACTIVE: Main Mode ACTIVE --> Phase 1 is UP
The above status will show depending on what version of ASA you are running, but either one of the above is a good sign, and means you don't have to worry about troubleshooting Phase 1; you can concentrate on troubleshooting Phase 2.
Debug command if Phase 1 is not UP: debug cry isa
Debug command if Phase 2 is not UP: debug cry ipsec
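Added example (not from the thread or from Cisco): a small Python script that applies the two checks described above to command output. It parses the State field of `show crypto isakmp sa` against the three healthy Phase 1 states, and compares the `#pkts encrypt` / `#pkts decrypt` counters of `show crypto ipsec sa` between two snapshots to apply the encrypt-only / decrypt-only rule of thumb. The sample output, peer address and counter values are constructed, in the format an ASA prints.

```python
import re

# Constructed sample output in the format an ASA prints (not from the thread).
ISAKMP_SAMPLE = """
1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""
# Two constructed snapshots of the same IPsec SA taken a few seconds apart.
IPSEC_BEFORE = """
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""
IPSEC_AFTER = """
    #pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
"""

# States the thread lists as "Phase 1 is UP".
PHASE1_UP_STATES = {"QM_IDLE", "AM_ACTIVE", "MM_ACTIVE"}

def isakmp_states(text):
    """Map each IKE peer to its State field from 'show crypto isakmp sa'."""
    peers = re.findall(r"IKE Peer:\s*(\S+)", text)
    states = re.findall(r"State\s*:\s*(\S+)", text)
    return dict(zip(peers, states))

def phase1_up(text, peer):
    """True when the peer's IKE SA is in one of the healthy Phase 1 states."""
    return isakmp_states(text).get(peer) in PHASE1_UP_STATES

def ipsec_counters(text):
    """Return (encrypt, decrypt) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encrypt:\s*(\d+)", text)
    dec = re.search(r"#pkts decrypt:\s*(\d+)", text)
    return int(enc.group(1)), int(dec.group(1))

def diagnose(before, after):
    """Apply the thread's rule of thumb to counter deltas between two snapshots."""
    e0, d0 = ipsec_counters(before)
    e1, d1 = ipsec_counters(after)
    denc, ddec = e1 - e0, d1 - d0
    if denc and ddec:
        return "both directions passing traffic"
    if denc:
        return "encrypting only: traffic sent towards remote site, no reply"
    if ddec:
        return "decrypting only: traffic received, no reply sent back"
    return "no traffic on this SA"
```

Take the two snapshots a few seconds apart while the interesting traffic is being generated; comparing deltas rather than absolute counters avoids being misled by packets counted before the problem started.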
06-18-2012 09:37 PM
Am I right if I say that running the above-mentioned debug commands will result in performance issues on the Cisco ASA?
06-19-2012 12:31 AM
It depends on how many VPN tunnels, but generally it won't cause any performance issue on the ASA at all.