Show crypto ikev1 / isakmp for certain peer

royvdberg
Level 1

We're having a Cisco ASA5525 with multiple L2L VPN connections to other companies. At this moment I see there are 70 Active Tunnels:

FW-VPN/pri/act# show crypto ikev1 stats
Global IKEv1 Statistics
  Active Tunnels:             70

Sometimes I'd like to troubleshoot a certain VPN connection and I'd like to start with #show crypto ikev1 sa detail

But this command returns all IKEv1 tunnels, and I'd like to see only one tunnel with a certain IPv4 address. Is there a way to do this?


7 Replies

Seb Rupik
VIP Alumni

Hi there,

How about show crypto ipsec sa peer xxxx  ?

cheers,

Seb.

I intend to use this command in case of troubleshooting. In case a VPN tunnel is down I want to see the MM_STATE messages of the ikev1 phase.

The command you provided would not give enough information for this troubleshooting. The "show crypto ikev1 sa" shows the MM_STATE which is very helpful.

Little example:

tunnel to 1.1.1.1 is down. When I use the "show crypto ipsec" I get this response:

There are no ipsec sas for peer 1.1.1.1

When I execute "show crypto ikev1 sa" I see this:

76  IKE Peer: 1.1.1.1
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2

I now know I cannot reach IP 1.1.1.1.

Hello @royvdberg

You need to check the remote side, in this case 1.1.1.1. If you have access to the remote, you need to check if the packet is reaching that ASA, that is, whether the first packet with the policies is reaching the ASA. In order to know what is going on, you need to do a capture on the outside like this:

capture cap interface outside match ip host x.x.x.x host y.y.y.y

You need to do this on both ASAs and on both outside interfaces; this way you should see if the packet is reaching both devices. You can also see what is happening with the debugs:

debug crypto condition peer <IP address>

debug crypto ikev1 250

debug crypto ipsec 250

Try this and let me know. 

HTH

Gio

After you enable debug, where can you see the output of the debug logs?

It will show up in your console.

Thank you Gio, that is indeed helpful.

I actually do not maintain the ASA on the other side. I don't even know if it is an ASA. We have VPNs with other companies so I cannot execute any commands on the "other" ASA.

In this case I can only troubleshoot on the "local" ASA.

The debug commands are helpful and with the "condition peer" part we can focus on just the VPN tunnel that's down.

Anyway, I simply wanted to know if I could execute "show crypto ikev1 sa" for a certain IP address, but looking at the answers here I guess it's a "no".

Thanks for all your input guys.

Hello @royvdberg

Well, if you don't have access to the remote side, you can do the following:

... Ask them to initiate the traffic in order to check if the packets are reaching your ASA. 

To reply to your question: yes, there is no command to verify a specific IP address when you are troubleshooting with "show crypto ikev1 sa", but there is a workaround for that :) You can try this syntax at the end of the command and focus on one VPN tunnel at a time: "show crypto ikev1 sa | beg <Peer IP address>" (you should get only the information for the particular tunnel).

By the way, thanks for the Kudos :)

HTH

Gio
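The `| begin <peer>` filter prints from the first matching line to the end of the output, so any tunnels listed after that peer follow it. As an added example (not from this thread or from Cisco), here is a small parser that takes the `show crypto ikev1 sa` output the thread shows, returns only the entry for one peer, and lists peers stuck in a non-established state; the sample output and the addresses in it are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show crypto ikev1 sa` output, in the layout
# shown in the thread: index, peer, then two "Key : value" pairs per line.
SAMPLE_OUTPUT = """\
IKEv1 SAs:

   Active SA: 2
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

PEER_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S+)")
PAIR_RE = re.compile(r"([A-Za-z]+)\s*:\s*(\S+)")


def parse_ikev1_sa(text: str) -> List[Dict[str, str]]:
    """Split the command output into one dict per IKEv1 SA entry."""
    entries: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = {"Index": m.group(1), "Peer": m.group(2)}
            entries.append(current)
        elif current is not None:
            # Attribute lines carry pairs such as "Role : responder".
            for key, value in PAIR_RE.findall(line):
                current[key] = value
    return entries


def sa_for_peer(text: str, peer: str) -> Optional[Dict[str, str]]:
    """Return only the entry for one peer (None if absent)."""
    return next((e for e in parse_ikev1_sa(text) if e["Peer"] == peer), None)


def stuck_tunnels(text: str) -> List[str]:
    """Peers whose IKEv1 SA is not established (MM_ACTIVE / AM_ACTIVE)."""
    return [e["Peer"] for e in parse_ikev1_sa(text)
            if not e.get("State", "").endswith("_ACTIVE")]
```

Feed it the saved output of the command (for example from a `show` captured over SSH) and `sa_for_peer` gives the single tunnel the original question asked for, while `stuck_tunnels` is a quick way to spot peers sitting in an MM_WAIT_* state.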