08-11-2012 09:39 AM - edited 02-21-2020 06:15 PM
I've been working with a partner trying to get an Avaya IP VPN phone to connect to our ASA/network. This article https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf (although a bit dated) has pretty clear instructions. However, when he tries to get his phone to connect, it says the remote peer (my ASA) is not responding. He has no clue what his public IP address is, so I've been struggling to find a way to troubleshoot from my end to see if his phone is even attempting to connect to my ASA. Since I only have a handful of IPSec tunnels, is there a way to set up a monitor filter in ASDM so that I only see IPSec tunnel traffic? Any other thoughts on how I can at least verify that he's knocking at the door?
Thanks!
08-11-2012 12:16 PM
This is best done from the CLI.
"show crypto isakmp sa" shows your current or forming VPN tunnels on your ASA. (SAs are Security Associations.) An active working tunnel normally has the state "MM_IDLE". Look for him trying to bring up his tunnel by repeatedly entering that command during his attempts. If you see other states forming and then timing out you likely have a setting mismatch. Those can be debugged by using a couple of commands. Note his public IP from the "show cry isa sa" output and make it a condition for your debug (that will keep you from getting the rather verbose debug output from your other tunnels):
debug cry condition peer <peer public IP>
debug crypto isakmp 7
debug crypto ipsec 7
Have him try again and examine the log for error conditions. ("show log")
If you never see partially formed SAs during his attempts, then he is not reaching you with the IPSec packets for some reason. Make sure he can ping your outside interface. How is he leaving his network? If he doesn't have a static public IP, it may be a problem establishing a VPN with whatever global NAT pool address his network's boundary firewall or router is giving him.
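An added example, not part of the reply above: a small Python parser for saved "show crypto isakmp sa" output that picks out SAs from peers outside your known tunnel list and SAs that are not in an established state. The sample output is constructed, the addresses are documentation ranges, and counting AM_ACTIVE as established alongside MM_IDLE is an assumption for aggressive-mode peers.

```python
import re

# Constructed sample of "show crypto isakmp sa" output (IKEv1 layout).
# All addresses are documentation ranges, not real peers.
SAMPLE = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_IDLE
2   IKE Peer: 198.51.100.22
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_IDLE
3   IKE Peer: 203.0.113.45
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_WAIT_MSG3
"""

# Assumption: states treated as "tunnel is up" (main mode / aggressive mode).
ESTABLISHED = {"MM_IDLE", "AM_ACTIVE"}

def parse_isakmp_sa(text):
    """Return one dict per IKE SA with keys: peer, type, role, state."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            cur = {"peer": m.group(1)}
            sas.append(cur)
        elif cur is not None:
            for key, val in re.findall(r"(Type|Role|State)\s*:\s*(\S+)", line):
                cur[key.lower()] = val
    return sas

def unexpected_peers(text, known_peers):
    """SAs whose peer is not one of the already configured tunnel peers."""
    return [sa for sa in parse_isakmp_sa(text) if sa["peer"] not in known_peers]

def stalled(text):
    """SAs that are forming or stuck, i.e. not in an established state."""
    return [sa for sa in parse_isakmp_sa(text) if sa.get("state") not in ESTABLISHED]

if __name__ == "__main__":
    known = {"198.51.100.7", "198.51.100.22"}  # hypothetical existing tunnels
    for sa in unexpected_peers(SAMPLE, known):
        print("new peer:", sa["peer"], sa["role"], sa["state"])
```

With only a handful of tunnels, any peer reported by unexpected_peers during his attempts is the address to use as the debug condition.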