How to troubleshoot VPN

dan_track
Level 1

Hi,

I've set up a VPN on my ASA that I've managed to get working. However, I'm going to break it again for testing purposes. Basically I had a problem when setting it up where packets weren't being sent to the other end. Looking at "show logs" didn't show anything to help me to troubleshoot. After talking to the other side I realised that my transform-set ACL didn't match their one, i.e. the subnet masks were wrong. My question is how can I troubleshoot this? What commands should I be running to see that this is where the problem is? What should I be looking for in the output of these troubleshooting commands?

Thanks

Dan

5 Replies

Jon Marshall
Hall of Fame

Dan

debug crypto isakmp

debug crypto ipsec

The above 2 commands will show you where your VPN tunnel is failing, i.e.

isakmp covers phase 1 which is your ISAKMP policy settings

ipsec covers phase 2 which is your crypto map settings in terms of access-list and transform-set etc.

Often it helps if you can initiate the tunnel from both ends because the error messages are slightly different depending on whether you are looking at the initiating device or the receiving device.

I suggest you run the above commands after breaking the tunnel and see what output you get. You can change different things in your tunnel settings to see how this affects the debug output.

Jon

Hi Jon,

Thanks for the info. I'll try that and come back to you. Just a slight note: I've got about 10 VPNs running on my ASA. Would the debug command crash the ASA? If so, how can I restrict it?

Thanks

Dan

One other point that came to mind is what is the difference between a debug and a capture on an ASA?

Thanks

Dan

When I run the debug command I'm not seeing any output at all. Can you point me to what I'm missing?

Thanks

Dan

Dan

A packet capture simply captures packets going through the ASA. It is not showing you what the ASA is actually doing.

I have enabled those debug commands on PIX 515E firewalls having at least 50 VPNs configured and there was no issue. The debug commands will only show you output when the tunnel is being established. However I cannot guarantee anything in terms of debugging, all I can say is that I have done it with no ill effects.

Obviously make sure you turn off the debugging when you are finished.

Jon
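The mismatch Dan describes (crypto ACL subnet masks not mirroring the peer's) is a phase 2 problem, which is why the ipsec debug is where it shows up. As an added example that is not from this thread or from Cisco, the script below parses the `permit ip` entries of two ASA crypto ACLs (a constructed local one and a constructed copy of the peer's) and reports every entry that is not mirrored on the other side, so the mask error can be found before the tunnel is even brought up. ACL names, networks and masks are made up; only network/mask ACEs are handled, not `host` or `any`.

```python
import ipaddress
import re

# Constructed sample configs: the ASA's crypto ACL and the peer's, each
# written from its own point of view. The second entries deliberately
# disagree on the mask of the 10.1.x.x side (/24 here, /16 on the peer).
LOCAL_ACL = """
access-list VPN-TO-PEER extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list VPN-TO-PEER extended permit ip 10.1.2.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
REMOTE_ACL = """
access-list VPN-TO-HQ extended permit ip 192.168.50.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list VPN-TO-HQ extended permit ip 192.168.50.0 255.255.255.0 10.1.0.0 255.255.0.0
"""

# Matches: access-list NAME extended permit ip SRC SRCMASK DST DSTMASK
ACE_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_crypto_acl(text):
    """Return a set of (src_network, dst_network) pairs from permit ip ACEs."""
    pairs = set()
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # skip remarks, host/any entries and anything else
        src = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}", strict=False)
        pairs.add((src, dst))
    return pairs


def find_mismatches(local_text, remote_text):
    """Each local (src, dst) must appear on the peer as (dst, src).

    Returns (local entries the peer lacks, peer entries we lack)."""
    local = parse_crypto_acl(local_text)
    mirrored_remote = {(dst, src) for src, dst in parse_crypto_acl(remote_text)}
    return (sorted(local - mirrored_remote, key=str),
            sorted(mirrored_remote - local, key=str))


if __name__ == "__main__":
    missing_on_peer, missing_here = find_mismatches(LOCAL_ACL, REMOTE_ACL)
    for src, dst in missing_on_peer:
        print(f"peer has no mirror of {src} -> {dst}")
    for src, dst in missing_here:
        print(f"we have no mirror of peer's {dst} -> {src}")
```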
