New to Cisco ASA VPN 5020

Unanswered Question
Jun 18th, 2012

Hi,

I'm new to Cisco firewalls. Right now I have got the additional responsibility for them. We have a Cisco ASA 5020 where we are terminating all the client-to-site as well as site-to-site VPNs. Please let me know some important commands which will help me to troubleshoot any VPN issue that arises. I can find these commands:

  • Show Crypto ipsec sa
  • Show ipsec sa peer <peer IP>
  • Show isakmp sa
Jennifer Halim (Cisco Employee) Mon, 06/18/2012 - 06:02

Yes, those 3 commands are a good start in troubleshooting VPN issues.

- show cry isa sa: checks whether Phase 1 is up or not; the status should normally be QM_IDLE, AM_ACTIVE, or MM_ACTIVE.

- show cry ipsec sa: you can check whether the encrypts and decrypts are incrementing or not. If it's encrypting with no decrypts, that means traffic is being sent towards the remote site but there is no reply, and if it's decrypting with no encrypts, that means traffic is received, but no reply is going back towards the remote end.

Kevin_27C Mon, 06/18/2012 - 06:12

Thanks a lot, Jennifer Halim, for explaining the commands. They will be very useful for me. Are there any other commands you can think of? And what do QM_IDLE, AM_ACTIVE and MM_ACTIVE mean?

Jennifer Halim Mon, 06/18/2012 - 06:22
User Badges:
  • Cisco Employee,

QM_IDLE: Quick Mode IDLE --> Phase 1 is UP

AM_ACTIVE: Aggresive Mode ACTIVE --> Phase 1 is UP

MM_ACTIVE: Main Mode ACTIVE --> Phase 1 is UP


The above status will show depending on what version of ASA you are running, but either one of the above is a good sign, and means you don't have to worry about troubleshooting Phase 1, you can concentrate to troubleshoot Phase 2.


Debug command if Phase 1 is not UP: debug cry isa

Debug command if Phase 2 is not UP: debug cry ipsec

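Putting Jennifer's two checks together (the Phase 1 states listed above and the encrypt/decrypt counter rule from her first reply), here is an added Python example, not from the thread, that parses two constructed snapshots of the ASA command output and reports which direction of the tunnel is failing. The sample text is modelled on the ASA 8.x output format and the peer addresses are made up.

```python
import re

# Constructed sample outputs modelled on the ASA 8.x CLI format (not real captures).
ISAKMP_SAMPLE = """\
1   IKE Peer: 198.51.100.2
    Rekey   : no              State   : MM_ACTIVE
"""
# Two "show crypto ipsec sa" snapshots taken a few seconds apart.
IPSEC_BEFORE = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 198.51.100.2
      #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
IPSEC_AFTER = IPSEC_BEFORE.replace("encrypt: 100", "encrypt: 120")  # encrypts grew, decrypts did not

PHASE1_UP = {"QM_IDLE", "AM_ACTIVE", "MM_ACTIVE"}  # states the thread treats as "Phase 1 is UP"

def phase1_states(isakmp_output):
    """Map each IKE peer in 'show crypto isakmp sa' output to its State field."""
    states, peer = {}, None
    for line in isakmp_output.splitlines():
        if m := re.search(r"IKE Peer:\s*(\S+)", line):
            peer = m.group(1)
        elif peer and (m := re.search(r"State\s*:\s*(\S+)", line)):
            states[peer] = m.group(1)
    return states

def ipsec_counters(ipsec_output):
    """Map each current_peer in 'show crypto ipsec sa' output to its encrypt/decrypt counters."""
    counters, peer = {}, None
    for line in ipsec_output.splitlines():
        if m := re.search(r"current_peer:\s*(\S+)", line):
            peer = m.group(1)
        elif peer and (m := re.search(r"#pkts (encrypt|decrypt):\s*(\d+)", line)):
            counters.setdefault(peer, {})[m.group(1)] = int(m.group(2))
    return counters

def diagnose(peer, states, before, after):
    """The thread's rule of thumb: confirm Phase 1 first, then read the counter deltas."""
    if states.get(peer) not in PHASE1_UP:
        return "phase1-down"        # nothing else to check yet; 'debug cry isa' territory
    d_enc = after[peer]["encrypt"] - before[peer]["encrypt"]
    d_dec = after[peer]["decrypt"] - before[peer]["decrypt"]
    if d_enc and not d_dec:
        return "sending-no-reply"   # traffic goes out, nothing comes back from the remote end
    if d_dec and not d_enc:
        return "receiving-no-reply" # traffic arrives, nothing is sent back to the remote end
    return "passing-traffic" if d_enc else "no-traffic"
```

Run the two `show` commands a few seconds apart, feed the captured text to the parsers, and `diagnose` tells you whether to look at Phase 1 or at one direction of Phase 2 traffic.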
Kevin_27C Mon, 06/18/2012 - 21:37

Am I right if I say that running the above-mentioned debug commands will result in performance issues on the Cisco ASA?

Jennifer Halim (Cisco Employee) Tue, 06/19/2012 - 00:31

It depends on how many VPN tunnels there are, but generally it won't cause any performance issue on the ASA at all.
