New to Cisco ASA VPN 5020

Kevin_27C
Level 1

Hi,

I'm new to Cisco firewalls. Right now I got the additional responsibility of it. We have a Cisco ASA 5020 where we are terminating all the client-to-site as well as site-to-site VPNs. Please let me know some important commands which will help me to troubleshoot any VPN issue that arises. I could find these commands:

  • Show Crypto ipsec sa
  • Show ipsec sa peer <peer IP>
  • Show isakmp sa
5 Replies

Jennifer Halim
Cisco Employee

Yes, those 3 commands are a good start in troubleshooting VPN issue.

- show cry isa sa: checking if phase 1 is up or not: status should normally be QM_IDLE, or AM_ACTIVE, or MM_ACTIVE

- show cry ipsec sa: you can check if the encrypts and decrypts are incrementing or not. If it's encrypting and no decrypts, that means traffic is being sent towards the remote sites but no reply, and if it's decrypting but no encrypts, that means traffic is received, but no reply back towards remote end.

Thanks a lot Jennifer Halim for explaining the commands. It will be very useful for me. Are there any other commands you can think of? And what do QM_IDLE, AM_ACTIVE, MM_ACTIVE mean?

QM_IDLE: Quick Mode IDLE --> Phase 1 is UP

AM_ACTIVE: Aggressive Mode ACTIVE --> Phase 1 is UP

MM_ACTIVE: Main Mode ACTIVE --> Phase 1 is UP

The above status will show depending on what version of ASA you are running, but either one of the above is a good sign, and means you don't have to worry about troubleshooting Phase 1; you can concentrate on troubleshooting Phase 2.

Debug command if Phase 1 is not UP: debug cry isa

Debug command if Phase 2 is not UP: debug cry ipsec
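The two checks described in this thread (phase 1 state from "show crypto isakmp sa", then whether encrypts and decrypts are both incrementing in "show crypto ipsec sa") are easy to script once you have the command output pasted or pulled from the box. The following is an added example, not code from the thread or from Cisco: it parses two snapshots of the counters taken a little apart and prints, per peer, whether to start with phase 1 or phase 2 and which direction of traffic is missing. The sample output, the peer addresses, the crypto map name and the exact layout of the "show" output are all constructed to resemble ASA output and should be treated as assumptions; adjust the regular expressions if your ASA version prints the fields differently.

```python
import re

# Constructed samples laid out like ASA "show crypto isakmp sa" / "show crypto
# ipsec sa" output (an assumed format, not captured from a real device).
ISAKMP_SA = """\
   Active SA: 3
Total IKE SA: 3

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 192.0.2.200
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

def ipsec_sample(counters):
    """Build one 'show crypto ipsec sa' snapshot; counters = {peer: (remote_ident, enc, dec)}."""
    out = "interface: outside\n"
    for peer, (remote, enc, dec) in counters.items():
        out += (f"    Crypto map tag: outside_map, local addr: 192.0.2.1\n"
                f"      remote ident (addr/mask/prot/port): ({remote})\n"
                f"      current_peer: {peer}\n"
                f"      #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest: {enc}\n"
                f"      #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify: {dec}\n")
    return out

# Two snapshots a few seconds apart, as you would take them on the CLI (constructed values).
IPSEC_SA_T0 = ipsec_sample({"203.0.113.10": ("10.2.2.0/255.255.255.0/0/0", 120, 118),
                            "198.51.100.7": ("10.3.3.0/255.255.255.0/0/0", 40, 0)})
IPSEC_SA_T1 = ipsec_sample({"203.0.113.10": ("10.2.2.0/255.255.255.0/0/0", 150, 147),
                            "198.51.100.7": ("10.3.3.0/255.255.255.0/0/0", 55, 0)})

PHASE1_UP = {"QM_IDLE", "AM_ACTIVE", "MM_ACTIVE"}  # the states the thread treats as "phase 1 up"

def parse_isakmp_sa(text):
    """Return {peer: state} from 'show crypto isakmp sa' output."""
    states, peer = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
        elif peer and (m := re.search(r"State\s*:\s*(\S+)", line)):
            states[peer] = m.group(1)
    return states

def parse_ipsec_counters(text):
    """Return {(peer, remote_ident): {'encrypt': n, 'decrypt': n}} from 'show crypto ipsec sa'."""
    counters, peer, remote = {}, None, None
    for line in text.splitlines():
        if m := re.search(r"remote ident \(addr/mask/prot/port\):\s*\((\S+?)\)", line):
            remote = m.group(1)
        elif m := re.search(r"current_peer:\s*(\S+)", line):
            peer = m.group(1)
        elif m := re.search(r"#pkts encrypt:\s*(\d+)", line):
            counters.setdefault((peer, remote), {})["encrypt"] = int(m.group(1))
        elif m := re.search(r"#pkts decrypt:\s*(\d+)", line):
            counters.setdefault((peer, remote), {})["decrypt"] = int(m.group(1))
    return counters

def traffic_verdict(before, after):
    """Classify each IPsec SA by which counters moved between the two snapshots."""
    verdicts = {}
    for key, now in after.items():
        then = before.get(key, {"encrypt": 0, "decrypt": 0})
        enc = now["encrypt"] - then["encrypt"] > 0
        dec = now["decrypt"] - then["decrypt"] > 0
        verdicts[key] = "both" if enc and dec else "tx-only" if enc else "rx-only" if dec else "idle"
    return verdicts

VERDICT_TEXT = {
    "both": "encrypts and decrypts both incrementing, tunnel is passing traffic",
    "tx-only": "encrypting but no decrypts: sent towards remote, no reply coming back",
    "rx-only": "decrypting but no encrypts: received from remote, no reply going out",
    "idle": "no counters moved, nothing hit this SA in the interval",
}

def report(isakmp_text, ipsec_before, ipsec_after):
    """Check phase 1 first, then phase 2, as the thread advises; one line per peer/SA."""
    states = parse_isakmp_sa(isakmp_text)
    verdicts = traffic_verdict(parse_ipsec_counters(ipsec_before), parse_ipsec_counters(ipsec_after))
    lines = []
    for peer, state in states.items():
        if state not in PHASE1_UP:
            lines.append(f"{peer}: phase 1 NOT up (state {state}), start with: debug crypto isakmp")
            continue
        sas = {k: v for k, v in verdicts.items() if k[0] == peer}
        if not sas:
            lines.append(f"{peer}: phase 1 up ({state}) but no IPsec SA, start with: debug crypto ipsec")
        for (_, remote), verdict in sas.items():
            lines.append(f"{peer} -> {remote}: phase 1 up ({state}); {VERDICT_TEXT[verdict]}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(ISAKMP_SA, IPSEC_SA_T0, IPSEC_SA_T1)))
```

Taking two snapshots rather than one matters: a stale SA can show large historical encrypt and decrypt counts while nothing is flowing now, so only the difference between the snapshots tells you which direction is currently missing.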

Am I right if I say that running the above mentioned debug commands will result in performance issues on the Cisco ASA?

Depending on how many VPN tunnels, but generally it won't cause any performance issue on ASA at all.
