To Check L2L tunnel status

mahesh18 (Level 6)

Hi Everyone,

I have a new setup with 2 different networks:

Network 1

Switch and ASA 5505

Network 2

Switch and ASA 5505

Networks 1 and 2 are at different locations in the same site.

At both of the above networks, the PC connected to the switch gets its IP from the ASA 5505.

In order to go to the internet, both of the above networks have an L2L tunnel from their ASA 5505 to an ASA 5520.

The ASA 5505 has its default gateway configured as the ASA 5520.

When I do sh crypto isakmp sa on the 5505 it shows the peer tunnel IP but the state is MM_ACTIVE.

I need to confirm if the tunnel is building up between the 5505 and the 5520?

From the ASA 5505 I can ping the ASA 5520.

7 Replies

Jouni Forss (VIP Alumni)

Hi,

The output you are looking at is from Phase 1, which states that Main Mode is used, and Phase 1 seems to be fine.

I would try the following commands to better determine the L2L VPN state/situation:

show crypto ipsec sa peer

show vpn-sessiondb detail l2l

You can naturally also use ASDM to check the Monitoring section and from there the VPN section. You might have to use a drop-down menu in the actual VPN page to select Site to Site VPN / L2L VPN so you can list the L2L VPN connections possibly active on the ASA.

Hope this helps

- Jouni

Hi Jouni,

I will use the above commands and will update you.

Regards

Mahesh

Hi Jouni,

Here is the info below:

sh crypto ipsec sa peer 10.31.2.30
peer address: 10.31.2.30
    Crypto map tag: COMMC_Traffic_Crypto, seq num: 1, local addr: 10.31.2.19

      access-list XC_Traffic extended permit ip 192.168.2.128 255.255.255.192 any
      local ident (addr/mask/prot/port): (192.168.2.128/255.255.255.192/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 10.31.2.30

      #pkts encaps: 1066, #pkts encrypt: 1066, #pkts digest: 1066
      #pkts decaps: 3611, #pkts decrypt: 3611, #pkts verify: 3611
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1066, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.31.2.19/0, remote crypto endpt.: 10.31.2.30/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 06DFBB67
      current inbound spi : 09900545

    inbound esp sas:
      spi: 0x09900545 (160433477)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: COMMC_Traffic_Crypto
         sa timing: remaining key lifetime (kB/sec): (3914702/24743)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x06DFBB67 (115325799)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 12288, crypto-map: COMMC_Traffic_Crypto
         sa timing: remaining key lifetime (kB/sec): (3914930/24743)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

sh vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection   : 10.31.2.30
Index        : 3                      IP Addr      : 10.31.2.30
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 71301                  Bytes Rx     : 305820
Login Time   : 11:59:24 UTC Tue Jan 7 2014
Duration     : 1h:07m:54s
IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 3.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 82325 Seconds
  D/H Group    : 2
  Filter Name  :
  IPv6 Filter  :

IPsec:
  Tunnel ID    : 3.2
  Local Addr   : 192.168.2.128/255.255.255.192/0/0
  Remote Addr  : 0.0.0.0/0.0.0.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 24725 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607701 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 71301                  Bytes Rx     : 306744
  Pkts Tx      : 1066                   Pkts Rx      : 3654

NAC:
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 4086 Seconds
  Hold Left (T): 0 Seconds              Posture Token:

What should I look for to confirm the L2L state?

Regards

Mahesh

Hi Mahesh,

Both outputs wouldn't show anything if there were any active L2L VPN connections, so the VPN listed by the second command is up.

The first output shows the formed IPsec SAs for the L2L VPN connection. I mean the local/remote network pairs. It also lists the packet counters, which in your situation seem to indicate traffic is flowing in both directions.

The second output also lists the same kind of information, but also some additional information that the other command doesn't list.

So it seems to me that your VPN is up and working. If there are some problems, they are probably related to some other configurations on the ASAs.

Are you using Easy VPN or something, because it says that the remote address is 0.0.0.0/0? Or does your Crypto ACL have the destination as "any"? In other words, have you configured the other ASA to tunnel all traffic through the L2L VPN?

- Jouni
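
The check Jouni describes (ESP SAs formed, local/remote idents present, packet counters non-zero in both directions, and a remote ident of 0.0.0.0/0 meaning the crypto ACL destination is "any") can be automated over the text of `show crypto ipsec sa peer <ip>`. The script below is an added example, not code from the thread or from Cisco; the sample output is a constructed, shortened copy of the 5505 output posted above, and the one-way variant (decaps counter at zero) is constructed to show the failure branch.

```python
"""Added example (not from the thread): parse 'show crypto ipsec sa peer <ip>'
output and decide whether the L2L tunnel has formed SAs and is passing
traffic in both directions."""
import re

# Constructed sample: the relevant lines of the 5505 output posted in the thread.
SAMPLE_IPSEC_SA = """\
peer address: 10.31.2.30
    Crypto map tag: COMMC_Traffic_Crypto, seq num: 1, local addr: 10.31.2.19

      access-list XC_Traffic extended permit ip 192.168.2.128 255.255.255.192 any
      local ident (addr/mask/prot/port): (192.168.2.128/255.255.255.192/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: 10.31.2.30

      #pkts encaps: 1066, #pkts encrypt: 1066, #pkts digest: 1066
      #pkts decaps: 3611, #pkts decrypt: 3611, #pkts verify: 3611
      #send errors: 0, #recv errors: 0

    inbound esp sas:
      spi: 0x09900545 (160433477)
         transform: esp-aes-256 esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x06DFBB67 (115325799)
         transform: esp-aes-256 esp-sha-hmac no compression
"""

# Constructed failure case: SAs exist but nothing ever comes back from the peer
# (what a routing or crypto-ACL mismatch on the far side typically looks like).
SAMPLE_ONE_WAY = SAMPLE_IPSEC_SA.replace(
    "#pkts decaps: 3611, #pkts decrypt: 3611, #pkts verify: 3611",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")


def parse_ipsec_sa(text):
    """Pull out the fields a tunnel health check needs; missing fields become None."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None

    return {
        "peer": grab(r"peer address:\s*(\S+)"),
        "crypto_map": grab(r"Crypto map tag:\s*([^,]+),"),
        "local_ident": grab(r"local ident[^:]*:\s*\(([^)]+)\)"),
        "remote_ident": grab(r"remote ident[^:]*:\s*\(([^)]+)\)"),
        "encaps": grab(r"#pkts encaps:\s*(\d+)", int),
        "decaps": grab(r"#pkts decaps:\s*(\d+)", int),
        "send_errors": grab(r"#send errors:\s*(\d+)", int),
        "recv_errors": grab(r"#recv errors:\s*(\d+)", int),
        "inbound_spi": grab(r"inbound esp sas:\s*spi:\s*(0x[0-9A-Fa-f]+)"),
        "outbound_spi": grab(r"outbound esp sas:\s*spi:\s*(0x[0-9A-Fa-f]+)"),
    }


def assess_tunnel(sa):
    """Return (is_up, findings). is_up is True only when both ESP SAs exist and
    packets flow in both directions, the condition the thread treats as a
    working tunnel. Informational notes are appended after is_up is decided."""
    findings = []
    if not (sa["inbound_spi"] and sa["outbound_spi"]):
        findings.append("no inbound/outbound ESP SA: Phase 2 has not completed")
    if not sa["encaps"]:
        findings.append("pkts encaps is 0: nothing is being sent into the tunnel")
    if not sa["decaps"]:
        findings.append("pkts decaps is 0: nothing is being received from the peer")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"send/recv errors: {sa['send_errors']}/{sa['recv_errors']}")
    is_up = not findings
    # A remote ident of 0.0.0.0/0 means the crypto ACL destination is 'any':
    # every packet from the local subnet is tunnelled to this peer.
    if sa["remote_ident"] and sa["remote_ident"].startswith("0.0.0.0/0.0.0.0"):
        findings.append("remote ident 0.0.0.0/0: crypto ACL tunnels all destinations to this peer")
    return is_up, findings


if __name__ == "__main__":
    for label, sample in (("posted output", SAMPLE_IPSEC_SA), ("one-way case", SAMPLE_ONE_WAY)):
        up, notes = assess_tunnel(parse_ipsec_sa(sample))
        print(f"{label}: up={up}")
        for note in notes:
            print("  -", note)
```

Paste the real command output into `parse_ipsec_sa` in place of the constructed sample; a tunnel with SAs but a zero decaps counter is the case worth chasing first, since it means the far end is not returning traffic into the tunnel at all.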

Hi Jouni,

The config I gave you was from the 5505.

The other end is the 5520.

We are not using Easy VPN.

When you say

Or does your Crypto ACL have the destination as "any"? In other words, have you configured the other ASA to tunnel all traffic through the L2L VPN?

How can I check this on the 5520 ASA? Any command?

Regards

Mahesh

Hi,

You can use the command

show run crypto map

to list the configurations.

Next you will have to find the line

crypto map match address

Then you will have to check that ACL's contents with either

show access-list

show run access-list

- Jouni
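
The lookup Jouni lays out (find the `match address` line for each crypto map entry, then read that ACL to see whether its destination is "any") is mechanical enough to script over the text of `show run crypto map` and `show run access-list`. The script below is an added example and not the thread's or Cisco's code; the sample configuration is constructed around the names visible in the thread (COMMC_Traffic_Crypto, XC_Traffic, peer 10.31.2.30), while the second entry (seq 2, peer 10.31.2.40, ACL BRANCH_Crypto), the transform-set name and the OUTSIDE_IN ACL are hypothetical.

```python
"""Added example (not from the thread): map each crypto map entry to its
crypto ACL and report whether that ACL tunnels all destinations ('any')."""
import re

# Constructed sample config, modelled on the names in the thread. The seq 2
# entry, its peer, the transform-set name and OUTSIDE_IN are hypothetical.
SAMPLE_CRYPTO_MAP = """\
crypto map COMMC_Traffic_Crypto 1 match address XC_Traffic
crypto map COMMC_Traffic_Crypto 1 set peer 10.31.2.30
crypto map COMMC_Traffic_Crypto 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map COMMC_Traffic_Crypto 2 match address BRANCH_Crypto
crypto map COMMC_Traffic_Crypto 2 set peer 10.31.2.40
crypto map COMMC_Traffic_Crypto 2 set ikev1 transform-set ESP-AES-256-SHA
crypto map COMMC_Traffic_Crypto interface outside
"""

SAMPLE_ACLS = """\
access-list XC_Traffic extended permit ip 192.168.2.128 255.255.255.192 any
access-list BRANCH_Crypto extended permit ip 10.10.10.0 255.255.255.0 192.168.2.128 255.255.255.192
access-list OUTSIDE_IN extended deny ip any any
"""


def _take_addr(tokens):
    """Consume one ASA address spec from the front of a token list:
    any/any4/any6, 'host X', 'object X', 'object-group X', or 'network mask'."""
    if not tokens:
        return None
    head = tokens.pop(0)
    if head in ("any", "any4", "any6"):
        return head
    if head in ("host", "object", "object-group", "interface"):
        return f"{head} {tokens.pop(0)}" if tokens else head
    return f"{head} {tokens.pop(0)}" if tokens else head  # network followed by mask


def parse_acls(acl_cfg):
    """Return {acl_name: [(action, protocol, source, destination), ...]}."""
    aces = {}
    for line in acl_cfg.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)$", line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _take_addr(tokens)
        dst = _take_addr(tokens)
        aces.setdefault(name, []).append((action, proto, src, dst))
    return aces


def crypto_map_report(crypto_map_cfg, acl_cfg):
    """For every 'crypto map <name> <seq> match address <acl>' line, look up the
    ACL's ACEs and flag the entry when a permit ACE has destination 'any'."""
    aces = parse_acls(acl_cfg)
    peers = {(n, s): p for n, s, p in
             re.findall(r"^crypto map (\S+) (\d+) set peer (\S+)", crypto_map_cfg, re.M)}
    report = []
    for name, seq, acl in re.findall(r"^crypto map (\S+) (\d+) match address (\S+)",
                                     crypto_map_cfg, re.M):
        entries = aces.get(acl, [])
        tunnels_all = any(a == "permit" and d in ("any", "any4") for a, _, _, d in entries)
        report.append({"map": name, "seq": int(seq), "peer": peers.get((name, seq)),
                       "acl": acl, "aces": entries, "tunnels_all": tunnels_all})
    return report


if __name__ == "__main__":
    for entry in crypto_map_report(SAMPLE_CRYPTO_MAP, SAMPLE_ACLS):
        flag = "tunnels ALL destinations" if entry["tunnels_all"] else "specific destinations"
        print(f"{entry['map']} seq {entry['seq']} peer {entry['peer']} acl {entry['acl']}: {flag}")
```

An entry reported as tunnelling all destinations is exactly the case Jouni asks about: with the 5505's ACL permitting 192.168.2.128/26 to `any`, every packet from that subnet goes into the tunnel, which is consistent with the remote ident of 0.0.0.0/0 in the earlier output. The report also makes a missing ACL obvious (an empty `aces` list), which is the other common reason Phase 2 never forms.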

Hi Jouni,

Will check and update you.

Regards

Mahesh
