Troubleshooting VPN pass-thru

tsrader · ‎04-28-2006

PIX 525s between main network and another company. We permit VPN from their network thru ours to allow access to servers, email, etc. VPN has stopped working.

How do i debug VPN traffic from their network (172.16.10.50) to ours (10.1.35.75) to see whether the VPN traffic is even coming thru the PIX firewall?

jmia · ‎04-28-2006

Troubleshooting Commands

Note: The clear commands must be performed in configuration mode.

clear crypto ipsec sa – Resets the IPSec associations after failed attempts to negotiate a VPN tunnel.

clear crypto isakmp sa – Resets the ISAKMP security associations after failed attempts to negotiate a VPN tunnel.

debug crypto ipsec – Shows if a client is negotiating the IPSec portion of the VPN connection.

debug crypto isakmp – Shows if the peers are negotiating the ISAKMP portion of the VPN connection.

All the above can be found here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094761.shtml

What's the output for: sho isakmp sa

And do you see encap / decap counts when you issues:

sho ipsec sa

One more thing, do you actually have L3 connectivity between the two peers? Can you ping from your PIX to your peers outside IP address (remove any icmp deny statements from both peers before issuing ping).

Hope this helps and please rate post if it does.

Jay

tsrader · ‎04-28-2006

thanks for the quick response. the VPN device is NOT my PIX firewall. the PIX is only permitting TX to pass thru it on to the VPN device.

I can ping from my PIX to their side w/ no problem.

i guess a similar command that i've used in the past is debug icmp trace......but for this i'm trying to see the connection going back and forth.