Once the tunnel is configured, attempt to pass traffic from a workstation on one side of the connection to a workstation on the other side of the connection. If a ping is successful, the tunnel functions properly. If an attempt to ping is not successful, issue the show crypto isakmp sa and show crypto ipsec sa commands on the PIX to determine the state of the connection.
This is the desired command output:
cisco_endpoint#show crypto isakmp sa
dst             src             state     pending  created
172.18.124.157  172.18.124.35   QM_IDLE         0        2
If the show crypto isakmp sa command output shows anything other than a state of QM_IDLE, phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) is not properly negotiated and must be examined.
The show crypto ipsec sa command displays information about phase 2 of the connection (IPsec). Verify that the output shows the proper peer and local endpoint for the tunnel.
If traffic is passed across the tunnel, the counters for both pkts encaps and pkts decaps should increment. If either value does not increment, a determination can usually be made as to which side of the tunnel has a problem.
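The two checks described above can be scripted against captured command output. This is an added example, not part of the original document: the sample text is constructed, the "#pkts encaps:" / "#pkts decaps:" line layout is an assumption, and all function names are hypothetical. It reads only the first SA in the ipsec output.

```python
import re

# Constructed samples. The isakmp rows follow the layout shown on this page;
# the "#pkts encaps:" / "#pkts decaps:" line layout is an assumption.
ISAKMP_SAMPLE = """\
dst             src             state     pending  created
172.18.124.157  172.18.124.35   QM_IDLE         0        2
"""
IPSEC_BEFORE = """\
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
"""
IPSEC_AFTER = IPSEC_BEFORE.replace("encaps: 10", "encaps: 15")  # decaps unchanged

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def isakmp_states(text):
    """Map (dst, src) -> state for each SA row of 'show crypto isakmp sa'."""
    states = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and IPV4.fullmatch(fields[0]) and IPV4.fullmatch(fields[1]):
            states[(fields[0], fields[1])] = fields[2]
    return states

def phase1_ok(text):
    """True only if at least one SA exists and every SA is in QM_IDLE."""
    states = isakmp_states(text)
    return bool(states) and all(s == "QM_IDLE" for s in states.values())

def counters(text):
    """Read the encaps/decaps counters of the first SA in 'show crypto ipsec sa'."""
    values = {}
    for name in ("encaps", "decaps"):
        match = re.search(rf"#pkts {name}:\s*(\d+)", text)
        if match is None:
            raise ValueError(f"counter 'pkts {name}' not found in output")
        values[name] = int(match.group(1))
    return values

def stalled_counters(before, after):
    """Names of counters that did not increase between two snapshots."""
    old, new = counters(before), counters(after)
    return [name for name in ("encaps", "decaps") if new[name] <= old[name]]

if __name__ == "__main__":
    print("phase 1 ok:", phase1_ok(ISAKMP_SAMPLE))
    print("stalled:", stalled_counters(IPSEC_BEFORE, IPSEC_AFTER))
```

Take the two ipsec snapshots before and after sending test traffic. A stalled encaps counter means the local device is not encapsulating outbound traffic; a stalled decaps counter means it is not decapsulating protected traffic from the peer.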
This is a portion of the show crypto ipsec sa command output:
cisco_endpoint#show crypto ipsec sa
Crypto map tag: rtpmap, local addr. 172.18.124.158
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)