Once the tunnel is configured, attempt to pass traffic from a workstation on one side of the connection to a workstation on the other side of the connection. If you are able to ping, the tunnel is functioning properly. If you are not able to ping, determine the state of the connection by issuing the show crypto isakmp sa and show crypto ipsec sa commands on the PIX Firewall.
If the show crypto isakmp sa command output shows anything other than QM_IDLE in the state column, then phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) has not been properly negotiated and should be examined.
The results should resemble this example:
cisco_endpoint#show crypto isakmp sa
    dst             src             state     pending  created
    172.18.124.157  172.18.124.35   QM_IDLE   0        2
The show crypto ipsec sa command identifies information about phase 2 of the connection (IPsec).
The proper peer and local endpoint for the tunnel should be identified. Furthermore, if traffic has been passed across the tunnel, the counters for both pkts encaps and pkts decaps should be incrementing. If either value is not incrementing, a determination can usually be made as to which side of the tunnel is having difficulty.
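The two checks above can be scripted over saved command output. The following is an added example, not part of the original document: the sample text is constructed, the "#pkts encaps:" / "#pkts decaps:" line layout is an assumption about the show crypto ipsec sa output, and all function names are hypothetical.

```python
import re

# Constructed sample output, not captured from a device. Addresses reuse the
# page's example; the counter values are invented for illustration.
ISAKMP_SA = """\
dst             src             state     pending  created
172.18.124.157  172.18.124.35   QM_IDLE   0        2
"""
IPSEC_SA_FIRST = """\
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
"""
IPSEC_SA_SECOND = """\
#pkts encaps: 15, #pkts encrypt: 15, #pkts digest 15
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
"""

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def phase1_states(isakmp_text):
    """Return (dst, src, state) for each SA row, skipping header and prompt lines."""
    rows = []
    for line in isakmp_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and IPV4.fullmatch(fields[0]) and IPV4.fullmatch(fields[1]):
            rows.append((fields[0], fields[1], fields[2]))
    return rows

def phase1_ok(isakmp_text):
    """True only if at least one SA exists and every SA is in QM_IDLE."""
    rows = phase1_states(isakmp_text)
    return bool(rows) and all(state == "QM_IDLE" for _, _, state in rows)

def pkt_counters(ipsec_text):
    """Sum pkts encaps / pkts decaps over all SA blocks in the output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in re.findall(r"#pkts (encaps|decaps):\s*(\d+)", ipsec_text):
        totals[name] += int(value)
    return totals

def stalled_counters(first, second):
    """Counters that did not increase between two samples taken while pinging."""
    a, b = pkt_counters(first), pkt_counters(second)
    return [name for name in ("encaps", "decaps") if b[name] <= a[name]]

if __name__ == "__main__":
    print("phase 1 ok:", phase1_ok(ISAKMP_SA))
    print("stalled:", stalled_counters(IPSEC_SA_FIRST, IPSEC_SA_SECOND))
```

Take the two show crypto ipsec sa samples while a ping is running across the tunnel, so that a counter that stays flat reflects the tunnel and not an absence of test traffic. An empty ISAKMP table is reported as a phase 1 failure, since no SA means no negotiated tunnel.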