Cisco Support Community

New Member

Best VPN debug commands?

Hello,

I was just wondering what your best VPN debug commands are on an ASA or router regarding phase 1 and 2 and the ACL?

For example I have a site-to-site up between 2 ASAs and phase 1 and 2 are up, but each site can't ping a PC on the other site. I'm looking at NAT and the ACLs at the moment, but any useful commands would be most appreciated.

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

The 1st two go-to commands

The 1st two go-to commands are:

     show crypto isakmp sa

     show crypto ipsec sa

If Phase 1 and Phase 2 aren't up per those respective commands, then go to:

     debug crypto isakmp 7

     debug crypto ipsec 7

You may need to increase the verbosity level (255 is the highest) and, if you have multiple SAs, focus on the one you are interested in with a filter:

     debug crypto condition peer <peer IP>

Once you have Phase 1 and 2 established but are having continued problems with bidirectional traffic flow, look at two things:

1. In the show crypto ipsec sa output, do decaps increase commensurately with the encaps? If not, the distant end may not be getting the return traffic. Confirm with a packet capture and/or trace.

2. Use the packet-tracer command (CLI or GUI) on the ASA to examine how it will treat a given flow. NAT and ACL issues can often be quickly seen using that tool.
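As an added illustration of point 1 (this is not code from the reply above or from Cisco), the check below parses two snapshots of show crypto ipsec sa taken a minute apart and flags an SA whose encaps counter keeps climbing while decaps stays flat, which is the one-way symptom described. The snapshot text is constructed, with made-up addresses and counts, and is modelled on the ASA counter lines.

```python
import re

# Constructed sample of two "show crypto ipsec sa" snapshots taken a minute
# apart, modelled on the ASA counter lines (addresses and counts are made up).
SNAPSHOT_1 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
# Same SA a minute later: encaps kept climbing, decaps stayed at zero.
SNAPSHOT_2 = SNAPSHOT_1.replace("encaps: 120, #pkts encrypt: 120, #pkts digest: 120",
                                "encaps: 180, #pkts encrypt: 180, #pkts digest: 180")

IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]+)\)")
PEER = re.compile(r"current_peer: (\S+)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa_counters(output):
    """Map each SA (local ident, remote ident, peer) to its encaps/decaps counters."""
    sas, ident = {}, {}
    for line in output.splitlines():
        if m := IDENT.search(line):
            ident[m.group(1)] = m.group(2)
        elif m := PEER.search(line):
            ident["peer"] = m.group(1)
        elif m := COUNTER.search(line):
            key = (ident.get("local"), ident.get("remote"), ident.get("peer"))
            sas.setdefault(key, {})[m.group(1)] = int(m.group(2))
    return sas

def diagnose(before, after):
    """Compare two snapshots; flag SAs whose encaps grow while decaps do not."""
    verdicts = {}
    for key, now in after.items():
        old = before.get(key, {"encaps": 0, "decaps": 0})
        sent = now["encaps"] - old["encaps"]
        received = now["decaps"] - old["decaps"]
        if sent > 0 and received == 0:
            verdicts[key] = "one-way"      # we encrypt, nothing returns: check far-end route/NAT/ACL
        elif sent == 0 and received == 0:
            verdicts[key] = "idle"         # no interesting traffic matched this SA at all
        else:
            verdicts[key] = "bidirectional"
    return verdicts
```

Run it as diagnose(parse_sa_counters(SNAPSHOT_1), parse_sa_counters(SNAPSHOT_2)); a "one-way" verdict is the cue to move on to the packet capture and packet-tracer steps rather than to keep staring at the tunnel state.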

2 REPLIES
New Member

Thanks Marvin, I'm glad to

Thanks Marvin, I'm glad to say I use a few of these. I got my head round the packet capture today and put it in Wireshark, which was great. Can these commands be used on a router too that is in VPN mode?
