Cisco Support Community

New Member

How to troubleshoot VPN

Hi,

I've set up a VPN on my ASA that I've managed to get working. However, I'm going to break it again for testing purposes. Basically I had a problem when setting it up where packets weren't being sent to the other end. Looking at "show logs" didn't show anything to help me to troubleshoot. After talking to the other side I realised that my transform-set ACL didn't match their one, i.e. the subnet masks were wrong. My question is how can I troubleshoot this? What commands should I be running to see that this is where the problem is? What should I be looking for in the output of these troubleshooting commands?

Thanks

Dan

5 REPLIES
Hall of Fame Super Blue

Re: How to troubleshoot VPN

Dan

debug crypto isakmp

debug crypto ipsec

the above 2 commands will show you where your VPN tunnel is failing, i.e.

isakmp covers phase 1 which is your ISAKMP policy settings

ipsec covers phase 2 which is your crypto map settings in terms of access-list and transform-set etc.

Often it helps if you can initiate the tunnel from both ends because the error messages are slightly different depending on whether you are looking at the initiating device or the receiving device.

I suggest you run the above commands after breaking the tunnel and see what output you get. You can change different things in your tunnel settings to see how this affects the debug output.

Jon
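The mismatch Dan describes (crypto ACL subnet masks that do not agree between the two ends) is exactly what phase 2 in Jon's reply negotiates, and it can be checked on paper before running any debug. The script below is an added example, not code from this thread or from Cisco: it takes the two crypto ACLs in an assumed simplified "local-network peer-network" CIDR form (not ASA access-list syntax), mirrors the peer's entries, and reports every entry that has no exact counterpart, which is the condition that stops the IPsec SA from being built.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample crypto ACLs, one entry per line as "local-network peer-network".
# This layout is an assumption for the example, not the ASA's own access-list syntax.
LOCAL_ACL = """
10.1.0.0/16 192.168.50.0/24
10.2.0.0/24 192.168.50.0/24
"""

# The peer's ACL as the peer writes it (its own network first). The second entry
# uses /16 where the local side has /24: the subnet-mask mismatch from the question.
PEER_ACL = """
192.168.50.0/24 10.1.0.0/16
192.168.50.0/24 10.2.0.0/16
"""


def parse_acl(text: str) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Parse the two-column CIDR form into (source, destination) network pairs."""
    entries = []
    for line in text.strip().splitlines():
        src, dst = line.split()
        # strict=True rejects entries with host bits set, e.g. 10.1.1.0/16.
        entries.append((ipaddress.ip_network(src, strict=True),
                        ipaddress.ip_network(dst, strict=True)))
    return entries


def mirror_mismatches(local_text: str, peer_text: str) -> List[str]:
    """Describe every ACL entry that lacks an exact mirror image on the other side.

    Phase 2 proposes proxy identities per ACL entry; if the peer's mirrored entry
    differs in network or mask, the proposal is rejected and no SA is built.
    """
    local = set(parse_acl(local_text))
    # Mirror the peer's entries so they are expressed from the local point of view.
    peer_mirrored = {(dst, src) for src, dst in parse_acl(peer_text)}
    problems = []
    for src, dst in sorted(local - peer_mirrored, key=str):
        problems.append(f"local entry {src} -> {dst} has no mirror on the peer")
    for src, dst in sorted(peer_mirrored - local, key=str):
        problems.append(f"peer entry {dst} -> {src} has no mirror locally")
    return problems


if __name__ == "__main__":
    for problem in mirror_mismatches(LOCAL_ACL, PEER_ACL):
        print(problem)
```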

New Member

Re: How to troubleshoot VPN

Hi Jon,

Thanks for the info. I'll try that and come back to you. Just a slight note: I've got about 10 VPNs running on my ASA. Would the debug command crash the ASA? If so, how can I restrict it?

Thanks

Dan

New Member

Re: How to troubleshoot VPN

One other point that came to mind is what is the difference between a debug and a capture on an ASA?

Thanks

Dan

New Member

Re: How to troubleshoot VPN

When I run the debug command I'm not seeing any output at all. Can you point me to what I'm missing?

Thanks

Dan

Hall of Fame Super Blue

Re: How to troubleshoot VPN

Dan

A packet capture simply captures packets going through the ASA. It is not showing you what the ASA is actually doing.

I have enabled those debug commands on PIX 515E firewalls having at least 50 VPNs configured and there was no issue. The debug commands will only show you output when the tunnel is being established. However I cannot guarantee anything in terms of debugging, all I can say is that I have done it with no ill effects.

Obviously make sure you turn off the debugging when you are finished.

Jon
