Cisco Support Community
Community Member

New to Cisco ASA VPN 5020

Hi,

I'm new to Cisco firewalls. Right now I got the additional responsibility for it. We have a Cisco ASA 5020 where we are terminating all the client-to-site as well as site-to-site VPNs. Please let me know some important commands which will help me to troubleshoot any VPN issue that arises. I can find these commands:

  • show crypto ipsec sa
  • show ipsec sa peer <peer IP>
  • show isakmp sa
5 REPLIES
Cisco Employee

New to Cisco ASA VPN 5020

Yes, those 3 commands are a good start in troubleshooting VPN issues.

- show cry isa sa: checks whether Phase 1 is up or not; the status should normally be QM_IDLE, AM_ACTIVE, or MM_ACTIVE.

- show cry ipsec sa: you can check whether the encrypts and decrypts are incrementing or not. If it's encrypting with no decrypts, that means traffic is being sent towards the remote site but there is no reply; and if it's decrypting with no encrypts, that means traffic is received but no reply goes back towards the remote end.

Community Member

New to Cisco ASA VPN 5020

Thanks a lot, Jennifer Halim, for explaining the commands. They will be very useful for me. Are there any other commands you can think of? And what do QM_IDLE, AM_ACTIVE, and MM_ACTIVE mean?

Cisco Employee

New to Cisco ASA VPN 5020

QM_IDLE: Quick Mode IDLE --> Phase 1 is UP

AM_ACTIVE: Aggressive Mode ACTIVE --> Phase 1 is UP

MM_ACTIVE: Main Mode ACTIVE --> Phase 1 is UP

Which of the above statuses you see depends on what version of ASA you are running, but any one of them is a good sign and means you don't have to worry about troubleshooting Phase 1; you can concentrate on troubleshooting Phase 2.

Debug command if Phase 1 is not UP: debug cry isa

Debug command if Phase 2 is not UP: debug cry ipsec
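
A small script that applies the two checks from the replies above (Phase 1 state from `show crypto isakmp sa`, and the encaps/decaps counter comparison from two snapshots of `show crypto ipsec sa`) so the result is mechanical rather than read by eye. This is an added example, not code from the thread or from Cisco; the sample outputs are constructed to resemble the shape of ASA output (peer lines, `State :` fields, `#pkts encaps/decaps` counters) and may differ from what a given ASA version prints, so adjust the regular expressions to your own output.

```python
import re

# Phase 1 states the reply above treats as "UP"; anything else means IKE is
# still negotiating or has failed and "debug cry isa" is the next step.
PHASE1_UP_STATES = {"QM_IDLE", "AM_ACTIVE", "MM_ACTIVE"}

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

# Constructed sample of "show crypto isakmp sa" with one established peer and
# one peer stuck mid-negotiation (addresses are documentation ranges).
SAMPLE_ISAKMP = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# Constructed "show crypto ipsec sa" snapshots taken a few seconds apart:
# encaps grows, decaps does not, i.e. we send but never hear back.
SAMPLE_IPSEC_BEFORE = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
      #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
"""
SAMPLE_IPSEC_AFTER = SAMPLE_IPSEC_BEFORE.replace(
    "#pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000",
    "#pkts encaps: 1250, #pkts encrypt: 1250, #pkts digest: 1250",
)


def phase1_status(isakmp_output):
    """Return {peer: 'up' | 'not up'} by reading each peer's State field."""
    result = {}
    peer = None
    for line in isakmp_output.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            continue
        m = STATE_RE.search(line)
        if m and peer:
            result[peer] = "up" if m.group(1) in PHASE1_UP_STATES else "not up"
    return result


def counters(ipsec_output):
    """Return (encaps, decaps) summed over every SA in the output."""
    enc = sum(int(x) for x in ENCAPS_RE.findall(ipsec_output))
    dec = sum(int(x) for x in DECAPS_RE.findall(ipsec_output))
    return enc, dec


def diagnose(before, after):
    """Apply the reply's rule to the delta between two ipsec sa snapshots."""
    enc0, dec0 = counters(before)
    enc1, dec1 = counters(after)
    d_enc, d_dec = enc1 - enc0, dec1 - dec0
    if d_enc > 0 and d_dec > 0:
        return "bidirectional"
    if d_enc > 0:
        return "encrypt only: traffic sent, no reply from remote"
    if d_dec > 0:
        return "decrypt only: traffic received, no reply sent back"
    return "no traffic"


if __name__ == "__main__":
    for peer, status in phase1_status(SAMPLE_ISAKMP).items():
        print(f"Phase 1 {peer}: {status}")
    print("Phase 2 traffic:", diagnose(SAMPLE_IPSEC_BEFORE, SAMPLE_IPSEC_AFTER))
```

In practice you would paste the real command output in place of the constructed samples (or feed it from a file), take the two `show crypto ipsec sa` snapshots far enough apart for interesting traffic to pass, and only reach for the debug commands once this shows a peer that is "not up" or a one-directional counter.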

Community Member

New to Cisco ASA VPN 5020

Am I right if I say that running the above-mentioned debug commands will result in performance issues on the Cisco ASA?

Cisco Employee

New to Cisco ASA VPN 5020

It depends on how many VPN tunnels there are, but generally it won't cause any performance issue on the ASA at all.
