I'm new to Cisco firewalls. Right now I got the additional responsibility for it. We have a Cisco ASA 5020 where we are terminating all the client-to-site as well as site-to-site VPNs. Please let me know some important commands which will help me troubleshoot any VPN issue that arises. I can find these commands:
Yes, those 3 commands are a good start in troubleshooting VPN issues.
- show cry isa sa: checks whether Phase 1 is up or not; the status should normally be QM_IDLE, AM_ACTIVE, or MM_ACTIVE.
- show cry ipsec sa: you can check whether the encrypts and decrypts are incrementing or not. If it's encrypting with no decrypts, that means traffic is being sent towards the remote site but no reply is coming back; if it's decrypting with no encrypts, that means traffic is received, but no reply is going back towards the remote end.
AM_ACTIVE: Aggressive Mode ACTIVE --> Phase 1 is UP
MM_ACTIVE: Main Mode ACTIVE --> Phase 1 is UP
Which of the above statuses you see depends on what version of ASA you are running, but either one is a good sign and means you don't have to worry about troubleshooting Phase 1; you can concentrate on troubleshooting Phase 2.
Debug command if Phase 1 is not UP: debug cry isa
Debug command if Phase 2 is not UP: debug cry ipsec
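The direction check described in the answer above, as an added example that is not from the original thread: a small Python helper that compares two snapshots of `show crypto ipsec sa` (constructed sample text, not real device output) and classifies each peer as bidirectional, encrypt-only, decrypt-only, or idle, plus a check for an established Phase 1 state in `show crypto isakmp sa` output. The peer address and counters are made up for the example.

```python
import re

# Constructed sample output (not from a real device): two "show crypto ipsec sa"
# snapshots a few seconds apart for one peer. Encaps rises, decaps stays flat.
SNAP_T0 = """\
interface: outside
      current_peer: 198.51.100.1
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 340, #pkts decrypt: 340, #pkts verify: 340
"""
SNAP_T1 = SNAP_T0.replace("encaps: 1200", "encaps: 1260")  # 60 more sent, none received

# Constructed "show crypto isakmp sa" sample showing an established main-mode SA.
ISAKMP_SAMPLE = "1 IKE Peer: 198.51.100.1\n Type : L2L Role : initiator\n Rekey : no State : MM_ACTIVE\n"
PHASE1_UP = {"QM_IDLE", "AM_ACTIVE", "MM_ACTIVE"}

COUNTER_RE = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")

def phase1_up(isakmp_sa_text):
    """True if any IKE SA in the output shows one of the established states."""
    return any(tok in PHASE1_UP for tok in isakmp_sa_text.split())

def parse_ipsec_counters(text):
    """Return {peer: {"encaps": n, "decaps": n}} from show crypto ipsec sa output."""
    counters, peer = {}, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters[peer] = {"encaps": 0, "decaps": 0}
        elif peer is not None:
            m = COUNTER_RE.search(line)
            if m:
                counters[peer][m.group(1)] = int(m.group(2))
    return counters

def diagnose(before, after):
    """Classify each peer by which counters moved between the two snapshots."""
    old = parse_ipsec_counters(before)
    verdict = {}
    for peer, new in parse_ipsec_counters(after).items():
        prev = old.get(peer, {"encaps": 0, "decaps": 0})
        d_enc = new["encaps"] - prev["encaps"]
        d_dec = new["decaps"] - prev["decaps"]
        if d_enc > 0 and d_dec > 0:
            verdict[peer] = "bidirectional"
        elif d_enc > 0:
            verdict[peer] = "encrypt-only: traffic sent, no reply from remote end"
        elif d_dec > 0:
            verdict[peer] = "decrypt-only: traffic received, nothing sent back"
        else:
            verdict[peer] = "idle: no traffic in either direction"
    return verdict
```

Take the two snapshots while test traffic is flowing (for example a sustained ping across the tunnel), otherwise a healthy tunnel will also show as idle.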
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...