(although a bit dated) has pretty clear instructions. However, when he tries to get his phone to connect, it says the remote peer (my ASA) is not responding. He has no clue what his public IP address is so I've been struggling to find a way to troubleshoot from my end to see if his phone is even attempting to connect to my ASA. Since I only have a handful of IPSec tunnels, is there a way to set up a monitor filter in ASDM so that I only see IPSec tunnel traffic? Any other thoughts on how I can at least verify that he's knocking at the door?
Troubleshooting IPSec VPN - Remote peer not responding
This is best done from the CLI.
"show crypto isakmp sa" shows your current or forming VPN tunnels on your ASA. (SAs are Security Associations.) An active working tunnel normally has the state "MM_IDLE". Look for him trying to bring up his tunnel by repeatedly entering that command during his attempts. If you see other states forming and then timing out you likely have a setting mismatch. Those can be debugged by using a couple of commands. Note his public IP from the "show cry isa sa" output and make it a condition for your debug (that will keep you from getting the rather verbose debug output from your other tunnels):
debug cry condition peer <his-public-IP>
debug crypto isakmp 7
debug crypto ipsec 7
Have him try again and examine the log for error conditions. ("show log")
If you never see partially formed SAs during his attempts, then he is not reaching you with the IPSec packets for some reason. Make sure he can ping your outside interface. How is he leaving his network? If he doesn't have a static public IP it may be a problem establishing a VPN with whatever global NAT pool address his network's boundary firewall or router is giving him.
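One way to apply the advice above when the remote user's public IP is unknown, as an added example that is not part of the original thread: parse captured "show crypto isakmp sa" output, list peers that are not among your known tunnel endpoints, and list SAs that have not reached an established state. The sample output is constructed, and its layout, the addresses, the function names and the extra state names beyond MM_IDLE are assumptions.

```python
import re

# Constructed sample; layout assumed to follow ASA IKEv1 "show crypto isakmp sa".
SAMPLE = """\
   Active SA: 1
Total IKE SA: 2

1   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.77
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

# MM_IDLE is the state named in the answer above; the other two are
# assumed additions. Adjust to what your working tunnels actually show.
ESTABLISHED = {"MM_IDLE", "MM_ACTIVE", "AM_ACTIVE"}

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\S+)")

def parse_isakmp_sa(text):
    """Return one dict per SA: peer plus lower-cased fields (type, role, state...)."""
    sas, current = [], None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = {"peer": m.group(1)}
            sas.append(current)
        elif current is not None:  # skip the summary lines before the first peer
            for key, value in FIELD_RE.findall(line):
                current[key.lower()] = value
    return sas

def triage(text, known_peers, established=ESTABLISHED):
    """Return (peers not in known_peers, [(peer, state)] for SAs not established)."""
    unknown, stuck = [], []
    for sa in parse_isakmp_sa(text):
        if sa["peer"] not in known_peers:
            unknown.append(sa["peer"])
        if sa.get("state") not in established:
            stuck.append((sa["peer"], sa.get("state")))
    return unknown, stuck

if __name__ == "__main__":
    unknown, stuck = triage(SAMPLE, known_peers={"198.51.100.20"})
    print("peers not in the known tunnel list:", unknown)
    print("SAs not established:", stuck)
```

An unknown peer that appears only during his connection attempts is the address to use as the debug condition; an empty result during his attempts points to the packets never reaching the outside interface.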