Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Troubleshooting IPSec VPN - Remote peer not responding

I've been working with a partner trying to get an Avaya IP VPN phone to connect to our ASA/network.  This article https://devconnect.avaya.com/public/download/interop/vpnphon_asa.pdf

(although a bit dated) has pretty clear instructions.  However, when he tries to get his phone to connect, it says the remote peer (my ASA) is not responding.  He has no clue what his public IP address is so I've been struggling to find a way to troubleshoot from my end to see if his phone is even attemting to connect to my ASA.  Since I only have a handful of IPSec tunnels, is there a way to setup a monitor filter in ASDM so that I only see IPSec tunnel traffic?  Any other thoughts on how I can at least verify that he's knocking at the door?

Thanks!

1 REPLY
Hall of Fame Super Silver

Troubleshooting IPSec VPN - Remote peer not responding

This is best done from the CLI.

"show crypto isakmp sa" shows your current or forming VPN tunnels on your ASA. (SAs are Security Associations.) An active working tunnel normally has the state "MM_IDLE". Look for him trying to bring up his tunnel by repeatedly entering that command during his attempts. If you see other states forming and then timing out you likely have a setting mismatch. Those can be debugged by using a couple of commands. Note his public IP from the "show cry isa sa" output and make it a condition for your debug (that will keep you from getting the rather verbose debug output from your other tunnels):

debug cry condition peer

debug crypto isakmp 7

debug crypto ipsec 7

Have him try again and examine the log for error conditions. ("show log")

If you never see partially formed SAs during his attempts, then he is not reaching you with the IPSec packets for some reason. Make sure he can ping your outside interface. How is he leaving his network? if he doesn't have a static public IP it may be a problem establishing a VPN with whatever global NAT pool address his network's boundary firewall or router is giving him.

1948
Views
0
Helpful
1
Replies
CreatePlease login to create content