Monitoring and Troubleshooting Site-to-Site IPSec VPNs
Cisco ASA comes with many show commands to check the health and status of IPSec tunnels, and a rich set of debug commands to isolate IPSec-related issues. The excerpts that follow come from show crypto isakmp sa, show crypto ipsec sa, and show crypto accelerator statistics.
show crypto isakmp sa (excerpt)

    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : MD5
    Auth    : preshared       Lifetime: 86400

A Type of L2L with a State of MM_ACTIVE means the Phase 1 (ISAKMP) SA for this LAN-to-LAN tunnel is established. The same output shows the negotiated Phase 1 policy: here AES-256 encryption, MD5 hashing, preshared-key authentication, and an 86400-second lifetime.

show crypto ipsec sa (excerpt)

interface: outside
    Crypto map tag: IPSec_map, local addr: 209.165.200.225
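To turn the show crypto isakmp sa fields above into an automated check, here is an added example (not from the original page and not Cisco code) that parses that output and flags Phase 1 settings a security reviewer would question: MD5 or SHA-1 hashing, DES or 3DES encryption, preshared-key authentication, a lifetime above one day, and any SA that is not in MM_ACTIVE. The sample output is constructed to match the fields shown above (the IKE Peer header line is assumed), and the "weak" thresholds are this example's own policy, not an ASA feature.

```python
"""Parse `show crypto isakmp sa` (ASA IKEv1 format) and flag weak Phase 1 settings.

Added example, not from the original page. The sample output is constructed to
mirror the fields shown in the text (L2L responder, MM_ACTIVE, aes-256, MD5,
preshared, 86400 s). The "weak" thresholds below are this example's own policy.
"""
import re

# Constructed sample: one IKE SA as `show crypto isakmp sa` prints it.
SAMPLE_ISAKMP_SA = """\
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 209.165.201.1
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : MD5
    Auth    : preshared       Lifetime: 86400
"""

# "Label : value" pairs; two pairs share a line, so findall runs per line.
_FIELD_RE = re.compile(r"([A-Za-z]+)\s*:\s*(\S+)")
_PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")

WEAK_HASH = {"md5", "sha"}       # "sha" is SHA-1 on ASA; SHA-2 shows as sha256/384/512
WEAK_ENCRYPT = {"des", "3des"}
MAX_LIFETIME = 86400             # one day: the ASA default and a sensible ceiling


def parse_isakmp_sa(text):
    """Return a list of dicts, one per IKE SA, keyed by lowercased field label."""
    sas = []
    current = None
    for line in text.splitlines():
        m = _PEER_RE.match(line)
        if m:
            current = {"peer": m.group(1)}
            sas.append(current)
            continue
        if current is None:
            continue                 # summary lines before the first SA
        for label, value in _FIELD_RE.findall(line):
            current[label.lower()] = value
    return sas


def weak_settings(sa):
    """Human-readable findings for one parsed SA (empty list means nothing flagged)."""
    findings = []
    if sa.get("hash", "").lower() in WEAK_HASH:
        findings.append(f"hash {sa['hash']} is weak; prefer sha256 or stronger")
    if sa.get("encrypt", "").lower() in WEAK_ENCRYPT:
        findings.append(f"encryption {sa['encrypt']} is weak; prefer aes-256")
    if sa.get("auth", "").lower() == "preshared":
        findings.append("authentication is pre-shared key; certificates resist key guessing better")
    try:
        if int(sa.get("lifetime", 0)) > MAX_LIFETIME:
            findings.append(f"lifetime {sa['lifetime']} s exceeds {MAX_LIFETIME} s")
    except ValueError:
        findings.append(f"unparseable lifetime {sa.get('lifetime')!r}")
    if sa.get("state") != "MM_ACTIVE":
        findings.append(f"state {sa.get('state')} is not MM_ACTIVE (tunnel not fully established)")
    return findings


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_ISAKMP_SA):
        print(sa["peer"], sa["type"], sa["role"], sa["state"])
        for finding in weak_settings(sa):
            print("  -", finding)
```

Run against the constructed output, the parser returns one L2L SA and the check reports exactly two findings, the MD5 hash and the preshared-key authentication; the same function applied to a hypothetical 3DES/SHA-1 SA stuck in MM_WAIT_MSG2 would report three.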
show crypto accelerator statistics (excerpt)

   Max accelerators: 1
   Max crypto throughput: 100 Mbps
   Max crypto connections: 750
[Global Statistics]
   Number of active accelerators: 1
   Number of non-operational accelerators: 0
   Input packets: 14606
   Input bytes: 3364752
   Output packets: 3648
   Output error packets: 0
   Output bytes: 3828341
[Accelerator 0]
   Status: OK
   Software crypto engine
   Slot: 0
   Active time: 286241 seconds
   Total crypto transforms: 7
[Accelerator 1]
   Status: OK
   Boot microcode   : CNlite-MC-Boot-Cisco-1.2
   SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
   IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.03
   Slot: 1
   Active time: 286242 seconds
   Total crypto transforms: 186516
   Total dropped packets: 0
   [Input statistics]
      Input packets: 14606
      Input bytes: 3364752
      Input hashed packets: 13060
      Input hashed bytes: 1165772
      Decrypted packets: 14606
      Decrypted bytes: 2655536
   [Output statistics]
      Output packets: 3648
      Output bad packets: 0
      Output bytes: 3828341
      Output hashed packets: 455
      Output hashed bytes: 61880
During ISAKMP SA negotiation, the Cisco ASA matches the IP address of the VPN peer against its configured tunnel groups. If it finds a match, it displays a "Connection landed on tunnel group" message, as shown in Example 15-34, and continues with the rest of the negotiation (shown as ...). The Cisco ASA displays a "Phase 1 completed" message when the ISAKMP SA has been successfully negotiated.
Example 15-34. Debugs to Show Phase 1 Negotiations Are Completed
[IKEv1]: IP = 209.165.201.1, Connection landed on tunnel_group 209.165.201.1
...
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, PHASE 1 COMPLETED
After completing Phase 1 negotiation, the Cisco ASA maps the remote VPN peer to a static crypto map sequence number and checks the IPSec Phase 2 proposal sent by the remote VPN peer. If the received proxy identities and the IPSec Phase 2 proposal match that crypto map entry on the Cisco ASA, it displays an "IPSec SA proposal transform acceptable" message, as demonstrated in Example 15-35.
Example 15-35. Debugs to Show Proxy Identities and Phase 2 Proposals Are Accepted
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-192.168.30.0--255.255.255.0
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, Received remote IP Proxy Subnet data in ID Payload: Address 192.168.30.0, Mask 255.255.255.0, Protocol 0, Port 0
...
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, Security negotiation complete for LAN-to-LAN Group (209.165.201.1) Responder, Inbound SPI = 0xf798f8e5, Outbound SPI = 0x56029210
The following four scenarios discuss how to troubleshoot common issues with IPSec tunnels. The debug messages shown appear when debug crypto isakmp 127 is enabled on the Cisco ASA.
ISAKMP Proposal Unacceptable
In this scenario, the ISAKMP proposals are mismatched between the two VPN devices. The Cisco ASA displays an "All SA proposals found unacceptable" message after processing the first main mode packet, as shown in Example 15-37.
Example 15-37. Debugs to Show Mismatched ISAKMP Policies
[IKEv1 DEBUG]: IP = 209.165.201.1, processing SA payload
[IKEv1]: IP = 209.165.201.1, IKE DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
[IKEv1 DEBUG]: IP = 209.165.201.1, All SA proposals found unacceptable
Mismatched Preshared Keys
If the preshared key is mismatched between the VPN devices, the Cisco ASA displays an "Error, had problems decrypting packet, probably due to mismatched pre-shared key" message after processing the fourth main mode packet. This is shown in Example 15-38.
Example 15-38. Debugs to Show Mismatched Preshared Keys
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, Received encrypted Oakley Main Mode packet with invalid payloads, MessID = 0
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, Error, had problems decrypting packet, probably due to mismatched pre-shared key.  Aborting
...
The "Static Crypto Map check" debugs that follow show a different, Phase 2 failure: the Cisco ASA walks each sequence of the static crypto map looking for a crypto ACL that matches the proxy identities the peer sent (here source 192.168.30.0, destination 192.168.20.0). A sequence whose ACL does not match is reported with "ACL does not match proxy IDs"; if no sequence matches, Phase 2 fails.
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, Static Crypto Map check, checking map = IPSec_map, seq = 10...
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, Static Crypto Map check, map = IPSec_map, seq = 10, ACL does not match proxy IDs src:192.168.30.0 dst:192.168.20.0
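The milestone and failure messages quoted in Examples 15-34 through 15-38 and the proxy-ID debugs above are easy to miss in a long debug crypto isakmp 127 capture with several peers. Here is an added example (not from the original page and not Cisco code) that re-joins wrapped debug lines, groups them by peer IP, and classifies each peer as tunnel up, Phase 1 policy mismatch, preshared-key mismatch, or proxy-ID mismatch. The match strings are the messages quoted in the text; the diagnosis wording and the sample log (constructed by splicing the quoted lines together, with extra peer addresses so each scenario appears once) are this example's own assumptions.

```python
"""Classify Cisco ASA `debug crypto isakmp 127` (IKEv1) output by peer.

Added example, not from the original page or from Cisco. The match strings are
the messages quoted in the text; the diagnosis strings and the sample log are
this example's own (the log is constructed from the quoted lines, with
additional peer addresses 209.165.201.2-4 so that each scenario appears once).
"""
import re

# Constructed sample log. Long debug lines are wrapped as the text shows them,
# so the classifier must re-join continuation lines before matching.
SAMPLE_DEBUG = """\
[IKEv1]: IP = 209.165.201.1, Connection landed on tunnel_group 209.165.201.1
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, PHASE 1 COMPLETED
[IKEv1 DECODE]: ID_IPV4_ADDR_SUBNET ID received-192.168.30.0--255.255.255.0
[IKEv1]: Group = 209.165.201.1, IP = 209.165.201.1, Security negotiation complete
for LAN-to-LAN Group (209.165.201.1) Responder, Inbound SPI = 0xf798f8e5,
Outbound SPI = 0x56029210
[IKEv1 DEBUG]: IP = 209.165.201.2, processing SA payload
[IKEv1 DEBUG]: IP = 209.165.201.2, All SA proposals found unacceptable
[IKEv1]: Group = 209.165.201.3, IP = 209.165.201.3, Error, had problems decrypting
packet, probably due to mismatched pre-shared key.  Aborting
[IKEv1]: Group = 209.165.201.4, IP = 209.165.201.4, Static Crypto Map check,
checking map = IPSec_map, seq = 10...
[IKEv1]: Group = 209.165.201.4, IP = 209.165.201.4, Static Crypto Map check, map =
IPSec_map, seq = 10, ACL does not match proxy IDs src:192.168.30.0 dst:192.168.20.0
"""

# Each pattern is a message quoted in the text; captured groups carry the detail
# worth keeping (tunnel group, SPIs, proxy IDs).
PATTERNS = {
    "tunnel_group_match": re.compile(r"Connection landed on tunnel_group (\S+)"),
    "phase1_complete": re.compile(r"PHASE 1 COMPLETED"),
    "phase2_complete": re.compile(
        r"Security negotiation complete .*Inbound SPI = (0x[0-9a-fA-F]+), "
        r"Outbound SPI = (0x[0-9a-fA-F]+)"),
    "isakmp_proposal_mismatch": re.compile(r"All SA proposals found unacceptable"),
    "psk_mismatch": re.compile(r"probably due to mismatched pre-shared key"),
    "proxy_id_mismatch": re.compile(r"ACL does not match proxy IDs src:(\S+) dst:(\S+)"),
}
_PEER_RE = re.compile(r"IP = (\d+\.\d+\.\d+\.\d+)")

# Diagnosis text is this example's own; the latest event for a peer wins.
DIAGNOSIS = {
    "tunnel_group_match": "Phase 1 in progress (tunnel group matched)",
    "phase1_complete": "Phase 1 up, Phase 2 pending",
    "phase2_complete": "tunnel up",
    "isakmp_proposal_mismatch": "Phase 1 policy mismatch: compare ISAKMP policies on both peers",
    "psk_mismatch": "Phase 1 authentication failure: pre-shared keys differ",
    "proxy_id_mismatch": "Phase 2 selector mismatch: no crypto ACL mirrors the peer's proxy IDs",
}


def join_wrapped(text):
    """Re-join wrapped debug lines: a continuation is any line not starting with '['."""
    joined = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("[") or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line.strip()
    return joined


def classify_debug(text):
    """Return {peer_ip: {"events": [(name, *details), ...], "diagnosis": str}}.

    Peers whose lines match no known message are omitted, so the result only
    contains peers the classifier can say something about."""
    result = {}
    for line in join_wrapped(text):
        pm = _PEER_RE.search(line)
        peer = pm.group(1) if pm else "unknown"
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            entry = result.setdefault(peer, {"events": [], "diagnosis": "in progress"})
            entry["events"].append((name,) + m.groups())
            entry["diagnosis"] = DIAGNOSIS[name]
    return result


if __name__ == "__main__":
    for peer, info in classify_debug(SAMPLE_DEBUG).items():
        print(peer, "->", info["diagnosis"])
        for event in info["events"]:
            print("   ", event)
```

Against the constructed log, 209.165.201.1 ends at "tunnel up" with the two SPIs captured, while the other three peers are each assigned the failure scenario their single diagnostic line indicates. Lines with no peer address and no known message (the ID_IPV4_ADDR_SUBNET decode) are ignored rather than attributed to a phantom "unknown" peer.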