Basic Cisco ASA Troubleshooting

These are some good commands you can use to help troubleshoot new VPN tunnels.

#VPN Phases:
Verify Phase 1:

show crypto isakmp sa detail | be {Peer IP}

Verify Phase 2:

show crypto ipsec sa peer {Peer IP}

#Verify Phase 1 & 2 Parameters:

show vpn-sessiondb detail l2l filter ipaddress {Peer IP}

#Debug IKE/IPsec for v1 and v2:
v1:

debug crypto condition peer 107.180.50.236
debug crypto ikev1 127
debug crypto ipsec 127

v2:

debug crypto condition peer 107.180.50.236
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127

NOTE:
I’m specifically looking for a peer in the first command. This way you only see debugs for that peer.

#Verify Tunnel is up:
v1:

show crypto ikev1 sa

v2:

show crypto ikev2 sa

#Verify traffic is flowing with the peer IP Address from the above command:

show crypto ipsec sa peer {PEER_IP_ADDRESS}

Look at "pkts encaps", "pkts encrypt", "pkts decaps", and "pkts decrypt".
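As an added example (not from the original post), a small Python check that reads those counter lines out of the `show crypto ipsec sa peer` output and interprets them the way you would by eye: encaps climbing while decaps stays at zero means we are sending but nothing from the peer ever comes back. The sample output below is constructed.

```python
import re

# Constructed sample of the counter lines from "show crypto ipsec sa peer {Peer IP}":
# this SA encrypts and sends packets but has never received any back.
SAMPLE = """\
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def parse_counters(text):
    """Return a dict such as {"encaps": 120, "encrypt": 120, "decaps": 0, ...}."""
    return {name: int(val) for name, val in re.findall(r"#pkts (\w+): (\d+)", text)}

def diagnose(counters):
    """Classify the SA from its encaps/decaps counters, as a troubleshooter reads them."""
    sent = counters.get("encaps", 0)
    received = counters.get("decaps", 0)
    if sent == 0 and received == 0:
        return "no traffic: nothing is matching the crypto ACL on either side"
    if sent > 0 and received == 0:
        return "one-way: we encapsulate but never decapsulate, check the remote side and return path"
    if sent == 0 and received > 0:
        return "one-way: the peer sends but our interesting traffic never reaches the crypto map"
    return "bidirectional: traffic is flowing in both directions"
```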

#Run a Capture or a Trace:
Packet Capture:
There are two ways to help troubleshoot packet drops on an ASA: one is to run a capture and the other is to run a trace.

Use the Inside interface for a capture:

capture CORDERO interface INSIDE match ip any host 8.8.8.8
capture CORDERO interface INSIDE match ip host 8.8.8.8 any
show capture CORDERO

Use the Outside interface:

capture CORDERO interface OUTSIDE match ip any host 8.8.8.8
capture CORDERO interface OUTSIDE match ip host 8.8.8.8 any
show capture CORDERO

Flags are some combination of:
S (SYN)
F (FIN)
P (PUSH)
R (RST)
W (ECN CWR)
E (ECN-Echo)
single '.' (no flags)

There are times where you will need to run a capture on the "Accelerated Security Path". Below shows what the ASP entails:

The Session Management Path
Performing the ACL checks
Performing route lookups
Building NAT / XLAT Translations
Establishing sessions for the Fast Path

The Fast Path
Performing IP checksums
Performing session lookup
Performing TCP sequence number checks
Using NAT / XLAT translations based on existing Session Management
Performing Layer 3, and Layer 4 header checks

The Control Plane Path
Layer 7 packet inspection
Dynamic port inspection

Running an ASP Capture:

clear cap /all   :clear all captures
capture asp type asp-drop all circular-buffer :run a capture on ALL asp options
sh cap asp | in {ipaddress}.{port}

You can read more about it here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html

Packet Tracer
Run packet tracer to see where packets are getting dropped:

Syntax:
packet-tracer input ifc_name tcp [SRC_HOST] [SRC_PORT] [DST_HOST] [DST_PORT]

For example, below we are looking at RDP traffic.

TPA-FW-A# packet-tracer input INSIDE tcp 172.16.1.5 1024 4.2.2.2 5589

!!! output truncated
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP                                            <---- ASA Dropped the traffic
Config:
access-group INSIDE_IN in interface INSIDE
access-list INSIDE_IN extended deny ip any4 any4 log    <---- This rule denied the traffic
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule   <----
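Reading packet-tracer output by hand is fine for one flow; when you are checking many flows it helps to pull out the dropping phase automatically. The following Python parser is an added example, not code from the original post: it splits the output into its blank-line-separated phases, finds the first phase whose Result is DROP, and pairs it with the config line and the Drop-reason from the summary block. The sample is the output quoted above (annotations removed) with a constructed ALLOW phase placed in front of it.

```python
# Constructed sample: a made-up ALLOW phase followed by the ACCESS-LIST drop
# and the summary block quoted above (the "<----" annotations removed).
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group INSIDE_IN in interface INSIDE
access-list INSIDE_IN extended deny ip any4 any4 log
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): one dict per blank-line-separated phase block."""
    phases, summary = [], {}
    for block in text.strip().split("\n\n"):
        fields, config, section = {}, [], None
        for line in block.splitlines():
            if line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"          # free text, not needed for the verdict
            elif section == "config":
                config.append(line.strip())
            elif section is None:         # "Key: value" header lines
                key, _, val = line.partition(":")
                fields[key.strip()] = val.strip()
        if "Phase" in fields:
            phases.append({"phase": int(fields["Phase"]), "type": fields.get("Type", ""),
                           "result": fields.get("Result", ""), "config": config})
        else:
            summary.update(fields)        # the trailing Result/Action/Drop-reason block
    return phases, summary

def find_drop(text):
    """Return the first phase whose Result is DROP, with the ASA's drop reason, or None."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p["result"].upper() == "DROP":
            return dict(p, drop_reason=summary.get("Drop-reason", ""))
    return None
```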

Quick view commands:
sh cry ipsec sa peer 52.87.81.84
sh vpn-sessiondb detail l2l filter name 52.87.81.84

#Verify what Policy is being used:
"show service-policy" is a great tool to see which policy is applied to any given flow.

CORDERO-ASA1# show service-policy flow tcp host 192.168.5.100 host 10.100.20.50 eq 80

Global policy:
 Service-policy: global_policy
   Class-map: web-class
    Match: access-list WEB_TRAFFIC_ACL
     Access rule: permit tcp any any eq www
    Action:
      Input flow: inspect http
   Class-map: class-default
   Match: any
   Action:

#Look at the ACTIVE ASA Connections
"show connection" is a great troubleshooting command that displays the ACTIVE ASA connection table. All traffic that passes through the ASA creates a connection.

Quick Reference:
UIO = Outbound Connection
UIOB = Inbound Connection


Flags:
A – awaiting inside ACK to SYN,
a – awaiting outside ACK to SYN,
B – initial SYN from outside,
b – TCP state-bypass or nailed,
C – CTIQBE media,
D – DNS, d – dump,
E – outside back connection,
F – outside FIN,
f – inside FIN,
G – group,
g – MGCP,
H – H.323,
h – H.225.0,
I – inbound data,
i – incomplete,
J – GTP,
j – GTP data,
K – GTP t3-response,
k – Skinny media,
M – SMTP data,
m – SIP media,
n – GUP,
O – outbound data,
P – inside back connection,
p – Phone-proxy TFTP connection,
q – SQL*Net data,
R – outside acknowledged FIN,
R – UDP SUNRPC,
r – inside acknowledged FIN,
S – awaiting inside SYN,
s – awaiting outside SYN,
T – SIP,
t – SIP transient,
U – up,
V – VPN orphan,
W – WAAS,
X – inspected by service module

Examples:
INBOUND CONNECTION:

TCP Outside:172.30.200.24/50323 inside:172.16.200.1/6061,
    flags UIOB, idle 27s, uptime 1D5h, timeout 1h0m, bytes 20155

U = the connection UP
I = there’s INBOUND data
O = there’s OUTBOUND data
B = initiated from the outside

OUTBOUND CONNECTION:

TCP outside:10.255.6.22/1433 inside:172.16.200.10/51033,
    flags UIO, idle 24s, uptime 5m25s, timeout 1h0m, bytes 1982

U = the connection UP
I = there’s INBOUND data
O = there’s OUTBOUND data

INCOMPLETE:

TCP Outside:172.30.200.24/57630 inside:10.65.10.100/0,
    flags Ti, idle 5m49s, uptime 5m49s, timeout -, bytes 0

T = this is SIP traffic
i = incomplete
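The three entries above decode by hand easily enough; the Python below is an added example (not from the original post) that does the same for a whole "show conn" listing: it re-joins the wrapped second line, parses the interfaces, addresses, ports and counters, converts the ASA durations ("1D5h", "5m25s") to seconds, and classifies each entry as inbound, outbound or incomplete from its flags. The flag table is the subset of the reference list above that the examples use.

```python
import re

# Flag meanings taken from the reference list above (only the letters the examples use).
FLAGS = {"U": "up", "I": "inbound data", "O": "outbound data",
         "B": "initial SYN from outside", "T": "SIP", "i": "incomplete"}
UNITS = {"D": 86400, "h": 3600, "m": 60, "s": 1}

CONN_RE = re.compile(
    r"(?P<proto>\w+)\s+(?P<out_ifc>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+)\s+"
    r"(?P<in_ifc>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+),\s*flags\s+(?P<flags>\S+),"
    r"\s*idle\s+(?P<idle>\S+),\s*uptime\s+(?P<uptime>\S+),\s*timeout\s+(?P<timeout>\S+),"
    r"\s*bytes\s+(?P<bytes>\d+)")

def to_seconds(value):
    """Convert an ASA duration such as '1D5h', '5m25s' or '27s' to seconds ('-' gives None)."""
    parts = re.findall(r"(\d+)([Dhms])", value)
    return sum(int(n) * UNITS[u] for n, u in parts) if parts else None

def parse_conn(entry):
    """Parse one (possibly wrapped) 'show conn' entry and decode its flags and direction."""
    m = CONN_RE.search(" ".join(entry.split()))      # re-join the wrapped second line
    if not m:
        return None
    conn = m.groupdict()
    conn["bytes"] = int(conn["bytes"])
    conn["idle_s"], conn["uptime_s"] = to_seconds(conn["idle"]), to_seconds(conn["uptime"])
    conn["meanings"] = [FLAGS.get(f, "?" + f) for f in conn["flags"]]
    if "i" in conn["flags"]:
        conn["direction"] = "incomplete"     # handshake never completed (flag i)
    elif "B" in conn["flags"]:
        conn["direction"] = "inbound"        # initial SYN came from the outside (flag B)
    else:
        conn["direction"] = "outbound"
    return conn

# The three example entries quoted above, copied verbatim including the wrapped line.
INBOUND = "TCP Outside:172.30.200.24/50323 inside:172.16.200.1/6061,\n    flags UIOB, idle 27s, uptime 1D5h, timeout 1h0m, bytes 20155"
OUTBOUND = "TCP outside:10.255.6.22/1433 inside:172.16.200.10/51033,\n    flags UIO, idle 24s, uptime 5m25s, timeout 1h0m, bytes 1982"
INCOMPLETE = "TCP Outside:172.30.200.24/57630 inside:10.65.10.100/0,\n    flags Ti, idle 5m49s, uptime 5m49s, timeout -, bytes 0"
```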

#Look at the order of your NATs

NATs on the ASA are matched on a first-match basis (top to bottom).

Order of operation:
Manual NAT Policies > Auto NAT Policies > Manual NAT [after auto] Policies

For Auto NAT Policies, below is the order:
1. Static NAT – Longest Prefix > Shortest Prefix
2. Dynamic NAT – Longest Prefix > Shortest Prefix

 show run nat
 show nat

#Look at the order of your ikev1 policies, since the ASA evaluates them in order:
sh run crypto ikev1

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

sh run crypto ikev2

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400

#Verify the Lifetimes
The above command shows the configured lifetimes, but you should check what the tunnel is actually using with the "detail" option.

show isakmp sa detail
show crypto ikev1 sa detail

1   IKE Peer: 139.177.229.3
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 
    Encrypt : aes-256         Hash    : SHA       
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 1873
2   IKE Peer: 72.32.69.25
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE 
    Encrypt : aes-256         Hash    : SHA       
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 11931

#Default values to keep in mind. When using the CLI, remember to add "all" to the commands:
*The idle-timeout is 30 minutes
sh run all group-policy

group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1

sh run all | inc ipsec security-association

crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

sh run all tunnel-group

isakmp keepalive threshold 10 retry 2

To disable the DPD shown above, you have to disable it on the specific tunnel group:

tunnel-group {Tunnel-Group Name} ipsec-attributes
 isakmp keepalive disable