These are some useful commands to help troubleshoot new VPN tunnels on a Cisco ASA.
#VPN Phases:
Verify Phase 1 (the IKE SA):
show crypto isakmp sa detail | be {Peer IP}
("| be" is short for "| begin": the output starts at the first line that mentions the peer IP.)
Verify Phase 2 (the IPsec SAs):
show crypto ipsec sa peer {Peer IP}
#Verify Phase 1 & 2 Parameters:
show vpn-sessiondb detail l2l filter ipaddress {Peer IP}
#Debug IKE/IPsec for v1 and v2:
v1:
debug crypto condition peer 107.180.50.236
debug crypto ikev1 127
debug crypto ipsec 127
v2:
debug crypto condition peer 107.180.50.236
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
NOTE:
The first command sets a debug condition for one specific peer, so you only see debugs for that peer instead of every tunnel on the box. Level 127 is very verbose; turn the debugs off with "undebug all" when you are done.
#Verify Tunnel is up:
v1:
show crypto ikev1 sa
v2:
show crypto ikev2 sa
#Verify traffic is flowing with the peer IP Address from the above command:
show crypto ipsec sa peer {PEER_IP_ADDRESS}
Look at "pkts encaps", "pkts encrypt", "pkts decaps", and "pkts decrypt". Run the command twice a few seconds apart: encaps/encrypt should climb as you send traffic into the tunnel, and decaps/decrypt as the peer sends traffic back. If only one pair moves, the tunnel is up but traffic is flowing one way.
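The check above automated: take two snapshots of "show crypto ipsec sa peer" and diff the four counters instead of eyeballing them. This is an added example, not from the original page; the snapshot text is constructed to follow the ASA's counter layout, and the peer, addresses and counts are made up.

```python
"""Spot one-way IPsec traffic from two snapshots of
'show crypto ipsec sa peer <ip>' output on an ASA."""
import re

# The four counters the page says to watch, e.g. "#pkts encaps: 1200,"
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")
WATCHED = ("encaps", "encrypt", "decaps", "decrypt")

# Constructed snapshot (peer, addresses and counts are made up) modelled on
# the ASA's "show crypto ipsec sa peer" output.
SNAPSHOT_T0 = """\
peer address: 52.87.81.84
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.10

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
      current_peer: 52.87.81.84

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 300, #pkts decrypt: 300, #pkts verify: 300
      #send errors: 0, #recv errors: 0
"""

# Same peer a minute later: only the outbound counters moved (constructed).
SNAPSHOT_T1 = (SNAPSHOT_T0.replace("encaps: 1200", "encaps: 1260")
                          .replace("encrypt: 1200", "encrypt: 1260"))


def parse_counters(text):
    """Return the watched counters, summed across every SA to this peer
    (a peer can have several crypto-map entries, each with its own SA pair)."""
    totals = dict.fromkeys(WATCHED, 0)
    seen = set()
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
        seen.add(name)
    missing = set(WATCHED) - seen
    if missing:
        raise ValueError(f"counters {sorted(missing)} not found; is there an SA for this peer?")
    return totals


HINTS = {
    "bidirectional": "traffic is flowing both ways through the tunnel",
    "no-traffic": "nothing entered the tunnel either way; check interesting-traffic ACLs and routing on both ends",
    "one-way-outbound": "we encrypt and send but never decrypt a reply; the remote side is not sending, or its return traffic is not hitting its crypto ACL",
    "one-way-inbound": "we decrypt the peer's traffic but never encrypt a reply; check the local route/NAT/ACL for the return path with packet-tracer",
    "sa-reset": "counters went backwards, so the SA was rebuilt between snapshots; take two fresh samples",
}


def diagnose(before, after):
    """Classify the tunnel from the counter deltas between two snapshots.
    Deltas matter more than absolute values: a stale SA can carry large
    counters from hours ago while nothing flows right now."""
    delta = {k: after[k] - before[k] for k in WATCHED}
    if any(v < 0 for v in delta.values()):
        verdict = "sa-reset"
    elif delta["encaps"] == 0 and delta["decaps"] == 0:
        verdict = "no-traffic"
    elif delta["decaps"] == 0:
        verdict = "one-way-outbound"
    elif delta["encaps"] == 0:
        verdict = "one-way-inbound"
    else:
        verdict = "bidirectional"
    return verdict, delta


if __name__ == "__main__":
    verdict, delta = diagnose(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1))
    print(verdict, delta)
    print(HINTS[verdict])
```

Feed it the real output from two runs of the command (paste, or pull it over SSH with whatever automation you already use); the verdict is the same triage you would do by hand from the four counters.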
#Run a Capture or a Trace:
Packet Capture:
There are two ways to help troubleshoot packet drops on an ASA: run a capture, or run a trace. (CORDERO below is just the capture name, and 8.8.8.8 stands in for the host you are chasing.)
Use the Inside interface for a capture:
capture CORDERO interface INSIDE match ip any host 8.8.8.8
capture CORDERO interface INSIDE match ip host 8.8.8.8 any
show capture CORDERO
Use the Outside interface:
capture CORDERO interface OUTSIDE match ip any host 8.8.8.8
capture CORDERO interface OUTSIDE match ip host 8.8.8.8 any
show capture CORDERO
The TCP flags in the capture output are some combination of:
S (SYN)
F (FIN)
P (PUSH)
R (RST)
W (ECN CWR)
E (ECN-Echo)
a single "." (no flags)
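Where the two captures earn their keep is comparing them: if a SYN shows up on INSIDE but never on OUTSIDE, the ASA ate it; if it leaves OUTSIDE and nothing comes back, the problem is beyond the firewall. The script below does that comparison from "show capture" text. It is an added example, not from the original page; the capture lines are constructed to follow the ASA's tcpdump-style format, and it assumes the flow is not NATed between the two interfaces (with NAT you would key on the translated address from "show xlate" instead).

```python
"""Compare INSIDE and OUTSIDE 'show capture' output to see where a TCP
handshake stops. Sample captures below are constructed, not real."""
import re
from collections import defaultdict

# One ASA capture line, e.g.
# "   1: 10:05:01.118823       192.168.5.100.51234 > 10.100.20.50.3389: S 1849301:1849301(0) win 64240 <mss 1460>"
PKT_RE = re.compile(
    r"^\s*\d+:\s+[\d:.]+\s+"                    # packet number and timestamp
    r"(?:802\.1Q\s+\S+\s+\S+\s+)?"              # optional VLAN tag info
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRWE.]+)(?P<rest>.*)$"
)

# Constructed INSIDE capture: flow :51234 retransmits its SYN with no answer,
# flow :51300 completes a handshake, flow :51400 sends a single SYN.
INSIDE_CAP = """\
6 packets captured

   1: 10:05:01.118823       192.168.5.100.51234 > 10.100.20.50.3389: S 1849301:1849301(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 10:05:04.121004       192.168.5.100.51234 > 10.100.20.50.3389: S 1849301:1849301(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   3: 10:05:05.000211       192.168.5.100.51300 > 10.100.20.50.445: S 500:500(0) win 64240 <mss 1460>
   4: 10:05:05.001009       10.100.20.50.445 > 192.168.5.100.51300: S 900:900(0) ack 501 win 65535 <mss 1380>
   5: 10:05:05.001533       192.168.5.100.51300 > 10.100.20.50.445: . ack 901 win 1026
   6: 10:05:06.200000       192.168.5.100.51400 > 10.100.20.50.22: S 700:700(0) win 64240 <mss 1460>
6 packets shown
"""

# Constructed OUTSIDE capture: the :51234 SYNs leave but nothing returns,
# :51300 is complete, and the :51400 SYN never appears at all.
OUTSIDE_CAP = """\
5 packets captured

   1: 10:05:01.118901       192.168.5.100.51234 > 10.100.20.50.3389: S 1849301:1849301(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   2: 10:05:04.121088       192.168.5.100.51234 > 10.100.20.50.3389: S 1849301:1849301(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
   3: 10:05:05.000290       192.168.5.100.51300 > 10.100.20.50.445: S 500:500(0) win 64240 <mss 1460>
   4: 10:05:05.000930       10.100.20.50.445 > 192.168.5.100.51300: S 900:900(0) ack 501 win 65535 <mss 1380>
   5: 10:05:05.001610       192.168.5.100.51300 > 10.100.20.50.445: . ack 901 win 1026
5 packets shown
"""


def parse_capture(text):
    """Turn 'show capture' lines into dicts; header/footer lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            pkts.append({
                "src": (m["src"], int(m["sport"])),
                "dst": (m["dst"], int(m["dport"])),
                "flags": set(m["flags"]) - {"."},
                "ack": " ack " in m["rest"],
            })
    return pkts


def handshake_events(pkts):
    """Map (client, server) -> set of handshake events seen on one interface."""
    flows = defaultdict(set)
    for p in pkts:
        if "S" in p["flags"] and not p["ack"]:        # client SYN
            flows[(p["src"], p["dst"])].add("syn")
        elif "S" in p["flags"]:                       # server SYN/ACK
            flows[(p["dst"], p["src"])].add("synack")
        else:
            key = (p["src"], p["dst"])
            if key not in flows:
                key = (p["dst"], p["src"])
            if key in flows:                          # skip mid-stream packets of flows we never saw start
                flows[key].add("rst" if "R" in p["flags"] else "ack")
    return flows


VERDICTS = {
    "dropped-outbound": "SYN seen INSIDE but never on OUTSIDE: the ASA dropped it (packet-tracer / asp-drop capture)",
    "no-upstream-reply": "SYN left OUTSIDE and nothing came back: the problem is beyond the ASA",
    "dropped-return": "SYN/ACK arrived on OUTSIDE but never reached INSIDE: the ASA dropped the return packet",
    "reset": "the handshake was answered with a RST",
    "passed": "handshake completed on both interfaces; the ASA is not the problem",
    "inconclusive": "not enough of the handshake captured; widen the match or re-run",
}


def locate_problem(inside_text, outside_text):
    """For every flow seen on either interface, say where the handshake stalled."""
    ins = handshake_events(parse_capture(inside_text))
    outs = handshake_events(parse_capture(outside_text))
    findings = {}
    for flow in ins.keys() | outs.keys():
        i, o = ins.get(flow, set()), outs.get(flow, set())
        if "rst" in i | o:
            verdict = "reset"
        elif "syn" in i and "syn" not in o:
            verdict = "dropped-outbound"
        elif "syn" in o and "synack" not in o:
            verdict = "no-upstream-reply"
        elif "synack" in o and "synack" not in i:
            verdict = "dropped-return"
        elif "synack" in i and "ack" in i:
            verdict = "passed"
        else:
            verdict = "inconclusive"
        findings[flow] = verdict
    return findings


if __name__ == "__main__":
    for (client, server), verdict in sorted(locate_problem(INSIDE_CAP, OUTSIDE_CAP).items()):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}: {VERDICTS[verdict]}")
```

The "dropped-outbound" verdict is the one that sends you to the ASP capture and packet-tracer sections below; "no-upstream-reply" means stop blaming the firewall.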
There are times where you will need to run a capture on the "Accelerated Security Path" (ASP), which is where the ASA drops packets internally. The ASP is made up of:
The Session Management Path
  Performing the ACL checks
  Performing route lookups
  Building NAT / XLAT translations
  Establishing sessions for the Fast Path
The Fast Path
  Performing IP checksums
  Performing session lookup
  Performing TCP sequence number checks
  Using NAT / XLAT translations based on existing Session Management
  Performing Layer 3 and Layer 4 header checks
The Control Plane Path
  Layer 7 packet inspection
  Dynamic port inspection
Running an ASP Capture:
clear cap /all                                   : clear all captures
capture asp type asp-drop all circular-buffer    : capture every asp-drop reason into a circular buffer
sh cap asp | in {ipaddress}.{port}               : pick out the dropped packets for the host/port you care about (each shows its Drop-reason)
You can read more about the drop reasons (and the "show asp drop" counters) here:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/show_asp_drop/show_asp_drop.html
Packet Tracer
Run packet-tracer to see where packets are getting dropped. It walks a synthetic packet through every phase (route lookup, ACL, NAT, inspection, ...) and reports the first phase that drops it:
Syntax:
packet-tracer input ifc_name tcp [SRC_HOST] [SRC_PORT] [DST_HOST] [DST_PORT]
For example, below we trace a session from an inside host to 4.2.2.2 on TCP 5589 (an RDP session in this case). Phase 2 is where it dies:
TPA-FW-A# packet-tracer input INSIDE tcp 172.16.1.5 1024 4.2.2.2 5589
!!! output truncated

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP                                            <---- ASA dropped the traffic
Config:
access-group INSIDE_IN in interface INSIDE
access-list INSIDE_IN extended deny ip any4 any4 log   <---- This rule denied the traffic
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule   <----
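When you are running packet-tracer for a list of flows rather than one, it helps to pull out just the dropping phase and the rule behind it. The parser below does that; it is an added example, not from the original page. The trace text is constructed after the page's trace (same interfaces, rule names and drop reason) with a made-up route-lookup phase in front of it, not output from a real device.

```python
"""Find the dropping phase and the responsible rule in packet-tracer output."""
import re

# Constructed packet-tracer output modelled on the page's RDP trace.
TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc  OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group INSIDE_IN in interface INSIDE
access-list INSIDE_IN extended deny ip any4 any4 log
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def split_summary(text):
    """Separate the per-phase section from the trailing 'Result:' summary
    (the summary's 'Result:' line has no value, unlike 'Result: DROP')."""
    m = re.search(r"(?m)^Result:\s*$", text)
    return (text[:m.start()], text[m.end():]) if m else (text, "")


def parse_phases(body):
    """Return one dict per 'Phase:' block with its type, result, config and info lines."""
    phases = []
    for block in re.split(r"(?m)^Phase:\s*", body)[1:]:
        lines = block.splitlines()
        phase = {"phase": int(lines[0].strip()), "type": "", "subtype": "",
                 "result": "", "config": [], "info": []}
        bucket = None                                  # None until Config:/Additional Information:
        for line in lines[1:]:
            if line.startswith("Config:"):
                bucket = "config"
            elif line.startswith("Additional Information:"):
                bucket = "info"
            elif bucket is None and ": " in line:      # Type: / Subtype: / Result:
                key, _, value = line.partition(": ")
                phase[key.lower()] = value.strip()
            elif bucket and line.strip():
                phase[bucket].append(line.strip())
        phases.append(phase)
    return phases


def find_drop(text):
    """Return the first DROP phase plus the summary action and drop reason,
    or None when the trace allowed the packet."""
    body, summary = split_summary(text)
    action = re.search(r"Action:\s*(\S+)", summary)
    reason = re.search(r"Drop-reason:\s*(.+)", summary)
    for phase in parse_phases(body):
        if phase["result"] == "DROP":
            return {
                "action": action.group(1) if action else None,
                "phase": phase["phase"],
                "type": phase["type"],
                "rule": phase["config"],              # the config lines the page arrows at
                "drop_reason": reason.group(1).strip() if reason else None,
            }
    return None


if __name__ == "__main__":
    hit = find_drop(TRACE)
    print(f"phase {hit['phase']} {hit['type']}: {hit['drop_reason']}")
    for line in hit["rule"]:
        print("  " + line)
```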
Quick view commands:
sh cry ipsec sa peer 52.87.81.84
sh vpn-sessiondb detail l2l filter name 52.87.81.84
("filter name" matches the tunnel-group name, which for a site-to-site tunnel is normally the peer IP, so this shows the same session as "filter ipaddress".)
#Verify what Policy is being used:
"show service-policy flow" is a great tool to see which policy (and which inspection) applies to a given flow:
CORDERO-ASA1# show service-policy flow tcp host 192.168.5.100 host 10.100.20.50 eq 80

Global policy:
  Service-policy: global_policy
    Class-map: web-class
      Match: access-list WEB_TRAFFIC_ACL
        Access rule: permit tcp any any eq www
      Action:
        Input flow:  inspect http
    Class-map: class-default
      Match: any
      Action:
#Look at the ACTIVE ASA Connections
"show conn" is a great troubleshooting command: it displays the ACTIVE ASA connection table. The ASA is stateful, so all traffic that passes through it creates a connection; a flow with no entry here was never built, which usually means its first packet was dropped or never arrived.
Quick Reference:
UIO  = Outbound Connection
UIOB = Inbound Connection
Flags:
A – awaiting inside ACK to SYN
a – awaiting outside ACK to SYN
B – initial SYN from outside
b – TCP state-bypass or nailed
C – CTIQBE media
D – DNS
d – dump
E – outside back connection
F – outside FIN
f – inside FIN
G – group
g – MGCP
H – H.323
h – H.225.0
I – inbound data
i – incomplete
J – GTP
j – GTP data
K – GTP t3-response
k – Skinny media
M – SMTP data
m – SIP media
n – GUP
O – outbound data
P – inside back connection
p – Phone-proxy TFTP connection
q – SQL*Net data
R – outside acknowledged FIN
R – UDP SUNRPC
r – inside acknowledged FIN
S – awaiting inside SYN
s – awaiting outside SYN
T – SIP
t – SIP transient
U – up
V – VPN orphan
W – WAAS
X – inspected by service module
Examples:
INBOUND CONNECTION:
TCP Outside:172.30.200.24/50323 inside:172.16.200.1/6061, flags UIOB, idle 27s, uptime 1D5h, timeout 1h0m, bytes 20155
U = the connection UP
I = there’s INBOUND data
O = there’s OUTBOUND data
B = initiated from the outside
OUTBOUND CONNECTION:
TCP outside:10.255.6.22/1433 inside:172.16.200.10/51033, flags UIO, idle 24s, uptime 5m25s, timeout 1h0m, bytes 1982
U = the connection UP
I = there’s INBOUND data
O = there’s OUTBOUND data
INCOMPLETE:
TCP Outside:172.30.200.24/57630 inside:10.65.10.100/0, flags Ti, idle 5m49s, uptime 5m49s, timeout -, bytes 0
T = this is SIP traffic
i = incomplete
#Look at the order of your NATs
NATs on the ASA are first match, top to bottom, walked in this order:
Manual NAT (Section 1) > Auto NAT (Section 2) > Manual NAT after-auto (Section 3)
Within Auto NAT the order is:
1. Static NAT – longest (most specific) prefix first
2. Dynamic NAT – longest (most specific) prefix first
A broad manual rule in Section 1 therefore shadows a more specific Auto NAT rule for the same addresses. Check the configured rules and the order the ASA actually evaluates them:
show run nat
show nat
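To see why a flow hits an unexpected rule, it helps to model the ordering above and ask which rule a given source address would match. The script below is an added example, not from the original page: the rule set is constructed, and it implements only the simplified ordering described above (section, then static before dynamic, then longest prefix, matching on the real source only), not the full ASA NAT engine.

```python
"""Walk a NAT rule set the way the ASA does (section 1 -> 2 -> 3, Auto NAT
static before dynamic, longest prefix first) and report the first match."""
import ipaddress

SECTION = {"manual": 1, "auto": 2, "after-auto": 3}

# Constructed rule set, listed in the order it was configured.
# The Auto NAT rules are deliberately out of evaluation order.
RULES = [
    {"name": "vpn-exempt", "section": "manual", "type": "static",
     "real": "10.0.0.0/24", "mapped": "10.0.0.0/24"},
    {"name": "lan-pat", "section": "auto", "type": "dynamic",
     "real": "10.0.0.0/16", "mapped": "interface"},
    {"name": "web-server", "section": "auto", "type": "static",
     "real": "10.0.1.10/32", "mapped": "203.0.113.10"},
    {"name": "catch-all", "section": "after-auto", "type": "dynamic",
     "real": "0.0.0.0/0", "mapped": "interface"},
]


def evaluation_order(rules):
    """Sort rules into the order the ASA evaluates them. Manual rules keep
    their configured order; Auto NAT is re-sorted static-first, then by the
    most specific real prefix."""
    def key(item):
        idx, rule = item
        if rule["section"] == "auto":
            net = ipaddress.ip_network(rule["real"])
            static_first = 0 if rule["type"] == "static" else 1
            return (SECTION["auto"], static_first, -net.prefixlen, idx)
        return (SECTION[rule["section"]], 0, 0, idx)
    return [rule for _, rule in sorted(enumerate(rules), key=key)]


def first_match(rules, src_ip):
    """Name of the first rule whose real network contains src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    for rule in evaluation_order(rules):
        if addr in ipaddress.ip_network(rule["real"]):
            return rule["name"]
    return None


if __name__ == "__main__":
    print("evaluation order:", [r["name"] for r in evaluation_order(RULES)])
    for ip in ("10.0.0.10", "10.0.1.10", "10.0.5.7", "192.168.1.1"):
        print(f"{ip:>13} -> {first_match(RULES, ip)}")
```

Note what happens to 10.0.0.10: it belongs to the manual identity rule in Section 1, so it never reaches Auto NAT, even though a more specific static rule might exist there. That is exactly the "why is my server not being translated" case that "show nat" order explains.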
#Look at the order of your IKE policies, since the ASA tries them in priority order (lowest number first) and uses the first one the peer also supports:
sh run crypto ikev1
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
sh run crypto ikev2
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
Note that this example still carries 3DES and DH groups 2 and 5, which are considered weak today. Because the first matching policy wins, a peer that only offers those will still be accepted; keep the strongest policy at the lowest number and remove the weak ones once the peers can do better.
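The "first matching policy wins" rule, worked through in code: parse the IKEv1 policies above, see which one a peer's proposal lands on, and flag the weak algorithms a review would catch. This is an added example, not from the original page. The config text is the page's two IKEv1 policies; the peer proposals are constructed; the match rule (every attribute equal, the peer's lifetime must not exceed ours, the shorter lifetime is used) follows Cisco's documented IKEv1 behaviour as I understand it, so treat the lifetime handling as an assumption.

```python
"""Which 'crypto ikev1 policy' does the ASA pick for a peer's proposal?"""

# The page's own IKEv1 policies.
IKEV1_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
"""

# Constructed peer proposals (what the remote side offers in Main Mode).
PEER_OFFERS = [
    {"authentication": "pre-share", "encryption": "aes-256", "hash": "sha",
     "group": "2", "lifetime": "28800"},
]
PEER_OFFERS_STRONG = [
    {"authentication": "pre-share", "encryption": "aes-256", "hash": "sha",
     "group": "14", "lifetime": "86400"},
]

# Algorithms a policy review should flag: DES/3DES, MD5 and DH groups below
# 2048 bits are deprecated by current guidance.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
MATCHED = ("authentication", "encryption", "hash", "group")


def parse_ikev1_policies(config):
    """Return the policies sorted by priority; the lowest number is tried first."""
    policies = []
    for line in config.splitlines():
        if line.startswith("crypto ikev1 policy "):
            policies.append({"priority": int(line.split()[-1])})
        elif line.startswith(" ") and policies:          # indented attribute line
            key, value = line.split(None, 1)
            policies[-1][key] = value.strip()
    return sorted(policies, key=lambda p: p["priority"])


def negotiate(policies, proposals):
    """First local policy, in priority order, that any peer proposal satisfies.
    Assumed rule: attributes must be identical and the peer's lifetime must not
    exceed ours; the shorter (peer's) lifetime is what the SA gets."""
    for pol in policies:
        for prop in proposals:
            if all(pol[k] == prop[k] for k in MATCHED) and int(prop["lifetime"]) <= int(pol["lifetime"]):
                chosen = dict(pol)
                chosen["lifetime"] = prop["lifetime"]
                return chosen
    return None


def weak_policies(policies):
    """List (priority, reasons) for every policy carrying a deprecated algorithm."""
    findings = []
    for pol in policies:
        reasons = [f"{k} {pol[k]}" for k, bad in WEAK.items() if pol.get(k) in bad]
        if reasons:
            findings.append((pol["priority"], reasons))
    return findings


if __name__ == "__main__":
    pols = parse_ikev1_policies(IKEV1_CONFIG)
    print("peer offer matches:", negotiate(pols, PEER_OFFERS))
    print("strong-only peer matches:", negotiate(pols, PEER_OFFERS_STRONG))
    print("weak policies:", weak_policies(pols))
```

Two things fall out of running it: the peer that offers lifetime 28800 lands on policy 10, not 20 (policy 10 is tried first and accepts the shorter lifetime), which is why the "show crypto ikev1 sa detail" output further down reports 28800 even though policy 10 is configured for 86400; and a peer that only offers DH group 14 matches nothing here, so it fails Phase 1 until a group 14 policy is added.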
#Verify the Lifetimes
The commands above show the configured lifetimes, but the negotiated lifetime can be shorter (the lower value offered by the peer wins), so check what the tunnel is actually using with the "detail" option:
show isakmp sa detail   (or: show crypto ikev1 sa detail)

1   IKE Peer: 139.177.229.3
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 1873
2   IKE Peer: 72.32.69.25
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes-256         Hash    : SHA
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 11931
#Default values to keep in mind. Defaults are hidden from "show run", so add "all" to the commands to see them:
* The default vpn-idle-timeout is 30 minutes:
sh run all group-policy
group-policy DfltGrpPolicy attributes
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
* The default IPsec SA lifetime is 8 hours or 4608000 KB, whichever comes first:
sh run all | inc ipsec security-association
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
* DPD (isakmp keepalive) is on by default, shown under each tunnel-group's ipsec-attributes:
sh run all tunnel-group
isakmp keepalive threshold 10 retry 2
To disable DPD you have to do it on the specific tunnel group:
tunnel-group {Peer IP} ipsec-attributes
 isakmp keepalive disable