ASA Troubleshooting Commands
TECHIE# show crypto isakmp sa

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 16.37.14.14
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 29.12.24.70
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Techie# show crypto isakmp sa detail

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 16.37.14.14
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 7500
2   IKE Peer: 29.12.24.70
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 16339

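
Added example, not part of the original post: a Python sketch that parses "show crypto isakmp sa detail" output like the listing above and reports peers whose phase 1 is not established, that still negotiate DES or MD5 (both deprecated), or that are close to rekey. The function names, the 300-second threshold and the sample layout are assumptions; the sample reuses the values shown above.

```python
import re

# Constructed sample: the values shown above, laid out as "key : value" pairs.
SAMPLE = """\
1   IKE Peer: 16.37.14.14
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 7500
2   IKE Peer: 29.12.24.70
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : des             Hash    : MD5
    Auth    : preshared       Lifetime: 28800
    Lifetime Remaining: 16339
"""

ESTABLISHED = {"MM_ACTIVE", "AM_ACTIVE"}      # main / aggressive mode completed
WEAK = {"encrypt": {"des"}, "hash": {"md5"}}  # deprecated IKE phase 1 algorithms
FIELD = re.compile(r"(Lifetime Remaining|IKE Peer|[A-Za-z]+)\s*:\s*(\S+)")

def parse_isakmp_detail(text):
    """Return one dict per IKE peer, keyed by lower-cased field name."""
    peers = []
    for line in text.splitlines():
        for key, value in FIELD.findall(line):
            key = key.lower()
            if key == "ike peer":
                peers.append({"peer": value})
            elif peers:                        # ignore the summary header lines
                peers[-1][key] = value
    return peers

def findings(peers, min_remaining=300):        # threshold is an assumption
    """List (peer, issue) pairs worth a look while troubleshooting."""
    out = []
    for p in peers:
        if p.get("state") not in ESTABLISHED:
            out.append((p["peer"], "phase 1 not established: " + p.get("state", "?")))
        for field, bad in WEAK.items():
            if p.get(field, "").lower() in bad:
                out.append((p["peer"], f"weak {field}: {p[field]}"))
        if int(p.get("lifetime remaining", min_remaining)) < min_remaining:
            out.append((p["peer"], "rekey imminent"))
    return out

if __name__ == "__main__":
    print(findings(parse_isakmp_detail(SAMPLE)))
```
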
Techie # show crypto ipsec sa
Interface: outside
    Crypto map tag: vpnmap, seq num: 50, local addr: 11.11.11.12

      access-list datacenter permit ip 10.2.1.0 255.255.255.0 192.168.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 29.12.24.10

      #pkts encaps: 6848039, #pkts encrypt: 6848039, #pkts digest: 6848039
      #pkts decaps: 7450376, #pkts decrypt: 7450376, #pkts verify: 7450376
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6848039, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 11.11.11.12, remote crypto endpt.: 29.12.24.170

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3162F87A

    inbound esp sas:
      spi: 0xE3B3F018 (3820220440)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (4229642/18948)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x3162F87A (828569722)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 1, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (4267592/18948)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: vpnmap, seq num: 51, local addr: 11.11.11.12

      access-list camarillo permit ip 10.2.1.0 255.255.255.0 10.1.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      current_peer: 68.27.14.13

      #pkts encaps: 11121, #pkts encrypt: 11121, #pkts digest: 11121
      #pkts decaps: 1181, #pkts decrypt: 1181, #pkts verify: 1181
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 11121, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 11.11.11.12, remote crypto endpt.: 68.27.14.13

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 336470A4

    inbound esp sas:
      spi: 0x414FD48E (1095750798)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (4274964/18777)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x336470A4 (862220452)
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 4, crypto-map: vpnmap
         sa timing: remaining key lifetime (kB/sec): (4274965/18777)
         IV size: 8 bytes
         replay detection support: Y

Techie # show run crypto isakmp
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

Techie # show run crypto ipsec
crypto ipsec transform-set vpnset esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

Techie # Show run crypto map
crypto map vpnmap 1 match address outside_1_cryptomap
crypto map vpnmap 1 set pfs
crypto map vpnmap 1 set peer 12.16.23.15
crypto map vpnmap 1 set transform-set vpnset
crypto map vpnmap 50 match address datacenter
crypto map vpnmap 50 set peer 200.131.224.170
crypto map vpnmap 50 set transform-set vpnset
crypto map vpnmap 51 match address camarillo
crypto map vpnmap 51 set peer 67.23.17.13
crypto map vpnmap 51 set transform-set vpnset
crypto map vpnmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpnmap interface outside

Debug commands for VPN tunnels

To debug ISAKMP: debug crypto isakmp
To debug IPsec: debug crypto ipsec

To manually clear an ISAKMP or IPsec SA:
clear crypto ipsec sa
clear crypto isakmp sa

To clear ISAKMP or IPsec SAs based on IP address or crypto map:
To clear IPsec SA counters: clear crypto ipsec sa counters
To clear IPsec SAs by entry: clear ipsec sa entry <ip address>
To clear IPsec SAs by map: clear ipsec sa map <cryptomap_name>
To clear IPsec SAs by peer: clear ipsec sa peer <ip address>
To clear an ISAKMP SA by IP address: clear crypto isakmp sa <ip address>

To reset all the tunnels:
clear crypto isakmp sa

To reset only one tunnel:
clear ipsec sa peer <Address of the other end of the tunnel>
clear ipsec sa peer 202.192.168.12