Debugs And Show Commands
To gain more info on where the problem might be, try these show commands and debugs.
- show crypto isakmp sa: shows the status of ISAKMP negotiations
- show crypto ipsec sa [peer 220.127.116.11]: shows the status of IPSEC tunnels
- show log
- debug crypto isakmp
- debug crypto ipsec
- debug crypto condition peer 18.104.22.168
Knowing where to look for problems
VPN problems are usually very easy to fix once you know where the problem is. Building a VPN tunnel is a multi-step process, so step through the stages in order to find where the tunnel got hung up and stopped working.
- Tunnel isn't even trying to start: ISAKMP/IPSEC isn't enabled or applied to an interface, the VPN ACL isn't matching any interesting traffic to bring up the tunnel, or routes/NATs are sending traffic out the wrong interface.
- ISAKMP Phase 1 doesn't complete: there are lots of reasons why ISAKMP Phase 1 won't fully establish. Look over some of the common reasons here.
- Phase 1 establishes but Phase 2 doesn't fully establish: it is possible that the Phase 2 IPSEC attributes don't match, but this usually indicates a malformed Phase 1.
- Phase 1 and 2 establish but traffic still isn't getting there: remember, the VPN tunnel is only in charge of getting the secure line open. Normal networking rules still apply, so check routes/ACLs/NATs etc.
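As an added example (not from the original page), a small Python triage helper that reads the output of the two show commands above and maps it onto these four stages. The device output is constructed, and the stage boundaries are assumptions taken from the list: QM_IDLE means Phase 1 completed, spi: lines mean IPsec SAs exist, and the encaps/decaps counters show which direction traffic is actually flowing.

```python
import re

# Constructed sample output (not captured from a real device): Phase 1 and
# Phase 2 are both up, packets leave the tunnel but none come back.
SAMPLE_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
"""
SAMPLE_IPSEC = """\
   current_peer 203.0.113.2 port 500
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x1B2C3D4E(456789838)
     outbound esp sas:
      spi: 0x5E6F7081(1584754817)
"""

def isakmp_state(output):
    """ISAKMP SA state (e.g. MM_NO_STATE, QM_IDLE) or None if no SA is listed."""
    for line in output.splitlines():
        # row layout: dst src STATE conn-id status; header lines never match
        m = re.match(r"\s*\S+\s+\S+\s+([A-Z]{2}_[A-Z_]+)\s+\d+", line)
        if m:
            return m.group(1)
    return None

def ipsec_counters(output):
    """(encaps, decaps) packet counters; both 0 when the lines are missing."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", output)
    dec = re.search(r"#pkts decaps:\s*(\d+)", output)
    return (int(enc.group(1)) if enc else 0, int(dec.group(1)) if dec else 0)

def diagnose(isakmp_out, ipsec_out):
    """Map the two show outputs onto the four stages listed above."""
    state = isakmp_state(isakmp_out)
    has_esp_sa = bool(re.search(r"spi:\s*0x[0-9A-Fa-f]+", ipsec_out))
    encaps, decaps = ipsec_counters(ipsec_out)
    if state is None:
        return "stage 1: no ISAKMP SA at all; check crypto map/ACL/routing"
    if state != "QM_IDLE":
        return f"stage 2: Phase 1 stuck in {state}; check peer, PSK, policy"
    if not has_esp_sa:
        return "stage 3: Phase 1 up, no IPsec SA; check transform set/ACL mirror"
    if encaps > 0 and decaps == 0:
        return "stage 4: tunnel up, traffic sent but nothing returns; check far-side routes/ACLs/NAT"
    if encaps == 0:
        return "stage 4: tunnel up but no traffic enters it; check local routes/NAT"
    return "healthy: traffic flows both ways"

if __name__ == "__main__":
    print(diagnose(SAMPLE_ISAKMP, SAMPLE_IPSEC))
```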