Tips on Troubleshooting VPNs in General


Debugs and Show Commands

To gain more information on where the problem might be, try these show commands and debugs (Cisco IOS syntax):

  • show crypto isakmp sa - status of the ISAKMP (Phase 1) negotiations; a state of QM_IDLE means Phase 1 is complete, MM_* or AG_* states mean it is still negotiating
  • show crypto ipsec sa [peer <address>] - status of the IPsec (Phase 2) SAs, including the inbound/outbound SPIs and the #pkts encaps/decaps counters
  • show log - the syslog buffer; ISAKMP and IPsec errors land here if logging is enabled
  • debug crypto isakmp - trace the Phase 1 negotiation
  • debug crypto ipsec - trace the Phase 2 negotiation
  • debug crypto condition peer - restrict the crypto debugs to a single peer (on IOS: debug crypto condition peer ipv4 <address>); set this before enabling the debugs on a busy router, or the output is unreadable

Knowing where to look for problems

VPN problems are usually very easy to fix once you know where the problem is. A VPN tunnel is built in a sequence of steps: interesting traffic triggers the tunnel, ISAKMP Phase 1 negotiates the IKE SA, Phase 2 negotiates the IPsec SAs, and only then does user traffic flow. Step through that sequence with the show commands above to find where the tunnel got hung up and stopped working.

  • Tunnel isn't even trying to start (no entry at all in show crypto isakmp sa)
    ISAKMP/IPsec isn't enabled, or the crypto map isn't applied to the right interface. The crypto ACL isn't catching any interesting traffic to fire up the tunnel. Routes or NAT are misdirecting the traffic out the wrong interface, or NAT translates the source address before the crypto ACL ever sees it.
  • ISAKMP Phase 1 doesn't complete all the way (state never reaches QM_IDLE)
    There are lots of reasons why Phase 1 won't fully establish: a mismatched ISAKMP policy (encryption, hash, DH group, authentication method, lifetime), a wrong pre-shared key or peer address, or UDP 500/4500 blocked somewhere between the peers. Look over some of the common reasons here.
  • Phase 1 establishes but Phase 2 doesn't fully establish (QM_IDLE, but no inbound/outbound SAs in show crypto ipsec sa)
    The Phase 2 IPsec attributes may not match: transform set, PFS group, or crypto ACLs on the two sides that are not mirror images of each other. It can also mean Phase 1 completed with settings that only cause trouble now, so re-check Phase 1 before assuming the problem is in Phase 2.
  • Phase 1 and 2 establish but traffic still isn't getting there
    Remember, the VPN tunnel is just in charge of getting the secure line open. Networking rules still apply. Check routes, ACLs, NAT and so on at both ends. The packet counters in show crypto ipsec sa tell you which direction is broken: encaps rising while decaps stays at zero means your side is sending but nothing comes back, so look at the far end; both at zero means traffic never reaches the crypto map on your side.
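As an added example (not part of the original post), here is a small Python script that applies the checklist above to saved output of show crypto isakmp sa and show crypto ipsec sa and reports which stage the tunnel is stuck at. The sample outputs are constructed to resemble IOS formatting, and the parser assumes those field names (current_peer, #pkts encaps/decaps, inbound/outbound esp sas); adjust the patterns if your platform prints them differently.

```python
"""Triage a Cisco site-to-site VPN from captured 'show crypto isakmp sa' and
'show crypto ipsec sa' output, mapping the symptoms onto the four stages of the
checklist. Sample outputs below are constructed to resemble IOS formatting."""
import re

# ISAKMP states that mean the Phase 1 (IKE) SA is fully established.
PHASE1_COMPLETE = {"QM_IDLE"}


def parse_isakmp_sa(text):
    """Map each address seen in 'show crypto isakmp sa' to the SA state."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+\d+\s+\S+", line)
        if m:
            dst, src, state = m.groups()
            states[dst] = state  # key by both ends so it works for initiator and responder
            states[src] = state
    return states


def parse_ipsec_sa(text, peer):
    """Return counters and SA presence for the block of 'show crypto ipsec sa'
    whose current_peer is <peer>, or None if no block references that peer."""
    for block in re.split(r"\n(?=\s*local\s+ident)", text):
        if not re.search(r"current_peer\s+" + re.escape(peer) + r"\b", block):
            continue
        info = {"encaps": 0, "decaps": 0, "inbound_spi": False, "outbound_spi": False}
        for counter in ("encaps", "decaps"):
            m = re.search(r"#pkts %s:\s*(\d+)" % counter, block)
            if m:
                info[counter] = int(m.group(1))
        # Each direction lists 'spi: 0x...' right under its heading when an SA exists.
        for direction in ("inbound", "outbound"):
            pattern = direction + r" esp sas:\s*\n\s*spi: 0x[0-9A-Fa-f]+"
            info[direction + "_spi"] = re.search(pattern, block) is not None
        return info
    return None


def triage(peer, isakmp_output, ipsec_output):
    """Return (stage, diagnosis): stage 1-4 follows the checklist, 0 means healthy."""
    state = parse_isakmp_sa(isakmp_output).get(peer)
    if state is None:
        return 1, ("no ISAKMP SA for %s: the tunnel never started; check that the crypto map "
                   "is applied to the egress interface, that the crypto ACL matches the traffic, "
                   "and that routes/NAT send it out that interface" % peer)
    if state not in PHASE1_COMPLETE:
        return 2, ("Phase 1 stuck in %s: check ISAKMP policy (encryption/hash/DH/lifetime), "
                   "pre-shared key and peer address, and UDP 500/4500 reachability" % state)
    sa = parse_ipsec_sa(ipsec_output, peer)
    if sa is None or not (sa["inbound_spi"] and sa["outbound_spi"]):
        return 3, ("Phase 1 up but no IPsec SA pair: check the transform set, PFS, and that "
                   "both sides' crypto ACLs mirror each other")
    if sa["encaps"] == 0:
        return 4, "tunnel up but nothing is being encrypted: local routing/NAT/ACL keeps traffic away from the crypto map"
    if sa["decaps"] == 0:
        return 4, "tunnel up, %d packets sent, none received: check routing/ACLs/NAT at the far end" % sa["encaps"]
    return 0, "tunnel established and passing traffic both ways (%d sent / %d received)" % (sa["encaps"], sa["decaps"])


# Constructed sample output (not from a real device).
ISAKMP_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    QM_IDLE           1001 ACTIVE
"""
ISAKMP_STUCK = ISAKMP_OK.replace("QM_IDLE", "MM_NO_STATE")

IPSEC_ONE_WAY = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

     inbound esp sas:
      spi: 0x8C5B3A1F(2354526751)
        transform: esp-aes esp-sha-hmac ,
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-aes esp-sha-hmac ,
"""
IPSEC_HEALTHY = IPSEC_ONE_WAY.replace("#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
                                      "#pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118")
# Phase 1 done but no SAs negotiated: the SA headings are present and empty.
IPSEC_NO_SA = IPSEC_ONE_WAY.split("inbound esp sas:")[0] + "inbound esp sas:\n\n     outbound esp sas:\n"

if __name__ == "__main__":
    for label, isakmp, ipsec in (("healthy", ISAKMP_OK, IPSEC_HEALTHY),
                                 ("one-way", ISAKMP_OK, IPSEC_ONE_WAY),
                                 ("phase1 stuck", ISAKMP_STUCK, IPSEC_ONE_WAY),
                                 ("no phase2", ISAKMP_OK, IPSEC_NO_SA)):
        stage, why = triage("203.0.113.2", isakmp, ipsec)
        print("%-13s stage %d: %s" % (label, stage, why))
```

Feed it the two show outputs captured with the peer-specific debug condition already set, and it tells you which bullet of the checklist to work on; the stage number is what you would compare across a batch of routers.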

cisco, troubleshooting, vpn