IPsec tunnels are only brought up if there is interesting traffic that needs to be encrypted. Unless there is traffic from a source to a destination defined in the crypto policy, the tunnel will not be in an active state. To manually simulate packet flow, we can use the ASA "packet-tracer" tool. It is also good for other traffic flow simulations and debugging.
Syntax is simple: packet-tracer input interface_name protocol source_address src_port destination_address dst_port
Example, simulating traffic from 192.168.1.33 port 8456 to 192.168.2.22 port 80. In Phase 11 and Phase 12 it can be seen that packets from this source to this destination get encrypted and go through the VPN tunnel:
ASA-A#packet-tracer input inside tcp 192.168.1.33 8456 192.168.2.22 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: INSPECT
Subtype: inspect-pptp
Result: ALLOW
Config:
class-map class-default
match any
policy-map global-policy
class class-default
inspect pptp
service-policy global-policy global
Additional Information:
Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
nat-control
match ip inside 192.168.1.0 255.255.255.0 outside 192.168.2.0 255.255.255.0
NAT exempt
translate_hits = 57843, untranslate_hits = 17148
Additional Information:
Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
nat-control
match ip inside 192.168.1.0 255.255.255.0 outside any
dynamic translation to pool 1 (207.139.133.118 [Interface PAT])
translate_hits = 867276, untranslate_hits = 67836
Additional Information:
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 192.168.1.0 255.255.255.0
nat-control
match ip inside 192.168.1.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Phase: 10
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1420869, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
(If for some reason packet flow is blocked or denied, packet-tracer will display the reasons and results.) With the command "show crypto isakmp sa" you can check the state of IPsec VPN tunnels. If the SA is in "MM_ACTIVE" state, it means the tunnel is successfully established:
ASA-A#show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 20.1.120
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Possible ASA ISAKMP states with a brief description:
* MM_WAIT_MSG2: Initial DH public key sent to responder. Awaiting initial contact reply from the other side. If stuck here it usually means the other end is not responding. This could be due to no route to the far end, the far end not having ISAKMP enabled on the outside, or the far end being down.
* MM_WAIT_MSG3: Both peers have agreed on the ISAKMP policies. Awaiting exchange of keyring information. Hang-ups here may be due to mismatched device vendors, a router with a firewall in the way, or even ASA version mismatches.
* MM_WAIT_MSG4: In this step the pre-shared key hashes are exchanged. They are not compared or checked, only sent. If one side sends a key and does not receive a key back, this is where the tunnel will fail. It is also possible that the remote side has the wrong peer IP address. Hang-ups here may also be due to mismatched device vendors, a router with a firewall in the way, or even ASA version mismatches.
* MM_WAIT_MSG5: This step is where the devices exchange pre-shared keys. If the pre-shared keys do not match it will stay at this MSG. The tunnel may also stop here when NAT Traversal was on when it needed to be turned off.
* MM_WAIT_MSG6: This step is where the devices exchange pre-shared keys. If the pre-shared keys do not match it will stay at this MSG. The tunnel may also stop here when NAT Traversal was on when it needed to be turned off. However, if the state goes to MSG6 and then ISAKMP gets reset, that means phase 1 finished but phase 2 failed. Check that the IPsec settings match in phase 2 to get the tunnel to MM_ACTIVE.
* AM_ACTIVE / MM_ACTIVE: The ISAKMP negotiations are complete. Phase 1 has successfully completed.
The "show crypto ipsec sa" command verifies that data is being successfully encrypted and decrypted. The output fields #pkts encrypt: 1989 and #pkts decrypt: 1920 show that we have bidirectional data encryption:
ASA-A#show crypto ipsec sa
interface: outside
Crypto map tag: ASA1VPN, seq num: 10, local addr: 100.100.100.1
access-list LAN1-to-LAN2 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 200.200.200.1
#pkts encaps: 1989, #pkts encrypt: 1989, #pkts digest: 1989
#pkts decaps: 1920 , #pkts decrypt: 1920 , #pkts verify: 1920
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1989, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 20.1.1.10, remote crypto endpt.: 20.1.1.20
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 3CFDDAE7
inbound esp sas:
spi: 0x0647B7A6 (105363366)
transform: esp-aes-192 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: ASA1VPN
sa timing: remaining key lifetime (kB/sec): (4274994/26580)
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x3CFDDAE7 (1023269607)
transform: esp-aes-192 esp-sha-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2, crypto-map: ASA1VPN
sa timing: remaining key lifetime (kB/sec): (4274956/26568)
IV size: 8 bytes
replay detection support: Y
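As an added example (not part of the original post), a small Python checker that applies the ISAKMP state list above to "show crypto isakmp sa" output and compares two "show crypto ipsec sa" snapshots to confirm that the encrypt and decrypt counters both move, which is what distinguishes a healthy tunnel from a one-way or idle one. The sample outputs are constructed, and the per-state hints are condensed from the list above.

```python
import re

# Troubleshooting hints per ISAKMP state, condensed from the state list in the post.
STATE_HINTS = {
    "MM_WAIT_MSG2": "peer not answering: no route, ISAKMP not enabled on peer outside, or peer down",
    "MM_WAIT_MSG3": "keyring exchange stuck: vendor/version mismatch or a firewall in the path",
    "MM_WAIT_MSG4": "PSK hash not returned: wrong peer IP, vendor mismatch or a firewall in the path",
    "MM_WAIT_MSG5": "pre-shared keys do not match, or NAT traversal on when it should be off",
    "MM_WAIT_MSG6": "PSK/NAT-T as for MSG5; if ISAKMP resets here, phase 2 IPsec settings mismatch",
    "MM_ACTIVE": "phase 1 complete",
    "AM_ACTIVE": "phase 1 complete",
}

def isakmp_state(show_isakmp):
    """Return the State field from 'show crypto isakmp sa' output, or None."""
    m = re.search(r"State\s*:\s*(\S+)", show_isakmp)
    return m.group(1) if m else None

def ipsec_counters(show_ipsec):
    """Return (#pkts encrypt, #pkts decrypt) from 'show crypto ipsec sa' output."""
    enc = re.search(r"#pkts encrypt:\s*(\d+)", show_ipsec)
    dec = re.search(r"#pkts decrypt:\s*(\d+)", show_ipsec)
    if not (enc and dec):
        raise ValueError("no IPsec SA counters found: phase 2 SA probably not built")
    return int(enc.group(1)), int(dec.group(1))

def tunnel_health(show_isakmp, ipsec_before, ipsec_after):
    """Classify a tunnel from one isakmp snapshot and two ipsec-sa snapshots taken apart."""
    state = isakmp_state(show_isakmp)
    if state not in ("MM_ACTIVE", "AM_ACTIVE"):
        return "phase1-stuck", STATE_HINTS.get(state, "unknown state %s" % state)
    e0, d0 = ipsec_counters(ipsec_before)
    e1, d1 = ipsec_counters(ipsec_after)
    if e1 > e0 and d1 > d0:
        return "ok", "encrypt and decrypt counters both grow: bidirectional traffic"
    if e1 > e0:
        return "one-way", "encrypt grows but decrypt does not: nothing comes back from the peer"
    if d1 > d0:
        return "one-way", "decrypt grows but encrypt does not: no interesting traffic leaves locally"
    return "idle", "no counter movement: send interesting traffic from the inside network"

# Constructed sample outputs (not captured from a real device).
ISAKMP_UP = "1   IKE Peer: 200.200.200.1\n    Type : L2L  Role : responder\n    Rekey : no  State : MM_ACTIVE\n"
ISAKMP_STUCK = "1   IKE Peer: 200.200.200.1\n    Type : L2L  Role : initiator\n    Rekey : no  State : MM_WAIT_MSG5\n"
IPSEC_T0 = "#pkts encaps: 1989, #pkts encrypt: 1989, #pkts digest: 1989\n#pkts decaps: 1920 , #pkts decrypt: 1920 , #pkts verify: 1920\n"
IPSEC_T1 = "#pkts encaps: 2010, #pkts encrypt: 2010, #pkts digest: 2010\n#pkts decaps: 1920 , #pkts decrypt: 1920 , #pkts verify: 1920\n"

if __name__ == "__main__":
    print(tunnel_health(ISAKMP_UP, IPSEC_T0, IPSEC_T1))     # one-way: only encrypt moved
    print(tunnel_health(ISAKMP_STUCK, IPSEC_T0, IPSEC_T1))  # phase1-stuck with MSG5 hint
```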
If you want to enable detailed logging for debugging, you can use the command "debug crypto isakmp number". Number is 1-255. 1 is the default and shows the fewest debug messages, 255 shows the most:
ASA-A#debug crypto isakmp 1
ASA-A#no debug all
(If you want to disable all debugging messages, simply enter the command "no debug all".)