Troubleshooting IPSec VPNs


Special guests Wen Zhang (Cisco TAC) and returning guest Jay Young Taylor (Cisco TAC) discuss the methodologies and approaches to troubleshooting IPSec VPN problems. The team discusses the best way to use show commands, debug output, and troubleshooting tools to get your VPN tunnels up and passing traffic!

Podcast

Notes

Useful commands:

Show commands

show crypto isakmp sa

show crypto ipsec sa peer x.x.x.x

show run | section crypto (on IOS)

show run crypto map (on ASA)

show logging

Debug Commands

debug crypto condition peer ipv4 x.x.x.x

debug crypto isakmp (on IOS)

debug crypto isakmp 128 (on ASA)

debug crypto ipsec (on IOS)

debug crypto ipsec 128 (on ASA)

Test Commands

packet-tracer input inside icmp z.z.z.z 8 0 y.y.y.y detail

ping inside y.y.y.y

ping tcp y.y.y.y

Use IPSec NULL encryption (authentication only, so the ESP payload stays readable in a packet capture while troubleshooting; swap the real transform set back in once done)

crypto ipsec transform-set NULLENC esp-null esp-md5-hmac

Packet marking/coloring techniques:

Marking

1. MQC (Modular QoS CLI)

class-map match-all my_flow
 match access-group 150
!
policy-map marking
 class my_flow
  set ip precedence 4
!
interface Ethernet1/0
 service-policy input marking

2. PBR (Policy Based Routing)

interface Ethernet1/0
 ip policy route-map mark
!
access-list 150 permit ip host 172.16.1.2 host 172.16.254.2
!
route-map mark permit 10
 match ip address 150
 set ip precedence flash-override

3. Using router-generated pings (Type of service 128 = IP precedence 4, flash-override)

Router#ping ip
Target IP address: 172.16.254.2
Repeat count [5]: 100
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 
Type of service [0]: 128
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
<snip>

Monitoring

1. Packet capture (SPAN/RSPAN/ERSPAN, ASA packet capture, IOS Embedded Packet Capture)

2. IP Precedence accounting

interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 ip accounting precedence input
!
Router#show interface precedence 
Ethernet0/0 
  Input
Precedence 4:  100 packets, 17400 bytes

3. Use ACL counters

Router#sh access-list 144
Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override (100 matches)
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
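The marking and monitoring steps above form one loop: pick a precedence, send a known number of marked packets (the extended ping with Type of service 128 sets precedence 4, flash-override), then check that the matching ACL line on the far side counted them. The following is an added example, not part of the original notes or of any Cisco tool: it computes the ToS value for a given precedence, parses the `show access-list` counter output in the format shown above, and compares before/after snapshots to confirm the marked traffic crossed the tunnel. The two `show` outputs embedded below are constructed sample text modelled on the output on this page.

```python
import re

# IP precedence keywords as IOS prints them in ACLs, indexed by precedence value 0-7 (RFC 791).
PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]

# One ACL entry of the precedence-counting ACL shown in the notes, e.g.
#   "50 permit ip any any precedence flash-override (100 matches)"
# The trailing "(N matches)" is absent when the counter is zero.
ACL_LINE = re.compile(
    r"^\s*(\d+)\s+permit\s+ip\s+any\s+any\s+precedence\s+(\S+)"
    r"(?:\s+\((\d+)\s+match(?:es)?\))?\s*$"
)


def tos_for_precedence(precedence):
    """ToS byte to type at the extended-ping 'Type of service' prompt.

    Precedence occupies the top three bits of the ToS byte, so the value is
    precedence << 5 (precedence 4 -> 128, which is what the notes use)."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP precedence must be 0-7")
    return precedence << 5


def precedence_of_tos(tos):
    """Inverse of tos_for_precedence: recover the precedence from a ToS byte."""
    return (tos >> 5) & 0x7


def parse_precedence_acl(show_output):
    """Map precedence keyword -> match count from 'show access-list' text.

    Only the per-precedence 'permit ip any any precedence X' form used in the
    notes is parsed; any other ACL line is ignored."""
    counts = {}
    for line in show_output.splitlines():
        m = ACL_LINE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(3) or 0)
    return counts


def marked_traffic_seen(before, after, precedence, expected):
    """Compare two parsed snapshots for one precedence.

    Returns (delta, ok): delta is how many marked packets the ACL counted
    between snapshots, ok is whether at least `expected` arrived."""
    name = PRECEDENCE_NAMES[precedence]
    delta = after.get(name, 0) - before.get(name, 0)
    return delta, delta >= expected


# Constructed sample: counters before and after sending 100 pings with ToS 128.
BEFORE = """Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
"""

AFTER = """Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override (100 matches)
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
"""


def check_sample():
    """Run the whole loop on the constructed snapshots for precedence 4."""
    prec = precedence_of_tos(128)          # 4, the value the extended ping used
    before = parse_precedence_acl(BEFORE)
    after = parse_precedence_acl(AFTER)
    return marked_traffic_seen(before, after, prec, expected=100)


if __name__ == "__main__":
    delta, ok = check_sample()
    print(f"ToS for precedence 4: {tos_for_precedence(4)}")
    print(f"flash-override packets counted: {delta}, all 100 arrived: {ok}")
```

A count lower than the number of pings sent points at drops between the marking point and the ACL (the ACL itself counts only packets that reached that interface), while a zero delta with the tunnel up usually means the marking was not applied where expected; checking `show crypto ipsec sa` encaps/decaps counters on both ends narrows down which side lost them.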

IPsec Troubleshooting: Understanding and Using debug Commands
