Troubleshooting IPSec VPNs

Special guests Wen Zhang (Cisco TAC) and returning guest Jay Young Taylor (Cisco TAC) discuss the methodologies and approaches to troubleshooting IPSec VPN problems. The team discusses the best way to use show commands, debug output, and troubleshooting tools to get your VPN tunnels up and passing traffic!
Useful commands:

Show commands

show crypto isakmp sa

show crypto ipsec sa peer x.x.x.x

show run | section crypto (on IOS)

show run crypto map (on ASA)

show logging

Debug Commands

debug crypto condition peer ipv4 x.x.x.x

debug crypto isakmp (on IOS)

debug crypto isakmp 128 (on ASA)

debug crypto ipsec (on IOS)

debug crypto ipsec 128 (on ASA)

Test Commands

packet-tracer input inside icmp z.z.z.z 8 0 y.y.y.y detail

ping inside y.y.y.y

ping tcp y.y.y.y

Use IPSec NULL Encryption

crypto ipsec transform-set NULLENC esp-null esp-md5-hmac

Packet marking/coloring techniques:
1. MQC (Modular QoS CLI)

class-map match-all my_flow
 match access-group 150
policy-map marking
 class my_flow
  set ip precedence 4
interface Ethernet1/0
 service-policy input marking

2. PBR (Policy Based Routing)

interface Ethernet1/0
 ip policy route-map mark
access-list 150 permit ip host host
route-map mark permit 10
 match ip address 150
 set ip precedence flash-override

3. Using router generated pings

Router#ping ip
Target IP address:
Repeat count [5]: 100
Datagram size [100]: 
Timeout in seconds [2]: 
Extended commands [n]: y
Source address or interface: 
Type of service [0]: 128
Set DF bit in IP header? [no]: 
Validate reply data? [no]: 
Data pattern [0xABCD]: 
1. Packet capture (SPAN/RSPAN/ERSPAN, ASA packet capture, IOS Embedded Packet Capture)

2. IP Precedence accounting

interface Ethernet0/0
 ip address
 ip accounting precedence input
Router#show interface precedence 
Precedence 4:  100 packets, 17400 bytes

3. Use ACL counters

Router#sh access-list 144
Extended IP access list 144
    10 permit ip any any precedence routine
    20 permit ip any any precedence priority
    30 permit ip any any precedence immediate
    40 permit ip any any precedence flash
    50 permit ip any any precedence flash-override (100 matches)
    60 permit ip any any precedence critical
    70 permit ip any any precedence internet (1 match)
    80 permit ip any any precedence network
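The marking and verification steps above all describe the same packet in three notations: precedence 4 in MQC, flash-override in the route-map, and ToS 128 in extended ping. The following script is an added example (not from the podcast or Cisco) that converts between those notations and parses the pasted "show access-list" counter output to confirm that the marked packets were actually counted on the far side of the tunnel; the sample output is constructed to mirror the ACL 144 listing above.

```python
import re

# IP precedence names as accepted by IOS ACLs and route-maps, with their 3-bit value.
# Precedence is the top three bits of the ToS byte, so value << 5 is the
# "Type of service" number typed into extended ping (precedence 4 -> ToS 128).
PRECEDENCE = {
    "routine": 0, "priority": 1, "immediate": 2, "flash": 3,
    "flash-override": 4, "critical": 5, "internet": 6, "network": 7,
}

def tos_byte(precedence_name):
    """ToS byte for a precedence name, e.g. flash-override -> 128."""
    return PRECEDENCE[precedence_name] << 5

def precedence_of_tos(tos):
    """Inverse mapping: ToS byte -> precedence name, e.g. 128 -> flash-override."""
    value = (tos >> 5) & 0x7
    return next(name for name, v in PRECEDENCE.items() if v == value)

# One ACE line of "show access-list" output; the match counter is optional.
ACE_RE = re.compile(
    r"^\s*(\d+) permit ip any any precedence (\S+)(?: \((\d+) match(?:es)?\))?"
)

def parse_acl_counters(show_output):
    """Parse 'show access-list' text into {precedence_name: match_count}."""
    counts = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            counts[m.group(2)] = int(m.group(3) or 0)
    return counts

def marked_packets_seen(show_output, precedence_name, expected):
    """True if the ACE for the marking precedence counted at least `expected` packets."""
    return parse_acl_counters(show_output).get(precedence_name, 0) >= expected

# Constructed sample output, modelled on the ACL 144 listing in the notes.
SAMPLE = """Extended IP access list 144
    10 permit ip any any precedence routine
    50 permit ip any any precedence flash-override (100 matches)
    70 permit ip any any precedence internet (1 match)
"""

if __name__ == "__main__":
    print(tos_byte("flash-override"))                            # 128
    print(parse_acl_counters(SAMPLE))
    print(marked_packets_seen(SAMPLE, "flash-override", 100))    # True
```

If the 100 pings sent with ToS 128 do not show up under the flash-override ACE on the remote router, the packets are being dropped or re-marked somewhere along the path rather than inside the tunnel.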

IPsec Troubleshooting: Understanding and Using debug Commands
