Cisco IPsec Troubleshooting

Cisco IOS Software Commands:

show crypto isakmp sa
show crypto ipsec sa
show crypto engine connection active

show crypto session

show crypto session brief

 

Up-Active – IPSec SA is up/active and transferring data. 
Up-IDLE – IPSsc SA is up, but there is not data going over the tunnel 
Up-No-IKE – This occurs when one end of the VPN tunnel terminates the IPSec VPN and the remote end attempts to keep using the original SPI, this can be avoided by issuing crypto isakmp invalid-spi-recovery 
Down-Negotiating – The tunnel is down but still negotiating parameters to complete the tunnel. 
Down – The VPN tunnel is down.

 

Logging:

terminal monitor

debug crypto isakmp
debug crypto ipsec

 

Common Problems:

Inability to Access Subnets Outside the VPN Tunnel: Split Tunneling

This sample router configuration output shows how to enable split tunneling for the VPN connections. The access list 150 command is associated with the group as configured in the crypto isakmp client configuration group hw-client-groupname command. This allows the Cisco VPN Client to use the router in order to access an additional subnet that is not a part of the VPN tunnel. This is done without compromizing the security of the IPsec connection. The tunnel is formed on the 172.168.0.128 network. Traffic flows unencrypted to devices not defined in the access list 150 command, such as the Internet.
!
crypto isakmp client configuration group hw-client-groupname
key hw-client-password
dns 172.168.0.250 172.168.0.251
wins 172.168.0.252 172.168.0.253
domain cisco.com
pool dynpool
acl 150
!
!
access-list 150 permit ip 172.168.0.128 0.0.0.127 any
!

 

Common PIX-to-VPN Client Issues

The topics in this section address common problems that you encounter when you configure PIX to IPsec with the help of VPN Client 3.x. The sample configurations for the PIX are based on version 6.x.
Traffic Does Not Flow After the Tunnel Is Established: Cannot Ping Inside the Network Behind PIX

This is a common problem associated with routing. Ensure that the PIX has a route for networks that are on the inside and not directly connected to the same subnet. Also, the inside network needs to have a route back to the PIX for the addresses in the client address pool.
This output shows an example.

!--- Address of PIX inside interface.

ip address inside 10.1.1.1 255.255.255.240

!--- Route to the networks that are on the inside segment.
!--- The next hop is the router on the inside.

route inside 172.16.0.0 255.255.0.0 10.1.1.2 1


!--- Pool of addresses defined on PIX from which it assigns
!--- addresses to the VPN Client for the IPsec session.

ip local pool mypool 10.1.2.1-10.1.2.254

!--- On the internal router, if the default gateway is not
!--- the PIX inside interface, then the router needs to have route
!--- for 10.1.2.0/24 network with next hop as the PIX inside interface
!--- (as in Cisco IOS routers).

ip route 10.1.2.0 255.255.255.0 10.1.1.1

 

 

S5 Box

Login