Network Troubleshooting Ticket | IPSEC VPN (Ticket 1) | in English | TSHOOT | CCNP | CCIE|

Video Statistics and Information

Captions
Hi guys, this is Amar and welcome to Amar Tech Stuff. Guys, in this video we'll see a troubleshooting ticket which we need to troubleshoot, and here is a diagram on your screen. We have two routers, R1 and R2, and the issue here is that we're not able to ping PC2 from PC1 and vice versa. Again, the IPsec tunnels are having some issues, so we have to check that also.

So what we'll do is we first check what exactly is the issue with the R1 IPsec tunnel. The command to check the phase one tunnel is show crypto isakmp sa, and you will see that there is no phase one tunnel formed yet. The phase one tunnel is not formed, so of course phase two won't be formed. So let's initiate some traffic from PC1 to PC2 and check whether we are able to ping it or not. What I do is I go on PC1 and I'll ping 20 dot, which is PC2, and you can check we're not able to ping it. Here is the problem.

So let's check on R1 whether any tunnel session is formed or not. Yes, as you can see here, the session is just formed, currently active. This is the phase one session; the phase one session is getting formed. You can see here the destination is R2 and this is the source, that is R1, but you can see we are not able to ping. Now this is interesting, that we are not able to. What I do is I keep a continuous ping so that we'll come to know. I mean, we're not able to ping, but phase one is getting formed.

Let's check if we are seeing some traffic in phase two. show crypto ipsec sa, this is the command for phase two. You can see, guys, that there are no packets which are getting encrypted or decrypted over here. So we have an issue with this.

So what we'll do is we also try to initiate some traffic from PC2 and check whether we are forming that tunnel or not. We'll check on R2 first of all whether any tunnel is formed. Yes, of course, the phase one tunnel is formed. Here is the one which was deleted; I configured it, so I deleted that. So this is the one which is currently active. So yes, it is active, but let's check on phase two, and here is the output. The thing is, if the phase one tunnel is formed and the phase two tunnel is formed, then you of course see some packets which are encrypted and decrypted here, but here you can see there's no encryption done over here.

So what will be the issue? How to troubleshoot this issue? One way to troubleshoot the issue is to take the configuration and to check for some logs or some messages which are coming on these routers or not. So we just check the logs. This is R1; check some logs, whether you're able to see some logs. Here, some error is coming on R2. This is the error which is coming, that is %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at this, that is, this is R1. So this is the error which is coming, and it is the CRYPTO-6 mode failure.

So to troubleshoot this particular error, or to troubleshoot this issue, we will have a look at our configuration part. Guys, I will always tell you that whenever we are checking the configuration for an IPsec tunnel, use this command: show crypto map. And this is the crypto map which is used, that is tech map. And here also we use the same command, show crypto map. Okay. So what I'll do is I'll copy this, because I need to check it very well, so I'll copy this into a notepad. This is how I actually do this stuff. So this is for R2, and let's check for R1 as well, and this is for R1. So this is what we currently have with us.

So guys, you can see the crypto map names: on R2 it is tech map and on R1 it is again tech map, but again, these crypto map names are local to the routers, so this doesn't make any difference. The peer IP which I've configured on R2 is 12.0.0.1, and here it is dot 2, that is on R1. So let's check whether R1 has this IP address, 12.0.0.1. So what we'll do is show ip int brief. Yeah, it has the correct peer IP. I think that is the reason why phase one is forming, but we need to troubleshoot why phase two is not forming. Let me verify on R2 as well: show ip int brief. Yes, it is again the correct IP address which we are using, so that is not the concern.

The other thing we can check here is the access list. Now, what we normally do is use the access list to define the interesting traffic. Guys, if you have watched my videos on IPsec VPN, you will know that interesting traffic is the traffic which is meant to transfer through the tunnel. So let's check what this access list is. I've configured the access list on R2 as 100, and this is the source IP address and this is the destination IP address. And on R1, you can check, I have configured the same access list, that is 100. Again, these access list names and numbers are local to the router, so it won't make any difference, but these entries do make a lot of difference.

So here you can see the access list is permit, and here is the source and here is the destination. When I'm putting this on R1, the source is the 10 network and the destination is the 20 network. And when I'm putting it on R2, again, see guys, I've put the source as the 10 network and the destination as the 20 network. But you can check in the diagram, or here on the router also, that the 20 network is the source and the destination should be the 10 network, because you can see here the LAN network which is there on this router is the 20 network. So here is a mistake; the wrong entry which I have found out is in the access list.

So let's change the access list. Let's check the access list first of all: access list 100, and you can find this entry which is wrong. Extended 100, and I'll do no 10, so this entry will go and I'll put another entry. Putting this entry, it should be like permit IP 20 dot 0 dot 0 dot 0, then 0 dot; because the subnet mask is a slash 24, it's 255. Now let us check the access list: show ip access-list 100. So this is the access list now. The traffic is still initiated, and guys, you can see immediately over here I'm getting this ping response now. Okay, I'm even getting the matches on this access list. So here is how we have troubleshot this thing.

So yeah, we have to have a look on it. Let's check the crypto session. Let's check phase one: this is the phase one which is getting formed, that is good. And let's check the phase two session also. The command to check phase two is show crypto ipsec sa, and guys, you can see the packets which are encrypted and decrypted here. Here are the packets which we got the failure on, and here are the packets which are getting encapsulated, decapsulated, encrypted and decrypted. This is MD5, this is verified. So all these packets we are currently getting, and we are able to ping it.

So guys, in this ticket, what we saw is that we used this particular output, these two in particular, and started comparing the configuration part, because we saw that the data was not getting encrypted or decrypted. Phase one was coming up because all the parameters, the initiation parameters for phase one, were okay, and that is why it was coming up. But there was an issue with the interesting traffic defined in the ACL; that is why the data was not correctly leaving it, so we were not able to see any packets which were decrypting or encrypting on phase two.

So in this way of troubleshooting you can do a lot of stuff. I'll come up with more troubleshooting videos for IPsec VPN. So I'll stop here in this video; catch you in the next video. Thank you.
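
The root cause found in the video, crypto ACLs on the two peers that are not mirror images of each other, can be checked mechanically before a change is pushed. The following is an added example, not part of the video or its captions; the /24 prefixes and the helper names `parse_acl` and `unmirrored` are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample entries. The 10.0.0.0/24 and 20.0.0.0/24 prefixes are
# assumptions standing in for the "10 network" and "20 network" LANs.
R1_ACL = "access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"
R2_ACL_BROKEN = "access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255"
R2_ACL_FIXED = "access-list 100 permit ip 20.0.0.0 0.0.0.255 10.0.0.0 0.0.0.255"

# Matches both the config form and "show ip access-lists" output lines such as
# "10 permit ip <src> <wildcard> <dst> <wildcard> (5 matches)".
# The "host" and "any" keywords are not handled here.
ENTRY = re.compile(r"permit\s+ip\s+" + r"\s+".join([r"(\d+(?:\.\d+){3})"] * 4))


def to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an ip_network."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_acl(text):
    """Return the set of (source, destination) networks the ACL permits."""
    pairs = set()
    for line in text.splitlines():
        m = ENTRY.search(line)
        if m:
            pairs.add((to_network(m[1], m[2]), to_network(m[3], m[4])))
    return pairs


def unmirrored(local_acl, peer_acl):
    """Local entries with no swapped (destination, source) twin on the peer."""
    peer = parse_acl(peer_acl)
    return sorted((s, d) for s, d in parse_acl(local_acl) if (d, s) not in peer)


if __name__ == "__main__":
    for label, r2_acl in (("broken", R2_ACL_BROKEN), ("fixed", R2_ACL_FIXED)):
        missing = unmirrored(R1_ACL, r2_acl)
        print(label, "R2 ACL:", "mirrored" if not missing else f"no mirror for {missing}")
```

An unmirrored entry is the condition under which phase one can come up while the phase two counters stay at zero, as seen in the ticket.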
Info
Channel: Network Engineer Stuff
Views: 8,932
Rating: 4.9597988 out of 5
Keywords: ipsec vpn, amartechstuff, troubleshooting, troubleshoot ipsec vpn, vpn, ipsec, ipsec vpn phase 2 troubleshooting, common ipsec vpn issue, cisco site to site vpn tunnel, ccnp troubleshooting tickets, ccie troubleshooting tickets
Id: NlhwMtFbTqs
Length: 10min 31sec (631 seconds)
Published: Wed Jul 03 2019