Troubleshooting commands for Site to Site VPN (IKEV1) - Part 1

Captions
Hello and welcome back. First of all, I would like to thank you for supporting me in doing these videos. I want you to know that I always try to bring accurate and clear information to you; the sole purpose of me creating these videos is to help you understand those concepts that you always wanted to learn. At the end of this video, if you find it helpful, please do like, comment and share. If you are new to this channel, also hit the subscribe button in the bottom right corner. With that being said, let's see what we have got today: troubleshooting site-to-site VPN. In this session I'm going to show you the commands that you can use to troubleshoot your VPN problems. Previously I shared the concept of site-to-site VPN, so this session is going to be all about commands.

So let's start with phase 1 not coming up. What commands do we use? If phase 1 is not coming up, the first thing you do is verify whether phase 1 is coming up or not. How do you do that? You go back to your CLI and say show crypto ikev1 sa. Let's say there are no IKEv1 SAs at the moment; that means my phase 1 is down. In your real-time environment you may have too many VPN tunnels in there. On this ASA I have a VPN set up, so let me show it to you: show run crypto map. Since we have come to that, let me first show you how to pull the configuration for your VPN. Let's say your customer tells you, "I have a problem with my VPN." On your ASA you have too many VPN tunnels configured, so how do you find the exact configuration for that particular VPN? In this case, on my ASA I only have one VPN tunnel configured, but the command still works. You need to ask the customer for at least the IP address of the peer; you need the peer IP at least, and they can give you that. So let's say the customer has given you a peer IP, and the peer IP is 1.1.1.2. How do you find the configuration related to this? You need to start looking at the crypto map, so you say show run crypto map | include 1.1.1.2 (the peer IP). That tells you that you have a crypto map for this particular peer, applied at sequence number 10 in my crypto map, my-map. Now you need the complete configuration for this particular crypto map, so then you say show run crypto map | include followed by the name of the crypto map, a space, and the sequence number, so my-map 10. This gives you the complete configuration of the crypto map related to this VPN: the crypto ACL name is AWS_VPN, the set peer (peer IP) is 1.1.1.2, and the transform set is my-set.

If you need to look at more configuration, then you can say show run tunnel-group, and the tunnel-group name will of course be the peer IP, so 1.1.1.2. In the tunnel group you can find which group policy is applied. To check the group policy you say show run group-policy 1.1.1.2, and that shows your group policy configuration. In the group policy you can see there is a vpn-filter applied; the vpn-filter name is AWS_VPN_FILTER. A vpn-filter is actually an access list, so to see the vpn-filter you have to run the command show run access-list and the name of the access list. That shows you what is in the filter. That's how you can look at the complete configuration for a VPN.

If you need to figure out what the phase 1 and phase 2 policies are: the phase 2 policy is in your crypto map, and the phase 2 policy name is the transform set, my-set. How do you look at it? You know the transform set name now, so you say show run crypto ipsec | include my-set. That shows you what is in your transform set: the transform set name is my-set, the encryption is AES and the hashing is SHA. That is how you look at the transform set. Now, if you need to look at phase 1 policies, phase 1 policies can be a little confusing, because you may have multiple phase 1 policies configured, and the phase 1 policies are not actually bound to anything, so any phase 1 policy that matches on the remote side may apply to you. But you can still look at all the phase 1 policies that are configured; the command is show run crypto ikev1. That tells you that you have one phase 1 policy, policy number 10, and it has these parameters configured. It also shows you whether IKEv1 is enabled or not.

These commands will help you figure out the related configuration for your VPN peer if you just know the peer IP address. So if you just know that my peer IP is 1.1.1.2, then you can start looking at the configuration of the VPN using this command: show run crypto map | include followed by your peer IP. This will tell you whether you have any configuration for this peer IP in your crypto map or not, and it also tells you which sequence number it is using in the crypto map. Once you know that, you will know the crypto map name and the sequence number, so you can run the same command again, show run crypto map | include my-map 10, with the crypto map name and sequence number that I obtained from the previous command, and this gives you the complete crypto map output for a particular peer. Once you have seen that, in the crypto map you will find the crypto ACL that tells you the interesting traffic; you also find the peer IP and the transform set name. Then you can look at the tunnel group, show run tunnel-group 1.1.1.2. The group policy can be obtained from the tunnel group. In the group policy you may or may not have a vpn-filter; if you do have one, you can look at it by using the command show run access-list and the filter name. If you need to figure out what policies are configured for phase 2, the phase 2 policies are applied in the crypto map; from the crypto map you get the name of the transform set, and then you look at the transform set. The way to look at the transform set is show run crypto ipsec | include followed by the transform set name, in this case my-set. If you need to find out which phase 1 policies are configured, then you say show run crypto ikev1, and that shows you all the phase 1 policies configured. Remember, the ASA sends all the phase 1 policies, whatever you have configured on the ASA, and whatever matches on the remote end gets selected, so you can't really decide on your own which policy will match.

Coming back to how to verify whether phase 1 is up or not: to verify the phase 1 status, you say show crypto ikev1 sa. It said there are no IKEv1 SAs; that is when phase 1 is completely down. But if you know you have some continuous traffic going on, and maybe there's a problem with your VPN configuration and the VPN isn't coming up properly, you might want to run this command multiple times just to see if it's trying to come up and going down, trying to come up and going down, and you might want to run it quite fast, because this might be happening very fast. Here nothing is happening, so you see my VPN is not trying to come up at all. show crypto ikev1 sa is the command to check the status of phase 1. Now I'm going to initiate some traffic and then we check the status once again. From this PC I'm going to initiate a ping to a remote-end IP address; the remote-end IP address that I want to ping is this one, 10.10.10.20. Things are down on this side, this router is down; I'm not really interested in getting a successful ping, all I want is interesting traffic for my ASA to attempt a VPN, because both the ASAs are up. So here we are: I want to ping 10.10.10.20 and make it a continuous ping. The ping is going on, timing out as expected. Let me come back here and run the show crypto ikev1 sa command again. You see, it says I'm trying to establish a VPN with peer IP 1.1.1.2, my role is initiator, and the state is MM_WAIT_MSG4. This gives you an idea of what's going on; this command helps you see the status of phase 1. Now, to understand why it is showing MM_WAIT_MSG4, I've already made another video, so you can go back to the previous videos and check out why it is showing MM_WAIT_MSG4 and how to troubleshoot this problem. The purpose of this video is to show you the commands to identify the issue.

How do you figure out what the problem is? You do debugs. The debugs must be applied conditionally. To apply conditional debugs you say debug crypto condition peer 1.1.1.2, the peer IP. Once the condition has been applied, you say debug crypto ikev1 and the level of debugging that you would like to do; I usually do 128, which gives me enough information. And then to stop the debugs you say undebug all, or if you have to type it quickly, you say un all, and that stops the debugs. Let me quickly fix this problem. Looking at the debugs, I have a feeling that the pre-shared key is missing on either end, so let's see if the pre-shared key has even been configured or not. I check the tunnel-group configuration, show run tunnel-group, and the tunnel-group name is 1.1.1.2. There is no pre-shared key, so I'm going to go ahead and configure that: tunnel-group 1.1.1.2 ipsec-attributes, then ikev1 pre-shared-key. Let me check on the peer as well: show run tunnel-group 1.1.1.1, and there's no pre-shared key there either, so tunnel-group 1.1.1.1 ipsec-attributes, ikev1 pre-shared-key, and bam. So let's save the configuration and check the tunnel status again: show crypto ikev1 sa. You can also say show crypto isakmp sa; it might not accept your command, isakmp, in the new versions, but if you type it, it's going to take it. So it says MM_ACTIVE, and that was the problem: the pre-shared key was missing. The same output can also be seen with the command show crypto ikev1 sa, so there is no difference. On the newer versions, when you type show crypto isa and hit Tab, it will not automatically complete the command, because the command is no longer available, but if you just type it this way and hit Enter, it's going to accept it and show you the output. If you're comfortable typing this command, use that, or you can go for show crypto ikev1 sa; the end result is the same. This tells me my main mode is active. Main mode is phase 1, so phase 1 is active.

Now let's say that when you run the command show crypto isakmp sa or show crypto ikev1 sa you do not see any status here. Another problem. Let's say you have two ASAs, ASA1 and ASA2, and a site-to-site VPN. There are two PCs connected here; let's say this PC's IP address is 192.168.1.10 and this one is 10.10.10.20. So 1.10 is trying to ping 10.10.10.20. You have access to ASA1 and you're running the command show crypto isakmp sa or show crypto ikev1 sa, and it's showing me there are no IKEv1 SAs. You might have seen that I hesitate to type this; I usually use show crypto isakmp sa. So there are no SAs. Let's run the command once again quickly, fast, very fast. Nothing is there. What do you do next if you don't see any output from this command? You know your VPN will only come up if there is interesting traffic. You are saying that you are continuously running a ping to this IP, 10.10.10.20, and your source IP is 192.168.1.10. So my customer said, "I'm running a ping from this IP to this IP and it's not working." I came to my ASA and checked show crypto isakmp sa; I see there are no IKEv1 SAs, the tunnel is not up. So what's going on? Maybe he's not initiating the traffic, or maybe his traffic is not reaching the ASA. I first need to verify the configuration for this VPN, so I will ask what the peer IP is. He says the peer IP is 1.1.1.2, so I say show run crypto map | include 1.1.1.2. Now I know the crypto map sequence number, so I say show run crypto map once again, this time filtering with my-map 10, so that I know the crypto access list name. I say show run access-list and the access list name; that shows me the interesting traffic that is supposed to go through this VPN tunnel. The customer said he is running a ping from 192.168.1.10. I don't see 192.168.1.10 here; the 192.168.1.0 network is not there, but I do see the 10.10.10.0 network here in the destination. So the next thing you do is run a packet tracer. Packet tracer for what? The customer says he is running a ping from 192.168.1.10, so you should first know which interface this IP address is behind. On your ASA, to check the interfaces, you say show ip interface; I have inside, outside and management. Of course I won't give anyone access via management, outside is my internet-facing interface, and inside is the only one remaining; but you can still check the routing, so show route 192.168.1.10, and this says it's reachable via inside. So let's do a packet tracer on my inside. Bring the access list once again in front of your eyes. packet-tracer input inside icmp, then the source IP the customer gave, 192.168.1.10, then 8 0 for the echo request, and the destination 10.10.10.20; I want detailed output. Let me clear this screen first. Here, the first phase says UN-NAT; this UN-NAT says I'm hitting a NAT statement. This is the NAT statement that's getting matched: it says untranslate 10.10.10.20 to 10.10.10.20, which means do not translate. And then it says access-list, drop. If you look at this NAT, it says the real IP is 192.168.1.10 and it's changing that real IP to 172.16.1.10 when the destination is 10.10.10.20.

So your real source is getting NATed on the ASA and changed to 172.16.1.10, and the customer is not aware of that. But I think this matches your crypto ACL: in the crypto access list we have 172.16.1.0, and this IP address is getting NATed to 172.16.1.10, which is of course one IP from this range, so this traffic will of course match the crypto ACL. But here in the packet-tracer output you see that it's dropping it because of an access list. The traffic enters from the inside interface and it's getting dropped because of an access list, so now you need to figure out whether there is any access list on the inside interface. How do you do that? You say show run access-group. This command shows you which access lists are applied on which interfaces. We're interested in the inside interface; on the inside interface I have an access list whose name is inside_out, so I want to look at what is in this ACL: show access-list and the ACL name. This access list allows traffic between two hosts, 192.168.1.10, that's our real IP, and 10.10.10.10, but we are trying to ping 10.10.10.20, and that is not allowed in the ACL. So that's another way; packet tracer is your best friend when you're working on the ASA. Let me quickly fix this problem and check the status once again: show crypto isakmp sa, and phase 1 is up. It says state MM_ACTIVE, which means main mode is active; main mode is your phase 1, so phase 1 is up. That's how you check the tunnel status.

If there are too many VPN tunnels configured on your ASA, like there usually are, hundreds and hundreds of tunnels, then if you simply say show crypto isakmp sa, it's going to give you a list of all the tunnels that are up, and it's going to be very difficult to figure out where your particular VPN is down. The way you do it nicely is show crypto isakmp sa | begin 1.1.1.2; it's going to only show you the output beginning from where it matches this IP address, 1.1.1.2. That way you can see the status of your tunnel.

If required, you may also do a capture on the outside interface between the public IPs if your phase 1 is not coming up, you're not seeing anything in the output of show crypto isakmp sa, but packet tracer says it's going over the VPN. Let's run the same packet tracer once again that we were trying earlier. This time packet-tracer phase 9 is VPN, encrypt, allow. This is the phase type VPN; if it says encrypt allow, that means your ASA is trying to send the traffic over the VPN. Then there is a phase 10 that says access-list, result drop. Let's see the final result as well: the final action is drop. So it's getting dropped due to an access list, but if you look at the subtype, it says filter-aaa. Any guesses what filter-aaa is? filter-aaa is your vpn-filter that's applied. So I have a vpn-filter applied; if I was not aware of it, the packet-tracer output can clearly tell me. If you are seeing filter-aaa in your packet-tracer output, that means there is a vpn-filter applied. Where is a vpn-filter applied? It's applied in the group policy, so I need to look at the group policy: show run group-policy, and the group policy name is usually the peer IP. So I have a group policy, and in the group policy, yes, there is a vpn-filter; the vpn-filter value, the name, is AWS_VPN_FILTER. This is an access list, so my traffic is being dropped due to this particular vpn-filter. So I say show access-list and the ACL name. This access list allows traffic between 10.10.10.20 and 192.168.1.10. That looks correct, doesn't it? Well, that's the common mistake people make. If you remember, this is the real IP. First thing: a vpn-filter is always applied in the reverse direction to your crypto access list, and it must be an exact replica of your crypto access list, the reverse replica. That means whatever you have as the source IP in the crypto ACL becomes the destination here, and the destination becomes the source. Of course you can then limit using protocol; if you want to allow only TCP, UDP or ICMP, you can do that, but we must match the crypto ACL in reverse order. So let's look at the crypto access list. This is the crypto access list. Does it match in the reverse order? No. Nowhere in the crypto ACL do we have 192.168.1.10, because that's the real IP, and the traffic that goes over the VPN gets NATed to the 172.16.1.0 network, so this vpn-filter must have the NATed IP. So I'm going to correct that and fix the problem; let's get rid of this line. All right, let's look at the vpn-filter once again, and this time it does seem to have the correct information. Let's run the packet tracer again, so I say packet-tracer the same way and go to the end. The final action is allow now. And if you go through the phases once again, you will see phase 9 is VPN encrypt allowed, and then phase 10; it's not compulsory that phase 9 will always be VPN and phase 10 will always be your filter, it may vary, it depends on lots of things. Phase 10, you see, this time filter-aaa is allowed, because we corrected the information in there. And then you look at the final result: action is allowed, coming from inside, going via outside, getting encrypted. All good.

So if you're not seeing anything anywhere, then of course you can do a capture between the public IPs to see if your ASA is even trying to make any connection attempts to the peer. The way you do a capture is you just say capture and a capture name; the name must make some sense, so if I'm doing it on the outside interface I say cap_out: capture cap_out interface outside match ip host 1.1.1.1 host 1.1.1.2. I want to match IP between these two IPs, 1.1.1.1 and 1.1.1.2. Once you apply this capture, it's automatically bidirectional; you don't actually do it for 1.1.1.2 going to 1.1.1.1, it automatically captures that. If I just say show capture, that will tell me which capture is applied and whether it's capturing any traffic; yes, it's capturing, 1930 bytes. Let's run it once again; it's increasing, which means it's capturing the traffic. If I need to see what is in there, I say show capture cap_out, the name of the capture, and I can actually see the traffic in there: 1.1.1.1 is sending traffic to 1.1.1.2, the type is IP protocol 50, and then 1.1.1.1 is sending to 1.1.1.2 on UDP port 500. So you see the UDP port number is 500. This way you can look at these captures as well.

There may be some other problems: your ASA might not have enough licenses, or maybe all the licenses that you had for site-to-site VPN have already been exhausted. How do you check that? You say show vpn-sessiondb license-summary; that shows you the status of the licenses. We are interested in this one, Other VPN, capacity 250. This is the device capacity, the maximum capacity of the hardware that I'm using. Is it enabled or disabled? You can look at the status and how many are installed; I have 250, this comes by default. Limit: is there any limit applied? None. There are commands to even apply a limit, but there's no limit applied here. The same way you can look for your AnyConnect licenses if you have to. So all the licenses are available here. Sometimes, if you're configuring VPN for the first time, you have to have the license for encryption, which enables AES, DES and 3DES on your ASA. Let's say you've done everything right and your VPN isn't coming up; there might be a reason that you don't have your encryption licenses enabled. Using this command you can look at all the licenses, and it also gives you the license usage summary. In my case I'm using one license for site-to-site VPN: all in use, one; peak in use, one, so at most there has been only one VPN tunnel; currently in use, one; and of course usage is zero percent, because one out of 250 is how much?

So I think these are the only commands that can help you figure out the problems with phase 1. That's all for now. I hope this has been informative to you, and I would like to thank you for watching. It is your support, your likes and comments that keep me motivated to bring up more stuff like this. Please let me know if this has helped you. If you are new to this channel, also hit the subscribe button.
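Two of the checks in the video are easy to get wrong by eye: reading the phase 1 state for one peer out of show crypto ikev1 sa on a busy ASA, and confirming that a vpn-filter is the exact reverse of the crypto ACL using the post-NAT addresses. The following Python is an added example, not code from the video or from Cisco. The sample command output and access-list lines are constructed to look like ASA output and were not captured from any device; the names AWS_VPN, AWS_VPN_FILTER, my-map and the addresses follow the transcript.

```python
"""Added offline helpers: parse phase 1 state from `show crypto ikev1 sa` and
check that a vpn-filter mirrors the crypto ACL. All sample output below is
constructed to resemble ASA output; it was not captured from a real ASA."""
import ipaddress
import re

# Constructed sample modelled on `show crypto ikev1 sa`: one peer stuck in
# MM_WAIT_MSG4 (the state seen in the video) and one peer that is up.
SAMPLE_IKEV1_SA = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 1.1.1.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG4
2   IKE Peer: 1.1.1.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""


def parse_ikev1_sa(text):
    """Return {peer_ip: {"role": ..., "state": ...}} from the command output."""
    sas, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            sas[peer] = {}
            continue
        if peer is None:
            continue
        for key in ("Role", "State"):
            m = re.search(rf"{key}\s*:\s*(\S+)", line)
            if m:
                sas[peer][key.lower()] = m.group(1)
    return sas


def phase1_status(sas, peer):
    """Classify phase 1 for one peer the way the transcript reads the output."""
    sa = sas.get(peer)
    if sa is None:
        return ("no IKEv1 SA: the ASA is not attempting the tunnel "
                "(check interesting traffic, NAT and interface ACLs)")
    state = sa.get("state", "")
    if state == "MM_ACTIVE":
        return "phase 1 up"
    if state.startswith("MM_WAIT_MSG"):
        return f"phase 1 stuck in {state} as {sa.get('role')}: run conditional debugs for this peer"
    return f"phase 1 in state {state}"


# Extended ACE: access-list NAME extended permit|deny PROTO SRC DST [ports/log]
ACL_RE = re.compile(r"^access-list\s+\S+\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")


def _addr(tokens):
    """Consume one ASA address spec (host X | any | NET MASK) from tokens."""
    t = tokens.pop(0)
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0))
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}")  # NET MASK form


def parse_acl(lines):
    """Return (action, proto, src, dst) per ACE; port and log keywords are ignored."""
    entries = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if m:
            action, proto, rest = m.groups()
            tokens = rest.split()
            src = _addr(tokens)
            dst = _addr(tokens)
            entries.append((action, proto, src, dst))
    return entries


def vpn_filter_mismatches(crypto_acl, vpn_filter):
    """Every vpn-filter permit must sit inside the reverse (dst -> src) of some
    crypto ACL permit, and every crypto ACL permit needs such a filter entry."""
    crypto = [e for e in parse_acl(crypto_acl) if e[0] == "permit"]
    flt = [e for e in parse_acl(vpn_filter) if e[0] == "permit"]
    problems = []
    for _, proto, src, dst in flt:
        if not any(src.subnet_of(c_dst) and dst.subnet_of(c_src) for _, _, c_src, c_dst in crypto):
            problems.append(f"vpn-filter {proto} {src} -> {dst} reverses no crypto ACL entry (pre-NAT address?)")
    for _, proto, src, dst in crypto:
        if not any(f_src.subnet_of(dst) and f_dst.subnet_of(src) for _, _, f_src, f_dst in flt):
            problems.append(f"crypto ACL {proto} {src} -> {dst} has no reversed vpn-filter entry")
    return problems


# Constructed ACLs using the transcript's addresses: the crypto ACL carries the
# NATed 172.16.1.0/24 network, the wrong filter names the real host
# 192.168.1.10, the fixed filter uses the NATed host 172.16.1.10.
CRYPTO_ACL = ["access-list AWS_VPN extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0"]
WRONG_FILTER = ["access-list AWS_VPN_FILTER extended permit ip host 10.10.10.20 host 192.168.1.10"]
FIXED_FILTER = ["access-list AWS_VPN_FILTER extended permit icmp host 10.10.10.20 host 172.16.1.10"]

if __name__ == "__main__":
    sas = parse_ikev1_sa(SAMPLE_IKEV1_SA)
    for p in ("1.1.1.2", "1.1.1.3", "9.9.9.9"):
        print(p, "->", phase1_status(sas, p))
    print("wrong filter:", vpn_filter_mismatches(CRYPTO_ACL, WRONG_FILTER))
    print("fixed filter:", vpn_filter_mismatches(CRYPTO_ACL, FIXED_FILTER))
```

Paste the real output of show crypto ikev1 sa and show run access-list into the two inputs; the filter check reports both an entry that names a pre-NAT host and a crypto ACL entry with no mirrored permit, which is the packet-tracer filter-aaa drop from the video found without a device.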
Info
Channel: ASAme2
Views: 4,139
Keywords: Site to site VPN, how to troubleshoot a site to site VPN, commands to troubleshoot Phase 1, commands to troubleshoot site to site vpn, commands to tshoot a vpn., cisco vpn, ipsec vpn, virtual private network, tac level understanding
Id: G6NocPrQ1hI
Length: 32min 18sec (1938 seconds)
Published: Sun Sep 06 2020