Troubleshooting commands for Site to Site VPN (IKEV1) - Part 2

Captions
Hello and welcome back. First of all, I would like to thank you for supporting me in doing this. I want you to know that I always try to bring accurate and clear information to you. The sole purpose of me creating these videos is to help you understand those concepts that you always wanted to learn. At the end of this video, if you find it helpful, please like, comment and share. If you are new to this channel, also hit the subscribe button in the right bottom corner. With that being said, let's see what we have got today.

[Music]

This session is going to be about commands to troubleshoot phase 2. I'm going to use this setup: there are two ASAs, there is a VPN tunnel between them, and these are the devices that are going to talk to each other. Currently my VPN has been set up in such a way that if I try to initiate traffic right now, it is going to come up just fine. Since we want to have some problems, and I want to show you in real time what may or may not happen, I have to create some problems, and then I'll show you how you can use commands to figure out the problem and eventually fix it.

Let's first check if my VPN can really come up if I initiate some traffic. So what traffic do I need to initiate? I'm going to ping from this PC, whose IP address is 192.168.1.10, to 10.10.10.20. This PC is down, so the ping will really not work, but it should at least bring the tunnel up, as this PC is up, this router is up, ASA1 is up and ASA2 is up. The VPN is between these two ASAs, so at least the VPN tunnel should come up. I know this router is down; it is purposefully down, and so are these other PCs. So let's go back and initiate some traffic from this PC whose IP address is 192.168.1.10.

From this one, send a ping to 10.10.10.20. I'm going to make it a continuous ping. The ping will not work, we know that; it times out. Go to ASA1 and check the phase 1 status: show crypto isakmp sa. Let's say this one is up; that's why it says MM_ACTIVE (main mode active). Now I need to check phase 2. We have already done another video on phase 1, so in this video I'm going to focus on phase 2. How do you check if your phase 2 is up or not? show crypto ipsec sa. If there is any output like this, if you have any packets encaps'd or decaps'd, that means your phase 2 is up. If you have too many tunnels on your ASA, then this command is not really useful; you'll have to tweak the command a little, so you'll say show crypto ipsec sa peer 1.1.1.2, and then it is going to show you the output specific to your particular VPN peer. It shows you which crypto map is being hit, which crypto map is triggering this VPN: the crypto map name is mymap, at sequence number 10. Your local address is 1.1.1.1, the crypto access list is aws_vpn, the current peer IP is 1.1.1.2, packets encaps 45, packets decaps 0. Then you have these SPI values here, inbound SPI and outbound SPI. These are also important: if you don't see them here, your phase 2 is improper. Right now this command is just to check if your phase 2 is up or not.

In phase 2 there can be two problems: (1) phase 2 isn't coming up, and (2) phase 2 is up but the traffic isn't working. If your phase 2 is up and traffic is not working, that also comes under phase 2 problems. So your main command for phase 2 is show crypto ipsec sa peer <peer IP>. That is going to be your main command to troubleshoot most of the phase 2 problems.

[Music]

Let me quickly create a scenario where phase 2 doesn't come up, and then which commands do we use? I'm going to pause the recording for the moment while I'm creating that scenario.

All right, so I have made some changes in the configuration and phase 2 shouldn't come up now. Let's see what's going on. We don't know if phase 2 is coming up, or if phase 1 is coming up or not, or what the problem is; all we need to do is troubleshoot, right? The customer says "my ping is not working," and you have access to both the ASAs. Here is a running ping; I don't know from where to where, so let's figure out the main things first. Let's say this is a live environment and you have too many VPN tunnels in there, so it's not going to be very easy to find your tunnel. What can be easy is that you can ask the customer for the source IP and the destination IP: from which IP address is he running the ping, and which IP address is he trying to reach? So let's get that information here on the screen: 192.168.1.10, and the destination is 10.10.10.20.

What did I tell you in my last video? First you have to start checking with the phase 1 status. So I say show crypto isakmp sa, and it says there are no IKEv1 SAs. show crypto isakmp sa again: I'm going very fast, so when I'm going very fast I might just see it sometimes. Let's skip it for a few seconds and try again. So it was once that I saw MM_ACTIVE, but now I don't see it. When you don't see it, the next thing you do is run a packet tracer. Figure out the routing: show route 192.168.1.10. This is on inside, right? It's learning the route from inside. Then I want show route 10.10.10.20: network not in table. That means it's taking the default route, so let's check the default route. I say show route, and the default route is pointing to outside. So now I know the routing.

packet-tracer input inside: what type of traffic am I running? icmp. Watch the source IP: 192.168.1.10. This is an ICMP echo request, so it's going to be 8 0, and then the destination is 10.10.10.20. I want detail. It says access-list allow, then there is a NAT which is coming into the picture. What the NAT is doing: it says change 192.168.1.10 into 172.16.1.10. So it's changing our real IP to another IP, 172.16.1.10, when it is going to a specific destination, and the destination is 10.10.10.20; do not change the destination. That's what it means. Okay, so now we know that our real IP is not going to be there when it reaches the destination; it is going to be NATed to 172.16.1.10. And I'm interested in seeing the VPN phase, so it's VPN encrypt, drop. Very nice. And the final reason is acl-drop. This is a very generic reason; you don't have to rely on it that there is an access list that's really dropping it.

What do you do next? You take debugs. You don't simply do the debugs for everything; you have to do conditional debugs. How do you do conditional debugs, like I explained in my last video? You do debug crypto condition peer, and the peer IP is 1.1.1.2, and then you do your normal debug: debug crypto isakmp 128. So these are my phase 1 debugs, and it's coming very fast, and that should be enough for me to figure out what's going on. I'll just scroll a little up and go through the debugs. Here it is saying "session is being torn down, reason: user requested." Let's move a little bit up. I remember seeing MM_ACTIVE; that means phase 1 did come up, and we should see that in the debugs as well. So yes, here it is: it says "PHASE 1 COMPLETED." When your phase 2 is going down, you know, when there is a mismatch in phase 2 or for some reason phase 2 is going down, then when you do show crypto isakmp sa it will not show you MM_ACTIVE, because phase 1 is coming up and going down very fast. But you can see in the debug that phase 1 completes. If the debugs are saying that phase 1 completed, that means there is nothing wrong with phase 1; now your focus should be on phase 2. So you see "Received non-routine Notify message: No proposal chosen (14)." This usually indicates a phase 2 mismatch. It can be anything in phase 2; most likely this indicates a mismatch in the crypto ACL, or the encryption algorithms, or the hashing, so the phase 2 parameters basically. Another indication of a mismatch: it clearly says here "Removing peer from correlator table failed, no match." That means again something doesn't match in phase 2. You have to apply conditional debugs, and once you have conditional debugs, if you need to turn off the debugs, you will just say un all quickly; that turns off the debugs. You can also type undebug all; they both do the same thing.

So now we know there is a mismatch in phase 2. How do we figure out what the mismatch is? To do that we need access to both the ASAs, so let me get into ASA2. I'm going to put them together. You know what, for your convenience I'll just rename this ASA1 and ASA2, and this guy is PC1 (type the IP address, 192.168.1.10). I believe from this PC I have continuous pings going on; they're timing out; I'm pinging 10.10.10.20, so you know that. All right, still, if you do show crypto isakmp sa to check phase 1, it doesn't show anything; at some times, if you're very lucky, you might see something in here. What should be your next step once you have seen the debugs and figured out it's a phase 2 problem? You compare the phase 2 configuration. How do you compare the config? If you have access to both the devices, both the firewalls, then it's a good thing; otherwise it's going to be a time-taking process, that you send your config to them or ask them for their config and then you compare. So let's keep it simple, that we have access to both the devices, both the ASAs, and I know the peer IP. I'll say show run crypto map | include and type in your peer IP, because you will have too many VPNs on your ASA, so this is the best way to figure out the complete configuration for your particular VPN peer. It says this peer is in crypto map mymap at sequence number 10. So this time I'm going to say show run crypto map | include mymap 10, because I figured that out from here, and now it's going to show me all the commands related to mymap 10. That tells me what the crypto ACL is (aws_vpn), what the peer IP is, and what the transform set is. These are your phase 2 parameters: the crypto access list and the transform set. So the first thing that you're going to match or compare is both of them.

I'll start comparing the crypto access list, so I'll say show access-list aws_vpn. Let's go to the access list on ASA2. Here: show run crypto map | include 1.1.1.1, show run crypto map | include mymap 10, and show access-list raj_vpn. These access lists must be mirror images of each other. This one says from 10.10.10.0 to 172.16.1.0. Let me just highlight this and then we can compare it. From 10.10.10.0, so this one should be to 10.10.10.0; that looks okay, /24. You must also match the subnet mask. Then it is 172.16.1.0/24 and 172.16.1.0/24, so this one looks okay. Go for the next one: 192.168.2.0 going to 10.10.20.0, and this one is 20.0 going to 2.0. The crypto ACLs look okay.

The next thing I'm going to check is the transform set. The transform set name is set2 here, but how do I know what parameters are in there? To check that you will say show run crypto ipsec | include <your transform set name>, set2. That shows you what parameters are configured for the transform set: it says AES and MD5. Let's check here: the transform set name is myset. show run crypto ipsec | include myset. This one has AES and SHA. Wait a second, did I see MD5 here? Yes. So there is a mismatch in the transform set: this one is using MD5, this one is using SHA. Let's correct it. I want to use SHA, I don't want to use MD5, so let's fix this guy here. The way you change the transform set is copy, paste, esp-sha-hmac, and that should do it. To make sure that the config is correct, now check it again: show run crypto ipsec | include <name of the transform set>. This one has AES and SHA. Go to ASA1, and this also has AES and SHA. Now they are a match, so the VPN tunnel should come up.

Now let's check the ping. The ping is still not working because the next router after ASA2 is shut down, and the actual destination that we're trying to ping is also down, so don't expect the ping to work. Well, let's check the VPN status now. First I would like to check phase 1: show crypto isakmp sa. Phase 1 is up because it says MM_ACTIVE. You know, in your phase 1 you have defined your lifetime, right? That lifetime is for phase 1 to rekey: after these many minutes phase 1 will rekey. It will not renegotiate, just rekey; the keys will be generated again. And where can you see that timer? That timer can be seen with the command show vpn-sessiondb detail l2l, and you have to say filter, and you can say ipaddress <peer IP>. So this is here. Here you see the details: it says rekey interval 86400 seconds, so this is the phase 1 lifetime that we set, and it says rekey left 86249 seconds. So it started from 86400 seconds and now I think approximately 200 seconds have passed, so this is the time left to rekey; phase 1 will rekey after these many seconds. You can also see the duration, how long this VPN has been up, when this VPN tunnel started: start here, this time. Then you see Bytes Tx and Bytes Rx, so how many bytes have been sent and how many bytes have been received. We haven't received anything; we're just sending, and that makes sense because the router on the other end is down, so there are no replies back. But it looks like we are sending, right? Then this one shows you your phase 1 status. For phase 1 you're sending on UDP port 500, source port 500, destination port 500; the authentication mode is pre-shared key; and in negotiation this is main mode, right; encryption AES-128, hashing SHA, Diffie-Hellman group negotiated 2; filter name, there is a VPN filter applied, aws_vpn_filter. And then this is your phase 2. For phase 2 you have a crypto access list, so this is the crypto access list for which the traffic has been seen: the traffic has been seen from 172.16.1.0 going to 10.10.10.0. Encryption, this is phase 2 encryption; phase 2 hashing; phase 2 encapsulation mode, so this is tunnel mode. Then you have rekey interval: phase 2 is supposed to rekey after 28800 seconds; rekey left, this is the time to rekey left; and this is the rekey interval in kilobytes, for data: once this much data has been transferred, then phase 2 will rekey. Idle time out 30 minutes: if there is no data transferred in phase 2 for 30 minutes, then phase 2 is going to go down. Bytes Rx, we have not received anything; Bytes Tx, we are only sending the traffic. 76 packets we have sent; we have not received a single one. That's how you can check.

We have verified that phase 1 is up: show crypto isakmp sa, phase 1 is up, MM_ACTIVE. Now we're going to look for phase 2. To check phase 2 you have to say show crypto ipsec sa, but remember, in a real-time environment you will have too many VPN tunnels, and running this command will show you the output for all the VPNs. You don't want to see that; you want to see the output just for a specific VPN tunnel, right? To do that you have to say show crypto ipsec sa peer <peer IP>, 1.1.1.2, and then it's going to show you the output just for a single peer. It says crypto map tag, the crypto map name is mymap, sequence number 10. If someone gives you this output, let's say your customer has shared this output with you, then looking at this output you can clearly tell what the problem is; at least you can figure out where the problem is. Let's say they've given you this output. From this one I see the crypto map name, I can find the sequence number, I can find my local IP address, and what the crypto access list name is, which crypto access list we are seeing the traffic for. It says packets encaps 67, packets decaps 0. Wait a second. So this packets encaps, or packets encrypt: we are encrypting packets; we have encrypted 67 packets but there are no decryptions. That means we are only sending; we are not getting any reply back. That's what it means. It makes it very simple, because if we are sending and we are not getting any packets back, we are not getting any encrypted packets to decrypt, then how do you expect the traffic to work?

The outbound SPI is the one that we're using while encrypting the traffic, and the inbound SPI is the one that we're using to decrypt the traffic. So our outbound SPI will be the inbound SPI on the remote end; they have to be the same. The SPI that we're using to encrypt the traffic must be the same as the one the other end is using to decrypt the traffic, so the outbound SPI on our end should be the same as the inbound SPI on the other end. We'll check that out. We are on ASA1 right now; the outbound SPI ends with 97. We're going to look at ASA2 now, and the inbound SPI should be 97: show crypto ipsec sa peer 1.1.1.1, enter, look at the SPIs. Now here, current inbound SPI 3e55aa97, 3e55aa97. So the outbound SPI here must be the same as the inbound SPI here. That's how the ASA figures out for which entry in the crypto ACL it has to decrypt this traffic. For each entry in the crypto access list you will have different inbound and outbound SPIs, but the inbound SPI on one end must match the outbound SPI on the other end, right? Another thing that must match is the number of encaps here on one side must match the number of decaps on the other side, and vice versa. So I'm just going to run the command once again: the number of encaps here is 7. I'm going to go to ASA2 and run the command once again: the number of decaps here is 400. So what did I say? The number of encaps on one end must match the number of decaps on the other end. You see, because I ran this command two seconds later, meanwhile it also received three packets. But if I go and stop the ping now, there should be no other traffic. So packets encaps 415 on ASA1. If I go to ASA2 now and see packets decaps, 415; this must match. If you see ASA1 has packets encaps 415 and ASA2 has packets decaps 414, that means one packet has been dropped. And dropped where? It's probably dropped by the ISP, because this is encrypted traffic we're talking about. These packets tell you how many encrypted packets you have received and that you have decrypted, and the same way this number of encaps must match here. So if that's not matching there's a problem with the ISP or somewhere in the path.

One more shortcut that you can use here, for the command that I just showed you: the important part that we want to look at is usually this one. You usually want to see what crypto access list has been negotiated, for which ACL, you know, from which entry in the crypto ACL we are sending the traffic. This is one thing that I would like to see; that will give me a fair idea of which entry I'm observing the traffic for. Then I want to see the number of encaps and decaps. So I can run this command in this way: I say | include ident|pkts, and you will see just that output. Isn't that cool? Skip everything else and just show what matters to you. It shows me the local identity, the remote identity, packets encaps and packets decaps, and that's all I need to see: that for this particular access list, when the traffic is going from 172.16.1.0 to 10.10.10.0, how many packets are getting encaps'd and decaps'd, or whether there are any encaps or decaps at all. Because I only initiated the traffic that matches this particular entry in the crypto ACL, that's why I'm seeing it here. If you see, my crypto access list actually had two entries, but here you're only seeing one, which is from 172.16.1.0 going to 10.10.10.0. In fact you must match the subnet mask as well, right? So it's /24 here, /24 here, and the same goes here. You also see there are hit counts, 796, and on this one there are no hit counts. That means there has been no traffic for this particular entry in the crypto ACL, and that's why the SA for it has not come up. These are security associations bound to the entry in the crypto ACL, so the SA for the second one has not come up because there has been no traffic. Whenever there is new traffic, only then will these SAs come up, and you will see this kind of entry for the second crypto ACL entry as well.

I plan to bring more videos on this particular topic. There is a very specific problem in phase 2 that I'm going to discuss in my next video, so that's going to be very detailed, and it will give you a better idea about what these SPI values are, where you look at them, how you look at them and how they are useful when you're doing troubleshooting. So do subscribe to my channel. That's all for now. I hope this has been informative to you, and I would like to thank you for watching. It is your support, your likes and comments that keep me motivated to bring more stuff like this. Please let me know if this has helped you. If you are new to this channel, also hit the subscribe button.
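Added example (not from the video or its author): a Python script that performs the phase 2 cross-checks the video does by hand, from saved `show access-list` and `show crypto ipsec sa peer` output of both ASAs: crypto ACLs must be mirror images down to the mask, the outbound SPI on one ASA must equal the inbound SPI on the other, and packets encaps on one side should equal packets decaps on the other, with any surplus encaps pointing at loss in the path. The CLI text embedded below is constructed, modelled on the values shown in the video (crypto map mymap 10, ACL aws_vpn, SPI 3e55aa97, 415 encaps against 414 decaps); the second SPI, the hit counts and the hostnames are assumptions, and the field layout assumes the standard ASA output format.

```python
"""Cross-check phase 2 state of an IKEv1 site-to-site tunnel from both ASAs' CLI output.
Checks: crypto ACLs mirror each other, SPIs pair up, encaps on one side == decaps on the other.
"""
import re

# Constructed sample output (not captured from a real device); values follow the video.
ASA1_ACL = """\
access-list aws_vpn line 1 extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0 (hitcnt=796) 0x1a2b3c4d
access-list aws_vpn line 2 extended permit ip 192.168.2.0 255.255.255.0 10.10.20.0 255.255.255.0 (hitcnt=0) 0x5e6f7a8b
"""
ASA2_ACL = """\
access-list raj_vpn line 1 extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0 (hitcnt=414) 0x9c0d1e2f
access-list raj_vpn line 2 extended permit ip 10.10.20.0 255.255.255.0 192.168.2.0 255.255.255.0 (hitcnt=0) 0x3a4b5c6d
"""
ASA1_IPSEC_SA = """\
interface: outside
    Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.1
      access-list aws_vpn extended permit ip 172.16.1.0 255.255.255.0 10.10.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      current_peer: 1.1.1.2
      #pkts encaps: 415, #pkts encrypt: 415, #pkts digest: 415
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 3E55AA97
      current inbound spi : 8D21F0C3
"""
ASA2_IPSEC_SA = """\
interface: outside
    Crypto map tag: mymap, seq num: 10, local addr: 1.1.1.2
      access-list raj_vpn extended permit ip 10.10.10.0 255.255.255.0 172.16.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
      current_peer: 1.1.1.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 414, #pkts decrypt: 414, #pkts verify: 414
      current outbound spi: 8D21F0C3
      current inbound spi : 3E55AA97
"""

ACE_RE = re.compile(r"extended permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_crypto_acl(text):
    """Return the set of (src, src_mask, dst, dst_mask) tuples found in show access-list output."""
    return {m.groups() for m in ACE_RE.finditer(text)}


def acl_mirror_mismatches(local_aces, remote_aces):
    """ACEs on this side that have no source/destination-swapped twin (same masks) on the other side."""
    mirrored = {(d, dm, s, sm) for (s, sm, d, dm) in remote_aces}
    return sorted(local_aces - mirrored)


def parse_ipsec_sa(text):
    """Pull the proxy identities, packet counters and SPIs out of show crypto ipsec sa peer output."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"field not found: {pattern}")
        return cast(m.group(1))
    return {
        "local_ident": grab(r"local ident[^:]*: \(([^)]+)\)"),
        "remote_ident": grab(r"remote ident[^:]*: \(([^)]+)\)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int),
        "decaps": grab(r"#pkts decaps: (\d+)", int),
        "outbound_spi": grab(r"current outbound spi\s*:\s*([0-9A-Fa-f]+)").upper(),
        "inbound_spi": grab(r"current inbound spi\s*:\s*([0-9A-Fa-f]+)").upper(),
    }


def cross_check(a, b, a_name="ASA1", b_name="ASA2"):
    """Compare both ends of one SA pair and return a list of human-readable findings."""
    findings = []
    if a["local_ident"] != b["remote_ident"] or a["remote_ident"] != b["local_ident"]:
        findings.append("proxy identities are not mirror images")
    if a["outbound_spi"] != b["inbound_spi"]:
        findings.append(f"{a_name} outbound SPI {a['outbound_spi']} != {b_name} inbound SPI {b['inbound_spi']}")
    if b["outbound_spi"] != a["inbound_spi"]:
        findings.append(f"{b_name} outbound SPI {b['outbound_spi']} != {a_name} inbound SPI {a['inbound_spi']}")
    for tx, rx, tx_name, rx_name in ((a, b, a_name, b_name), (b, a, b_name, a_name)):
        lost = tx["encaps"] - rx["decaps"]
        if lost > 0:
            findings.append(f"{lost} packet(s) encrypted by {tx_name} never decrypted by {rx_name}: loss in the path")
        elif lost < 0:
            # Counters read at different moments (as in the video) or the SA rekeyed in between.
            findings.append(f"{rx_name} decaps exceed {tx_name} encaps by {-lost}: re-read both counters together")
    if a["encaps"] > 0 and a["decaps"] == 0:
        findings.append(f"{a_name} only sends, no replies decrypted: check the far-end host and routing")
    return findings


if __name__ == "__main__":
    print("ACL mismatches:", acl_mirror_mismatches(parse_crypto_acl(ASA1_ACL), parse_crypto_acl(ASA2_ACL)))
    for line in cross_check(parse_ipsec_sa(ASA1_IPSEC_SA), parse_ipsec_sa(ASA2_IPSEC_SA)):
        print(line)
```

Stop the test ping before capturing the counters on both sides, as the video does; otherwise the encaps/decaps difference only reflects the seconds between the two commands, which the `lost < 0` branch flags rather than treating as loss.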
Info
Channel: ASAme2
Views: 1,618
Keywords: How to troubleshoot phase 2, how to fix phase 2 vpn problems, troubleshoot phase 2, troubleshoot phase 2 vpn, troubleshoot site to site vpn, site to site vpn, understanding site to site vpn
Id: ow_mQRehhG8
Length: 27min 10sec (1630 seconds)
Published: Wed Sep 30 2020