This document describes common debug commands used to troubleshoot IPsec issues on both Cisco IOS Software and PIX/ASA. This document assumes that you have configured IPsec. Refer to Common IPsec Error Messages and Common IPsec Issues for more details.
Refer to Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions for information on the most common solutions to IPsec VPN problems. It contains a checklist of common procedures that you can try before you begin to troubleshoot a connection and call Cisco Technical Support.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
56i—Indicates single Data Encryption Standard (DES) feature (on Cisco IOS Software Release 11.2 and later).
k2—Indicates triple DES feature (on Cisco IOS Software Release 12.0 and later). Triple DES is available on the Cisco 2600 series and later.
PIX—V5.0 and later, which requires a single or triple DES license key in order to activate.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Cisco IOS Software Debugs
The topics in this section describe the Cisco IOS Software debug commands. Refer to Common IPsec Error Messages and Common IPsec Issues for more details.
The show crypto isakmp sa command shows the Internet Security Association Management Protocol (ISAKMP) security associations (SAs) built between peers.
The show crypto ipsec sa command shows the IPsec SAs built between peers. The encrypted tunnel is built between 184.108.40.206 and 220.127.116.11 for traffic that goes between networks 20.1.1.0 and 10.1.1.0. You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since there are no AH SAs.
This output shows an example of the show crypto ipsec sa command.
This command shows each phase 2 SA built and the amount of traffic sent. Since phase 2 security associations (SAs) are unidirectional, each SA shows traffic in only one direction (encryptions are outbound, decryptions are inbound).
This output shows an example of the debug crypto isakmp command.
The debug crypto ipsec command shows the source and destination of the IPsec tunnel endpoints. Src_proxy and dest_proxy are the client subnets. Two "sa created" messages appear, one in each direction. (Four messages appear if you perform ESP and AH.)
This output shows an example of the debug crypto ipsec command.
Sample Error Messages
These sample error messages were generated from the debug commands listed here:
This output shows an example of the "Replay Check Failed" error:
This error is a result of reordering in the transmission medium (especially if parallel paths exist), or of unequal paths of packet processing inside Cisco IOS for large versus small packets, plus under load. Change the transform set to reflect this. The replay check is only seen when transform-set esp-md5-hmac is enabled. In order to suppress this error message, disable esp-md5-hmac and do encryption only. Refer to Cisco bug ID CSCdp19680 (registered customers only).
For information about how to configure the IPsec Anti-Replay Window, refer to How to Configure IPsec Anti-Replay Window: Expanding and Disabling.
The IPsec L2L VPN tunnel does not come up on the PIX firewall or ASA, and the QM FSM error message appears.
One possible reason is that the proxy identities, such as the interesting traffic, access control list (ACL) or crypto ACL, do not match on both ends. Check the configuration on both devices, and make sure that the crypto ACLs match.
Another possible reason is mismatched transform set parameters. Make sure that, at both ends, the VPN gateways use the same transform set with the exact same parameters.
This output shows an example of the error message:
This error message is attributed to one of these common issues:
The crypto map map-name local-address interface-id command causes the router to use an incorrect address as the identity because it forces the router to use a specified address.
The crypto map is applied to the wrong interface or is not applied at all. Check the configuration in order to make sure that the crypto map is applied to the correct interface.
This debug error appears if the pre-shared keys on the peers do not match. In order to fix this issue, check the pre-shared keys on both sides.
This is an example of the Main Mode error message. The failure of main mode indicates that the phase 1 policy does not match on both sides.
A show crypto isakmp sa command shows the ISAKMP SA to be in MM_NO_STATE. This also means that main mode has failed.
Verify that the phase 1 policy is on both peers, and make sure that all the attributes match.
The debug crypto isakmp command shows debug information about IPsec connections and shows the first set of attributes that are denied because of incompatibilities on both ends. The second attempt to match (to try 3DES instead of DES and the Secure Hash Algorithm [SHA]) is acceptable, and the ISAKMP SA is built. This debug is also from a dial-up client that accepts an IP address (10.32.8.1) out of a local pool. Once the ISAKMP SA is built, the IPsec attributes are negotiated and are found acceptable. The PIX then sets up the IPsec SAs as seen here.
This output shows an example of the debug crypto isakmp command.
This command displays debug information about IPsec connections.
Common Router-to-VPN Client Issues
This sample router configuration output shows how to enable split tunneling for the VPN connections. The access list 150 command is associated with the group as configured in the crypto isakmp client configuration group hw-client-groupname command. This allows the Cisco VPN Client to use the router in order to access an additional subnet that is not part of the VPN tunnel. This is achieved without compromising the security of the IPsec connection. The tunnel is formed on the 18.104.22.168 network. Traffic flows unencrypted to devices not defined in the access list 150 command, such as the Internet.
Common PIX-to-VPN Client Issues
The topics in this section address common problems that you encounter when you configure PIX to IPsec with the help of VPN Client 3.x. The sample configurations for the PIX are based on version 6.x.
This is a common problem associated with routing. Ensure that the PIX has a route for networks that are on the inside and not directly connected to the same subnet. Also, the inside network needs to have a route back to the PIX for the addresses in the client address pool.
This output shows an example.
The most common reason for this problem is that, with the IPsec tunnel from the VPN Client to the PIX, all the traffic is sent through the tunnel to the PIX firewall. The PIX functionality does not allow traffic to be sent back out the interface where it was received. Therefore the traffic destined for the Internet does not work. In order to fix this problem, use the split tunneling command. The idea behind this fix is that only specific traffic is sent through the tunnel and the rest of the traffic goes directly to the Internet, not through the tunnel.
Note: The vpngroup vpn3000 split-tunnel 90 command enables split tunneling with access-list number 90. The access-list 90 command defines which traffic flows through the tunnel; the rest is denied at the end of the access list. The access list needs to be the same for denying Network Address Translation (NAT) on the PIX.
Sometimes after the tunnel is established, you might be able to ping the machines on the network behind the PIX firewall, but you are unable to use certain applications like Microsoft Outlook. A common problem is the maximum transfer unit (MTU) size of the packets. The IPsec header can be up to 50 to 60 bytes, which is added to the original packet. If the size of the packet becomes more than 1500 (the default for the Internet), then the devices need to fragment it. After it adds the IPsec header, the size is still under 1496, which is the maximum for IPsec.
The show interface command shows the MTU of that specific interface on the routers that are accessible or on the routers on your own premises. In order to determine the MTU of the entire path from source to destination, datagrams of various sizes are sent with the Don't Fragment (DF) bit set so that, if the datagram sent is larger than the MTU, this error message is sent back to the source:
This output shows an example of how to find the MTU of the path between the hosts with IP addresses 10.1.1.2 and 172.16.1.56.
Note: The VPN Client comes with an MTU adjust utility that allows the user to adjust the MTU for the Cisco VPN Client. In the case of PPP over Ethernet (PPPoE) client users, adjust the MTU for the PPPoE adapter.
Note: Complete these steps in order to adjust the MTU with the utility for the VPN Client.
Choose Start > Programs > Cisco System VPN Client > Set MTU.
Select Local Area Connection, and then click the 1400 radio button.
Repeat step 1, and choose Dial-up Networking.
Click the 576 radio button, and then click OK.
Use the sysopt connection permit-ipsec command in IPsec configurations on the PIX in order to allow IPsec traffic to pass through the PIX Firewall without a check of conduit or access-list command statements. By default, any inbound session must be explicitly permitted by a conduit or access-list command statement. With IPsec protected traffic, the secondary access list check can be redundant. In order to enable IPsec authenticated/cipher inbound sessions to always be permitted, use the sysopt connection permit-ipsec command.
Verify Access Control Lists (ACLs)
There are two access lists used in a typical IPsec VPN configuration. One access list is used to exempt traffic that is destined for the VPN tunnel from the NAT process. The other access list defines what traffic to encrypt. This includes a crypto ACL in a LAN-to-LAN setup or a split-tunneling ACL in a remote access configuration. When these ACLs are incorrectly configured or missing, traffic might flow only in one direction across the VPN tunnel, or it might not be sent across the tunnel at all.
Be sure that you have configured all of the access lists necessary to complete your IPsec VPN configuration and that those access lists define the correct traffic. This list contains items to check when you suspect that an ACL is the cause of problems with your IPsec VPN.
Make sure that your NAT exemption and crypto ACLs specify the correct traffic.
If you have multiple VPN tunnels and multiple crypto ACLs, make sure that those ACLs do not overlap.
Do not use ACLs twice. Even if your NAT exemption ACL and crypto ACL specify the same traffic, use different access lists.
Make sure that your device is configured to use the NAT exemption ACL. That is, use the route-map command on the router; use the nat (0) command on the PIX or ASA. A NAT exemption ACL is required for both LAN-to-LAN and remote access configurations.
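As an added, offline check for the ACL items above (example code written for this page, not Cisco's own tooling), the Python below parses IOS-style extended access-list lines, converts wildcard masks to networks, and reports crypto ACLs that overlap or a single list reused for both NAT exemption and crypto. It assumes the `A WILDCARD A WILDCARD` operand form only (no `host`/`any` keywords), that the caller names which lists are crypto ACLs and which is the NAT-exemption list, and the sample configuration is constructed.

```python
import ipaddress
from itertools import combinations

# Constructed sample IOS config (not from the original document): two L2L crypto
# ACLs whose source ranges overlap, plus a NAT-exemption ACL for the same traffic.
SAMPLE_CONFIG = """
access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
access-list 102 permit ip 10.1.0.0 0.0.255.255 20.1.1.0 0.0.0.255
access-list 150 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255
"""

def wildcard_to_network(addr, wildcard):
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> /24, 0.0.0.0 -> /32
    mask_int = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(mask_int))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_acls(config):
    # {acl_name: [(src_net, dst_net), ...]} for extended 'permit ip A W A W' entries
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src = wildcard_to_network(tok[4], tok[5])
        dst = wildcard_to_network(tok[6], tok[7])
        acls.setdefault(tok[1], []).append((src, dst))
    return acls

def overlapping_crypto_acls(acls, crypto_names):
    # pairs of crypto ACLs that select overlapping src/dst traffic (list item 2)
    hits = set()
    for a, b in combinations(sorted(crypto_names), 2):
        for s1, d1 in acls.get(a, []):
            for s2, d2 in acls.get(b, []):
                if s1.overlaps(s2) and d1.overlaps(d2):
                    hits.add((a, b))
    return sorted(hits)

def check_config(config, crypto_names, nat_exempt_name):
    # apply the list items above to one config; returns human-readable findings
    acls, findings = parse_acls(config), []
    if nat_exempt_name in crypto_names:  # item 3: one ACL must not serve both roles
        findings.append(f"ACL {nat_exempt_name} is used for both NAT exemption and crypto")
    for a, b in overlapping_crypto_acls(acls, crypto_names):
        findings.append(f"crypto ACLs {a} and {b} overlap")
    for name in sorted(set(crypto_names) | {nat_exempt_name}):
        if name not in acls:  # every referenced list should have permit entries
            findings.append(f"ACL {name} is referenced but has no permit ip entries")
    return findings
```

Running `check_config(SAMPLE_CONFIG, {"101", "102"}, "150")` flags the overlap between 101 and 102 while accepting 150 as a separate NAT-exemption list, even though it matches the same traffic as 101.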
In order to learn more about how to verify the ACL statements, refer to the Verify that ACLs are Correct section in Most Common L2L and Remote Access IPsec VPN Troubleshooting Solutions.