Monitoring Cisco Remote Access IPSec VPNs

Cisco ASA comes with many show commands to check the health and status of the IPSec tunnels. For troubleshooting purposes, there is also a rich set of debug commands to isolate IPSec-related issues.

If you want to see whether the IPSec tunnels are working and passing traffic, start by looking at the status of the Phase 1 SA. Type show crypto isakmp sa detail, as demonstrated in Example 16-50. If the ISAKMP negotiations are successful, you should see the state as AM_ACTIVE.

Example 16-50. show crypto isakmp sa detail Command Output

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

You can also check the status of the IPSec SA with the show crypto ipsec sa command, as shown in Example 16-51. This command displays the negotiated proxy identities along with the actual number of packets encrypted and decrypted by the IPSec engine.

Example 16-51. Output of show crypto ipsec sa Command

    Crypto map tag: outside_dyn_map, local addr: 209.165.200.225
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

You can check the status of a hardware encryption card with the show crypto accelerator statistics command. Example 16-52 shows the important output from this command, which displays counter information such as the number of packets going through the encryption card.

Example 16-52. show crypto accelerator statistics Command Output

    Chicago# show crypto accelerator statistics
    Number of non-operational accelerators: 0

Cisco ASA can display global IKE and IPSec counter information, which is helpful in isolating VPN connection problems. Information such as the number of total requests, the number of total SAs created, and the number of failed requests is useful to determine the failure rate for IKE and IPSec SAs in the security appliance. As shown in Example 16-53, you can view this information with the show crypto protocol statistics ikev1 and show crypto protocol statistics ipsec commands.

Example 16-53. Output of show crypto protocol statistics ikev1 Command

    Chicago# show crypto protocol statistics ikev1
    Chicago# show crypto protocol statistics ipsec

If the IPSec tunnel is not working for some reason, make sure that you have the proper debug turned on. The following are the two most important debugs to look at:

    debug crypto isakmp

By default, the debug level is set to 1. You can increase the severity level up to 255 to get detailed logs. However, in most cases, setting this to 127 gives enough information to determine the root cause of an issue.

Refer to Figure 16-13 and look at the tunnel negotiation between the Cisco ASA and the VPN client. To enforce learning, the following debugs have been enabled:

As mentioned in Chapter 1, "Introduction to Network Security," the tunnel negotiations begin by exchanging the ISAKMP proposals. The security appliance shows the tunnel group, ciscovpn in this case, that the VPN client is trying to connect to. If the proposal is acceptable, the Cisco ASA displays a message indicating that the IKE SA proposal is acceptable, as shown in Example 16-54.

Example 16-54. debug Output to Show ISAKMP Proposal Is Acceptable

    : IP = 209.165.201.10, Connection landed on tunnel_group ciscovpn
    : Group = ciscovpn, IP = 209.165.201.10, IKE SA Proposal # 1, Transform # 10 acceptable Matches global IKE entry # 1

If the proposal is acceptable, the VPN devices try to discover whether they are NAT-T capable and whether there is an address-translation device between them. If NAT-T is not negotiated or a NAT/PAT device is not detected, they display the Remote end is NOT behind a NAT device and This end is NOT behind a NAT device messages, as shown in Example 16-55.

Example 16-55. debug Output to Show NAT-T Discovery Process

    : Group = ciscovpn, IP = 209.165.201.10, processing NAT-Discovery
    : Group = ciscovpn, IP = 209.165.201.10, computing NAT Discovery hash
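The #pkts encaps and #pkts decaps counters from show crypto ipsec sa are what separate a tunnel that is merely AM_ACTIVE from one that actually carries traffic in both directions. The following Python is an added example, not code from the book or from Cisco: it parses constructed output modelled on the Example 16-51 fields (the current_peer lines and the second peer 209.165.201.11 are constructed) and flags SAs whose counters move in only one direction.

```python
import re

# Constructed sample modelled on the Example 16-51 fields above; it is not
# output captured from a real ASA. Peer .10 is healthy; peer .11 only sends.
SAMPLE_OUTPUT = """\
Crypto map tag: outside_dyn_map, local addr: 209.165.200.225
  current_peer: 209.165.201.10
  #pkts encaps: 10, #pkts encrypt: 10, #pkts digest: 10
  #pkts decaps: 10, #pkts decrypt: 10, #pkts verify: 10
Crypto map tag: outside_dyn_map, local addr: 209.165.200.225
  current_peer: 209.165.201.11
  #pkts encaps: 250, #pkts encrypt: 250, #pkts digest: 250
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify): (\d+)")
PEER_RE = re.compile(r"current_peer: ([\d.]+)")  # stop before any trailing ", username: ..."

def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one dict of counters per SA."""
    sas = []
    for block in text.split("Crypto map tag:")[1:]:
        peer = PEER_RE.search(block)
        counters = {name: int(val) for name, val in COUNTER_RE.findall(block)}
        sas.append({"peer": peer.group(1) if peer else "unknown", **counters})
    return sas

def classify(sa):
    """Label one SA by the traffic direction the IPSec engine has seen.

    encaps counts packets this ASA encrypted and sent; decaps counts packets
    received from the peer and decrypted. A tunnel can be AM_ACTIVE while one
    stays at zero: it is up but traffic is lost on one side (routing, NAT, ACL)."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if enc and dec:
        return "ok"
    if enc:
        return "no-return-traffic"
    if dec:
        return "no-outbound-traffic"
    return "idle"

def check_tunnels(text):
    """Return {peer: status} for every SA found in the command output."""
    return {sa["peer"]: classify(sa) for sa in parse_ipsec_sa(text)}

if __name__ == "__main__":
    for peer, status in check_tunnels(SAMPLE_OUTPUT).items():
        print(f"{peer:<16} {status}")
```

Run it against a saved copy of the real command output taken a few seconds apart; a counter that never changes between two snapshots is the same signal as a zero.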