1. Clear VPN Configuration: 

clear configure crypto map VPN_AAAA

2. Debug and show commands:

Enable logging:

ciscoasa# terminal monitor
ciscoasa(config)# logging buffer-size 1048576
ciscoasa(config)# logging buffered 7
ciscoasa(config)# logging monitor 7
ciscoasa(config)# debug crypto condition peer 10.10.10.10
ciscoasa(config)# debug crypto ipsec 127

The debug icmp trace command is used to capture the ICMP traffic of the user.

ciscoasa#debug icmp trace

ciscoasa#

!--- Output is suppressed.

ICMP echo request from 192.168.1.50 to 192.168.1.1 ID=512 seq=5120 len=32
ICMP echo reply from 192.168.1.1 to 192.168.1.50 ID=512 seq=5120 len=32

!--- The user IP address is 192.168.1.50.

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed on the console.

In order to disable debug icmp trace, use one of these commands:

no debug icmp trace

undebug icmp trace

undebug all, Undebug all, or un all

Each of these three options helps the administrator to determine the source IP address. In this example, the source IP address of the user is 192.168.1.50. The administrator is ready to learn more about application X and determine the cause of the problem.

To see ISAKMP configuration use show run crypto isakmp
To see IPsec configuration use show run crypto ipsec
To see crypto map configuration use show run crypto map
To see IPsec operational data use show crypto ipsec sa
To see ISAKMP operational data use show crypto isakmp sa

To debug ISAKMP use debug crypto isakmp
To debug IPsec use debug crypto ipsec

To manually tear down an ISAKMP or IPsec SA:
clear crypto ipsec sa
clear crypto isakmp sa

To clear IPsec SA counters use clear crypto ipsec sa counters
To clear IPsec SAs by entry use clear crypto ipsec sa entry ipaddress
To clear IPsec SAs by map use clear crypto ipsec sa map cryptomap_name
To clear IPsec SAs by peer use clear crypto ipsec sa peer ipaddress
To clear an ISAKMP SA by address use clear crypto isakmp sa ipaddress

3. Recover Pre-Shared Key in Pix/ASA: 

more system:running-config

4. Use a capture to confirm IPSec packets hit the firewall:

The administrator needs to create an access-list that defines what traffic the ASA needs to capture. After the access-list is defined, the capture command incorporates the access-list and applies it to an interface.

ciscoasa(config)#access-list inside_test permit icmp any host 192.168.1.1
ciscoasa(config)#capture inside_interface access-list inside_test interface inside

The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.

ciscoasa#show capture inside_interface
   1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: icmp: echo request

!--- The user IP address is 192.168.1.50.

Note: In order to download the capture file to a system such as Ethereal, you can do it as this output shows.

!--- Open Internet Explorer and browse with this https link format:

https://[<pix_ip>/<asa_ip>]/capture/<capture name>/pcap
Refer to ASA/PIX: Packet Capturing using CLI and ASDM Configuration Example in order to know more about Packet Capturing in ASA.

Turn off the packet capture and remove the ACL:

ASA(config)#no capture inside_interface
ASA(config)#clear configure access-list inside_test

You can clear the capture log by using this command:
ASA#clear capture inside_interface

You can also use the pipe functionality when viewing the capture output:
ASA#show capture inside_interface | inc 192.168.1.1

To confirm that the IPsec packets are reaching the firewall, a capture can be created for all UDP 500 (ISAKMP) traffic.
First create an access-list for the traffic you would like to capture.
access-list capture1 permit udp any any eq 500

Next create a capture on the outside interface.
capture cap1 access-list capture1 interface outside

Next display the results of the capture.
show capture cap1 detail
1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: UDP:500

Or view the capture in a browser, using the same URL format as above:
https://<asa_ip>/capture/cap1/pcap
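The two captures above (ICMP on the inside interface, UDP 500 on the outside) are read off the console by eye. As an added example, not part of the original post, the following script parses lines in the format shown by `show capture` on this page and tallies packets per source host, so you can answer "did the peer's ISAKMP packets actually arrive on the outside interface?" from a pasted capture. The sample capture text is constructed for the example in the same layout as the post's output; it is not real device output.

```python
import re
from collections import Counter

# Constructed sample, laid out like the "show capture" lines in the post.
SAMPLE_CAPTURE = """\
   1: 13:04:06.284897 192.168.1.50 > 192.168.1.1: icmp: echo request
   2: 13:04:06.285112 192.168.1.1 > 192.168.1.50: icmp: echo reply
   3: 13:04:07.101244 192.168.1.50 > 192.168.1.1: UDP:500
   4: 13:04:07.104501 10.10.10.10 > 192.168.1.1: UDP:500
   5: 13:04:07.110090 10.10.10.10 > 192.168.1.1: UDP:500
"""

# "<n>: <timestamp> <src> > <dst>: <protocol text>"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<time>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<proto>.+?)\s*$"
)


def parse_capture(text):
    """Return one dict per packet line; lines that do not match the layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def count_by_source(packets, proto_substr=None):
    """Packets per source address, optionally restricted to a protocol string (e.g. 'udp')."""
    counts = Counter()
    for p in packets:
        if proto_substr is None or proto_substr.lower() in p["proto"].lower():
            counts[p["src"]] += 1
    return dict(counts)


def isakmp_peers(packets):
    """Source addresses that sent at least one UDP 500 packet in the capture."""
    return sorted(count_by_source(packets, "udp:500"))


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    print("packets per source:", count_by_source(pkts))
    print("UDP 500 senders:", isakmp_peers(pkts))
```

Feed it the output of `show capture cap1` (or `show capture inside_interface`); a peer missing from `isakmp_peers` never reached the outside interface, which points the investigation upstream of the firewall rather than at the crypto configuration.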

5. Syslog

Make sure logging is enabled. The logging level needs to be set to debug. Logging can be sent to various locations. This example uses the ASA log buffer. You might need an external logging server in production environments.

ciscoasa(config)#logging enable
ciscoasa(config)#logging buffered debugging
The user pings the inside interface of the ASA (ping 192.168.1.1). This output is displayed.

ciscoasa#show logging

!--- Output is suppressed.

%ASA-6-302020: Built ICMP connection for faddr 192.168.1.50/512 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/512 gaddr 192.168.1.1/0 laddr 192.168.1.1/0

!--- The user IP address is 192.168.1.50.
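When the buffer is at level 7 it fills quickly, and picking the user's address out of the 302020/302021 messages by hand does not scale. As an added example (not from the post), here is a small parser for the `%ASA-<severity>-<message id>: <text>` syslog format that pulls the faddr/gaddr/laddr fields out of the connection messages and lets you filter by severity. The sample lines are constructed from the output shown above plus one extra access-list deny message for contrast; they are not a real device log.

```python
import re

# Constructed sample log in the ASA syslog layout; not real device output.
SAMPLE_SYSLOG = """\
%ASA-6-302020: Built ICMP connection for faddr 192.168.1.50/512 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302021: Teardown ICMP connection for faddr 192.168.1.50/512 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-6-302020: Built ICMP connection for faddr 192.168.1.77/512 gaddr 192.168.1.1/0 laddr 192.168.1.1/0
%ASA-4-106023: Deny tcp src outside:203.0.113.9/4455 dst inside:192.168.1.10/22 by access-group "outside_in"
not a syslog line at all
"""

HEADER_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# faddr/gaddr/laddr fields look like "faddr 192.168.1.50/512"
ADDR_RE = re.compile(
    r"\b(?P<role>faddr|gaddr|laddr)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/(?P<port>\d+)"
)


def parse_syslog(text):
    """One record per well-formed %ASA line: severity, message id, text and any addr fields."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # skip anything that is not an ASA syslog message
        rec = {"severity": int(m["sev"]), "msgid": m["msgid"], "text": m["text"]}
        rec["addrs"] = {
            a["role"]: (a["ip"], int(a["port"])) for a in ADDR_RE.finditer(m["text"])
        }
        records.append(rec)
    return records


def icmp_sources(records):
    """Foreign addresses that opened an ICMP connection (message 302020)."""
    return sorted(
        {r["addrs"]["faddr"][0] for r in records
         if r["msgid"] == "302020" and "faddr" in r["addrs"]}
    )


def ids_at_or_above(records, severity):
    """Message ids logged at the given severity or more severe (lower number = more severe)."""
    return sorted({r["msgid"] for r in records if r["severity"] <= severity})


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    print("ICMP sources:", icmp_sources(recs))
    print("warning or worse:", ids_at_or_above(recs, 4))
```

Paste the output of `show logging` into `SAMPLE_SYSLOG` (or read it from a file) and `icmp_sources` returns the user addresses the same way the note under the output does; the severity filter is handy when the buffer was left at debugging and you only want the warnings back out of it.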

6. ‘ping -f’ command troubleshooting MTU size over IPSEC VPN

The -f flag of the Windows ping command sets the Don't Fragment (DF) bit, so a packet that is too large for any hop on the path is dropped rather than fragmented. Combined with the -l flag, which sets the size of the ICMP payload, this lets you probe the largest packet that passes unfragmented.

So, assuming a standard Ethernet MTU of 1500 bytes, and accounting for a 20-byte IP header and an 8-byte ICMP header, I should be able to send an ICMP packet with a 1472-byte payload, but 1473 should be too large:

C:\Users\netcanuck>ping 172.16.32.1 -f -l 1472

Pinging 172.16.32.1 with 1472 bytes of data:
Reply from 172.16.32.1: bytes=1472 time=3ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=4ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=4ms TTL=251
Reply from 172.16.32.1: bytes=1472 time=3ms TTL=251

C:\Users\netcanuck>ping 172.16.32.1 -f -l 1473

Pinging 172.16.32.1 with 1473 bytes of data:
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
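The post tries the two boundary values by hand. As an added example (not from the post), the script below does the arithmetic above for an arbitrary MTU and then generalises the manual test into a binary search over `-l` sizes: about eleven DF probes instead of walking sizes one by one. The probe is simulated here so the block runs offline; on a real host you would replace `simulated_probe` with a function that runs `ping <host> -f -l <size>` and returns whether a reply came back. `IP_HDR`, `ICMP_HDR`, `simulated_probe` and the 1400-byte path used in the demo are assumptions of this example.

```python
IP_HDR = 20    # IPv4 header with no options
ICMP_HDR = 8   # ICMP echo request header


def max_ping_payload(mtu, ip_hdr=IP_HDR, icmp_hdr=ICMP_HDR):
    """Largest -l value that fits in one unfragmented packet for the given MTU."""
    return mtu - ip_hdr - icmp_hdr


def find_path_mtu_payload(probe, lo=0, hi=1472):
    """Largest payload size in [lo, hi] for which probe(size) succeeds.

    probe(size) must be monotone: if size n gets a reply, every smaller size
    does too, which holds for a DF-bit ping. Returns None if even `lo` fails.
    """
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2   # bias upward so the loop always narrows
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def simulated_probe(path_mtu):
    """Constructed stand-in for 'ping -f -l <size>' against a path with the given MTU."""
    limit = max_ping_payload(path_mtu)
    return lambda size: size <= limit


def probe_counter(probe):
    """Wrap a probe so the number of pings sent can be inspected afterwards."""
    calls = {"n": 0}

    def counted(size):
        calls["n"] += 1
        return probe(size)

    return counted, calls


if __name__ == "__main__":
    print("1500-byte MTU allows -l", max_ping_payload(1500))       # 1472, as in the post
    probe, calls = probe_counter(simulated_probe(1400))
    payload = find_path_mtu_payload(probe)
    print("largest payload through a 1400-byte path:", payload,
          "found with", calls["n"], "probes")
    print("implied path MTU:", payload + IP_HDR + ICMP_HDR)
```

Through an IPsec tunnel the search will settle below 1472 even on 1500-byte links, because the ESP encapsulation consumes part of the outer MTU; the payload the search returns plus 28 is the effective path MTU to use when sizing the tunnel.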

7. Other ASA troubleshooting Commands

Please refer to this post.

By Jon
