sho run access-group
to see what interface an access-list is associated with.
sho run object-group
to see what object groups are defined.
ipsec vpn:
Making sure Phase 1 completes
hostname# show crypto isakmp sa
(the bottom of this page explains the output)
++++
debug crypto isakmp 7
debug crypto ipsec sa
++++
sho vpn-sessiondb
==
sho running-config tunnel-group
==
sho crypto isakmp
IPSec explained
http://www.dslreports.com/faq/14243
=====================================================================
create a capture:
access-list captured line 5 extended permit udp host 74.205.233.36 host 216.203.6.11 eq isakmp (hitcnt=0)
access-list captured line 6 extended permit udp host 216.203.6.11 host 74.205.233.36 eq isakmp (hitcnt=43)
Example of the capture access list and how it is applied to an interface:
capture captured access-list captured interface outside packet-length 1522
capture captured access-list captured interface inside packet-length 1522
sho capture captured
clear capture captured
http://analysisandreview.com/cisco/how-to-configure-a-packet-capture-in-the-cisco-asa/
=====================================================================
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
http://fengnet.com/book/vpnconf/ch19lev1sec1.html
++++
hostname# show crypto isakmp sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 123.123.123.123
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Where 123.123.123.123 is the IP address of the other end of the VPN tunnel. MM_ACTIVE indicates that phase 1 has completed.
Type L2L (LAN to LAN) means it's a site-to-site VPN (RA (Remote Access) means client to gateway).
Role "initiator" means this side brought the tunnel up; "responder" means the other end brought the tunnel up.
Note MM_ACTIVE means you are using Main Mode and it's connected (on a v6 firewall it would say QM_IDLE if it was connected).
AM_ACTIVE means you are using Aggressive Mode and it's connected.
MM_KEY_EXCH means device authentication failed; check the pre-shared keys match.
AG_INIT_EXCH means device authentication failed; check the pre-shared keys match.
MM_NO_STATE means main mode has failed; check phase 1 matches on both ends.
MM_KEY_EXCH means the shared secret is wrong or the peer IP address is wrong.
MM_WAIT_MSG2 (Main Mode): you have sent the phase one proposal to the other end and are waiting for the reply.
Possible causes: there is no connectivity or traffic is getting dropped, or the other end has stalled.
Try: put "isakmp keepalive 20" on both ends (dead peer detection), reboot both ends.
Ensure UDP ports 500 and 4500 are open from SA to SA.
AM_WAIT_MSG2 (Aggressive Mode): you have sent the phase one proposal to the other end and are waiting for the reply.
Possible causes: there is no connectivity or traffic is getting dropped, or the other end has stalled.
Try: put "isakmp keepalive 20" on both ends (dead peer detection), reboot both ends.
Ensure UDP ports 500 and 4500 are open from SA to SA.
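Added example (not part of the original notes): a small parser for the "show crypto isakmp sa" output shown above that maps each peer's State to the meaning listed in these notes, so a batch of tunnels can be checked at once. The sample output is constructed in the ASA format; 123.123.123.123 is the page's example peer and 198.51.100.7 is a made-up second peer.

```python
import re
from dataclasses import dataclass

# IKE SA states and what they mean, taken from the state notes above.
STATE_MEANING = {
    "MM_ACTIVE":    ("ok",   "Main Mode, phase 1 complete"),
    "AM_ACTIVE":    ("ok",   "Aggressive Mode, phase 1 complete"),
    "MM_KEY_EXCH":  ("fail", "device authentication failed: check pre-shared keys and peer IP"),
    "AG_INIT_EXCH": ("fail", "device authentication failed: check pre-shared keys"),
    "MM_NO_STATE":  ("fail", "main mode failed: check phase 1 settings match on both ends"),
    "MM_WAIT_MSG2": ("wait", "proposal sent, no reply: check connectivity, UDP 500/4500, keepalives"),
    "AM_WAIT_MSG2": ("wait", "proposal sent, no reply: check connectivity, UDP 500/4500, keepalives"),
}

@dataclass
class IkeSa:
    peer: str
    type: str = "?"
    role: str = "?"
    rekey: str = "?"
    state: str = "?"

# "1   IKE Peer: x.x.x.x" opens an entry; the lines after it carry "Label : value" pairs.
PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"\b(Type|Role|Rekey|State)\s*:\s*(\S+)")

def parse_isakmp_sa(text):
    # Parse 'show crypto isakmp sa' output into a list of IkeSa records.
    sas = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            sas.append(IkeSa(peer=m.group(1)))
        elif sas:  # field lines belong to the most recent peer; header lines are skipped
            for label, value in FIELD_RE.findall(line):
                setattr(sas[-1], label.lower(), value)
    return sas

def diagnose(sa):
    # Return (status, message) for one SA; status is ok, wait, fail or unknown.
    status, meaning = STATE_MEANING.get(sa.state, ("unknown", "state not covered in these notes"))
    return status, f"{sa.peer} {sa.type} {sa.role}: {sa.state} -> {meaning}"

# Constructed sample in the ASA output format; 198.51.100.7 is a made-up second peer.
SAMPLE = """\
   Active SA: 2
1   IKE Peer: 123.123.123.123
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG2
"""
```

Run parse_isakmp_sa on the saved command output and feed each record to diagnose; anything not "ok" is a tunnel to look at.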