Cisco

sho run access-group

to see what interface an access-list is associated with.

sho run object-group

to see what object groups are defined.

ipsec vpn:

Making sure Phase 1 completes

hostname# show crypto isakmp sa

(the bottom of this page explains the output)

++++

debug crypto isakmp 7

debug crypto ipsec sa

++++

sho vpn-sessiondb

==

sho running-config tunnel-group

==

sho crypto isakmp

IPSec explained

http://www.dslreports.com/faq/14243

=====================================================================

create a capture:

access-list captured line 5 extended permit udp host 74.205.233.36 host 216.203.6.11 eq isakmp (hitcnt=0)

access-list captured line 6 extended permit udp host 216.203.6.11 host 74.205.233.36 eq isakmp (hitcnt=43)

Example of the capture access list and how it is applied to an interface:

capture captured access-list captured interface outside packet-length 1522

capture captured access-list captured interface inside packet-length 1522

sho captuere captured

clear capture captured

http://analysisandreview.com/cisco/how-to-configure-a-packet-capture-in-the-cisco-asa/

=====================================================================

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

http://fengnet.com/book/vpnconf/ch19lev1sec1.html

++++

hostname# show crypto isakmp sa

Active SA: 1

    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1   IKE Peer: 123.123.123.123

    Type    : L2L             Role    : initiator

    Rekey   : no              State   : MM_ACTIVE

Where 123.123.123.123 is the IP address of the other end of the VPN tunnel MM_ACTIVE indicates that phase 1 has completed.

Type L2L (Lan to Lan) Means its a site to site VPN (RA (Remote Access) means Client to Gateway).

Role "initiator" means this side brought the tunnel up "responder" means the other end brought the tunnel up.

Note MM_ACTIVE means you are using Main Mode and its connected (On a v6 firewall it would say QM_IDLE if it was connected)

     AM_ACTIVE means you are using Agressive Mode and its connected

     MM_KEY_EXCH means Device Authentication Failed check the pre shared keys match

     AG_INIT_EXCH means Device Authentication Failed check the pre shared keys match

     MM_NO_STATE main mode has failed check phase 1 matches on both ends.

     MM_KEY_EXCH means the shared sectret is wrong or the peer IP address is wrong.

     MM_WAIT_MSG2 Main mode you have sent the phase one proposal to the other end and are waiting for the reply.

                    Possible Causes: There is no connectivity or traffic is getting dropped, or the other end has stalled.

                    Try: put "isakmp keepalive 20" on both ends (dead peer detection) reboot both ends.

                         Ensure UDP Ports 500 and 4500 are open from SA to SA

     AM_WAIT_MSG2 Aggressive mode you have sent the phase one proposal to the other end and are waiting for the reply.

                    Possible Causes: There is no connectivity or traffic is getting dropped, or the other end has stalled.

                    Try: put "isakmp keepalive 20" on both ends (dead peer detection) reboot both ends.

                    Ensure UDP Ports 500 and 4500 are open from SA to SA

Accept