Cisco ASA IPsec VPN Troubleshooting Commands
In this post we give an overview of the Cisco ASA firewall commands that help troubleshoot IPsec VPN issues and gather the relevant details about an IPsec tunnel.
This document describes common Cisco ASA commands used to troubleshoot IPsec issues. It assumes you have already configured an IPsec tunnel on the ASA.
Refer to Most Common IPsec L2L and Remote Access IPsec VPN Troubleshooting Solutions for information on the most common solutions to IPsec VPN problems.
The steps listed below can help streamline the troubleshooting process.
Top 10 Cisco ASA Commands for IPsec VPN
- show vpn-sessiondb detail l2l
- show vpn-sessiondb anyconnect
- show crypto isakmp sa
- show crypto ipsec sa
- show run crypto ikev2
- more system:running-config
- show run crypto map
- show version
- show vpn-sessiondb license-summary
- show crypto ipsec stats
Command – show vpn-sessiondb detail l2l
The following is sample output from the “show vpn-sessiondb detail l2l” command, showing detailed information about LAN-to-LAN sessions.
The “show vpn-sessiondb detail l2l” command provides, per peer, the VPN tunnel uptime and the amount of data received and transmitted.
Cisco-ASA# sh vpn-sessiondb l2l

Session Type: LAN-to-LAN

Connection   : 212.25.140.19
Index        : 17527                  IP Addr      : 212.25.140.19
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)3DES  IPsec: (1)3DES
Hashing      : IKEv1: (1)MD5  IPsec: (1)MD5
Bytes Tx     : 2201591                Bytes Rx     : 1301173
Login Time   : 14:56:19 UTC Sun Aug 19 2018
Duration     : 9d 16h:50m:23s

Connection   : 15.4.13.45
Index        : 26419                  IP Addr      : 15.4.13.45
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (2)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (2)SHA1
Bytes Tx     : 278782570              Bytes Rx     : 936866483
Login Time   : 09:56:13 UTC Mon Aug 27 2018
Duration     : 1d 21h:50m:29s
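As an added example (not code from the original post), here is a small Python parser for the “show vpn-sessiondb l2l” output above. It converts each session's Duration into seconds, computes the average bytes per hour over the life of the tunnel, and flags tunnels that carry very little traffic or that still negotiate 3DES/MD5. It goes slightly beyond the text by checking the negotiated algorithms as well as the byte counters; this is one way to answer “is this tunnel actually in use?” without enabling debugging. The sample output is the post's own two sessions, reflowed one field per line; the 1 MB/hour threshold and the list of legacy algorithms are assumptions to adjust to local policy.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two LAN-to-LAN sessions shown in the post's
# "show vpn-sessiondb l2l" output, reflowed to one session field per line.
SAMPLE_L2L = """\
Session Type: LAN-to-LAN

Connection   : 212.25.140.19
Index        : 17527                  IP Addr      : 212.25.140.19
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)3DES  IPsec: (1)3DES
Hashing      : IKEv1: (1)MD5  IPsec: (1)MD5
Bytes Tx     : 2201591                Bytes Rx     : 1301173
Login Time   : 14:56:19 UTC Sun Aug 19 2018
Duration     : 9d 16h:50m:23s

Connection   : 15.4.13.45
Index        : 26419                  IP Addr      : 15.4.13.45
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (2)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (2)SHA1
Bytes Tx     : 278782570              Bytes Rx     : 936866483
Login Time   : 09:56:13 UTC Mon Aug 27 2018
Duration     : 1d 21h:50m:29s
"""

# Assumptions: which algorithms count as legacy, and the "low use" threshold.
LEGACY_ALGORITHMS = ("3DES", "MD5")
LOW_USE_BYTES_PER_HOUR = 1_000_000


@dataclass
class L2LSession:
    peer: str
    encryption: str
    hashing: str
    bytes_tx: int
    bytes_rx: int
    duration_s: int

    @property
    def bytes_per_hour(self) -> float:
        """Average bytes in both directions per hour of tunnel uptime."""
        if self.duration_s == 0:
            return 0.0
        return (self.bytes_tx + self.bytes_rx) * 3600 / self.duration_s

    @property
    def uses_legacy_crypto(self) -> bool:
        text = f"{self.encryption} {self.hashing}"
        return any(alg in text for alg in LEGACY_ALGORITHMS)


DURATION_RE = re.compile(r"(?:(\d+)d\s+)?(\d+)h:(\d+)m:(\d+)s")


def parse_duration(text: str) -> int:
    """Convert an ASA Duration value such as '9d 16h:50m:23s' to seconds."""
    m = DURATION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, mins, secs = (int(x or 0) for x in m.groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs


def _field(block: str, label: str, pattern: str = r"(.+)") -> str:
    """Read one 'Label : value' field; '.+' stops at the end of the line."""
    m = re.search(rf"{re.escape(label)}\s*:\s*{pattern}", block)
    if not m:
        raise ValueError(f"field {label!r} missing from session block")
    return m.group(1).strip()


def parse_sessions(output: str) -> list[L2LSession]:
    """Split the output at each 'Connection :' line and read the fields per peer."""
    sessions = []
    for block in re.split(r"(?m)^Connection\s*:", output)[1:]:
        sessions.append(L2LSession(
            peer=block.split("\n", 1)[0].strip(),
            encryption=_field(block, "Encryption"),
            hashing=_field(block, "Hashing"),
            bytes_tx=int(_field(block, "Bytes Tx", r"(\d+)")),
            bytes_rx=int(_field(block, "Bytes Rx", r"(\d+)")),
            duration_s=parse_duration(_field(block, "Duration")),
        ))
    return sessions


def low_use_sessions(sessions, min_bytes_per_hour=LOW_USE_BYTES_PER_HOUR):
    """Tunnels that are up but carry less than the threshold: decommission candidates."""
    return [s for s in sessions if s.bytes_per_hour < min_bytes_per_hour]


def report(output: str) -> list[str]:
    """One summary line per tunnel: peer, average MB/hour and any flags."""
    lines = []
    for s in parse_sessions(output):
        flags = []
        if s.bytes_per_hour < LOW_USE_BYTES_PER_HOUR:
            flags.append("low-use")
        if s.uses_legacy_crypto:
            flags.append("legacy-crypto")
        lines.append(f"{s.peer:<16} {s.bytes_per_hour / 1e6:8.2f} MB/h  {' '.join(flags) or 'ok'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_L2L)))
```

Run it against the saved output of the command and compare a few collections taken days apart: a peer whose Bytes Tx/Rx barely move between snapshots, while its Duration keeps growing, is carrying keepalives and little else.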
Command – show vpn-sessiondb anyconnect
With the “show vpn-sessiondb anyconnect” command you can find both the username and the index number (established by the order of the client images) of each AnyConnect session. The following example shows the username William and index number 2031.
Cisco-ASA# sh vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : William                Index        : 2031
Assigned IP  : 172.18.207.31          Public IP    : 142.14.97.25
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384
Bytes Tx     : 76647505               Bytes Rx     : 86068863
Group Policy : 3Party                 Tunnel Group : 3Partys
Login Time   : 06:40:49 UTC Fri Aug 3 2018
Duration     : 26d 1h:06m:42s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : ac13c119007ef0005b63f8f1
Security Grp : none
Command – show crypto isakmp sa
The “show crypto isakmp sa” command shows the Internet Security Association and Key Management Protocol (ISAKMP) security associations (SAs) built between peers.
A state of AM_ACTIVE or MM_ACTIVE (aggressive mode or main mode) means the ISAKMP negotiation is complete: Phase 1 has successfully completed. Any other state means Phase 1 is still negotiating or has stalled.
Cisco-ASA# sh crypto isakmp sa

IKEv1 SAs:

   Active SA: 20
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 20

1   IKE Peer: 212.25.140.19
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 14.39.131.74
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 85.14.7.227
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
Command – show crypto ipsec sa
The “show crypto ipsec sa” command shows the IPsec SAs built between peers. In the example below an encrypted tunnel is built between 68.187.2.212 and 212.25.140.19.
The output includes the #pkts encaps/encrypt/decaps/decrypt counters. These numbers tell us how many packets have actually traversed the IPsec tunnel and also verify that we are receiving traffic back from the remote end of the VPN tunnel (encaps counting but decaps staying at zero means traffic is only flowing one way). The full output also shows the local and remote SPI, the transform-set, the DH group and the tunnel mode for the IPsec SA.
Cisco-ASA# sh crypto ipsec sa peer 212.25.140.19
peer address: 212.25.140.19
    Crypto map tag: VPN-L2L-Network, seq num: 140, local addr: 68.187.2.212

      access-list lehnkering extended permit ip 172.26.224.0 255.255.224.0 host 172.28.239.235
      local ident (addr/mask/prot/port): (172.26.224.0/255.255.254.0/0/0)
      remote ident (addr/mask/prot/port): (172.28.239.235/255.255.255.255/0/0)
      current_peer: 212.25.140.19

      #pkts encaps: 8515, #pkts encrypt: 8515, #pkts digest: 8515
      #pkts decaps: 8145, #pkts decrypt: 8145, #pkts verify: 8145
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8515, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0
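Added example, not code from the original post, covering the two commands just shown: a Python health check that reads “show crypto isakmp sa” and “show crypto ipsec sa” output together and reports peers whose IKE SA is not in MM_ACTIVE/AM_ACTIVE, tunnels that encapsulate packets but never decapsulate any (one-way traffic, the classic symptom of a problem at the remote end or in the return path), and non-zero send/recv error counters. The samples are constructed from the post's outputs and reflowed, with a second peer altered to show a stuck Phase 1 (state MM_WAIT_MSG2) and a one-way Phase 2.

```python
import re

# Constructed samples modelled on the post's outputs and reflowed; the second
# peer has been altered to show a stuck Phase 1 and a one-way Phase 2.
SAMPLE_ISAKMP = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 212.25.140.19
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 14.39.131.74
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

SAMPLE_IPSEC = """\
peer address: 212.25.140.19
    Crypto map tag: VPN-L2L-Network, seq num: 140, local addr: 68.187.2.212
      #pkts encaps: 8515, #pkts encrypt: 8515, #pkts digest: 8515
      #pkts decaps: 8145, #pkts decrypt: 8145, #pkts verify: 8145
      #send errors: 0, #recv errors: 0
peer address: 14.39.131.74
    Crypto map tag: VPN-L2L-Network, seq num: 141, local addr: 68.187.2.212
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 3, #recv errors: 0
"""


def parse_isakmp_states(output: str) -> dict[str, str]:
    """Map each IKE peer to its State field (MM_ACTIVE, AM_ACTIVE, MM_WAIT_MSG2, ...)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"IKE Peer:\s*(\S+).*?State\s*:\s*(\S+)", output, re.S)}


def parse_ipsec_counters(output: str) -> dict[str, dict[str, int]]:
    """Per peer, pull the encaps/decaps packet counters and the send/recv error counts."""
    counters = {}
    for block in re.split(r"(?m)^peer address:\s*", output)[1:]:
        peer = block.split("\n", 1)[0].strip()

        def count(name: str) -> int:
            m = re.search(rf"#{re.escape(name)}:\s*(\d+)", block)
            return int(m.group(1)) if m else 0

        counters[peer] = {
            "encaps": count("pkts encaps"),
            "decaps": count("pkts decaps"),
            "send_errors": count("send errors"),
            "recv_errors": count("recv errors"),
        }
    return counters


def tunnel_findings(isakmp_output: str, ipsec_output: str) -> list[tuple[str, str]]:
    """Return (peer, problem) pairs for anything that is not a healthy two-way tunnel."""
    findings = []
    states = parse_isakmp_states(isakmp_output)
    counters = parse_ipsec_counters(ipsec_output)
    for peer, state in states.items():
        # Any state other than MM_ACTIVE / AM_ACTIVE means Phase 1 has not completed.
        if not state.endswith("_ACTIVE"):
            findings.append((peer, f"phase 1 not complete (state {state})"))
    for peer, c in counters.items():
        if peer not in states:
            findings.append((peer, "IPsec SA present but no IKE SA for this peer"))
        # Sending into the tunnel with nothing coming back: check the remote side and return routing.
        if c["encaps"] > 0 and c["decaps"] == 0:
            findings.append((peer, "one-way traffic: packets sent but none received back"))
        if c["send_errors"] or c["recv_errors"]:
            findings.append((peer, f"errors: send={c['send_errors']} recv={c['recv_errors']}"))
    return findings


if __name__ == "__main__":
    for peer, problem in tunnel_findings(SAMPLE_ISAKMP, SAMPLE_IPSEC):
        print(f"{peer:<16} {problem}")
```

Take the two outputs a minute apart and run the check on both: a peer whose decaps counter is non-zero but unchanged between the two snapshots has stopped receiving, which a single snapshot would not reveal.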
Command – show run crypto ikev2
The “show run crypto ikev2” command shows the configured IKEv2 policies in detail. Even if certain parameters are not set explicitly in the initial configuration, the ASA applies its defaults: DH group 2, PRF sha and an SA lifetime of 86400 seconds. Let's look at the ASA configuration using the show run crypto ikev2 command.
Cisco-ASA# sh run crypto ikev2
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 24
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 2
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
<--- More --->
Command – more system:running-config
Use the more system:running-config command if you want to see the configuration exactly as it is held in memory, without sensitive values being masked, for example to read the pre-shared key of a VPN tunnel. In general the show running-config command hides encrypted keys and parameters.
Cisco-ASA# more system:running-config | b tunnel-group 212.25.140.19
tunnel-group 212.25.140.19 type ipsec-l2l
tunnel-group 212.25.140.19 ipsec-attributes
ikev1 pre-shared-key cisco1234@
The commands below filter the running configuration to show the tunnel-group of a specific VPN peer.
Cisco-ASA# sh run | g 212.25.140.19
crypto map VPN-L2L-Network 140 set peer 212.25.140.19
tunnel-group 212.25.140.19 type ipsec-l2l
tunnel-group 212.25.140.19 ipsec-attributes
Cisco-ASA# sh run tunnel-group | in 212.25.140.19
tunnel-group 212.25.140.19 type ipsec-l2l
tunnel-group 212.25.140.19 ipsec-attributes
Cisco-ASA#
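Because a more system:running-config dump contains the pre-shared keys in clear text, it should not be pasted into a ticket, chat or vendor case as-is. The following is an added example (not code from the original post): a Python helper that scans such a dump for clear-text pre-shared-key lines, reports which tunnel-group each belongs to, and produces a redacted copy that is safe to share. The sample configuration is constructed in the style of the post's tunnel-group output, with placeholder key values; the ikev1 and ikev2 pre-shared-key line forms it matches are the standard ASA ones, and ***** is what show running-config prints for a masked key.

```python
import re

# Constructed sample of a "more system:running-config" excerpt, modelled on the
# post's tunnel-group output; the key values are placeholders, not real secrets.
SAMPLE_CONFIG = """\
crypto map VPN-L2L-Network 140 set peer 212.25.140.19
tunnel-group 212.25.140.19 type ipsec-l2l
tunnel-group 212.25.140.19 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE-KEY-ONE
 ikev2 remote-authentication pre-shared-key EXAMPLE-KEY-TWO
 ikev2 local-authentication pre-shared-key EXAMPLE-KEY-THREE
tunnel-group 15.4.13.45 type ipsec-l2l
tunnel-group 15.4.13.45 ipsec-attributes
 ikev1 pre-shared-key *****
"""

# ASA forms: "ikev1 pre-shared-key <key>" and
# "ikev2 local-authentication|remote-authentication pre-shared-key <key>".
PSK_RE = re.compile(r"^(\s*(?:ikev1|ikev2 \S+-authentication) pre-shared-key\s+)(\S+)\s*$")
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) ")
MASKED = "*****"  # what "show running-config" prints instead of the key


def find_plaintext_psks(config: str) -> list[tuple[int, str]]:
    """(line number, tunnel-group) for every pre-shared key present in clear text."""
    found = []
    current_group = "<none>"
    for lineno, line in enumerate(config.splitlines(), start=1):
        tg = TUNNEL_GROUP_RE.match(line)
        if tg:
            current_group = tg.group(1)  # keys that follow belong to this tunnel-group
            continue
        m = PSK_RE.match(line)
        if m and m.group(2) != MASKED:
            found.append((lineno, current_group))
    return found


def redact_psks(config: str) -> tuple[str, int]:
    """Replace the value on every pre-shared-key line (masked or not) with <REDACTED>.

    Returns the redacted text and the number of lines changed; everything else,
    including peer addresses and crypto map entries, is left intact."""
    redacted_lines = []
    count = 0
    for line in config.splitlines():
        m = PSK_RE.match(line)
        if m:
            line = f"{m.group(1)}<REDACTED>"
            count += 1
        redacted_lines.append(line)
    return "\n".join(redacted_lines) + "\n", count


if __name__ == "__main__":
    for lineno, group in find_plaintext_psks(SAMPLE_CONFIG):
        print(f"line {lineno}: clear-text pre-shared key for tunnel-group {group}")
    text, n = redact_psks(SAMPLE_CONFIG)
    print(f"--- redacted {n} line(s) ---\n{text}")
```

Run the redaction over the captured dump before attaching it anywhere; the finder doubles as an inventory of which peers authenticate with a pre-shared key, which is useful when rotating keys.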
Command – show run crypto map
The “show run crypto map” command is used to list the crypto map entries of the existing IPsec VPN tunnels.
Cisco-ASA# sh run crypto map
crypto map VPN-L2L-Network 1 match address ITWorx_domain
crypto map VPN-L2L-Network 1 set pfs
crypto map VPN-L2L-Network 1 set peer 212.25.140.19
crypto map VPN-L2L-Network 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map VPN-L2L-Network 2 match address outside_cryptomap
crypto map VPN-L2L-Network 2 set peer 21.146.142.47
crypto map VPN-L2L-Network 2 set ikev1 transform-set L2L
crypto map VPN-L2L-Network 3 match address outside_3_cryptomap
crypto map VPN-L2L-Network 3 set peer 12.41.40.96
crypto map VPN-L2L-Network 3 set ikev1 transform-set ESP-AES-128-SHA
<--- More --->
The command below filters the running configuration to show the crypto map entries of a specific tunnel peer (here sequence number 140).
Cisco-ASA# sh run | g _140_
crypto map VPN-L2L-Network 140 match address lehnkering
crypto map VPN-L2L-Network 140 set peer 212.25.140.19
crypto map VPN-L2L-Network 140 set ikev1 transform-set L2L
crypto map VPN-L2L-Network 140 set security-association lifetime seconds 28800
crypto map VPN-L2L-Network 140 set security-association lifetime kilobytes 4608000
crypto map VPN-L2L-Network 140 set reverse-route
Command – show version
The show version command shows the device uptime, software version, license details, image filename, hardware details, etc.
Cisco-ASA# sh version

Cisco Adaptive Security Appliance Software Version 9.6(4)8
Device Manager Version 6.6(1)

Compiled on Wed 11-Apr-18 19:59 PDT by builders
System image file is "disk0:/asa964-8-smp-k8.bin"
Config file at boot was "startup-config"

Cisco-ASA up 27 days 14 hours
failover cluster up 48 days 9 hours

Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
ASA: 4222 MB RAM, 1 CPU (1 core)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

 0: Int: Internal-Data0/0    : address is 18e7.282e.8976, irq 11
 1: Ext: GigabitEthernet0/0  : address is 18e7.282e.897b, irq 5
 2: Ext: GigabitEthernet0/1  : address is 18e7.282e.8977, irq 5
 3: Ext: GigabitEthernet0/2  : address is 18e7.282e.897c, irq 10
 4: Ext: GigabitEthernet0/3  : address is 18e7.282e.8978, irq 10
 5: Ext: GigabitEthernet0/4  : address is 18e7.282e.897d, irq 5
 6: Ext: GigabitEthernet0/5  : address is 18e7.282e.8979, irq 5
 7: Ext: GigabitEthernet0/6  : address is 18e7.282e.897e, irq 10
 8: Ext: GigabitEthernet0/7  : address is 18e7.282e.897a, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is 18e7.282e.8976, irq 0
13: Int: Internal-Data0/3    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 750            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5525 VPN Premium license.

Failover cluster licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 200            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 4              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 750            perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 750            perpetual
Total VPN Peers                   : 750            perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 4              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Enabled        perpetual
Cluster                           : Enabled        perpetual

This platform has an ASA5525 VPN Premium license.

The Running Activation Key feature: 1500 AnyConnect Premium sessions exceed the limit on the platform, reduced to 750 AnyConnect Premium sessions.

Serial Number: FCH18037CE9
Running Permanent Activation Key: 0x2629c75b 0x641833d3 0x6461494c 0xb74c6824 0x42210ca9
Configuration register is 0x1
Image type          : Release
Key version         : A
Configuration last modified by acs-b100780 at 08:23:34.501 UTC Fri Aug 17 2018
Cisco-ASA#
Command – show vpn-sessiondb license-summary
The “show vpn-sessiondb license-summary” command is used to see the VPN license details and current usage on the ASA firewall.
Cisco-ASA# sh vpn-sessiondb license-summary
---------------------------------------------------------------------------
VPN Licenses and Configured Limits Summary
---------------------------------------------------------------------------
                                   Status : Capacity : Installed :   Limit
                                   -----------------------------------------
AnyConnect Premium               : ENABLED  :      750 :       750 :    NONE
AnyConnect Essentials            : DISABLED :      750 :         0 :    NONE
Other VPN (Available by Default) : ENABLED  :      750 :       750 :    NONE
Shared License Server            : DISABLED
Shared License Participant       : DISABLED
AnyConnect for Mobile            : ENABLED(Requires Premium or Essentials)
Advanced Endpoint Assessment     : ENABLED(Requires Premium)
AnyConnect for Cisco VPN Phone   : ENABLED
VPN-3DES-AES                     : ENABLED
VPN-DES                          : ENABLED
---------------------------------------------------------------------------

---------------------------------------------------------------------------
VPN Licenses Usage Summary
---------------------------------------------------------------------------
                            Local : Shared :    All :   Peak :  Eff. :
                           In Use : In Use : In Use : In Use : Limit : Usage
                           ----------------------------------------------------
AnyConnect Premium      :     349 :      0 :    349 :    436 :   750 :    47%
  AnyConnect Client     :                 :    349 :    436 :       :    47%
  AnyConnect Mobile     :                 :      0 :      0 :       :     0%
  Clientless VPN        :                 :      0 :      1 :       :     0%
  Generic IKEv2 Client  :                 :      0 :      0 :       :     0%
Other VPN               :                 :     20 :     24 :   750 :     3%
  Cisco VPN Client      :                 :      2 :      5 :       :     0%
  L2TP Clients
  Site-to-Site VPN      :                 :     18 :     20 :       :     2%
---------------------------------------------------------------------------
Cisco-ASA#
Command – show crypto ipsec stats
The “show crypto ipsec stats” command is used to see the global data statistics of all IPsec tunnels.
Cisco-ASA# sh crypto ipsec stats

IPsec Global Statistics
-----------------------
Active tunnels: 80
Previous tunnels: 60155
Inbound
    Bytes: 3373037789849
    Decompressed bytes: 3373037789849
    Packets: 6441766044
    Dropped packets: 2080
    Replay failures: 89
    Authentications: 6441764494
    Authentication failures: 0
    Decryptions: 6441764494
    Decryption failures: 0
    TFC Packets: 0
    Decapsulated fragments needing reassembly: 98
    Valid ICMP Errors rcvd: 0
    Invalid ICMP Errors rcvd: 0
Outbound
    Bytes: 9845673930421
    Uncompressed bytes: 9845673930421
    Packets: 9069355454
    Dropped packets: 5
    Authentications: 9069361813
    Authentication failures: 0
    Encryptions: 9069361813
    Encryption failures: 0
    TFC Packets: 0
    Fragmentation successes: 6336
        Pre-fragmentation successses: 6336
        Post-fragmentation successes: 0
    Fragmentation failures: 0
        Pre-fragmentation failures: 0
        Post-fragmentation failures: 0
    Fragments created: 12697
    PMTUs sent: 0
    PMTUs rcvd: 872
Protocol failures: 0
Missing SA failures: 533
System capacity failures: 0
Inbound SA delete requests: 82307
Outbound SA delete requests: 0
Inbound SA destroy calls: 82306
Outbound SA destroy calls: 81452
Cisco-ASA#
Very nice article. Thank you, Ronnie
Thank you Amir
Nice article sir, do you know how to check the tunnel for interesting traffic in Cisco ASA? Scenario: there are existing tunnels and I need to determine whether they are in use or not, as there is no owner, so eventually I need to decommission them, but before that analysis is required. From the syslog server I can only see up and down of the tunnel.
Also, debugging is not an option.
Please let me know your thoughts.