ASA 5505 Site to Site Connection

I have a site-to-site VPN connection between two buildings. The one site has been experiencing some network connectivity issues and I want to eliminate the possibility of the VPN connection. What are some helpful commands for viewing the stats of a site-to-site VPN tunnel? I'm looking for a command that would show me dropped packets and the overall health of the persistent connection. Thanks
phcc75 Asked:

MikeKane Commented:
Try "SHOW CRYPTO IPSEC SA". Does that give you the info you are looking for?
jaagdi Commented:
ASDM is the best utility to do this. What version of IOS/ASDM are you running? 8.0 and its relative ASDM version provide great insight into the firewall and its connections. You can also get historical monitoring if you keep the ASDM connection on and increase the timeout on the ASDM connection.

To zero in on dropped packets you can also look at "show crypto ipsec stats" or, as MikeKane mentioned, "show crypto ipsec sa", except I would add detail to that, so it would be "show crypto ipsec sa detail".

Also, once you identify a log for a dropped packet, you can go to the ASDM log viewer utility and filter only those logs to see if the changes you are making on the firewall are resulting in reduced or no dropped packets, besides looking at the stats.

Hope this helps,

phcc75 Author Commented:
I'm still experiencing the same problem.  Any other commands?
MikeKane Commented:
Dropped VPN connections can be due to a lot of factors both within and outside of your control.  

Some items to check on both sides of the VPN tunnel: the rekey times must match; if they do not, then rekeys happen at different times and VPN tunnels may fail and have to rebuild. Check the kilobyte count on both sides. A 0 means infinite. Again, both sides should match. After that, check your ISP's connection for resets and the like. Your ISP router/modem should give you some basic stats about uptime, etc.
phcc75 Author Commented:
I finally found the problem.  I needed to enable keep alives on both ends of the connection.
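
The checks discussed in this thread (matching rekey lifetimes and kilobyte counts on both peers, and keepalives enabled on both ends) can be compared side by side. The following is an added example, not part of any participant's post; the two config excerpts, addresses and function names are constructed for illustration, and it assumes config output that shows defaults (for example `show running-config all`).

```python
import re

# Constructed running-config excerpts for the two peers (not from the thread).
SITE_A = """\
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
 lifetime 86400
tunnel-group 203.0.113.2 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
"""
SITE_B = """\
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 4608000
crypto isakmp policy 10
 lifetime 86400
tunnel-group 198.51.100.1 ipsec-attributes
 isakmp keepalive disable
"""

# Settings that must agree on both ends. Only the first ISAKMP policy and the
# first tunnel-group in each excerpt are read (a simplification of this example).
PATTERNS = {
    "ipsec_lifetime_seconds": r"^crypto ipsec security-association lifetime seconds (\d+)",
    "ipsec_lifetime_kilobytes": r"^crypto ipsec security-association lifetime kilobytes (\d+)",
    "isakmp_lifetime": r"^ lifetime (\d+|none)",
    "isakmp_keepalive": r"^ isakmp keepalive (.+?)\s*$",
}

def tunnel_settings(config):
    """Extract rekey and keepalive settings from one running-config excerpt."""
    found = {}
    for name, pattern in PATTERNS.items():
        m = re.search(pattern, config, re.MULTILINE)
        found[name] = m.group(1) if m else None  # None: line absent from excerpt
    return found

def compare_peers(config_a, config_b):
    """Return {setting: (value_a, value_b)} for every setting that differs."""
    a, b = tunnel_settings(config_a), tunnel_settings(config_b)
    return {k: (a[k], b[k]) for k in PATTERNS if a[k] != b[k]}

if __name__ == "__main__":
    for setting, (va, vb) in compare_peers(SITE_A, SITE_B).items():
        print(f"MISMATCH {setting}: site A = {va}, site B = {vb}")
```
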
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.