• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 21501

Check status on Site-to-Site VPN Cisco ASA

I have a Cisco ASA5505 with the base license. It seems there are 2 site-to-site VPN tunnels configured on here, and also a remote access VPN. I want to check the status of the site-to-site tunnels and verify they are UP.

I ran sh crypto isakmp sa; can someone explain what the output below means?

IKEv1 SAs:
    Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: xx.xx.xx.xx
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: xx.xx.xx.xx
    Type    : user            Role    : responder
    Rekey   : no              State   : AM_ACTIVE

IKEv2 SAs:

Session-id:32, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
2207430437      xx.xx.xx.x4/500      xx.x.xx.xx2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/356 sec
Child sa: local selector  192.168.100.0/0 - 192.168.100.255/65535
          remote selector 192.168.101.0/0 - 192.168.101.255/65535
          ESP spi in/out: 0x9e8a28da/0x9bdc1f2e
1 Solution
 
bborovac commented:
Well, this output is saying:

- you have 2 IPsec tunnels up (Active SA: 2; State: MM_ACTIVE)
- one tunnel is site-to-site: Type: L2L - initiator - the tunnel is brought up from this side
- the second one is a remote user (Cisco VPN Client; Type: user)
- the site-to-site parameters are Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK; Life/Active Time: 86400/356 sec
- all traffic going from 192.168.100.0/24 to 192.168.101.0/24 is encrypted and tunneled to the remote peer

kind regards,
branimir borovac
 
Cobra25 (Author) commented:
Branimir,
I should have 2 site-to-site tunnels and 1 remote user connected. Please advise.
 
bborovac commented:
The copied output reports only one site-to-site and one remote user, and the second one is not triggered by any traffic...

Post the part of the configuration regarding VPN, or the whole config, for further help.
 
Cobra25 (Author) commented:
Let me rephrase: the bottom section, is this tunnel UP?

IKEv2 SAs:

Session-id:32, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
2207430437      xx.xx.xx.x4/500      xx.x.xx.xx2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/356 sec
Child sa: local selector  192.168.100.0/0 - 192.168.100.255/65535
          remote selector 192.168.101.0/0 - 192.168.101.255/65535
          ESP spi in/out: 0x9e8a28da/0x9bdc1f2e
 
bborovac commented:
Hmm...
It should be State: QM_IDLE...

MM_ACTIVE (MM = Main Mode) means that Phase 1 of the IPsec negotiation is still happening and has not been successful as yet.
 
Pete Long (Consultant) commented:
You know one site-to-site tunnel is up, so attempt to bring the second one up by trying to send some traffic over that VPN (e.g. by pinging a host at the other end).

Then issue a "show cry isa" command.

You should then see the Phase 1 that's already established and what's happening with the second tunnel. Here's how to troubleshoot:

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Once Phase 1 is up, troubleshoot Phase 2:

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels


Pete
 
Cobra25 (Author) commented:
Thanks Pete, is there a way to keep the tunnel always open?
 
Pete Long (Consultant) commented:
Tunnels time out naturally (this is a GOOD thing); they automatically establish as soon as they see 'interesting' traffic (i.e. traffic to be encrypted) :)
 
Cobra25 (Author) commented:
Pete, this is for a lab, and they send some documents randomly over this tunnel. If the tunnel times out and they send a document, would they have to send the document a few times, since the tunnel has to be re-established?
 
Pete Long (Consultant) commented:
No. As soon as the firewall at "their" side saw the traffic, it should encrypt it and send it.
If it does not, then there is a problem. If you find the tunnel can only be established from "your" side, then you have a problem; one-way tunnels are usually caused by
1. misconfiguration on the problem end's firewall
2. PFS being enabled on one end and not the other
3. You need to get the firewalls running the same (and the newest) OS.

Pete
 
bborovac commented:
Do you have access to both sides of the VPN? It would greatly help to debug VPN session connection problems.