IBM Support

Understand and Use Debug Commands to Troubleshoot IPsec

This guide covers common debug commands for troubleshooting IPsec issues on Cisco IOS, PIX, and ASA devices.

Prerequisites

Before using this guide, ensure that IPsec is properly configured. For details, refer to IPSec Negotiation/IKE Protocols.

Software and Hardware Requirements

This guide is based on the following:

  • Cisco IOS Software
    • IPsec feature set
    • 56i (single DES encryption, Cisco IOS 11.2+)
    • k2 (Triple DES, Cisco IOS 12.0+, available on Cisco 2600 series and later)
  • PIX/ASA (Version 5.0+, requires DES or 3DES license key)

Debug Commands for Cisco IOS

1.how crypto isakmp sa- displays active ISAKMP Security Associations (SAs):

dst       src        state      conn-id   slot
10.1.0.2  10.1.0.1   QM_IDLE      1        0
2.show crypto ipsec sa - shows IPsec SAs and tunnel information:

local  ident: 10.1.0.0/24
remote ident: 10.1.1.0/24
current_peer: 10.1.0.2
3. show crypto engine connection active - lists active Phase 2 SAs and traffic statistics.
4. debug crypto isakmp - tracks ISAKMP negotiations and errors:

Processing SA payload...
Checking ISAKMP transform...
Auth pre-share, encryption DES, hash SHA...
SA has been authenticated
5. debug crypto ipsec- displays IPsec tunnel information, including encryption, authentication, and traffic flow.

Common IPsec Error Messages & Solutions

1. Replay Check Failed

Cause: Packet reordering or unequal paths.
Solution:

  • Disable ESP-MD5-HMAC and use encryption only.

2. QM FSM Error

Cause: Phase 2 fails due to mismatched proxy identities or ACLs.
Solution:

  • Ensure ACLs match on both ends.

3. Invalid Local Address

Cause: Router uses the wrong address for the crypto map.
Solution:

  • Check the crypto map local-address command.
  • Ensure the correct interface has the crypto map applied.

4. Peer Not Found / No Proposal Chosen

Cause: IPsec proposal does not match the peer’s configuration.
Solution:

  • Ensure proposals are in the correct order.
  • Use show crypto isakmp sa to check the negotiation state.

5. IPsec Packet Has Invalid SPI

Cause: Mismatched Security Associations (SAs) between peers.
Solution:

  • Re-establish the tunnel or clear SAs using:

clear crypto sa
6. Packet Encryption/Decryption Error (Status 4615)

Possible Causes:

  • Fragmentation issues
  • Stale cache entries

Solutions:

  • Adjust MTU size:

ip tcp adjust-mss 1300
  • Disable fast switching:

no ip route-cache

Troubleshooting VPN Client Issues

1. VPN Tunnel Up but No Traffic Flowing

Possible Cause: Routing issue.
Solution:

  • Ensure proper routes exist on the inside network and back to the PIX/ASA.
  • Example PIX configuration:

ip local pool mypool 10.1.2.1-10.1.2.254
route inside 172.16.0.0 255.255.0.0 10.1.1.2 1
2. VPN Tunnel Up but Internet Access Blocked

Cause: By default, all traffic is sent through the VPN.
Solution:

  • Use split tunneling:

vpngroup vpn3000 split-tunnel 90
access-list 90 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
3. Application Issues After VPN Establishment

Cause: MTU size might be too large.
Solution:

  • Use ping with DF bit set to determine the correct MTU.
  • Adjust MTU for VPN Client:
    • Cisco VPN Client > Set MTU
    • Select Local Area Connection > Set to 1400

Key Configurations for IPsec

1. NAT Exemption for IPsec Traffic

Ensure NAT does not interfere with VPN traffic:


nat (inside) 0 access-list nat-exempt
access-list nat-exempt permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
2. Allow IPsec Traffic on PIX/ASA

Bypass ACL checks for encrypted traffic:


sysopt connection permit-ipsec
3. Check Access Control Lists (ACLs)

  • Ensure NAT exemption and crypto ACLs are correct.
  • Avoid overlapping ACLs.
  • Do not use the same ACL for NAT exemption and encryption.

[{"Type":"MASTER","Line of Business":{"code":"LOB66","label":"Technology Lifecycle Services"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSWG8KZ","label":"MVS Network - CISCO"},"ARM Category":[{"code":"a8m0z000000XapMAAS","label":"IBM Support Services for Multivendor Network and Security-\u003ECisco"}],"Platform":[{"code":"PF025","label":"Platform Independent"}]}]

Document Information

More support for:
MVS Network - CISCO

Component:
IBM Support Services for Multivendor Network and Security->Cisco

Document number:
7184778

Modified date:
04 March 2025

UID

ibm17184778

Manage My Notification Subscriptions

Page Feedback