Friday, September 26, 2014

Cisco ASA: Troubleshooting Remote-Access Client Problems

I think Cisco does a really good job at the CLI.  I really like CLI and anyone who knows me knows I prefer CLI over the GUI anytime.  I guess Im just more comfortable with it.  So when it comes to finding out VPN info that I need when troubleshooting my login (or anyone's login), I use this command below.  See highlighted for quickly troubleshooting a remote-access client who was having some issues.  "show vpn-sessiondb detail ra-ikev1-ipsec filter name name" helps you see both phase I and phase II info that you will need to know.

5512ASA# sh vpn-sessiondb det ra-ikev1-ipsec filter name shane.killen

Session Type: IKEv1 IPsec Detailed

Username     : shane.killen         Index        : 2680
Assigned IP  :         Public IP    :
Protocol     : IKEv1 IPsecOverNatT
License      : Other VPN
Encryption   : IKEv1: (1)AES128  IPsecOverNatT: (1)AES128
Hashing      : IKEv1: (1)SHA1  IPsecOverNatT: (1)SHA1
Bytes Tx     : 800                    Bytes Rx     : 19561
Pkts Tx      : 8                      Pkts Rx      : 245
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : VPN_ONSU               Tunnel Group : RemoteRA
Login Time   : 13:37:35 UTC Thu Jul 17 2014
Duration     : 0h:05m:13s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1

  Tunnel ID    : 2680.1
  UDP Src Port : 6871                   UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : AES128                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86091 Seconds
  D/H Group    : 2
  Filter Name  : VPN_ONSU
  Client OS    : WinNT                  Client OS Ver:

  Tunnel ID    : 2680.2
  Local Addr   :
  Remote Addr  :
  Encryption   : AES128                 Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28490 Seconds
  Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607981 K-Bytes
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
  Bytes Tx     : 800                    Bytes Rx     : 19561
  Pkts Tx      : 8                      Pkts Rx      : 245

  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 310 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :



  1. Nice post, and will come in handy with some of the changes we are doing here at work for our remote users!! I am a huge CLI fan...routers, switches, Linux/ much CLI as I can do. However, on the ASA's, I have found that I do most of my work on the ASDM interface...and it bugs me. I need to dig in more on the CLI part of the ASA and get comfortable with it.

  2. Yeah, I agree. CLI is the way to go for sure. But, if you just need something done quick, nothing wrong with ASDM.

  3. Hi Shane,

    Thanks for the excellent article. Sometimes, user is reporting as they're getting dropped frequently. When we issue the above command in CLI, we see they're connected. Any idea, please .


Your comment will be reviewed for approval. Thank you for submitting your comments.