I think Cisco does a really good job with the CLI. Anyone who knows me knows I prefer the CLI over the GUI any time; I guess I'm just more comfortable with it. So when I need VPN details while troubleshooting my own login (or anyone else's), I use the command below. The output that follows is from troubleshooting a remote-access client who was having some issues. "show vpn-sessiondb detail ra-ikev1-ipsec filter name <username>" shows both the phase 1 (IKE) and phase 2 (IPsec) parameters you need to know: negotiation mode, authentication method, encryption and hashing, DH group, rekey timers, NAT-T ports, and the per-tunnel byte and packet counters.
5512ASA# sh vpn-sessiondb det ra-ikev1-ipsec filter name shane.killen
Session Type: IKEv1 IPsec Detailed
Username : shane.killen Index : 2680
Assigned IP : 10.10.10.45 Public IP : 7.14.1.127
Protocol : IKEv1 IPsecOverNatT
License : Other VPN
Encryption : IKEv1: (1)AES128 IPsecOverNatT: (1)AES128
Hashing : IKEv1: (1)SHA1 IPsecOverNatT: (1)SHA1
Bytes Tx : 800 Bytes Rx : 19561
Pkts Tx : 8 Pkts Rx : 245
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : VPN_ONSU Tunnel Group : RemoteRA
Login Time : 13:37:35 UTC Thu Jul 17 2014
Duration : 0h:05m:13s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1
IKEv1:
Tunnel ID : 2680.1
UDP Src Port : 6871 UDP Dst Port : 4500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : AES128 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86091 Seconds
D/H Group : 2
Filter Name : VPN_ONSU
Client OS : WinNT Client OS Ver: 5.0.07.0440
IPsecOverNatT:
Tunnel ID : 2680.2
Local Addr : 0.0.0.0/0.0.0.0/0/0
Remote Addr : 10.10.10.45/255.255.255.255/0/0
Encryption : AES128 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 28800 Seconds Rekey Left(T): 28490 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607981 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 800 Bytes Rx : 19561
Pkts Tx : 8 Pkts Rx : 245
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
SQ Int (T) : 0 Seconds EoU Age(T) : 310 Seconds
Hold Left (T): 0 Seconds Posture Token:
Redirect URL :
5512ASA#
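As an added example (not from the original post and not a Cisco tool), here is a small Python parser for the record above. It splits the output into the summary, IKEv1 and IPsecOverNatT sections, pulls out the phase 1 and phase 2 fields, and flags the settings a reviewer would question: IKEv1 aggressive mode with a pre-shared key (the responder's identity hash is sent unencrypted, so a captured exchange can be brute-forced offline), a DH group below 2048 bits, and legacy hash or cipher choices. The sample text is the session record from this post, re-typed; the regexes, section names and severity thresholds are this example's own assumptions, not ASA or vendor policy.

```python
import re
from typing import Dict, List

# Constructed sample: the post's own session record, trimmed to the lines the
# parser uses. Field values are copied from the post; nothing here is live data.
SAMPLE_OUTPUT = """\
Session Type: IKEv1 IPsec Detailed
Username : shane.killen Index : 2680
Assigned IP : 10.10.10.45 Public IP : 7.14.1.127
Protocol : IKEv1 IPsecOverNatT
Group Policy : VPN_ONSU Tunnel Group : RemoteRA
Login Time : 13:37:35 UTC Thu Jul 17 2014
Duration : 0h:05m:13s
Inactivity : 0h:00m:00s
IKEv1 Tunnels: 1
IPsecOverNatT Tunnels: 1
IKEv1:
Tunnel ID : 2680.1
UDP Src Port : 6871 UDP Dst Port : 4500
IKE Neg Mode : Aggressive Auth Mode : preSharedKeys
Encryption : AES128 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86091 Seconds
D/H Group : 2
IPsecOverNatT:
Tunnel ID : 2680.2
Encryption : AES128 Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 28490 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607981 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 800 Bytes Rx : 19561
NAC:
Reval Int (T): 0 Seconds Reval Left(T): 0 Seconds
"""

# A section header is a bare "Name:" line (IKEv1:, IPsecOverNatT:, NAC:).
SECTION_RE = re.compile(r"^([A-Za-z0-9]+):\s*$")

# Field regexes (assumed layout: "Key : Value", several pairs per line, the
# ASA's column padding collapsed to whitespace). \s* tolerates "(T):" style keys.
SUMMARY_FIELDS = {
    "username": r"^Username\s*:\s*(\S+)",
    "index": r"\bIndex\s*:\s*(\d+)",
    "assigned_ip": r"^Assigned IP\s*:\s*(\S+)",
    "public_ip": r"\bPublic IP\s*:\s*(\S+)",
    "protocol": r"^Protocol\s*:\s*(.+?)\s*$",
    "group_policy": r"^Group Policy\s*:\s*(\S+)",
    "tunnel_group": r"\bTunnel Group\s*:\s*(\S+)",
    "login_time": r"^Login Time\s*:\s*(.+?)\s*$",
    "duration": r"^Duration\s*:\s*(\S+)",
    "inactivity": r"^Inactivity\s*:\s*(\S+)",
}
PHASE_FIELDS = {
    "tunnel_id": r"^Tunnel ID\s*:\s*(\S+)",
    "neg_mode": r"^IKE Neg Mode\s*:\s*(\S+)",
    "auth_mode": r"\bAuth Mode\s*:\s*(\S+)",
    "encryption": r"^Encryption\s*:\s*(\S+)",
    "hashing": r"\bHashing\s*:\s*(\S+)",
    "dh_group": r"^D/H Group\s*:\s*(\d+)",
    "udp_dst_port": r"\bUDP Dst Port\s*:\s*(\d+)",
    "rekey_sec": r"^Rekey Int \(T\)\s*:\s*(\d+)",
    "rekey_left_sec": r"\bRekey Left\(T\)\s*:\s*(\d+)",
    "rekey_kb": r"^Rekey Int \(D\)\s*:\s*(\d+)",
    "idle_timeout_min": r"^Idle Time Out\s*:\s*(\d+)",
    "bytes_tx": r"^Bytes Tx\s*:\s*(\d+)",
    "bytes_rx": r"\bBytes Rx\s*:\s*(\d+)",
}


def split_sections(output: str) -> Dict[str, str]:
    """Group lines under the bare 'Name:' header that precedes them ('summary' before any)."""
    sections: Dict[str, List[str]] = {"summary": []}
    current = "summary"
    for line in output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return {name: "\n".join(lines) for name, lines in sections.items()}


def extract(text: str, fields: Dict[str, str]) -> Dict[str, str]:
    """Run each field regex against one section; missing fields are simply absent."""
    found = {}
    for name, pattern in fields.items():
        m = re.search(pattern, text, re.M)
        if m:
            found[name] = m.group(1)
    return found


def parse_session(output: str) -> dict:
    """Return summary fields plus 'phase1' (IKE SA) and 'phase2' (IPsec SA) dicts."""
    sections = split_sections(output)
    session = extract(sections["summary"], SUMMARY_FIELDS)
    session["phase1"], session["phase2"] = {}, {}
    # Section names assumed from the 'Protocol' line vocabulary in this output.
    for name in ("IKEv1", "IKEv2"):
        if name in sections:
            session["phase1"] = dict(extract(sections[name], PHASE_FIELDS), proto=name)
            break
    for name in ("IPsecOverNatT", "IPsecOverTCP", "IPsec"):
        if name in sections:
            session["phase2"] = dict(extract(sections[name], PHASE_FIELDS), proto=name)
            break
    return session


def audit(session: dict) -> List[str]:
    """Flag negotiated parameters against this example's (assumed) minimum policy."""
    p1, p2 = session["phase1"], session["phase2"]
    findings = []
    # Aggressive mode + PSK: HASH_R in message 2 is sent before any encryption,
    # so anyone who captures (or elicits) the exchange can crack the PSK offline.
    if p1.get("neg_mode") == "Aggressive" and p1.get("auth_mode") == "preSharedKeys":
        findings.append("HIGH: IKEv1 aggressive mode with pre-shared key (PSK exposed to offline cracking)")
    # Groups 1, 2 and 5 are 768/1024/1536-bit MODP; group 14 (2048-bit) is the usual floor.
    if p1.get("dh_group") and int(p1["dh_group"]) < 14:
        findings.append(f"MEDIUM: IKE Diffie-Hellman group {p1['dh_group']} is below 2048-bit")
    for label, phase in (("IKE", p1), ("IPsec", p2)):
        if phase.get("encryption", "").upper() in ("DES", "3DES"):
            findings.append(f"HIGH: {label} encryption uses {phase['encryption']}")
        if phase.get("hashing", "").upper() in ("SHA1", "MD5"):
            findings.append(f"LOW: {label} integrity uses {phase['hashing']} (legacy; prefer SHA-256)")
    return findings


if __name__ == "__main__":
    sess = parse_session(SAMPLE_OUTPUT)
    print(f"{sess['username']} from {sess['public_ip']} -> {sess['assigned_ip']} "
          f"via {sess['tunnel_group']} (NAT-T dst port {sess['phase1'].get('udp_dst_port')})")
    for finding in audit(sess):
        print(finding)
```

Paste the output of the same show command for any user into parse_session() and the findings come out per session rather than per crypto map, which is the view you want when one client negotiates something different from the rest. Index and Login Time belong to a specific IKE session, so running the parser twice a few minutes apart and comparing those two fields tells you whether you are looking at the same session or at a fresh reconnect.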
This is the retired Shane Killen personal blog, an IT technical blog about configs and topics related to the Network and Security Engineer working with Cisco, Brocade, Check Point, and Palo Alto and Sonicwall. I hope this blog serves you well. -- May The Lord bless you and keep you. May He shine His face upon you, and bring you peace.
Nice post, and it will come in handy with some of the changes we are doing here at work for our remote users!! I am a huge CLI fan...routers, switches, Linux/UNIX...as much CLI as I can do. However, on the ASAs, I have found that I do most of my work on the ASDM interface...and it bugs me. I need to dig in more on the CLI part of the ASA and get comfortable with it.
Yeah, I agree. CLI is the way to go for sure. But if you just need something done quick, nothing wrong with ASDM.
Hi Shane,
Thanks for the excellent article. Sometimes users report that they're getting dropped frequently. When we issue the above command in the CLI, we see they're connected. Any ideas, please?