Cisco ASA for Nexus 1000V Series Switch Troubleshooting Guide

ASA IPsec and IKE Debugs (IKEv1 Aggressive Mode) Troubleshooting Tech Note
Document ID: 113595
Contributed by Atri Basu and Marcin Latosiewicz, Cisco TAC Engineers.
Jun 25, 2013
Contents
Introduction
Core Issue
Scenario
     debug Commands Used
     ASA Configuration
Debugging
Tunnel Verification
     ISAKMP
     IPsec
Related Information
Introduction
This document describes debugs on the Cisco Adaptive Security Appliance (ASA) when both aggressive
mode and pre-shared key (PSK) are used. The translation of certain debug lines into configuration is also
discussed. Cisco recommends you have a basic knowledge of IPsec and Internet Key Exchange (IKE).
This document does not discuss passing traffic after the tunnel has been established.
Core Issue
IKE and IPsec debugs are sometimes cryptic, but you can use them in order to understand problems with
IPsec VPN tunnel establishment.
Scenario
Aggressive mode is typically used in the case of Easy VPN (EzVPN) with software (Cisco VPN Client) and
hardware clients (Cisco ASA 5505 Adaptive Security Appliance or Cisco IOS® Software routers), but only
when a pre-shared key is used. Unlike main mode, aggressive mode consists of three messages.
The debugs are from an ASA that runs software version 8.3.2 and acts as an EzVPN server. The EzVPN client
is a software client.
debug Commands Used
These are the debug commands used in this document:
debug crypto isakmp 127
debug crypto ipsec 127