I understand that a lot of our customers and users have issues troubleshooting Site-to-Site VPN tunnels. So here's a small reference sheet that you could use while trying to sort such issues.

Firstly, the two most important commands when troubleshooting any VPN tunnel on a Cisco device:

1. 'show crypto isakmp sa' or 'sh cry isa sa'
2. 'show crypto ipsec sa' or 'sh cry ips sa'

The first command will show the state of the tunnel. For a tunnel to be perfectly up and passing traffic like it is supposed to, you should see a status 'MM_ACTIVE' on an ASA and 'QM_IDLE' on a router. The second command will show you the tunnel stats in detail, showing clearly the number of packets encapsulated and decapsulated through the VPN tunnel. These numbers should be more or less equal.

(Henceforth throughout the document, I shall be referring to the above-mentioned commands as command 1 and command 2 respectively.)

1. Upon issuing command 1, if you see the status as 'MM_NO_STATE' on an ASA or 'MM_WAIT_MSG2' on a router, then you would want to:

   Check the ISAKMP policies that are configured on both ends of the tunnel to check if the parameters are matched. By ISAKMP policies, I am referring to the parameters that have been configured after issuing the command 'crypto isakmp policy' within the sub-prompt.
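The ISAKMP policy check described above can be done mechanically when you have the configuration from both ends. The following is an added example, not part of the original document: the function names and both configuration excerpts are constructed for illustration, it compares encryption, hash, authentication and group only (lifetime is not compared), and it assumes a parameter missing from a block is a platform default that it cannot resolve.

```python
import re

# Phase 1 attributes the two peers must agree on.
KEYS = ("encryption", "hash", "authentication", "group")
DEFAULT = "(default)"  # parameter not shown in the block; only equal to another unset value (assumption)

def parse_policies(config):
    """Return {priority: {param: value}} from 'crypto isakmp policy N' blocks."""
    policies, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        words = line.split()
        if head:
            current = policies.setdefault(int(head.group(1)), {})
        elif current is not None and line.startswith(" ") and words:
            # Running configs may show 'encr' for 'encryption' and 'aes 256' for 'aes-256'.
            key = "encryption" if words[0] == "encr" else words[0]
            if key in KEYS:
                current[key] = "-".join(words[1:])
        else:
            current = None  # left the policy sub-block
    return policies

def compare(local, remote):
    """Return [(local_prio, remote_prio, differing_params)]; an empty list means that pair matches."""
    return [(lp, rp, [k for k in KEYS if a.get(k, DEFAULT) != b.get(k, DEFAULT)])
            for lp, a in sorted(local.items()) for rp, b in sorted(remote.items())]

# Constructed sample configuration excerpts, not taken from any real device.
SITE_A = """crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
"""
SITE_B = """crypto isakmp policy 5
 encryption aes-256
 hash sha
 authentication pre-share
 group 14
crypto isakmp policy 20
 encryption 3des
 hash md5
 authentication pre-share
 group 2
"""
if __name__ == "__main__":
    for lp, rp, bad in compare(parse_policies(SITE_A), parse_policies(SITE_B)):
        print(f"local {lp} / remote {rp}:", "match" if not bad else "differs in " + ", ".join(bad))
```

With these samples no pair matches: the closest pair (local 10, remote 5) differs only in the hash, which is the single parameter to align.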