Troubleshooting Basic IPSec VPNs on the Cisco ASA

As I prepare for my next (and final) attempt at the CCIE Security lab exam, I am making lists to help speed and accuracy when troubleshooting involved configurations like VPNs. Here is an example list for a basic VPN on the Cisco ASA:


Step 1 – Is ISAKMP enabled on the correct interface? crypto isakmp enable OUTSIDE

Step 2 – Check the ISAKMP policy.

Step 3 – Check the tunnel-group for correct pre-shared key.

Step 4 – Check the transform set.

Step 5 – Check the access-list for interesting traffic definition.

Step 6 – Check the crypto map.

Step 7 – Check the application of the crypto map.

In the heat of battle you can find that having a plan sure beats not having a plan at all. 🙂

8 thoughts on “Troubleshooting Basic IPSec VPNs on the Cisco ASA

  1. Hi Anthony

    Great Site/Blog!

    Can you advise the best books which have comprehensive details and explanations of the various features on ASA’s and how these can be configured. I know CISCO have their own books for the device but is there any other books which are worth reading?


  2. Hi Anthony,

    The troubleshooting guidance is very helpful. Can you share the corresponding troubleshooting commands as well? Also please guide us on what are the information to look into, from the output.

    K S Rathnam.

Leave a Reply

Your email address will not be published. Required fields are marked *