
How to Troubleshoot Anypoint VPN with Cisco ASA devices

Publication date: Jul 28, 2025
Operation

GOAL

To provide basic troubleshooting steps for Anypoint VPN against Cisco ASA devices.
Steps
Note: Some ASA devices do not support an Active/Active configuration, which can pollute their logs. The inactive node will show errors like the following:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
These entries can be disregarded.

Phase 1:

List IKE SAs:
# show crypto isakmp sa

The result should show something like this:
 
Active SA: 2
Rekey SA: 0
Total IKE SA: 2

1   IKE Peer: <Tunnel1EndpointIP>
 Type    : L2L             Role    : initiator
 Rekey   : no              State   : MM_ACTIVE

Active SAs should be an even number except at rekey time, when one SA will show as a Rekey SA.

You should see at least one entry whose peer (src) value is the remote gateway specified in the tunnels. The state should be MM_ACTIVE and the status should be ACTIVE. No entry at all, or an entry in any other state, indicates a misconfiguration of the IKE parameters.
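The Phase 1 checks above can be applied mechanically to saved `show crypto isakmp sa` output. The following is an added example, not part of the original article or of any MuleSoft or Cisco tooling: it parses the counters and the per-peer entries, then flags a missing peer, a state other than MM_ACTIVE, and an odd Active SA count with no rekey in progress. The two sample outputs and the peer addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `show crypto isakmp sa` with both Anypoint VPN tunnels up.
# Peer addresses are documentation placeholders, not real endpoints.
ISAKMP_OK = """\
Active SA: 2
Rekey SA: 0
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.11
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed sample of a failing negotiation: only one peer appears, and it is
# stuck waiting for the responder's reply instead of reaching MM_ACTIVE.
ISAKMP_BAD = """\
Active SA: 1
Rekey SA: 0
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""


@dataclass
class IkeSa:
    peer: str
    sa_type: str
    role: str
    rekey: str
    state: str


@dataclass
class IsakmpReport:
    active: int
    rekey: int
    total: int
    sas: list = field(default_factory=list)


COUNTER_RE = re.compile(r"^(Active SA|Rekey SA|Total IKE SA):\s*(\d+)", re.M)
# One entry is the "N   IKE Peer: <ip>" line followed by the Type/Role and Rekey/State lines.
ENTRY_RE = re.compile(
    r"^\s*\d+\s+IKE Peer:\s*(\S+)[ \t]*\n"
    r"\s*Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)[ \t]*\n"
    r"\s*Rekey\s*:\s*(\S+)\s+State\s*:\s*(\S+)",
    re.M,
)


def parse_isakmp_sa(text):
    """Parse the summary counters and every per-peer IKE SA entry."""
    counters = {k: int(v) for k, v in COUNTER_RE.findall(text)}
    report = IsakmpReport(
        counters.get("Active SA", 0), counters.get("Rekey SA", 0), counters.get("Total IKE SA", 0)
    )
    for m in ENTRY_RE.finditer(text):
        report.sas.append(IkeSa(*m.groups()))
    return report


def check_isakmp(report, expected_peers):
    """Apply the article's Phase 1 checks; return a list of human-readable findings."""
    problems = []
    if not report.sas:
        problems.append("no IKE SA at all: Phase 1 never completed, check the IKE parameters")
    seen = {sa.peer for sa in report.sas}
    for peer in expected_peers:
        if peer not in seen:
            problems.append(f"no IKE SA for expected peer {peer}")
    for sa in report.sas:
        if sa.state != "MM_ACTIVE":
            problems.append(f"peer {sa.peer} is in state {sa.state}, expected MM_ACTIVE")
    # Active SA count is even except during rekey, when one SA shows as a Rekey SA.
    if report.active % 2 == 1 and report.rekey == 0:
        problems.append(f"odd Active SA count ({report.active}) with no rekey in progress")
    return problems


if __name__ == "__main__":
    peers = ["203.0.113.10", "203.0.113.11"]
    for label, sample in (("ok", ISAKMP_OK), ("bad", ISAKMP_BAD)):
        print(label, check_isakmp(parse_isakmp_sa(sample), peers) or "Phase 1 looks healthy")
```

Paste the real command output into the parser in place of the samples; the expected peer list is the pair of Anypoint VPN endpoint addresses from the tunnel configuration.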

Further troubleshooting should be conducted by setting the logs to debug.
Enable debug:
# debug crypto isakmp

Disable debug:
# no debug crypto isakmp

Phase 2:

List IPSEC SA:
# show crypto ipsec sa

The result should show something like this:
interface: outside
    Crypto map tag: <CryptoMapName>, seq num: 2, local addr: <RouterLocalIPAddr>

      access-list integ-ppe-loopback extended permit ip any vpc_subnet subnet_mask
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (<VPCCIDRRange>/<VPCSubnetMask>/0/0)
      current_peer: integ-ppe1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: <RouterLocalIPAddr>, remote crypto endpt.: <CloudhubVPN_IP>

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: <OutboundSA_SPI>
      current inbound spi : <InboundSA_SPI>

    inbound esp sas:
      spi: <InboundSA_SPI> (123456789)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4710400, crypto-map: <VPN_CryptoMap>
         sa timing: remaining key lifetime (kB/sec): (4374000/3593)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0x6D9F8D3B (1234567890)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 4710400, crypto-map: <VPN_CryptoMap>
         sa timing: remaining key lifetime (kB/sec): (4374000/3593)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
         0x00000000 0x00000001

For each tunnel interface, you should see a pair of ESP SAs: one inbound and one outbound. If both are listed, the SA has been negotiated and IPsec is configured correctly.

On a Cisco ASA, the IPsec tunnel only comes up after "interesting traffic" (traffic matching the crypto map access list) is sent. To keep IPsec permanently active, we recommend configuring SLA monitor. SLA monitor continuously sends interesting traffic, which keeps the IPsec tunnel active (https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/route_static.html#61801).

You can also keep a ping running against an application worker's internal DNS name to keep the tunnel alive (https://docs.mulesoft.com/runtime-manager/cloudhub-networking-guide#_dns_records).
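The Phase 2 checks (one inbound and one outbound ESP SA per crypto map entry, and whether any traffic has actually crossed the tunnel) can be automated the same way. This is an added example, not code from the article or from MuleSoft or Cisco: it splits `show crypto ipsec sa` output per crypto map entry, collects the SPIs under "inbound esp sas:" and "outbound esp sas:", and reads the encaps/decaps counters. A pair that exists but has zero packets in both directions is reported as idle, which is the case the SLA monitor or keepalive ping addresses; encaps without decaps is reported as one-way. Both samples, the addresses and the SPIs are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `show crypto ipsec sa` for a healthy tunnel: the SA pair
# exists and traffic flows both ways. Addresses and SPIs are placeholders.
IPSEC_OK = """\
interface: outside
    Crypto map tag: VPN_CryptoMap, seq num: 1, local addr: 198.51.100.2

      access-list vpn-acl extended permit ip any 10.0.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 198.51.100.2, remote crypto endpt.: 203.0.113.10
      current outbound spi: 6D9F8D3B
      current inbound spi : 1A2B3C4D

    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
         transform: esp-aes esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x6D9F8D3B (1839172923)
         transform: esp-aes esp-sha-hmac no compression
"""

# Constructed sample of the idle case: the SA pair was negotiated, but no
# interesting traffic has crossed it since.
IPSEC_IDLE = """\
interface: outside
    Crypto map tag: VPN_CryptoMap, seq num: 1, local addr: 198.51.100.2
      current_peer: 203.0.113.10
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
    outbound esp sas:
      spi: 0x6D9F8D3B (1839172923)
"""


@dataclass
class IpsecEntry:
    crypto_map: str
    seq: int
    peer: str
    encaps: int
    decaps: int
    inbound_spis: list = field(default_factory=list)
    outbound_spis: list = field(default_factory=list)


# Only lines that start with "spi:" are SA entries; "current outbound spi:" does not match.
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)", re.M)


def _int_after(label, chunk):
    m = re.search(rf"{re.escape(label)}:\s*(\d+)", chunk)
    return int(m.group(1)) if m else 0


def parse_ipsec_sa(text):
    """Split the output per crypto map entry and extract what the checks need."""
    entries = []
    for chunk in re.split(r"(?=Crypto map tag:)", text):
        m = re.search(r"Crypto map tag:\s*([^,]+), seq num:\s*(\d+)", chunk)
        if not m:
            continue
        peer = re.search(r"current_peer:\s*(\S+)", chunk)
        # The per-direction lists follow their headers; split on the headers so the
        # "current outbound spi:" summary line is never counted as an SA.
        before_out, _, out_part = chunk.partition("outbound esp sas:")
        in_part = before_out.partition("inbound esp sas:")[2]
        entries.append(IpsecEntry(
            crypto_map=m.group(1).strip(), seq=int(m.group(2)),
            peer=peer.group(1) if peer else "",
            encaps=_int_after("#pkts encaps", chunk),
            decaps=_int_after("#pkts decaps", chunk),
            inbound_spis=SPI_RE.findall(in_part),
            outbound_spis=SPI_RE.findall(out_part)))
    return entries


def check_ipsec(entries):
    """Apply the article's Phase 2 checks; return a list of findings."""
    problems = []
    if not entries:
        problems.append("no IPsec SA listed: no interesting traffic has been sent yet, or Phase 2 failed")
    for e in entries:
        where = f"{e.crypto_map} seq {e.seq} peer {e.peer}"
        if not e.inbound_spis or not e.outbound_spis:
            problems.append(f"{where}: expected one inbound and one outbound ESP SA, "
                            f"found {len(e.inbound_spis)} in / {len(e.outbound_spis)} out")
        elif e.encaps == 0 and e.decaps == 0:
            problems.append(f"{where}: SA pair is idle (no packets either way); "
                            "configure SLA monitor or a keepalive ping")
        elif e.decaps == 0:
            problems.append(f"{where}: sending ({e.encaps} encaps) but receiving nothing; "
                            "check the remote side and routing")
    return problems
```

Run `check_ipsec(parse_ipsec_sa(output))` on the captured command output; an empty list means every crypto map entry has its SA pair and bidirectional traffic.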

Further troubleshooting should be conducted by setting the logs to debug.
Enable debug:
# debug crypto ipsec

Disable debug:
# no debug crypto ipsec

Routing:

Ping the other end of the tunnel. If this works, your IPsec tunnel is up and running. If it does not, check your access lists and refer to the previous IPsec section.

If you are not able to reach your Cloudhub workers, check the following:

1 - Verify that the access-list is configured to allow traffic that is associated with the crypto map.

You can do this using the following command:
# show run crypto

Output should be similar to:
 
crypto ipsec transform-set <transform-set-name> esp-aes esp-sha-hmac
crypto map <VPN_CryptoMap> 1 match address access-list-name
crypto map <VPN_CryptoMap> 1 set pfs
crypto map <VPN_CryptoMap> 1 set peer <CloudhubVPN_IP_1> <CloudhubVPN_IP_2>
crypto map <VPN_CryptoMap> 1 set transform-set <transform-set-name>
crypto map <VPN_CryptoMap> 1 set security-association lifetime seconds 3600

2 - Check the access list:
 
# show run access-list <access-list-name>

Output should be as follows:
access-list <access-list-name> extended permit ip any <VPCCIDRRange> <VPCSubnetMask>

Note that you should permit any or any4 in the access list:

This access list should contain an entry that corresponds to the static route for your VPC CIDR and allows traffic from any source subnet. If you do not wish to use the "any" source, you must use a single access-list entry for reaching the VPC range. If you specify more than one entry in this ACL without using "any" as the source, the VPN will function erratically. The "any" rule also ensures that the security association includes the ASA outside interface, which is where the SLA monitor traffic is sourced from.

3 - Verify that this access list is correct.

4 - Run a traceroute from the Cisco ASA device to see whether it reaches the Cloudhub routers (for example, <CloudhubVPN_IP_1>/<CloudhubVPN_IP_2>).

If this reaches the router, then check the firewall rules defined for the VPC (https://docs.mulesoft.com/runtime-manager/vpc-firewall-rules-concept).
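Steps 1 and 2 above (the crypto map references an ACL, and that ACL uses an "any"/"any4" source or a single entry for the VPC range) can be checked against saved `show run crypto` and `show run access-list` output. The following is an added example, not part of the article or of any MuleSoft or Cisco tool: it ties each `match address` ACL back to its crypto map entry, confirms the transform-set is defined and both peers are set, and applies the ACL rules from the note above. The configuration samples, names and addresses are constructed, and the ACL parser assumes the `permit ip <src|any|any4> <dst> <mask>` network/mask form shown in the article (no `host` or object-group forms).

```python
import re

# Constructed `show run crypto` output following the layout the article expects.
CRYPTO_RUN = """\
crypto ipsec transform-set ANYPOINT-TS esp-aes esp-sha-hmac
crypto map VPN_CryptoMap 1 match address vpn-acl
crypto map VPN_CryptoMap 1 set pfs
crypto map VPN_CryptoMap 1 set peer 203.0.113.10 203.0.113.11
crypto map VPN_CryptoMap 1 set transform-set ANYPOINT-TS
crypto map VPN_CryptoMap 1 set security-association lifetime seconds 3600
"""

# Constructed `show run access-list vpn-acl` output: the recommended single "any" entry.
ACL_GOOD = "access-list vpn-acl extended permit ip any 10.0.0.0 255.255.0.0\n"

# Constructed counter-example: two specific-source entries and no "any", which the
# article says makes the VPN function erratically.
ACL_BAD = """\
access-list vpn-acl extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.0.0
access-list vpn-acl extended permit ip 192.168.2.0 255.255.255.0 10.0.0.0 255.255.0.0
"""

MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)", re.M)
TS_DEF_RE = re.compile(r"^crypto ipsec transform-set (\S+)", re.M)


def parse_acl(text, name):
    """Return (source, destination) pairs for the 'permit ip' entries of one ACL.
    Assumes network/mask entries; the source is 'any'/'any4' or 'net mask'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[:2] != ["access-list", name] or parts[2:5] != ["extended", "permit", "ip"]:
            continue
        rest = parts[5:]
        if rest[0] in ("any", "any4"):
            src, dst = rest[0], rest[1:]
        else:
            src, dst = f"{rest[0]} {rest[1]}", rest[2:]
        entries.append((src, " ".join(dst)))
    return entries


def check_crypto_map(crypto_run, acl_run, vpc_cidr, vpc_mask):
    """Apply the article's step 1 and step 2 checks; return a list of findings."""
    problems = []
    transform_sets = set(TS_DEF_RE.findall(crypto_run))
    maps = MATCH_RE.findall(crypto_run)
    if not maps:
        problems.append("no 'crypto map ... match address' line: no ACL is tied to the crypto map")
    for name, seq, acl in maps:
        prefix = rf"^crypto map {re.escape(name)} {seq} "
        ts = re.search(prefix + r"set transform-set (\S+)", crypto_run, re.M)
        if not ts or ts.group(1) not in transform_sets:
            problems.append(f"{name} {seq}: transform-set missing or not defined")
        peers = re.search(prefix + r"set peer (.+)$", crypto_run, re.M)
        if not peers or len(peers.group(1).split()) < 2:
            problems.append(f"{name} {seq}: expected both Anypoint VPN peer addresses in 'set peer'")
        entries = parse_acl(acl_run, acl)
        if not entries:
            problems.append(f"{name} {seq}: ACL {acl} has no 'permit ip' entries")
            continue
        if not any(dst == f"{vpc_cidr} {vpc_mask}" for _, dst in entries):
            problems.append(f"{name} {seq}: ACL {acl} has no entry for the VPC range {vpc_cidr} {vpc_mask}")
        # Without an "any" source the ACL must be a single entry for the VPC range.
        if any(src not in ("any", "any4") for src, _ in entries) and len(entries) > 1:
            problems.append(f"{name} {seq}: ACL {acl} has {len(entries)} entries without an 'any' source; "
                            "use 'any' or a single entry")
    return problems


if __name__ == "__main__":
    for label, acl in (("good", ACL_GOOD), ("bad", ACL_BAD)):
        print(label, check_crypto_map(CRYPTO_RUN, acl, "10.0.0.0", "255.255.0.0") or "looks consistent")
```

The VPC CIDR and mask passed to `check_crypto_map` are the values from the Anypoint VPC configuration; the check only reports what is inconsistent with the article's expected layout, so an ASA that uses object groups in the ACL will need the parser extended.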

 
Knowledge Article Number

001114461

 
Salesforce Help | Article