Monitoring and Troubleshooting IPsec VPNs

Some useful Cisco IOS commands for monitoring your IPsec VPNs include
the following:
■ show crypto isakmp sa—This command shows all the IKE SAs
currently active on the router. Look for a status of QM_IDLE to verify
that the SA is active.
■ show crypto ipsec sa—This command shows the parameters used by
each SA and shows traffic flow. Look for the count of packets being
encrypted and decrypted, to verify the VPN's operation.
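Both checks can be run over captured command output. The following Python is an added example, not part of the original text: it lists IKE SAs that are not in QM_IDLE and peers whose encrypt or decrypt counter is still zero. The sample output is constructed with documentation addresses, and the output layout it parses is an assumption based on typical IOS releases.

```python
import re

# Constructed sample output using documentation addresses. The layout is an
# assumption based on typical IOS releases; adjust the patterns to yours.
ISAKMP_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.2    QM_IDLE           1001 ACTIVE
192.0.2.1       203.0.113.7     MM_NO_STATE          0 ACTIVE
"""
IPSEC_OUTPUT = """\
   current_peer 198.51.100.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
   current_peer 203.0.113.7 port 500
    #pkts encaps: 45, #pkts encrypt: 45, #pkts digest: 45
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
SA_ROW = re.compile(rf"^{IP}\s+{IP}\s+(\S+)\s+\d+\s+\S+$")
PEER = re.compile(r"current_peer\s+(\S+)")
COUNTER = re.compile(r"#pkts (encrypt|decrypt): (\d+)")

def ike_sas_not_idle(text):
    """Return (dst, src, state) for every IKE SA whose state is not QM_IDLE."""
    rows = (SA_ROW.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2], m[3]) for m in rows if m and m[3] != "QM_IDLE"]

def ipsec_counters(text):
    """Map each peer to its summed encrypt/decrypt packet counters."""
    peers, current = {}, None
    for line in text.splitlines():
        if (m := PEER.search(line)):
            current = m[1]
            peers.setdefault(current, {"encrypt": 0, "decrypt": 0})
        elif current:
            for name, value in COUNTER.findall(line):
                peers[current][name] += int(value)
    return peers

def peers_with_zero_counter(text):
    """Return peers whose encrypt or decrypt counter is zero."""
    return sorted(p for p, c in ipsec_counters(text).items() if 0 in c.values())

if __name__ == "__main__":
    print("IKE SAs not in QM_IDLE:", ike_sas_not_idle(ISAKMP_OUTPUT))
    print("Peers with a zero counter:", peers_with_zero_counter(IPSEC_OUTPUT))
```
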
To troubleshoot VPN problems, first verify IP connectivity. If that exists,
review your configuration one more time. If the configuration looks correct
on both peers, you can view detailed information about the IKE negotiations
by using the command debug crypto isakmp.