Tests on a vpn-box

These are some quick tests to see whether your vpn-box is doing the things it needs to do…

How to check if your tunnels are correctly established?

show crypto session

You should get a result that looks like this (pay special attention to the session status):

Crypto session current status
Interface: Ethernet0
Session status: UP-ACTIVE
Peer: 212.71.17.65 port 4500
IKE SA: local 192.168.253.26/4500 remote 212.71.17.65/4500 Active
IPSEC FLOW: permit 47 host 10.128.76.128 host 212.71.17.65
Active SAs: 2, origin: crypto map

Interface: Ethernet0
Session status: UP-ACTIVE
Peer: 194.7.19.33 port 4500
IKE SA: local 192.168.253.26/4500 remote 194.7.19.33/4500 Active
IPSEC FLOW: permit 47 host 10.128.76.128 host 194.7.19.33
Active SAs: 2, origin: crypto map
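
When there are many peers, the session status check can be scripted over saved "show crypto session" output. The following is an added example, not part of the original page: the sample text is constructed (documentation address ranges, plus a made-up peer in the IOS DOWN-NEGOTIATING state), and the function names parse_sessions and unhealthy are hypothetical.

```python
import re

# Constructed sample: first block mirrors the format shown above,
# second block is a made-up failing peer (documentation address ranges).
SAMPLE = """\
Crypto session current status
Interface: Ethernet0
Session status: UP-ACTIVE
Peer: 198.51.100.10 port 4500
  IKE SA: local 192.0.2.26/4500 remote 198.51.100.10/4500 Active
  IPSEC FLOW: permit 47 host 10.0.0.1 host 198.51.100.10
        Active SAs: 2, origin: crypto map

Interface: Ethernet0
Session status: DOWN-NEGOTIATING
Peer: 203.0.113.33 port 500
  IKE SA: local 192.0.2.26/500 remote 203.0.113.33/500 Inactive
  IPSEC FLOW: permit 47 host 10.0.0.1 host 203.0.113.33
        Active SAs: 0, origin: crypto map
"""

def parse_sessions(text):
    """Split 'show crypto session' output into one dict per session."""
    sessions, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            # Every session block starts with its interface line.
            current = {"interface": line.split(":", 1)[1].strip(),
                       "status": None, "peer": None, "active_sas": 0}
            sessions.append(current)
        elif current is None:
            continue  # banner text before the first session
        elif line.startswith("Session status:"):
            current["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            current["peer"] = line.split()[1]
        elif m := re.match(r"Active SAs:\s*(\d+)", line):
            # A session can list several IPSEC FLOWs; sum their SAs.
            current["active_sas"] += int(m.group(1))
    return sessions

def unhealthy(sessions):
    """Return sessions that are not UP-ACTIVE or carry no active IPsec SAs."""
    return [s for s in sessions
            if s["status"] != "UP-ACTIVE" or s["active_sas"] == 0]

if __name__ == "__main__":
    for s in unhealthy(parse_sessions(SAMPLE)):
        print("CHECK", s["peer"], s["status"], s["active_sas"], "active SAs")
```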

Some steps to troubleshoot a vpn tunnel

debug crypto isakmp (deb cry is)
terminal monitor (term mon)
clear crypto session (cle cry ses)

This will disconnect your vpn-box for a while (+/- 5 seconds), but it should come back up rather quickly, and give you a lot of information about the tunnels.

How to test a ‘unicast’ connection?

telnet 194.7.19.65 1494 /source-interface vlan 2

Basically, you connect to a public IP (make sure that the route is known) on a specific port (make sure that no firewall is blocking it) from a specific source (check the route, the access-list and possibly NAT).

How can you test whether the multicast is coming in?

sh ip mroute (see if the dedicated group is in there)
sh ip mroute count (see if any packets are passing by)
sh ip igmp membership all (who’s asking what?)