Identify VPN Issues

Find VPN Tunnels with Missing Peers

The "Missing IP Peer" condition is more likely to occur on ASA devices than FTD devices.

1. In the CDO navigation pane, click VPN > Site-to-Site VPN to open the VPN page.
2. Select Table View.
3. Open the Filter panel by clicking the filter icon .
4. Check Detected Issues.
5. Select each device reporting an issue  and look in the Peers pane at the right. One peer name will be listed. CDO reports the other peer name as, "[Missing peer IP.]"

Find VPN Peers with Encryption Key Issues  

Use this approach to locate VPN Peers with encryption key issues such as:

• IKEv1 or IKEv2 keys are invalid, missing, or mismatched
• Obsolete or low encryption tunnels

1. In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
2. Select Table View.
3. Open the Filter panel by clicking the filter icon .
4. Select each device reporting an issue  and look in the Peers pane at the right. The peer information will show you both peers. 
5. Click on View Peers for one of the devices.
6. Double-click the device reporting the issue in the Diagram View.
7. Click Key Exchange in the Tunnel Details panel at the bottom. You will be able to view both devices and diagnose the key issue from that point.

Find Incomplete or Misconfigured Access Lists Defined for a Tunnel

The "incomplete or misconfigured access-list" condition could only occur on ASA devices.

1. In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
2. Select Table View.
3. Open the Filter panel by clicking the filter icon .
4. Select each device reporting an issue  and look in the Peers pane at the right. The peer information shows you both peers. 
5. Click on View Peers for one of the devices.
6. Double-click the device reporting the issue in the Diagram View.
7. Click Tunnel Details in the Tunnel Details panel at the bottom. You will see the message, "Network Policy: Incomplete"

Find Issues in Tunnel Configuration

The tunnel configuration error can occur on the FTD device in the following scenarios: 

• When the IP address of a site-to-site VPN interface changes, the "Peer IP Address Value has changed".
• When the IKE value of a VPN tunnel doesn’t match the other VPN tunnel, the "IKE value Mismatch" message appears. 

1. In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
2. Select Table View.
3. Open the Filter panel by clicking the filter icon .
4. In the Tunnel Issues, click Detected Issues to view the VPN configuration reporting errors.
   You can view the configuration reporting issues . 
5. Select the VPN configuration reporting issues. 
6. In the Peers pane on the right, the  icon appears for the peer having the issue.
   Hover over the  icon to see the issue and resolution. 

Next Step: Continue to Resolve Tunnel Configuration Issues

Resolve Tunnel Configuration Issues

This procedure attempts to resolve these tunnel configuration issues:

• When the IP address of a site-to-site VPN interface changes, the "Peer IP Address Value has changed".
• When the IKE value of a VPN tunnel doesn’t match the other VPN tunnel, the "IKE value Mismatch" message appears. 

See Find Issues in Tunnel Configuration for more information.

1. In the CDO navigation bar, click Devices & Services.
2. Select the device associated with the VPN configuration reporting an issue. 
3. Accept the device changes. 
4. In the CDO navigation pane, click VPN > Site-to-Site VPN to open the VPN page.
5. Select the VPN configuration reporting this issue.
6. In the Actions pane, click the Edit icon.
7. Click Next in each step until you click the Finish button in step 4. 
8. Deploy the tunnel configuration to the FTD.