Identify VPN Issues
CDO can identify VPN issues on ASA and FTD devices. (This feature is not yet available for AWS VPC site-to-site VPN tunnels.) This article describes:
- Find VPN Tunnels with Missing Peers
- Find VPN Peers with Encryption Key Issues
- Find Incomplete or Misconfigured Access Lists Defined for a Tunnel
- Find Issues in Tunnel Configuration
Find VPN Tunnels with Missing Peers
The "Missing IP Peer" condition is more likely to occur on ASA devices than FTD devices.
- In the CDO navigation pane, click VPN > Site-to-Site VPN to open the VPN page.
- Select Table View.
- Open the Filter panel by clicking the filter icon.
- Check Detected Issues.
- Select each device reporting an issue and look in the Peers pane at the right. One peer name will be listed; CDO reports the other peer name as "[Missing peer IP.]"
Find VPN Peers with Encryption Key Issues
Use this approach to locate VPN Peers with encryption key issues such as:
- IKEv1 or IKEv2 keys are invalid, missing, or mismatched
- Obsolete or low encryption tunnels
- In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
- Select Table View.
- Open the Filter panel by clicking the filter icon.
- Select each device reporting an issue and look in the Peers pane at the right. The peer information will show you both peers.
- Click on View Peers for one of the devices.
- Double-click the device reporting the issue in the Diagram View.
- Click Key Exchange in the Tunnel Details panel at the bottom. You will be able to view both devices and diagnose the key issue from that point.
Find Incomplete or Misconfigured Access Lists Defined for a Tunnel
The "incomplete or misconfigured access-list" condition could only occur on ASA devices.
- In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
- Select Table View.
- Open the Filter panel by clicking the filter icon.
- Select each device reporting an issue and look in the Peers pane at the right. The peer information shows you both peers.
- Click on View Peers for one of the devices.
- Double-click the device reporting the issue in the Diagram View.
- Click Tunnel Details in the Tunnel Details panel at the bottom. You will see the message "Network Policy: Incomplete".
Find Issues in Tunnel Configuration
The tunnel configuration error can occur on the FTD device in the following scenarios:
- When the IP address of a site-to-site VPN interface changes, the "Peer IP Address Value has changed" message appears.
- When the IKE value of a VPN tunnel doesn’t match the other VPN tunnel, the "IKE value Mismatch" message appears.
- In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
- Select Table View.
- Open the Filter panel by clicking the filter icon.
- Under Tunnel Issues, click Detected Issues to view the VPN configurations reporting errors.
- Select the VPN configuration reporting issues.
- In the Peers pane on the right, an issue icon appears next to the peer having the issue. Hover over the icon to see the issue and its resolution.
Resolution:
- In the CDO navigation bar, click Devices & Services.
- Select the device associated with the VPN configuration reporting an issue.
- Accept the device changes.
- In the CDO navigation pane, click VPN > Site-to-Site VPN to open the VPN page.
- Select the VPN configuration reporting this issue.
- In the Actions pane, click the Edit icon.
- Click Next in each step until you click the Finish button in step 4.
- Deploy the tunnel configuration to the FTD.