Identify VPN Issues

Find VPN Tunnels with Missing Peers

The "Missing IP Peer" condition is more likely to occur on ASA devices than FTD devices.

1. From the main navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
2. Select Table View.
3. Open the Filter panel by clicking the filter icon .
4. Check Detected Issues.
5. Select each device reporting an issue  and look in the Peers pane at the right. One peer name will be listed. CDO reports the other peer name as, "[Missing peer IP.]"

Find VPN Peers with Encryption Key Issues  

Use this approach to locate VPN Peers with encryption key issues such as:

• IKEv1 or IKEv2 keys are invalid, missing, or mismatched
• Obsolete or low encryption tunnels

1. From the main navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
2. Select Table View.
3. Open the Filter panel by clicking the filter icon .
4. Select each device reporting an issue  and look in the Peers pane at the right. The peer information will show you both peers. 
5. Click on View Peers for one of the devices.
6. Double-click the device reporting the issue in the Diagram View.
7. Click Key Exchange in the Tunnel Details panel at the bottom. You will be able to view both devices and diagnose the key issue from that point.

Find Incomplete or Misconfigured Access Lists Defined for a Tunnel

The "incomplete or misconfigured access list" condition could only occur on ASA devices.

1. From the main navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
2. Select Table View.
3. Open the Filter panel by clicking the filter icon .
4. Select each device reporting an issue  and look in the Peers pane at the right. The peer information shows you both peers. 
5. Click on View Peers for one of the devices.
6. Double-click the device reporting the issue in the Diagram View.
7. Click Tunnel Details in the Tunnel Details panel at the bottom. You will see the message, "Network Policy: Incomplete"