Cisco Defense Orchestrator

Identify VPN Issues

CDO can identify VPN issues on ASA and FTD devices. (This feature is not yet available for AWS VPC site-to-site VPN tunnels.) This article describes:

Find VPN Tunnels with Missing Peers

The "Missing IP Peer" condition is more likely to occur on ASA devices than on FTD devices.

  1. In the CDO navigation pane, click VPN > Site-to-Site VPN to open the VPN page.
  2. Select Table View.
  3. Open the Filter panel by clicking the filter icon.
  4. Check Detected Issues.
  5. Select each device reporting an issue (marked with the red issue icon) and look in the Peers pane at the right. One peer name is listed; CDO reports the other peer as "[Missing peer IP.]"

Find VPN Peers with Encryption Key Issues

Use this approach to locate VPN peers with encryption key issues such as:

  • IKEv1 or IKEv2 keys that are invalid, missing, or mismatched
  • Tunnels using obsolete or weak encryption

  1. In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
  2. Select Table View.
  3. Open the Filter panel by clicking the filter icon.
  4. Select each device reporting an issue (marked with the red issue icon) and look in the Peers pane at the right. The peer information shows you both peers.
  5. Click View Peers for one of the devices.
  6. Double-click the device reporting the issue in the Diagram View.
  7. Click Key Exchange in the Tunnel Details panel at the bottom. From there you can view the settings of both devices and diagnose the key issue.

Find Incomplete or Misconfigured Access Lists Defined for a Tunnel

The "incomplete or misconfigured access-list" condition can only occur on ASA devices.

  1. In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
  2. Select Table View.
  3. Open the Filter panel by clicking the filter icon.
  4. Select each device reporting an issue (marked with the red issue icon) and look in the Peers pane at the right. The peer information shows you both peers.
  5. Click View Peers for one of the devices.
  6. Double-click the device reporting the issue in the Diagram View.
  7. Click Tunnel Details in the Tunnel Details panel at the bottom. You will see the message "Network Policy: Incomplete".

Find Issues in Tunnel Configuration

The tunnel configuration error can occur on an FTD device in the following scenarios:

  • When the IP address of a site-to-site VPN interface changes, the message "Peer IP Address Value has changed" appears.
  • When the IKE value of one VPN tunnel does not match that of the other tunnel, the message "IKE value Mismatch" appears.

  1. In the CDO navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
  2. Select Table View.
  3. Open the Filter panel by clicking the filter icon.
  4. Under Tunnel Issues, click Detected Issues to view the VPN configurations reporting errors. Each configuration reporting an issue is marked with the red issue icon.
  5. Select the VPN configuration reporting issues.
  6. In the Peers pane on the right, the red issue icon appears next to the peer that has the issue. Hover over the icon to see the issue and its resolution.

Resolution

  1. In the CDO navigation bar, click Devices & Services.
  2. Select the device associated with the VPN configuration reporting an issue.
  3. Accept the device changes.
  4. In the CDO navigation pane, click VPN > Site-to-Site VPN to open the VPN page.
  5. Select the VPN configuration reporting this issue.
  6. In the Actions pane, click the Edit icon.
  7. Click Next in each step until you click the Finish button in step 4.
  8. Deploy the tunnel configuration to the FTD.