Cisco Defense Orchestrator

Identify VPN Issues

CDO can identify VPN issues on ASA and FTD devices. (This feature is not yet available for AWS VPC site-to-site VPN tunnels.) This article describes the following procedures:

Find VPN Tunnels with Missing Peers

The "Missing IP Peer" condition is more likely to occur on ASA devices than FTD devices.

  1. From the main navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
  2. Select Table View.
  3. Open the Filter panel by clicking the filter icon.
  4. Check Detected Issues.
  5. Select each device reporting an issue (marked with a red triangle and exclamation mark) and look in the Peers pane at the right. One peer name will be listed. CDO reports the other peer name as "[Missing peer IP.]"

Find VPN Peers with Encryption Key Issues

Use this approach to locate VPN Peers with encryption key issues such as:

  • IKEv1 or IKEv2 keys are invalid, missing, or mismatched
  • Obsolete or low-strength encryption tunnels

  1. From the main navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
  2. Select Table View.
  3. Open the Filter panel by clicking the filter icon.
  4. Select each device reporting an issue (marked with a red triangle and exclamation mark) and look in the Peers pane at the right. The peer information shows you both peers.
  5. Click on View Peers for one of the devices.
  6. Double-click the device reporting the issue in the Diagram View.
  7. Click Key Exchange in the Tunnel Details panel at the bottom. You will be able to view both devices and diagnose the key issue from that point.

Find Incomplete or Misconfigured Access Lists Defined for a Tunnel

The "incomplete or misconfigured access list" condition can only occur on ASA devices.

  1. From the main navigation bar, click VPN > Site-to-Site VPN to open the VPN page.
  2. Select Table View.
  3. Open the Filter panel by clicking the filter icon.
  4. Select each device reporting an issue (marked with a red triangle and exclamation mark) and look in the Peers pane at the right. The peer information shows you both peers.
  5. Click on View Peers for one of the devices.
  6. Double-click the device reporting the issue in the Diagram View.
  7. Click Tunnel Details in the Tunnel Details panel at the bottom. You will see the message "Network Policy: Incomplete".
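The three conditions above (a missing peer, key or cipher problems, and an incomplete network policy) can also be checked offline against an inventory export before opening each tunnel in the Diagram View. The script below is an added example, not CDO code and not CDO's API: the `TunnelRecord` shape, the `triage` function and the sample records are constructed for illustration, and pre-shared keys are compared by SHA-256 fingerprint so the report never contains a key. The "low encryption" check goes beyond the page by naming the specific legacy choices (DES, 3DES, MD5, SHA-1, DH groups 1/2/5) that Cisco's Next Generation Encryption guidance classes as avoid or legacy.

```python
from dataclasses import dataclass, field
from hashlib import sha256
from typing import Optional

# Legacy algorithm choices per Cisco Next Generation Encryption guidance (assumed set).
WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


def psk_fingerprint(psk: Optional[str]) -> Optional[str]:
    """Digest the pre-shared key so keys are compared without ever being printed."""
    if not psk:
        return None
    return sha256(psk.encode()).hexdigest()[:16]


@dataclass
class TunnelRecord:
    """Hypothetical inventory record for one tunnel; not CDO's data model."""
    device_type: str                  # "ASA" or "FTD"
    local_peer: str
    remote_peer: Optional[str]        # None when CDO shows "[Missing peer IP.]"
    ike_version: int                  # 1 or 2
    local_psk: Optional[str]
    remote_psk: Optional[str]
    encryption: str                   # e.g. "aes-256", "3des"
    integrity: str                    # e.g. "sha256", "md5"
    dh_group: int
    local_networks: list = field(default_factory=list)   # crypto ACL "interesting traffic"
    remote_networks: list = field(default_factory=list)


def triage(t: TunnelRecord) -> list[str]:
    """Return the detected-issue tags for one tunnel, mirroring the page's three conditions."""
    issues: list[str] = []

    # Condition 1: a peer that CDO could not identify.
    if not t.remote_peer:
        issues.append("missing-peer")

    # Condition 2a: IKE pre-shared key missing on a side, or not the same on both sides.
    lf, rf = psk_fingerprint(t.local_psk), psk_fingerprint(t.remote_psk)
    if lf is None or rf is None:
        issues.append(f"ikev{t.ike_version}-key-missing")
    elif lf != rf:
        issues.append(f"ikev{t.ike_version}-key-mismatch")

    # Condition 2b: obsolete or low-strength cipher suite components.
    weak: list[str] = []
    if t.encryption.lower() in WEAK_ENCRYPTION:
        weak.append(t.encryption)
    if t.integrity.lower() in WEAK_INTEGRITY:
        weak.append(t.integrity)
    if t.dh_group in WEAK_DH_GROUPS:
        weak.append(f"dh-group-{t.dh_group}")
    if weak:
        issues.append("low-encryption:" + ",".join(weak))

    # Condition 3: crypto ACL does not define both sides of the protected traffic.
    # CDO reports this only for ASA; the check is applied to every record here.
    if not t.local_networks or not t.remote_networks:
        issues.append("network-policy-incomplete")

    return issues


def triage_all(records: list[TunnelRecord]) -> dict[str, list[str]]:
    """Map 'local->remote' to its issue tags; tunnels with no issues are omitted."""
    report = {}
    for t in records:
        tags = triage(t)
        if tags:
            report[f"{t.local_peer}->{t.remote_peer or '[Missing peer IP.]'}"] = tags
    return report


# Constructed sample inventory (documentation addresses, not real peers).
SAMPLE = [
    TunnelRecord("ASA", "198.51.100.1", None, 2, "k1", "k1", "aes-256", "sha256", 14,
                 ["10.0.0.0/24"], ["10.1.0.0/24"]),
    TunnelRecord("FTD", "198.51.100.2", "203.0.113.7", 1, "alpha", "bravo", "3des", "md5", 2,
                 ["10.0.2.0/24"], ["10.1.2.0/24"]),
    TunnelRecord("ASA", "198.51.100.3", "203.0.113.8", 2, "k3", "k3", "aes-256", "sha256", 14,
                 ["10.0.3.0/24"], []),
    TunnelRecord("FTD", "198.51.100.4", "203.0.113.9", 2, "k4", "k4", "aes-gcm-256", "sha384", 19,
                 ["10.0.4.0/24"], ["10.1.4.0/24"]),
]

if __name__ == "__main__":
    for tunnel, tags in triage_all(SAMPLE).items():
        print(tunnel, "->", ", ".join(tags))
```

Each tag corresponds to one of the procedures above: `missing-peer` is what the Detected Issues filter surfaces in the Peers pane, the `ikev*-key-*` and `low-encryption:*` tags are what the Key Exchange tab shows, and `network-policy-incomplete` is the "Network Policy: Incomplete" message under Tunnel Details.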