Keith,
Thank you very much. I wish I had known those tips before my lab attempt.
Regards,
Mohammed Gazzaz
> Subject: RE: Best way to troubleshoot pre-configured vpn devices?
> Date: Wed, 22 Jul 2009 04:03:06 -0700
> From: [email protected]
> To: [email protected]; [email protected]
> CC: [email protected]; [email protected]
>
> Mohammed,
>
> Great tips from Pieter-Jan. Another simple tool that may assist you in
> the troubleshooting is Notepad. Sometimes in the heat of the lab,
> it is easy to overlook things. If you put the crypto portion of your
> configuration from R1 into Notepad, and the crypto portion of your
> configuration into a SECOND instance of Notepad, and put them side by
> side, that may clarify where the configuration differences are (if that
> is the problem). Another technique that has helped many is to use a
> pointer (such as a pencil) to point to the device (on paper) that you
> are viewing on the screen. So if you go to the console of R1, move the
> pencil to R1. Being clear on which device is currently being looked at
> during troubleshooting is huge, and it is easy to believe that you
> viewed the IKE Phase 1 policy (or whatever) on R2 and swear it is
> using DH2 when in fact you saw that on R1.
>
> Also, which you may already do, enable logging on your ASAs, with a
> level of 6 to the buffer, and then refer to the log when
> troubleshooting. Your firewall is eager to point out things that it
> has killed/denied/etc. if you will use the logging feature. On your
> routers, adding logging to the deny statements in your ACLs will assist
> in determining where you are inadvertently killing traffic. On your
> routers use the command "ip access-list log-update threshold 1" so
> that you will see all of the individual deny syslog messages, instead of
> having them summarized automatically where you may not notice them right
> away. (If there are many denied packets, you may want to increase the
> threshold.)
>
> These are a couple of tips that may assist you. I wish you the very best
> on your next lab date.
>
> Sincerely,
>
> Keith Barker
> CCIE #6783 (R&S / Security)
> CCSI #21763
> Instructor
> CCBOOTCAMP - A Cisco Learning Partner (CLP)
> Email: [email protected]
> Cell: 801.766.4127
> Toll Free: 877-654-2243
> Direct: +1-702-968-5100 = Outside the USA
> FAX: +1-702-446-8012
> YES! We take Cisco Learning Credits!
> Training And Remote Racks: http://www.ccbootcamp.com
>
>
> -----Original Message-----
>
>
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Mohammed Gazzaz
> Sent: Tuesday, July 21, 2009 5:52 AM
> To: [email protected]
> Cc: [email protected]; [email protected]
> Subject: RE: Best way to troubleshoot pre-configured vpn devices?
>
> Thank you Pieter. Great post; it will definitely help me.
>
> Regards,
> Mohammed Gazzaz
>
> > CC: [email protected]; [email protected]
> > From: [email protected]
> > To: [email protected]
> > Subject: Re: Best way to troubleshoot pre-configured vpn devices?
> > Date: Tue, 21 Jul 2009 11:39:30 +0200
> >
> > Hello Mohammed,
> >
> > Shame to hear that you failed the test. I know it has become much
> > harder.
> >
> > For me, the troubleshooting of a VPN, independent of whether it is
> > pre-configured or not, is always a combination of debugs and shows.
> >
> > Usually, I first check the configuration on both sites to see whether
> > phase 1 would come up anyhow. Commands like (on the ASA)
> > show start | begin crypto isakmp
> > and
> > show run crypto map
> >
> > help a lot.
> > If I see a misconfiguration, such as pre-shared key, policy settings
> > or transform sets, I tend to fix them first.
> >
> > Then I do the debugs
> > debug crypto isakmp
> > debug crypto ipsec
> > term mon
> >
> > And initiate the tunnel.
> > Based on the output of the debug, you can see where the tunnel then
> > fails. 9 out of 10 times, the debug in combination with the configs
> > tells me what the issue is.
> > Of course, field experience with this helps a lot. Since I do a lot of
> > VPNs, I know most of the ISAKMP phase messages and know which error
> > message is caused by which config error.
> >
> > Hope this helps a bit
> >
> > Kind regards
> > Pieter-Jan
> >
> > On 21 jul 2009, at 08:17, Mohammed Gazzaz wrote:
> >
> > > Hi,
> > >
> > > Last Thursday, I failed my second attempt by only 10%. Compared to my
> > > first attempt, I did a lot better and silly mistakes cost me the exam.
> > > I also panicked again and didn't pay attention to the small details.
> > >
> > > Maybe I was lucky but the open-ended questions were very easy and I
> > > answered them in 10 minutes; probably I could have answered them in
> > > 5 minutes but I didn't want to rush.
> > >
> > > My time management was again not good and I lost a lot of points in
> > > troubleshooting VPN questions.
> > >
> > > Can you guys give me some tips on how to approach this part of the
> > > exam?
> > >
> > > I mean I know how to configure different VPNs from scratch but to
> > > troubleshoot pre-configured devices is a different matter. I can use
> > > debug and show commands but probably I will spend a lot of time to
> > > solve the issue.
> > >
> > > Any help will be appreciated.
> > >
> > > Regards,
> > > Mohammed Gazzaz
> > >
> > >
> >
>
>
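Keith's side-by-side Notepad comparison and Pieter-Jan's first step of checking both configs before debugging, as an added example that is not from the thread: a Python script that pulls the ISAKMP policies and transform sets out of two constructed IOS config snippets (the R1/R2 contents and values are made up for illustration), fills in the defaults IOS leaves out of the running config, and reports which phase 1 attributes differ and whether any transform sets can agree.

```python
import re

# Constructed sample crypto sections in IOS syntax (not from the thread): R1 and R2.
R1_CRYPTO = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-3des esp-sha-hmac
"""
R2_CRYPTO = """\
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 5
crypto ipsec transform-set TS esp-3des esp-md5-hmac
"""
# IOS omits default ISAKMP attributes from the running config; fill them in before comparing.
ISAKMP_DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
PHASE1_KEYS = ("encryption", "hash", "authentication", "group")

def parse_crypto(config):
    """Extract ISAKMP policies (defaults applied) and transform sets from an IOS config text."""
    isakmp, transform, current = {}, {}, None
    for line in config.splitlines():
        stripped = line.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", stripped)
        if m:
            current = isakmp.setdefault(int(m.group(1)), dict(ISAKMP_DEFAULTS))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", stripped)
        if m:
            transform[m.group(1)] = frozenset(m.group(2).split())
        if not line.startswith(" ") or current is None:
            current = None  # any non-indented line leaves the policy sub-mode
            continue
        key, _, val = stripped.partition(" ")
        current["encryption" if key.startswith("encr") else key] = val  # 'encr' == 'encryption'
    return {"isakmp": isakmp, "transform": transform}

def compare_phase1(r1, r2):
    """For each policy pair, list the phase 1 attributes that differ; [] means they can agree."""
    return [(n1, n2, [k for k in PHASE1_KEYS if p1[k] != p2[k]])
            for n1, p1 in r1["isakmp"].items() for n2, p2 in r2["isakmp"].items()]

def matching_transform_sets(r1, r2):
    """Name pairs of transform sets with identical proposals, so phase 2 can agree on one."""
    return [(a, b) for a, s in r1["transform"].items()
            for b, t in r2["transform"].items() if s == t]
```

On the sample above it reports policy 10 on both routers differing only in the DH group, and no transform set in common, which is exactly the kind of one-keyword mismatch that is easy to miss by eye.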