Ubaid,

Thanks a lot.

Regards,
Mohamed

> From: [email protected]
> To: [email protected]
> Subject: Re: Best way to troubleshoot pre-configured vpn devices?
> Date: Thu, 23 Jul 2009 06:56:18 +1000
> CC: [email protected]; [email protected]; 
> [email protected]; [email protected]
> 
> Some tips from me
> 
> ASA
> 
> show asp drop
> 
> Packet-tracer command
> 
> Capture command with acl
> 
> Capture command with asp drop
> 
> Regular VPN debugging commands for isakmp and ipsec
> 
> Listen to ipexpert audio COD (ipsec section is great)
> 
> Cisco website ipsec troubleshooting section
> 
> There are a couple of Cisco Press books which have good chapters on
> IPsec and there is a dedicated book on SSL VPNs
> 
> Regards,
> Ubaid Iftikhar
> 
> 
> Sent from my iPhone
> 
> On 22/07/2009, at 9:12 PM, Mohammed Gazzaz <[email protected]> wrote:
> 
> > Keith,
> >
> > Thank you very much. I wish I knew those tips before my lab attempt.
> >
> > Regards,
> > Mohammed Gazzaz
> >
> >> Subject: RE: Best way to troubleshoot pre-configured vpn devices?
> >> Date: Wed, 22 Jul 2009 04:03:06 -0700
> >> From: [email protected]
> >> To: [email protected]; [email protected]
> >> CC: [email protected]; [email protected]
> >>
> >> Mohammed,
> >>
> >> Great tips from Pieter-Jan. Another simple tool that may assist you in
> >> the troubleshooting is Notepad. Sometimes in the heat of the lab, it is
> >> easy to overlook things. If you put the crypto portion of your
> >> configuration from R1 into Notepad, and the crypto portion of your
> >> configuration into a SECOND instance of Notepad, and put them side by
> >> side, that may clarify where the configuration differences are (if that
> >> is the problem). Another technique that has helped many is to use a
> >> pointer (such as a pencil) to point to the device (on paper) that you
> >> are viewing on the screen. So if you go to the console of R1, move the
> >> pencil to R1. Being clear on which device is currently being looked at
> >> during troubleshooting is huge, and it is easy to believe that you
> >> viewed the IKE Phase 1 policy (or whatever) on R2 and you swear it is
> >> using DH2 when in fact you saw that on R1.
> >>
> >> Also, which you may already do, enable logging on your ASAs, with a
> >> level of 6 to the buffer, and then refer to the log when
> >> troubleshooting. Your firewall is eager to point out things that it
> >> has killed/denied/etc. if you will use the logging feature. On your
> >> routers, adding logging to your deny statements on your ACLs will assist
> >> in determining where you are inadvertently killing traffic. On your
> >> routers use the command "ip access-list log-update threshold 1" so
> >> that you will see all of the individual deny syslog messages, instead of
> >> having them summarized automatically where you may not notice them right
> >> away. (If there are many denied packets, you may want to increase the
> >> threshold.)
> >>
> >> These are a couple of tips that may assist you. I wish you the very best
> >> on your next lab date.
> >>
> >> Sincerely,
> >>
> >> Keith Barker
> >> CCIE #6783 (R&S / Security)
> >> CCSI #21763
> >> Instructor
> >> CCBOOTCAMP - A Cisco Learning Partner (CLP)
> >> Email: [email protected]
> >> Cell: 801.766.4127
> >> Toll Free: 877-654-2243
> >> Direct: +1-702-968-5100 = Outside the USA
> >> FAX: +1-702-446-8012
> >> YES! We take Cisco Learning Credits!
> >> Training And Remote Racks: http://www.ccbootcamp.com
> >>
> >>
> >> -----Original Message-----
> >>
> >>
> >> From: [email protected] [mailto:[email protected]] On  
> >> Behalf Of
> >> Mohammed Gazzaz
> >> Sent: Tuesday, July 21, 2009 5:52 AM
> >> To: [email protected]
> >> Cc: [email protected]; [email protected]
> >> Subject: RE: Best way to troubleshoot pre-configured vpn devices?
> >>
> >> Thank you Pieter. Great post, It will definitely help me.
> >>
> >> Regards,
> >> Mohammed Gazzaz
> >>
> >>> CC: [email protected]; [email protected]
> >>> From: [email protected]
> >>> To: [email protected]
> >>> Subject: Re: Best way to troubleshoot pre-configured vpn devices?
> >>> Date: Tue, 21 Jul 2009 11:39:30 +0200
> >>>
> >>> Hello Mohammed,
> >>>
> >>> Shame to hear that you failed the test. I know it has become much
> >>> harder.
> >>>
> >>> For me, the troubleshooting of a VPN, independent of whether it is
> >>> pre-configured or not, is always a combination of debugs and shows.
> >>>
> >>> Usually, I first check the configuration on both sites to see whether
> >>> phase 1 would come up anyhow. Commands like (on the ASA)
> >>> show start | begin crypto isakmp
> >>> and
> >>> show run crypto map
> >>>
> >>> help a lot.
> >>> If I see a misconfiguration, such as pre-shared key, policy settings or
> >>> transform sets, I tend to fix them first.
> >>>
> >>> Then I do the debugs
> >>> debug crypto isakmp
> >>> debug crypto ipsec
> >>> term mon
> >>>
> >>> And initiate the tunnel.
> >>> Based on the output of the debug, you can see where the tunnel then
> >>> fails. 9 out of 10 times, the debug in combination with the configs
> >>> tells me what the issue is.
> >>> Of course, field experience with this helps a lot. Since I do a lot of
> >>> VPNs, I know most of the ISAKMP phase messages and know which error
> >>> message is caused by which config error.
> >>>
> >>> Hope this helps a bit
> >>>
> >>> Kind regards
> >>> Pieter-Jan
> >>>
> >>> On 21 jul 2009, at 08:17, Mohammed Gazzaz wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> Last Thursday, I failed my second attempt by only 10%. Compared to my
> >>>> first attempt, I did a lot better and silly mistakes cost me the exam.
> >>>> I also panicked again and didn't pay attention to the small details.
> >>>>
> >>>> Maybe I was lucky but the open-ended questions were very easy and I
> >>>> answered them in 10 minutes; probably I could have answered them in 5
> >>>> minutes but I didn't want to rush.
> >>>>
> >>>> My time management was again not good and I lost a lot of points in
> >>>> troubleshooting VPN questions.
> >>>>
> >>>> Can you guys give me some tips on how to approach this part of the
> >>>> exam?
> >>>>
> >>>> I mean I know how to configure different VPNs from scratch, but to
> >>>> troubleshoot pre-configured devices is a different matter. I can use
> >>>> debug and show commands but probably I will spend a lot of time to
> >>>> solve the issue.
> >>>>
> >>>> Any help will be appreciated.
> >>>>
> >>>> Regards,
> >>>> Mohammed Gazzaz
> >>>>
> >>>>
> >>>
> >>
> >>
> >
> >

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com
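Keith's side-by-side Notepad comparison and Pieter-Jan's check of both configs before debugging, as an added Python example (not from any poster in the thread): it pulls the ISAKMP policies and transform sets out of the crypto sections of two router configs, fills in the IOS defaults for attributes a policy leaves unstated, and reports phase-1 and phase-2 mismatches. The sample configs R1_CONFIG and R2_CONFIG are constructed for the example.

```python
import re

# Constructed sample crypto sections for two lab routers (not from the thread).
R1_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
"""
R2_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto ipsec transform-set TS esp-aes 256 esp-md5-hmac
"""
# IOS defaults for attributes a policy leaves unstated (a common lab trap).
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}
POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\n((?: .*\n)*)", re.M)
TS_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.*)$", re.M)

def isakmp_policies(config):
    # Policy number -> effective phase-1 attributes, with defaults filled in;
    # the indented lines under each policy header are 'keyword value'.
    policies = {}
    for num, body in POLICY_RE.findall(config):
        attrs = dict(ISAKMP_DEFAULTS)
        attrs.update(line.strip().partition(" ")[::2] for line in body.splitlines())
        policies[num] = attrs
    return policies

def find_mismatches(cfg_a, cfg_b):
    # Return human-readable phase-1 and phase-2 mismatches between two configs.
    issues, keys = [], ("encr", "hash", "authentication", "group")
    pa, pb = isakmp_policies(cfg_a).values(), isakmp_policies(cfg_b).values()
    # Phase 1 needs at least one policy pair that agrees on all four attributes.
    if not any(all(x[k] == y[k] for k in keys) for x in pa for y in pb):
        issues.append("phase 1: no ISAKMP policy agrees on " + "/".join(keys))
    ta, tb = dict(TS_RE.findall(cfg_a)), dict(TS_RE.findall(cfg_b))
    # Phase 2: a transform set named on both sides must carry identical transforms.
    for name in sorted(ta.keys() & tb.keys()):
        if ta[name] != tb[name]:
            issues.append(f"phase 2: transform-set {name}: {ta[name]!r} vs {tb[name]!r}")
    return issues
```

Feed it the output of "show run | section crypto" from each side; on the constructed sample it reports the DH group mismatch (5 vs 2) and the ESP hash mismatch in transform-set TS.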
