ASA - Basic Troubleshooting
Basic Diagnostics
- Identify the color of the VPN light. The VPN light should be green, which means it's connected. Any other color indicates there's an issue.
- If the VPN light is green and phones are not registering, verify the customer has Internet from their ISP.
- Plug a phone directly into the ASA
- If the Phone registers behind the ASA directly, then it's an issue with the customer network.
- Power Cycle the device and give the ASA a few minutes to reconnect.
- If after a power cycle the ASA will still not connect you will need to console into the device to continue troubleshooting.
NOTE: For an ASA 5506 if a console cable is not available you can connect an ethernet cable to port 2 on the ASA and telnet to 192.168.22.1
ASA Commands to know
- show interface ip brief:
This shows the ethernet ports and lets you know what is connected and what isn't, plus gives you IP information on VLAN 2.
- vpnclient connect:
This command will try and force the connection for the VPN to connect.
- ping:
ping 8.8.8.8 and then for more results do ping 8.8.8.8 repeat 1000. The purpose of this is to test their internet connection.
- show version:
From here you can see how many hosts the ASA can handle.
- show run:
View the current config of the ASA, this will show all the configuration of the ASA.
- show dhcpd binding:
Shows every IP address that the ASA is handing out.
- show switch mac-address-table (not available on a 5506)
Our ASA Server - 69.4.184.240
Another IP to ping/traceroute 69.4.184.140
Common actions
Setting a Static IP on an ASA 5505. For a 5506 replace int vlan 2 with int gigabitethernet1/1
To put a static IP on an ASA that is set to DHCP:
- Ctremote#config t
- Ctremote (config)#int vlan 2 or int gigabitethernet1/1
- Ctremote (config-if)# ip address <IP> <subnet>
- Ctremote (config-if)#route outside 0.0.0.0 0.0.0.0 <gateway IP>
- CTremote (config)# exit
Testing VPN Connection
- CTremote#vpnclient connect
- EasyVPN client is Connected
Save (write) Changes
1. CTremote#wr
Change a static IP from one to another on an ASA 5505. For a 5506 replace int vlan 2 with int gigabitethernet1/1
- Ctremote#show run -note down IP address on VLAN 2 and route outside command.
- Ctremote#config t
- Ctremote (config)#int vlan 2 or int gigabitethernet1/1
- Ctremote (config-if)# no ip address <IP> <subnet>
- Ctremote (config-if)#no route outside 0.0.0.0 0.0.0.0 <gateway IP>
- CTremote (config)# exit
NOTE: For the remainder of the steps, follow the same instructions used to put a static IP on an ASA that is set to DHCP.
Change Static IP back to DHCP on an ASA 5505. For a 5506 replace int vlan 2 with int gigabitethernet1/1
- Ctremote#show run -note down IP address on VLAN 2 and route outside command.
- Ctremote#config t
- Ctremote (config)#int vlan 2 or int gigabitethernet1/1
- Ctremote (config-if)# no ip address <IP> <subnet>
- Ctremote (config-if)#no route outside 0.0.0.0 0.0.0.0 <gateway IP>
- CTremote (config)#int vlan 2 or int gigabitethernet1/1
- CTremote (config-if)#ip address dhcp setroute
- CTremote (config-if)#exit
- CTremote (config)#exit
- CTremote#wr
- Use show int ip brief to validate vlan 2 is set to DHCP.
Enable SSH on public static IP:
- crypto key generate rsa modulus 1024
- aaa authentication ssh console LOCAL
- ssh version 2
- ssh 0.0.0.0 0.0.0.0 outside
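
Added example (not part of the original page and not Cisco tooling): a Python check that reads show run output and flags the management-access lines the steps above create, such as ssh 0.0.0.0 0.0.0.0 outside, which accepts SSH from any source address. The sample config, the 198.51.100.0/24 admin network, the severity labels and the function name audit_mgmt_access are assumptions made for this illustration.

```python
import ipaddress
import re

# Constructed sample of `show run` output (not from a real device).
# 198.51.100.0/24 is a documentation range standing in for an admin network.
SAMPLE_SHOW_RUN = """\
hostname CTremote
aaa authentication ssh console LOCAL
telnet 192.168.22.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh 198.51.100.0 255.255.255.0 outside
ssh version 2
"""

# Matches: ssh|telnet <network> <mask> <interface>
ACCESS_RE = re.compile(r"^(ssh|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def audit_mgmt_access(config_text):
    """Return (severity, message) findings for SSH/telnet management lines."""
    findings = []
    saw_ssh = saw_aaa = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("aaa authentication ssh console"):
            saw_aaa = True
        if line == "ssh version 1":
            findings.append(("high", "SSH version 1 is enabled"))
        m = ACCESS_RE.match(line)
        if not m:
            continue  # e.g. "ssh version 2" or "ssh timeout 5" are not access rules
        proto, addr, mask, iface = m.groups()
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        saw_ssh = saw_ssh or proto == "ssh"
        if proto == "telnet":
            findings.append(("medium", f"telnet (cleartext) allowed from {net} on {iface}"))
        if net.prefixlen == 0:  # 0.0.0.0 0.0.0.0 means any source address
            findings.append(("high", f"{proto} allowed from any address on {iface}"))
        elif iface == "outside" and net.prefixlen < 24:  # threshold is this example's policy
            findings.append(("medium", f"{proto} allowed from broad range {net} on {iface}"))
    if saw_ssh and not saw_aaa:
        findings.append(("medium", "ssh access configured without 'aaa authentication ssh console'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_mgmt_access(SAMPLE_SHOW_RUN):
        print(f"[{severity}] {message}")
```

Paste the device's own show run output in place of the sample to check a unit after enabling SSH.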