When an IPsec VPN tunnel goes down, remote sites lose connectivity and users cannot access critical resources. For the CCNA 200-301 exam (objective 5.7), you must be able to systematically diagnose and resolve the most common causes of tunnel failure. In real networks, VPN tunnels are the backbone of site-to-site connectivity, and knowing how to troubleshoot them quickly separates a competent engineer from one who wastes hours rebooting routers.
Jump to a section
Imagine a secure facility with two buildings connected by an intercom system. Each building has a guard who must verify the other's identity before allowing communication. The intercom uses a shared secret phrase (pre-shared key) that both guards know. When a call is initiated, the guards first exchange 'hello' messages to agree on a language (IKE Phase 1) and establish a secure control channel. They then negotiate which specific door (encryption algorithm) and key (crypto key) to use for the actual conversation (IKE Phase 2). If the shared phrase doesn't match, the guards refuse to talk—that's a mismatch in pre-shared keys. If one guard uses a different language version (IKE version mismatch), the hello messages are garbled. If the doors they agree on don't match the doors actually installed (transform set mismatch), the conversation fails. Also, if the guards have outdated lists of allowed callers (ACL mismatch), they may hang up on a legitimate caller. Finally, if one guard's clock is off by more than a few minutes, they might think the call is a replay attack and drop it—that's a time synchronization issue. This analogy maps directly to the ISAKMP/IKE and IPsec negotiation steps.
What is IPsec and Why Does the Tunnel Go Down?
IPsec (IP Security) is a suite of protocols used to secure IP communications by authenticating and encrypting each IP packet in a data stream. A site-to-site IPsec VPN tunnel is established between two routers (or firewalls) to create a secure path for traffic between two private networks over an untrusted network like the internet. When the tunnel is 'down,' no encrypted traffic can pass, and the underlying cause can be anything from a simple configuration typo to a mismatch in security parameters.
How IPsec VPN Tunnel Establishment Works (Step by Step)
IPsec tunnel establishment follows a two-phase process using Internet Key Exchange (IKE):
Phase 1 (IKE SA): The two peers establish a secure, authenticated control channel. This can use Main Mode or Aggressive Mode. Main Mode (default) uses six messages:
Messages 1-2: Propose encryption, hash, authentication, and Diffie-Hellman group.
Messages 3-4: Exchange Diffie-Hellman public values and nonces.
Messages 5-6: Authenticate using pre-shared key or certificates.
Phase 2 (IPsec SA): Using the secure channel from Phase 1, the peers negotiate the IPsec security associations (SAs) for data traffic. This uses Quick Mode (three messages) to agree on transform sets (encryption, integrity, and encapsulation mode) and to generate keying material for each direction.
Once Phase 2 completes, the tunnel is 'up' and traffic can flow encrypted.
Key States, Timers, and Defaults
IKE SA lifetime: Default 86400 seconds (24 hours). Can be adjusted.
IPsec SA lifetime: Default 3600 seconds (1 hour). Can be per-traffic or time-based.
DPD (Dead Peer Detection): Periodic keepalives; default interval 10 seconds, retry 2 times.
ISAKMP identity: address (default) or hostname.
Transform set defaults: esp-aes 256, esp-sha-hmac, tunnel mode.
IOS CLI Verification Commands
To check the status of a tunnel, use these commands:
show crypto isakmp sa
show crypto ipsec sa
show crypto mapExample output of show crypto isakmp sa:
IPv4 Crypto ISAKMP SA
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
1001 10.1.1.1 10.2.2.2 ACTIVE aes sha psk 2 23:59:30If the SA is in MM_NO_STATE or MM_KEY_EXCH, Phase 1 has not completed. If it shows ACTIVE, Phase 1 is up.
Example output of show crypto ipsec sa:
interface: Tunnel0
Crypto map tag: CMAP, local addr 10.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
current_peer 10.2.2.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.2.2.2
plaintext mtu 1400, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: noneIf no inbound/outbound SAs are present (spi=0x0), Phase 2 has not completed.
How It Interacts with Related Protocols
Routing: The tunnel interface must have a route pointing to the remote network. Without it, traffic won't trigger the crypto map.
NAT: If NAT occurs between peers, IPsec may break unless NAT-Traversal (NAT-T) is enabled (UDP 4500).
Firewalls: UDP 500 (ISAKMP) and ESP (IP protocol 50) must be allowed. Also, UDP 4500 for NAT-T.
ACLs: The crypto ACL on both sides must be mirror images. A mismatch causes no interesting traffic to match.
Common Causes of Tunnel Down
Mismatched pre-shared keys – Phase 1 authentication fails.
Mismatched IKE policies – Encryption, hash, DH group, or authentication method differ.
Mismatched transform sets – Phase 2 fails because encryption/integrity settings don't match.
ACL mismatch – The crypto ACLs on each side define different traffic to protect.
Routing issues – No route to the remote peer or to the remote network via the tunnel.
Firewall blocking – UDP 500, ESP, or NAT-T ports blocked.
Time skew – If using certificates, time difference > 5 minutes can cause certificate validation failure.
Troubleshooting with Debug
Use debug crypto isakmp and debug crypto ipsec to see negotiation messages. This is high CPU, but essential for pinpointing the issue. Look for error messages like:
- %CRYPTO-4-IKMP_BAD_MESSAGE – indicates mismatched parameters.
- %CRYPTO-4-IKMP_NO_PEER – peer unreachable.
- %CRYPTO-4-IKMP_NO_POLICY – no matching IKE policy.
Always use no debug all when done.
Verify IKE Phase 1 status
Use `show crypto isakmp sa` to see if Phase 1 is ACTIVE. If the state is MM_NO_STATE, MM_KEY_EXCH, or MM_WAIT_MSG_*, Phase 1 has not completed. Check for mismatched IKE policies (encryption, hash, DH group, authentication). Verify that the pre-shared key is the same on both sides using `show running-config | include crypto isakmp key`. Also ensure the peer IP address is reachable via `ping`.
Verify IKE Phase 2 status
Use `show crypto ipsec sa` to see if IPsec SAs are present. Look for inbound and outbound SAs (spi values). If none exist, Phase 2 failed. Common causes: mismatched transform sets (check with `show crypto ipsec transform-set`), mismatched crypto ACLs (use `show access-lists`), or lifetime mismatch. Ensure the crypto map is applied to the correct interface.
Check crypto ACLs for mirror image
The crypto ACL on each side must be a mirror image (source/destination swapped). Use `show access-lists <acl-name>` to display the ACL. For example, if side A permits 10.1.1.0/24 to 10.2.2.0/24, side B must permit 10.2.2.0/24 to 10.1.1.0/24. A common mistake is using the same ACL on both sides, which causes traffic to not match and the tunnel to never be initiated.
Verify routing and interface status
Ensure the tunnel interface is up/up (`show ip interface brief`). Check that there is a route to the remote private network via the tunnel interface (`show ip route`). Also verify that the router knows how to reach the remote peer's public IP (routing or default route). Without proper routing, packets destined for the remote network will not be sent into the tunnel.
Check firewall and NAT configuration
Ensure that firewalls between the peers allow UDP 500 (ISAKMP) and IP protocol 50 (ESP). If NAT is involved, verify that NAT-T is enabled (UDP 4500). On Cisco routers, NAT-T is automatically negotiated if both sides support it. Use `show crypto isakmp sa` to see if NAT-T is being used (the port may show 4500). If NAT is breaking IPsec, consider using `crypto isakmp nat-traversal`.
Verify time synchronization
If using certificates or if the router has a clock skew of more than 5 minutes, IKE authentication may fail. Use `show clock` on both peers to compare times. If out of sync, configure NTP (`ntp server <ip>`). Even with pre-shared keys, time skew can cause issues if DPD timers are too tight or if certificate validation is used. Always synchronize clocks in production.
In a typical enterprise environment, site-to-site IPsec VPNs connect branch offices to the headquarters. For example, a retail chain might have 50 stores each with a Cisco router terminating a VPN to the data center. The most common real-world issue is that after a router reboot, the tunnel fails to come up because the pre-shared key was not re-entered correctly after a configuration change. Another scenario: when a new firewall is placed in the path, the administrator forgets to allow ESP traffic, causing the tunnel to flap or stay down. In production, network engineers often use a phased rollout: first verify Phase 1 with show crypto isakmp sa, then Phase 2 with show crypto ipsec sa. They also rely on syslog messages like %CRYPTO-4-IKMP_BAD_MESSAGE to quickly identify mismatches. A common scale consideration: with many tunnels, the router's CPU can spike during rekey events. Performance tuning includes adjusting SA lifetimes to reduce rekey frequency. When misconfigured, the most subtle issue is an ACL mismatch that causes the tunnel to come up but no traffic to be encrypted, leading to dropped packets or black holes. Engineers learn to always verify the crypto ACLs on both sides are exact mirrors.
On the CCNA 200-301 exam, objective 5.7 covers troubleshooting IPsec VPN tunnels. The exam will present a scenario where a tunnel is down and you must identify the cause from show command outputs or configuration snippets. The most common wrong answers are:
Wrong answer: 'The tunnel interface is down' – Candidates see a tunnel interface status down/down and blame the interface. But the tunnel interface is a virtual interface; it can be up even if the underlying physical link is down. The real issue is often an ACL or routing problem.
Wrong answer: 'The crypto map is not applied' – While this is a possible cause, exam questions often have the crypto map applied correctly. Candidates jump to this without checking Phase 1 or Phase 2 SAs.
Wrong answer: 'The pre-shared key is missing' – The key might be present but mismatched. Candidates often forget to check both sides.
Wrong answer: 'NAT is breaking the tunnel' – NAT is a common issue, but the exam often provides evidence that NAT-T is enabled or that no NAT is occurring. Look for clues like show crypto isakmp sa showing port 500 or 4500.
Decision rule: Start with show crypto isakmp sa – if Phase 1 is not ACTIVE, the problem is in IKE policy or key. If Phase 1 is ACTIVE but Phase 2 SAs are missing, the problem is in transform sets or crypto ACLs. Use debug crypto isakmp to see exact error messages. The exam may show a snippet like %CRYPTO-4-IKMP_BAD_MESSAGE which indicates a mismatch. Remember that the crypto ACL must be a mirror image – this is a classic trap.
Specific values: ISAKMP default lifetime 86400 seconds, IPsec SA default 3600 seconds. Default transform set: esp-aes 256 esp-sha-hmac. DPD interval 10 seconds. Know these for multiple-choice questions.
IKE Phase 1 uses UDP port 500; Phase 2 uses ESP (IP protocol 50) or AH (51).
Default IKE SA lifetime is 86400 seconds (24 hours); default IPsec SA lifetime is 3600 seconds (1 hour).
Crypto ACLs must be mirror images on both peers, otherwise Phase 2 fails.
Use `show crypto isakmp sa` to verify Phase 1 status; 'ACTIVE' means Phase 1 is up.
Use `show crypto ipsec sa` to verify Phase 2; look for inbound/outbound SAs with non-zero SPI.
Common cause of tunnel down: mismatched pre-shared keys or IKE policies.
NAT-T uses UDP 4500; enabled automatically if both peers support it.
These come up on the exam all the time. Here's how to tell them apart.
IKEv1
Uses Main Mode or Aggressive Mode (6 or 3 messages for Phase 1).
Separate Phase 1 and Phase 2 exchanges.
Less secure due to fewer built-in protections (e.g., no built-in DDoS protection).
Default lifetime 86400 seconds for Phase 1.
Not as robust in handling network changes.
IKEv2
Uses a single exchange (4 messages) for both Phase 1 and Phase 2.
Simpler and faster negotiation.
Built-in DDoS protection and improved security (e.g., optional EAP).
Default lifetime 86400 seconds for IKE SA.
More resilient, supports MOBIKE for mobility.
Mistake
If the tunnel interface is up, the IPsec tunnel is up.
Correct
The tunnel interface can be up/up even if no IPsec SAs exist. The tunnel is only functional when both Phase 1 and Phase 2 SAs are established.
Candidates confuse the virtual interface state with the actual security association state.
Mistake
The crypto ACL should permit all traffic from the local network to the remote network.
Correct
The crypto ACL should only permit the traffic you want to encrypt. Permitting all traffic can cause routing loops or unexpected behavior.
Candidates think a broad ACL is safer, but it can cause problems like hairpinning.
Mistake
If the pre-shared key matches, Phase 1 will always succeed.
Correct
Phase 1 also requires matching IKE policies (encryption, hash, DH group, authentication method). A mismatch in any of these will cause Phase 1 to fail.
Candidates focus only on the PSK and forget that the entire policy must match.
Mistake
NAT always breaks IPsec tunnels.
Correct
NAT breaks IPsec only if NAT-T is not supported. Most modern routers support NAT-T, which encapsulates ESP in UDP 4500 to bypass NAT.
Candidates may have experience with older equipment that didn't support NAT-T, but the exam assumes modern IOS.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
MM_NO_STATE means that IKE Phase 1 has not been initiated or has failed. This is often due to a mismatch in IKE policies (encryption, hash, DH group, authentication) or the pre-shared key. Also check that the peer IP address is reachable via ping. Use `debug crypto isakmp` to see the exact error. Common fixes: verify the IKE policy on both sides, ensure the pre-shared key is identical, and check for firewall blocking UDP 500.
Use `show crypto isakmp sa` and look at the port number. If NAT-T is active, the port will show 4500 instead of 500. Also, the command `show crypto ipsec sa` will show 'NAT-T' in the details. If NAT is present and NAT-T is not used, the tunnel may fail. Ensure both routers support NAT-T (most modern IOS do). You can also configure `crypto isakmp nat-traversal` to force it.
The 'inbound esp sas' section displays the inbound IPsec security associations (SAs) for ESP. It includes the SPI (Security Parameter Index), the encryption and integrity algorithms, and the lifetime. If no inbound SAs are listed, Phase 2 has not completed. You need both inbound and outbound SAs for the tunnel to function.
Yes, a mismatch in the transform set will cause Phase 2 to fail. The transform set includes the encryption algorithm (e.g., aes-cbc-256), integrity algorithm (e.g., esp-sha-hmac), and mode (tunnel or transport). Both peers must have identical transform sets. Use `show crypto ipsec transform-set` to verify.
This is often due to a lifetime mismatch or a routing change. If the IKE or IPsec SA lifetimes differ, the tunnel may drop when one side tries to rekey. Also, if a route changes, the tunnel may not have a path. Check the lifetimes with `show crypto isakmp sa` and `show crypto ipsec sa`. Also verify that DPD is configured to detect dead peers.
Use `clear crypto sa` to clear all IPsec SAs, or `clear crypto sa peer <ip>` for a specific peer. To clear IKE SAs, use `clear crypto isakmp <connection-id>`. After clearing, the tunnel will renegotiate. This is useful after making configuration changes.
The default IKE SA lifetime is 86400 seconds (24 hours). The default IPsec SA lifetime is 3600 seconds (1 hour). These can be changed with the `crypto isakmp policy` and `crypto ipsec security-association lifetime` commands. Make sure both peers have matching lifetimes or the rekey may fail.
You've just covered Troubleshoot: IPsec VPN Tunnel Down — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?