
IPSec Troubleshooting Steps
Check for interesting traffic to initiate the tunnel: look at the crypto ACL hit counts (show access-lists)
If there are none, verify routing toward the remote subnet (static or RRI)
Verify that the IKE SA is up for that peer (state QM_IDLE in show crypto isakmp sa)
If not, verify that the pre-shared keys match
Verify that the IKE policies (encryption, hash/authentication, DH group) match
Verify that the IKE identities match (address vs. hostname)
Verify that the IPSec SAs are up (inbound and outbound SPIs present)
If not, verify that the IPSec transform sets match
Verify that the crypto ACLs are mirror images of each other on the two sides
Verify that the crypto map is applied on the right (outside) interface
Turn on IKE/IPSec debugs (crypto conditional debugs on production routers)
IPSec Show Commands
To show IKE SA information:
show crypto isakmp sa [vrf <vrf-name>] [detail]
show crypto isakmp peer <ip-addr>
To show IPSec SA information:
show crypto ipsec sa [address | detail | interface <type number> | map <map-name> | peer <ip-addr> | vrf <vrf-name>]
To show IKE and IPSec information together:
show crypto session [fvrf <vrf-name>] [ivrf <vrf-name>] [group <group-name>] [username <name>] [detail]
show crypto engine connection active

From <https://supportforums.cisco.com/blog/150056/ipsec-important-debugging-and-logging>
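The checklist and show commands above, worked as a script: this is an added example (Python, not code from the original blog post) that parses constructed `show crypto isakmp sa` and `show crypto ipsec sa` output and reports, per peer, the first checklist step that fails and the conditional debug sequence to run next. The peer addresses, SPIs and counters are made up for the example, and the parsing assumes the column layout of those two commands as shown in the samples.

```python
"""Walk the IPSec troubleshooting checklist over captured IOS show output.

Added example, not code from the original blog post: parses constructed
'show crypto isakmp sa' / 'show crypto ipsec sa' text and reports, per peer,
the first checklist step that fails. Addresses, SPIs, counters are made up.
"""
import re

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"

# Constructed sample: one healthy IKE SA, one peer stuck in main mode.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
198.51.100.2    203.0.113.1     QM_IDLE           1001 ACTIVE
198.51.100.3    203.0.113.1     MM_NO_STATE       1002 ACTIVE (deleted)
"""

# Constructed sample: first peer encapsulates but never decapsulates, second
# peer has no IPSec SAs at all (local/remote ident lines omitted for brevity).
IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.1
   current_peer 198.51.100.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x3D4F2A1B(1028532763)
   current_peer 198.51.100.3 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
     outbound esp sas:
"""

def parse_isakmp_sa(text, local_addr):
    """Map peer -> IKE state. 'dst' is the peer only for SAs this router
    initiated; for responder-side SAs the peer sits in the 'src' column."""
    states = {}
    for line in text.splitlines():
        m = re.match(r"\s*" + IPV4 + r"\s+" + IPV4 + r"\s+(\S+)\s+\d+", line)
        if m:
            dst, src, state = m.groups()
            states[src if dst == local_addr else dst] = state
    return states

def parse_ipsec_sa(text):
    """Map peer -> encaps/decaps counters and first inbound/outbound ESP SPI."""
    peers, cur, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"current_peer " + IPV4, line)
        if m:  # new crypto map entry (a peer seen twice keeps the later counters)
            cur = peers.setdefault(m.group(1), {"encaps": 0, "decaps": 0,
                                                "inbound_spi": None, "outbound_spi": None})
            section = None
            continue
        if cur is None:
            continue
        m = re.match(r"#pkts (encaps|decaps): (\d+)", line)
        if m:
            cur[m.group(1)] = int(m.group(2))
        elif line.startswith("inbound esp sas"):
            section = "inbound_spi"
        elif line.startswith("outbound esp sas"):
            section = "outbound_spi"
        elif line.startswith(("inbound ", "outbound ")):  # ah/pcp: no ESP SPI here
            section = None
        elif section and line.startswith("spi: ") and cur[section] is None:
            cur[section] = line.split()[1].split("(")[0]  # keep the hex SPI only
    return peers

def diagnose(peer, ike_states, ipsec_sas):
    """Return (failing_step, advice), walking the checklist in order."""
    state = ike_states.get(peer)
    if state is None:  # nothing ever triggered a negotiation with this peer
        return ("interesting traffic", "no IKE SA: check crypto ACL hit counts and routing (static or RRI)")
    if state != "QM_IDLE":  # stuck in main mode: PSK, policy or identity mismatch
        return ("IKE SA", "IKE state %s: verify pre-shared key, IKE policy (encr/auth/DH), identities" % state)
    sa = ipsec_sas.get(peer)
    if sa is None or not (sa["inbound_spi"] and sa["outbound_spi"]):
        return ("IPSec SA", "no SPIs: verify transform sets, mirrored crypto ACLs, crypto map interface")
    if sa["encaps"] == 0:
        return ("interesting traffic", "SAs up but nothing encapsulated: check routing")
    if sa["decaps"] == 0:
        return ("return traffic", "encapsulating but never decapsulating: check the remote side's ACL/routing")
    return ("OK", "IKE and IPSec SAs up, traffic flowing both ways")

def next_debug(peer):
    """Conditional debug sequence for one peer, then the reset to clean up."""
    return ["debug crypto condition peer ipv4 %s" % peer, "debug crypto isakmp",
            "debug crypto ipsec", "debug crypto condition reset"]

if __name__ == "__main__":
    ike, sas = parse_isakmp_sa(ISAKMP_SA, "203.0.113.1"), parse_ipsec_sa(IPSEC_SA)
    for peer in sorted(set(ike) | set(sas)):
        step, advice = diagnose(peer, ike, sas)
        print(peer, "->", step + ":", advice, "| next:", "; ".join(next_debug(peer)))
```

The one subtlety worth noticing is in parse_isakmp_sa: the dst/src columns of show crypto isakmp sa follow the direction of the first IKE packet, so on a hub that was the responder the peer address is in the src column, and a checker keyed on dst alone would report "no IKE SA" for every spoke that initiated.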
Cisco IOS IPSec Debugging
These are the IKE/IPSec debugs currently available; in practice debug crypto isakmp and debug crypto ipsec (plus their error variants) cover most cases.
Make sure to use crypto conditional debugs when troubleshooting production routers: unfiltered crypto debugs on a hub with many tunnels flood the console and load the CPU.
debug crypto isakmp
debug crypto isakmp error
debug crypto isakmp ha
debug crypto ipsec
debug crypto ipsec error
debug crypto routing
debug crypto ha
debug crypto engine error
debug crypto engine packet
Crypto Conditional Debugging
Use crypto conditional debugging when troubleshooting live networks, especially where multiple tunnels terminate on the same device: it restricts the debug output to the tunnel you care about instead of every peer on the box.
The crypto conditional debug CLIs (debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition) let you specify conditions (filter values) so that only debug messages matching those conditions are generated and displayed.
The router performs conditional debugging only after at least one of the global crypto debug commands (debug crypto isakmp, debug crypto ipsec, or debug crypto engine) has been enabled; this requirement ensures that router performance is not affected while conditional debugging is not in use. Set the condition first and enable the global debug afterwards, so no unfiltered output is produced in between.
To enable crypto conditional debugging:
debug crypto condition <cond-type> <cond-value>
debug crypto { isakmp | ipsec | engine }
To view crypto condition debugs that have been enabled:
show crypto debug-condition [all | peer | fvrf | ivrf | isakmp | username | connid | spi]
To disable crypto condition debugs:
debug crypto condition reset
Condition types for debug crypto condition <cond-type> <cond-value>:
fvrf <name>: the name of a VPN routing and forwarding (VRF) instance; relevant debug messages are shown if the current IPSec operation uses this VRF as its front-door VRF (FVRF)
ivrf <name>: the name of a VRF instance; relevant debug messages are shown if the current IPSec operation uses this VRF as its inside VRF (IVRF)
isakmp profile <name>: the name of the ISAKMP profile to match against for debugging
local ipv4 <addr>: the IP address of the local IKE endpoint
peer group <name>: an EzVPN group name; relevant debug messages are shown if the peer uses this group name as its identity
peer ipv4 <addr>: a single IP address; relevant debug messages are shown if the current IPSec operation involves this peer address
peer subnet <subnet> <mask>: a subnet and subnet mask (not CIDR notation) specifying a range of peer addresses; relevant debug messages are shown if the current IPSec peer's address falls within that range
peer hostname <fqdn>: a fully qualified domain name (FQDN); relevant debug messages are shown if the peer uses this string as its identity
username <name>: the username (XAuth username, or the PKI-AAA username obtained from a certificate)
Clearing VPN Tunnel
To clear the IKE SA (Phase 1):
clear crypto isakmp sa
To clear the IPSec SAs (Phase 2):
clear crypto ipsec sa
(The classic IOS forms are clear crypto isakmp and clear crypto sa.) Clearing only the IKE SA does not tear down IPSec SAs that are already passing traffic; they typically stay up until their lifetime expires. To force one peer to renegotiate from scratch, clear that peer's session (clear crypto session remote <peer-addr>) rather than clearing every SA on a busy hub, and expect a short outage for that peer.
Crypto Logging
Two crypto logging enhancements were introduced in recent Cisco IOS images:
Hub(config)# crypto logging ?
  ezvpn    ezvpn logging enable/disable
  session  logging up/down session
crypto logging session, introduced in 12.3(14)T, displays tunnel up/down messages:
%CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 40.10.1.1:500 Id: 40.10.1.1
%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
crypto logging ezvpn, introduced in 12.4(4)T, displays EasyVPN connection messages (here on a server with front-door VRF FVRF1):
%CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 2.2.2.2:500 f_vrf:FVRF1 Id: cisco
%CRYPTO-6-EZVPN_CONNECTION_DOWN: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
%CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 2.2.2.2:500 f_vrf:FVRF1 Id: cisco
%CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
Unlike debugs, both are cheap enough to leave enabled permanently; send them to a syslog server, since a tunnel DOWN message is often the first visible sign of a problem.
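The two message formats above, parsed into events: an added example (Python, not code from the original blog post) that reads constructed syslog lines of the %CRYPTO-5-SESSION_STATUS and %CRYPTO-6-EZVPN_CONNECTION_UP/DOWN forms, keeps the last known state per peer and flags peers whose tunnel bounces. The log lines, timestamps, peer addresses and the flap threshold (two DOWN events within five minutes) are all constructed for the example; the messages only appear on a router where crypto logging session / crypto logging ezvpn is configured.

```python
"""Turn crypto logging messages into structured tunnel events.

Added example, not code from the original blog post. Parses constructed
%CRYPTO-5-SESSION_STATUS and %CRYPTO-6-EZVPN_CONNECTION_UP/DOWN syslog lines,
tracks last known state per peer and flags peers that bounce repeatedly.
"""
import re
from datetime import datetime, timedelta

TS_RE = re.compile(r"^\*?(\w{3}\s+\d+ \d\d:\d\d:\d\d)")  # year-less IOS timestamp
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\.\s*"
    r"Peer (?P<peer>[\d.]+):(?P<port>\d+)\s*(?:f_vrf:(?P<fvrf>\S+)\s*)?Id: (?P<id>\S+)")
EZVPN_RE = re.compile(
    r"%CRYPTO-6-EZVPN_CONNECTION_(?P<state>UP|DOWN): \((?P<role>\w+)\) (?P<kv>.*)")

# Constructed sample: 40.10.1.1 goes down twice within two minutes, the
# EasyVPN client 2.2.2.2 behind FVRF1 drops once and comes back.
LOG = """\
Mar  1 10:00:01.001: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:00:45.210: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:01:02.330: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:01:50.004: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:02:11.120: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 40.10.1.1:500 Id: 40.10.1.1
Mar  1 10:05:00.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 2.2.2.2:500 f_vrf:FVRF1 Id: cisco
Mar  1 10:05:00.010: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
Mar  1 10:06:30.500: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 2.2.2.2:500 f_vrf:FVRF1 Id: cisco
Mar  1 10:06:30.510: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
"""

def parse_events(text):
    """One dict per recognised crypto logging line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        ts = TS_RE.match(line)
        if not ts:
            continue
        when = datetime.strptime(ts.group(1), "%b %d %H:%M:%S")
        m = SESSION_RE.search(line)
        if m:
            events.append({"ts": when, "kind": "session", "state": m["state"],
                           "peer": m["peer"], "fvrf": m["fvrf"], "id": m["id"]})
            continue
        m = EZVPN_RE.search(line)
        if m:  # key=value pairs; an empty value ("User=") is kept as ""
            kv = dict(item.split("=", 1) for item in m["kv"].split())
            events.append({"ts": when, "kind": "ezvpn", "state": m["state"],
                           "role": m["role"], "peer": kv.get("Client_public_addr"),
                           "group": kv.get("Group"), "user": kv.get("User", ""),
                           "fvrf": kv.get("f_vrf")})
    return events

def last_state(events):
    """Last known UP/DOWN per peer from the session messages, in log order."""
    state = {}
    for e in events:
        if e["kind"] == "session":
            state[e["peer"]] = e["state"]
    return state

def flapping_peers(events, window=timedelta(minutes=5), min_downs=2):
    """Peers whose tunnel went DOWN at least min_downs times inside one window."""
    downs = {}
    for e in events:
        if e["kind"] == "session" and e["state"] == "DOWN":
            downs.setdefault(e["peer"], []).append(e["ts"])
    flapping = set()
    for peer, times in downs.items():
        times.sort()
        for i in range(len(times) - min_downs + 1):
            if times[i + min_downs - 1] - times[i] <= window:
                flapping.add(peer)
                break
    return flapping

if __name__ == "__main__":
    evts = parse_events(LOG)
    print("last state:", last_state(evts))
    print("flapping:", flapping_peers(evts))
```

A peer that is UP right now but appears in the flapping set is the one to point the conditional debugs at: the session log tells you which tunnel is unstable without any debug being enabled, and the DOWN messages give you the time window to correlate with the peer's own logs.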
That's all from my side today.

