VPN debugging on ASA

  1. Check to see if there are duplicate ASP tables:
       sh asp table classify crypto
       sh asp table vpn-context detail
  2. Filter debug output to single or multiple tunnels:
       debug crypto condition peer <remote peer>
  3. Debug commands for IKEv1 and IKEv2:
       debug crypto ikev1 127
       debug crypto ikev2 protocol 127
  4. Debug commands for IPsec:
       debug crypto ipsec 127

Reduce dropped packets during rekey

Set the following command on your Cisco ASA to stop random VPN drops from happening. This command keeps stateful connections alive when the VPN connection drops. The issue might present itself whenever the VPN tunnel is in the middle of rekeying, but this command will keep the sessions alive until the rekey is done and the VPN is operational again.

sysopt connection preserve-vpn-flows