topic Re: Make ASA debug commands persistent in Network Security

Make ASA debug commands persistent

lukasl1991 — Fri, 01 Mar 2024 07:49:57 GMT

Hello community,

I refer to this (quite old) discussion and this answer which is not that old... But I have an ASA with software version 9.9(2)80. I would like to send debug messages via syslog even after ssh logout.

The answer tells that one should at first use logging debug-trace persistent and afterwards the desired debug commands. This sould make the debug config persistent. I paste the example here again:

debug aaa shim enabled at level 255
debug aaa shim enabled at level 255 (persistent)
debug webvpn enabled at level 255
debug webvpn enabled at level 255 (persistent)
debug webvpn xml enabled at level 255
debug webvpn xml enabled at level 255 (persistent)
debug webvpn anyconnect enabled at level 255
debug webvpn anyconnect enabled at level 255 (persistent)

Regardless of the order of these two steps I cannot make debugging persistent. What am I doing wrong? Is that feature still working? I think logging debug-trace persistent is quite useless when all debuggers won't be persistent.

Re: Make ASA debug commands persistent

MHM Cisco World — Fri, 01 Mar 2024 08:06:36 GMT

You want to send debug ad syslog to server even if there is no ssh/telnet

logging debug-trace persistent <<- this command do that

But you need also to make log level 7

Move the debug specific message to lower level like level 3 or 4 and config log level 3 or 4.

MHM

Re: Make ASA debug commands persistent

lukasl1991 — Fri, 01 Mar 2024 10:36:24 GMT

Yes, this command is persistent over different ssh sessions. And I also have issued the logging trap debug command. Now I have debug logs arriving on my syslog server.

I'd like to use additional debug commands. Their output should then arrive as %ASA-7-711001: debug_trace_msg on my syslog server. (Cisco Secure Firewall ASA Series Syslog Messages - Syslog Messages 701001 to 714011 [Cisco Secure Firewall ASA] - Cisco)

asa# show debug
debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ike-common enabled at level 255

Crypto conditional debug is turned ON

IKE peer IP address filters:
A.B.C.D/32

This also works. For example, I have the following line on my syslog server:

%ASA-7-711001: IKEv2-PROTO-7: (14829): Restarting DPD timer 10 secs#012

When I now exit the ssh session, the debug crypto commands do not persist. (The only exception is the peer address.) This answer describes that also these debug lines should persist if they are issued AFTER logging debug-trace persistent. This is what I've done. The ASA doesn't even show the suffix (persistent) in the show debug output before I quit the ssh.

Re: Make ASA debug commands persistent

MHM Cisco World — Fri, 01 Mar 2024 10:37:30 GMT

can I see logging config of asa

MHM

Re: Make ASA debug commands persistent

lukasl1991 — Fri, 01 Mar 2024 10:39:09 GMT

Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: enabled (persistent)
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 3000777717 messages logged
Trap logging: level debugging, facility 20, 2399028060 messages logged
Logging to outside <syslogA>, UDP TX:7843971 errors: 2 dropped: 22
Logging to outside <syslogB>, UDP TX:909631 errors: 4 dropped: 19
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 0
CHANNEL_FLAP_CNT: 0, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled

Re: Make ASA debug commands persistent

lukasl1991 — Fri, 01 Mar 2024 10:50:12 GMT

Ok, now it magically works. No idea what the problem was. But nevertheless, the output is

debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ike-common enabled at level 255

Crypto conditional debug is turned ON

IKE peer IP address filters:
A.B.C.D/32

without persistent in parentheses.

And after you reconnct via ssh you only have this output:

asa# sh debug

Crypto conditional debug is turned ON

IKE peer IP address filters:
A.B.C.D/32

But thats ok for me as long as the syslog messages arrive. Thanks for your efforts!

Re: Make ASA debug commands persistent

MHM Cisco World — Fri, 01 Mar 2024 11:46:13 GMT

friend you are so welcome
have a nice weekend

MHM

Re: Make ASA debug commands persistent

MHM Cisco World — Fri, 01 Mar 2024 12:05:51 GMT

by the way the crypto conditional is ON and debug appear only for peer A.B.C.D/32 <<- if that what you want it OK if not disable condition to see debug for all peers and for all VPN

MHM

Re: Make ASA debug commands persistent

lukasl1991 — Fri, 01 Mar 2024 12:11:28 GMT

Yes, this is the vpn which is to be debugged right now.

Also a nice weekend for you!