https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162675#M357999 <HTML><HEAD></HEAD><BODY><P>jcarvaja,</P><P></P><P>Thank you. Your question answered mine. As soon as I increased the debug level I started seeing the output I was expecting. This has been a big doh!!! moment.</P><P></P><P>Thank you for your help,</P><P></P><P>Denny</P></BODY></HTML> Wed, 17 Apr 2013 21:01:51 GMT dennylester 2013-04-17T21:01:51Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162669#M357993 <P>Since upgrading from Pix to ASA, I haven't had to try to debug anything. Today I needed to debug an issue with a LAN to LAN tunnel coming up. I issued the commands I am used to using and so much debug information, not pertaining to what I am wanting to debug, is flying across the screen it's impossible to see what I am looking for. </P><P></P><P>How does one limit the debug output to the SSH session? For example, debug crypto isakmp?</P><P></P><P>Denny&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Tue, 12 Mar 2019 01:30:41 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162669#M357993 dennylester 2019-03-12T01:30:41Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162670#M357994 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you want to debug a single L2L VPN connection you can enable the following configuration</P><P></P><P><STRONG>ASA# debug crypto condition peer 1.1.1.1</STRONG></P><P></P><P>This should limit the debugs to only this specific L2L VPN Peer</P><P></P><P>You can confirm the setting with</P><P></P><P><STRONG>ASA# sh crypto debug-condition</STRONG></P><P></P><P><STRONG>Crypto conditional debug is turned ON</STRONG></P><P><STRONG>IKE debug context unmatched flag:&nbsp; OFF</STRONG></P><P><STRONG>IPSec debug context unmatched flag:&nbsp; OFF</STRONG></P><P><STRONG>IKE debug context error flag:&nbsp; OFF</STRONG></P><P><STRONG>IPSec debug context error flag:&nbsp; OFF</STRONG></P><P></P><P><STRONG>IKE peer IP address filters:</STRONG></P><P><STRONG>1.1.1.1/32</STRONG></P><P></P><P>After this you can use the <STRONG>"debug crypto isakmp"</STRONG> and <STRONG>"debug crypto ipsec"</STRONG> commands</P><P></P><P>When you are done be sure to remove the above condition we set with the command</P><P></P><P><STRONG>ASA# debug crypto condition reset</STRONG></P><P><STRONG>Do you want to clear the crypto debug filters? [confirm]</STRONG></P><P></P><P></P><P>Also, you might have to change the logging lever for monitor</P><P></P><P><STRONG>logging monitor debugging</STRONG></P><P></P><P>And during the SSH connection issue the command</P><P></P><P><STRONG>terminal monitor</STRONG></P><P></P><P>And to disable it enter</P><P></P><P><STRONG>terminal no monitor</STRONG></P><P></P><P>You should be able to disable all debugging with</P><P></P><P><STRONG>no debug all</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Wed, 17 Apr 2013 20:11:36 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162670#M357994 Jouni Forss 2013-04-17T20:11:36Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162671#M357995 <HTML><HEAD></HEAD><BODY><P>Well, I gave this a shot and again, it was outputting all sorts of debug messages to the screen pertaining to ACL's, session teardowns, etc, etc.</P><P></P><P>Do I need to go through every ACL and turn logging off to do debugging these days?</P></BODY></HTML> Wed, 17 Apr 2013 20:40:14 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162671#M357995 dennylester 2013-04-17T20:40:14Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162672#M357996 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Can you share the show debug </P><P></P><P>Regards</P></BODY></HTML> Wed, 17 Apr 2013 20:54:17 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162672#M357996 Julio Carvajal 2013-04-17T20:54:17Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162673#M357997 <HTML><HEAD></HEAD><BODY><P> I assume you mean the output of the show debug command</P><P></P><P>NOCASA5550-1# show debug</P><P>debug crypto isakmp enabled at level 1</P><P>NOCASA5550-1#</P></BODY></HTML> Wed, 17 Apr 2013 20:57:22 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162673#M357997 dennylester 2013-04-17T20:57:22Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162674#M357998 <HTML><HEAD></HEAD><BODY><P>Hmm,</P><P></P><P>I guess it does show all the connection and translation forming messages also?</P><P></P><P>I guess there is an option to temporarily disable the most common Syslog messages from being generated. Naturally this is not an ideal situation since if you have Syslog server configuration you will end up missing some logs.</P><P></P><P>The configuration command to disable some Syslog ID would be</P><P></P><P><STRONG>no logging message <SYSLOG id=""></SYSLOG></STRONG></P><P></P><P>and to return</P><P></P><P><STRONG>logging message <SYSLOG id=""></SYSLOG></STRONG></P><P></P><P></P><P>I guess it might be possible to send the debug messages to Syslog server also</P><P></P><P>Check out this command and its descriptions/usage guidelines/examples</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/l2.html#wp1793529" rel="nofollow">http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/l2.html#wp1793529</A></P><P></P><P>- Jouni</P></BODY></HTML> Wed, 17 Apr 2013 20:59:50 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162674#M357998 Jouni Forss 2013-04-17T20:59:50Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162675#M357999 <HTML><HEAD></HEAD><BODY><P>jcarvaja,</P><P></P><P>Thank you. Your question answered mine. As soon as I increased the debug level I started seeing the output I was expecting. This has been a big doh!!! moment.</P><P></P><P>Thank you for your help,</P><P></P><P>Denny</P></BODY></HTML> Wed, 17 Apr 2013 21:01:51 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162675#M357999 dennylester 2013-04-17T21:01:51Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162676#M358000 <HTML><HEAD></HEAD><BODY><P>Hello </P><P></P><P>Glad to hear that Denny</P><P></P><P>Remember to rate all of the helpful posts and mark the question as answered</P></BODY></HTML> Wed, 17 Apr 2013 21:02:51 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162676#M358000 Julio Carvajal 2013-04-17T21:02:51Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162677#M358001 <HTML><HEAD></HEAD><BODY><P>Ah,</P><P></P><P>Missunderstood you, I thought you already were seeing the VPN debug messages but had too much other stuff showing in the CLI output.</P><P></P><P>- Jouni</P></BODY></HTML> Wed, 17 Apr 2013 21:05:27 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162677#M358001 Jouni Forss 2013-04-17T21:05:27Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162678#M358002 <HTML><HEAD></HEAD><BODY><P> It could have been buried in all of that output but thousands of lines flew by so it was impossible to tell. The combination of both your answers helped me a lot.</P><P></P><P>Thank you again,</P><P></P><P>Denny</P></BODY></HTML> Wed, 17 Apr 2013 21:07:54 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/2162678#M358002 dennylester 2013-04-17T21:07:54Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/3726312#M358004 <P>Here something that might help anyone else with a lack of debug;</P> <P>&nbsp;</P> <P><A href="https://www.petenetlive.com/KB/Article/0001477" target="_self">Cisco ASA No Debug Output?</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Pete</P> <DIV id="breadcrumbs"><SPAN style="font-family: inherit;">&nbsp;</SPAN></DIV> Tue, 16 Oct 2018 13:17:26 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/3726312#M358004 Peter Long 2018-10-16T13:17:26Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/3785272#M358005 <P>ummm, the title says debug SSH, not a vpn connection.</P> Tue, 22 Jan 2019 17:25:03 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/3785272#M358005 Gerard Roy 2019-01-22T17:25:03Z https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/3785383#M358008 <P><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> does not matter what he/she is debugging, the problem is they are getting no output to the SSH session.</P> <P>&nbsp;</P> <P>P</P> Tue, 22 Jan 2019 19:03:24 GMT https://community.cisco.com/t5/network-security/how-to-debug-to-ssh-session-on-asa/m-p/3785383#M358008 Peter Long 2019-01-22T19:03:24Z