topic Re: Debug particular IPSEC VPN? in Network Security

Debug particular IPSEC VPN?

CiscoBrownBelt — Fri, 21 Feb 2020 16:55:02 GMT

Running a debug but for a particular IPSEC VPN shouldn't cause much of a degradation and/or impact on performance correct or possibly?

The following is all I would need to enter?

debug crypto condition peer www.xxx.yyy.zzz

Re: Debug particular IPSEC VPN?

Rob Ingram — Fri, 08 Mar 2019 11:56:25 GMT

Hi,
If you filter using the condition peer command it shouldn't greatly impact the performance. Once you've enabled this you also need to enable the other debugs:-

debug crypto condition peer 1.1.1.1
debug crypto ikev1|iskamp (depends on what version you are running)

debug crypto ikev2

debug crypto ipsec sa

The command "show crypto debug-condition" will confirm the filter is applied to the peer ip address and which debugs are enabled.

Ensure you disable debugs once finished "undebug all"

HTH

Re: Debug particular IPSEC VPN?

CiscoBrownBelt — Mon, 11 Mar 2019 19:20:51 GMT

Awesome! So if I don't see any real traffic other than "KEv2-PROTO-7: (26228): Restarting DPD timer 10 secs", should I try and generate a ping or something that is allowed through any applicable ACLs?

Re: Debug particular IPSEC VPN?

Rob Ingram — Mon, 11 Mar 2019 20:06:01 GMT

Do you have a particular issue which you are troubleshooting?

You can run ping (not from the ASA) over the tunnel, check "show crypto ipsec sa" to determine whether the encaps|decaps are increasing or not.