Gather debug information more efficiently

robertsalka
Level 1

I use "debug crypto ikev2", "debug crypto ipsec", and "debug crypto pki trans" to extract lots of information from the FlexVPN clients landing on my ASR. The information I am required to collect, log and forward includes the CN of the cert used for PKI, the public IP of the user, session build/close and other stuff as well. Is there an appliance that can collect the information more efficiently, because my processor is getting slammed from logging everything.

We have a Stealth Watch appliance on prem, but I have been told that it's not capable of collecting the information listed above without debugging on the host equipment.

4 Replies

deb crypto ikev2 packet
deb crypto ikev2 internal

These two commands can help you.

But isn't there any other way to collect this information without debugging?

Hello,

debugging is hard on the CPU, no doubt about it. What you could do is run an EEM script that executes show commands and sends you just the information you need. What exactly do you need to extract (what specific parts of the debug output)?
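
One way to realise the EEM suggestion above, as an added example that is not from this thread or from Cisco's documentation: instead of running crypto debugs, enable IKEv2 session logging and let an EEM applet react to each session syslog by running one show command and emitting a single summarised syslog line. The `crypto logging ikev2` command, the `IKEV2_SESSION_STATUS` message mnemonic and the `Remote id:` field of `show crypto ikev2 sa detailed` are assumed for IOS-XE and should be checked against the router's actual output.

```cisco
! Added example, not from the thread. Goal: session up/down, peer public IP
! and certificate identity via ordinary syslog, with no crypto debugs running.

! 1. Ask IOS-XE to log every IKEv2 SA up/down (assumed command). The resulting
!    %CRYPTO-5-IKEV2_SESSION_STATUS message already carries the peer address
!    and the IKEv2 identity (the cert DN under rsa-sig authentication).
crypto logging ikev2

! 2. EEM applet: fires on that syslog, reads the SA detail once and logs only
!    the fields needed for the audit trail, timestamped by the syslog server.
event manager applet FLEXVPN-SESSION-AUDIT
 description One summarised syslog per IKEv2 session event (replaces debugs)
 event syslog pattern "IKEV2_SESSION_STATUS"
 action 1.0 cli command "enable"
 action 2.0 cli command "show crypto ikev2 sa detailed"
 ! Pull the peer identity out of the show output. The "Remote id:" label is
 ! assumed; adjust the pattern if the platform prints the field differently.
 action 3.0 regexp "Remote id: ([^\r\n]+)" "$_cli_result" whole remote_id
 action 4.0 if $_regexp_result eq 1
 action 4.1  syslog priority informational msg "FLEXVPN-AUDIT event=$_syslog_msg remote_id=$remote_id"
 action 4.2 else
 action 4.3  syslog priority informational msg "FLEXVPN-AUDIT event=$_syslog_msg remote_id=unknown"
 action 4.4 end
```

The applet only needs `logging trap informational` towards the collector rather than level debugging, so the CPU cost is one show command per session event. Bring up one test session and check `show logging` to confirm the message name before relying on the pattern.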

We are tracking when an IKEv2 session is attempted, the public IPs used for the PKI negotiation, the CN of the cert used, the validation statement from the CRL, the issued IPs of the VPN connection, the session open statement, and finally the session closed statement. All of those logs need to be correlated and timestamped. We accomplish that goal currently by debugging, logging at level debugging, and then using syslog to a collection point. We are currently using an ASR1001-X and are willing to spend money on upgrading if that is the only option.