04-17-2013 01:02 PM - edited 03-11-2019 06:30 PM
Since upgrading from PIX to ASA, I haven't had to try to debug anything. Today I needed to debug an issue with a LAN-to-LAN tunnel coming up. I issued the commands I am used to using, and so much debug information not pertaining to what I want to debug is flying across the screen that it's impossible to see what I am looking for.
How does one limit the debug output to the SSH session? For example, debug crypto isakmp?
Denny
04-17-2013 01:11 PM
Hi,
If you want to debug a single L2L VPN connection you can enable the following configuration
ASA# debug crypto condition peer 1.1.1.1
This should limit the debugs to only this specific L2L VPN Peer
You can confirm the setting with
ASA# sh crypto debug-condition
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF
IKE peer IP address filters:
1.1.1.1/32
After this you can use the "debug crypto isakmp" and "debug crypto ipsec" commands
When you are done be sure to remove the above condition we set with the command
ASA# debug crypto condition reset
Do you want to clear the crypto debug filters? [confirm]
Also, you might have to change the logging level for monitor
logging monitor debugging
And during the SSH connection issue the command
terminal monitor
And to disable it enter
terminal no monitor
You should be able to disable all debugging with
no debug all
- Jouni
04-17-2013 01:40 PM
Well, I gave this a shot and again, it was outputting all sorts of debug messages to the screen pertaining to ACLs, session teardowns, etc, etc.
Do I need to go through every ACL and turn logging off to do debugging these days?
04-17-2013 01:54 PM
Hello,
Can you share the show debug
Regards
04-17-2013 01:57 PM
I assume you mean the output of the show debug command
NOCASA5550-1# show debug
debug crypto isakmp enabled at level 1
NOCASA5550-1#
04-17-2013 01:59 PM
Hmm,
I guess it does show all the connection and translation-forming messages also?
I guess there is an option to temporarily disable the most common Syslog messages from being generated. Naturally this is not an ideal situation, since if you have a Syslog server configured you will end up missing some logs.
The configuration command to disable a given Syslog ID would be
no logging message <syslog-id>
and to restore it
logging message <syslog-id>
I guess it might be possible to send the debug messages to Syslog server also
Check out this command and its descriptions/usage guidelines/examples
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/l2.html#wp1793529
- Jouni
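Two ways to keep the connection, translation and ACL syslogs from drowning the debug on the session, shown as an added example rather than text from Jouni's post. Message IDs 302013/302014 (TCP connection built/teardown), 305011/305012 (dynamic translation built/teardown) and 106023 (ACL deny) are the usual offenders; 711001 is the ID the ASA emits its debug output under. Option A is the `no logging message` approach from the post, with the side effect Jouni mentions. Option B is an alternative assumed from the ASA `logging list` / `logging monitor <list>` syntax (not something the thread states): it restricts only what the monitor (SSH/telnet) destination receives, so the syslog server keeps getting every message.

```text
! Added example, not from the thread. Assumes an ASA 8.4 with a syslog server
! configured and an operator on an SSH session; IDs per the ASA syslog guide.

! Option A (what the post describes): silence the noisy IDs globally.
! Side effect: the syslog server stops receiving them too, until restored.
ciscoasa(config)# no logging message 302013        ! Built TCP connection
ciscoasa(config)# no logging message 302014        ! Teardown TCP connection
ciscoasa(config)# no logging message 305011        ! Built dynamic translation
ciscoasa(config)# no logging message 305012        ! Teardown dynamic translation
ciscoasa(config)# no logging message 106023        ! Deny by access-group
ciscoasa(config)# exit
ciscoasa# show logging message 302013              ! confirm the ID is now disabled
! ... run the debug session ...
ciscoasa(config)# logging message 302013           ! restore every ID you disabled
ciscoasa(config)# logging message 302014
ciscoasa(config)# logging message 305011
ciscoasa(config)# logging message 305012
ciscoasa(config)# logging message 106023

! Option B (assumed from the logging list / logging monitor syntax): filter only
! the monitor destination; nothing changes for the syslog server.
ciscoasa(config)# logging list VPN-DEBUG message 711001             ! the debug output itself
ciscoasa(config)# logging list VPN-DEBUG level debugging class vpn  ! IKE/IPsec syslogs
ciscoasa(config)# logging monitor VPN-DEBUG        ! monitor sessions get only this list
ciscoasa(config)# exit
ciscoasa# terminal monitor
! ... run the debug session; 302013/305011/106023 never reach the screen ...
ciscoasa# terminal no monitor
ciscoasa# configure terminal
ciscoasa(config)# logging monitor debugging        ! back to a plain severity filter
ciscoasa(config)# no logging list VPN-DEBUG
ciscoasa(config)# exit
```

Option B also answers the "do I need to turn logging off on every ACL" worry: the ACL `log` keywords stay as they are, and the 106xxx messages keep flowing to the syslog server; they are just not selected for the SSH session while the list is in place.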
04-17-2013 02:01 PM
jcarvaja,
Thank you. Your question answered mine. As soon as I increased the debug level I started seeing the output I was expecting. This has been a big doh!!! moment.
Thank you for your help,
Denny
04-17-2013 02:02 PM
Hello
Glad to hear that Denny
Remember to rate all of the helpful posts and mark the question as answered
04-17-2013 02:05 PM
Ah,
Misunderstood you, I thought you already were seeing the VPN debug messages but had too much other stuff showing in the CLI output.
- Jouni
04-17-2013 02:07 PM
It could have been buried in all of that output but thousands of lines flew by so it was impossible to tell. The combination of both your answers helped me a lot.
Thank you again,
Denny
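Putting the thread's pieces together in one session, as an added example that is not from any of the posts. It assumes an ASA running 8.4 (where `debug crypto isakmp` still drives the IKEv1 debug, as Denny's `show debug` output shows), an IKEv1 L2L peer at 203.0.113.10, and an operator connected over SSH. The ASA emits debug output through its logging subsystem (as syslog 711001), which is why `logging monitor debugging` and `terminal monitor` are needed before anything appears on the session, and the default debug level of 1 is why `debug crypto isakmp` on its own looked silent in Denny's case. The `show` outputs below are what those commands are expected to print with these settings.

```text
! Added example, not from the thread. Assumes ASA 8.4, IKEv1 L2L peer
! 203.0.113.10, operator on an SSH session. "!" comments are explanatory.
ciscoasa# configure terminal
ciscoasa(config)# logging enable                   ! debug output travels through logging; it must be on
ciscoasa(config)# logging monitor debugging        ! let level-7 messages reach SSH/telnet sessions
ciscoasa(config)# exit
ciscoasa# terminal monitor                         ! ...and echo them to this particular session
ciscoasa# debug crypto condition peer 203.0.113.10 ! scope IKE/IPsec debugs to one peer
ciscoasa# show crypto debug-condition
Crypto conditional debug is turned ON
IKE debug context unmatched flag: OFF
IPSec debug context unmatched flag: OFF
IKE debug context error flag: OFF
IPSec debug context error flag: OFF
IKE peer IP address filters:
203.0.113.10/32
ciscoasa# debug crypto isakmp 127                  ! level 1 (the default) shows almost nothing; 127 shows the exchanges
ciscoasa# debug crypto ipsec 127
ciscoasa# show debug                               ! verify the level before waiting for output
debug crypto isakmp enabled at level 127
debug crypto ipsec enabled at level 127
! If the tunnel is already up, force a renegotiation so there is something to
! watch (disruptive for that one peer); if it is down, just send interesting traffic.
ciscoasa# clear crypto ipsec sa peer 203.0.113.10
... IKE Phase 1 / Phase 2 debug lines for 203.0.113.10 only ...
ciscoasa# no debug all                             ! clean up: stop all debugs,
ciscoasa# debug crypto condition reset             ! drop the peer filter,
Do you want to clear the crypto debug filters? [confirm]
ciscoasa# terminal no monitor                      ! and stop echoing syslog to this session
```

Two checks worth doing before concluding the debug is broken: `show debug` to confirm the level is above 1, and `show crypto debug-condition` to confirm the filter holds the peer you think it does; a stale filter from an earlier session silently hides every other peer.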
01-22-2019 09:25 AM
ummm, the title says debug SSH, not a vpn connection.
01-22-2019 11:03 AM
:) It does not matter what he/she is debugging; the problem is they are getting no output to the SSH session.
P