How to debug to SSH session on ASA

Since upgrading from PIX to ASA, I haven't had to try to debug anything. Today I needed to debug an issue with a LAN to LAN tunnel coming up. I issued the commands I am used to using, and so much debug information not pertaining to what I want to debug is flying across the screen that it's impossible to see what I am looking for.

How does one limit the debug output to the SSH session? For example, debug crypto isakmp?

Denny

Mentor

Re: How to debug to SSH session on ASA

Hi,

If you want to debug a single L2L VPN connection you can enable the following configuration

ASA# debug crypto condition peer 1.1.1.1

This should limit the debugs to only this specific L2L VPN Peer

You can confirm the setting with

ASA# sh crypto debug-condition

Crypto conditional debug is turned ON

IKE debug context unmatched flag:  OFF

IPSec debug context unmatched flag:  OFF

IKE debug context error flag:  OFF

IPSec debug context error flag:  OFF

IKE peer IP address filters:

1.1.1.1/32

After this you can use the "debug crypto isakmp" and "debug crypto ipsec" commands

When you are done be sure to remove the above condition we set with the command

ASA# debug crypto condition reset

Do you want to clear the crypto debug filters? [confirm]

Also, you might have to change the logging level for monitor

logging monitor debugging

And during the SSH connection issue the command

terminal monitor

And to disable it enter

terminal no monitor

You should be able to disable all debugging with

no debug all

- Jouni

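The state Jouni describes (a peer condition in place before the crypto debugs run, and cleared again afterwards), together with the debug level that turns out to be Denny's problem further down the thread, can both be checked from the two show command outputs. The parser below is an added example, not code from the original thread or from Cisco; its sample outputs are constructed to mirror the ones quoted above.

```python
import re

# Constructed sample outputs modelled on the ones quoted in the thread
# (not captured from a real device).
SHOW_DEBUG_CONDITION = """\
Crypto conditional debug is turned ON
IKE debug context unmatched flag:  OFF
IPSec debug context unmatched flag:  OFF
IKE debug context error flag:  OFF
IPSec debug context error flag:  OFF
IKE peer IP address filters:
1.1.1.1/32
"""

SHOW_DEBUG = """\
debug crypto isakmp enabled at level 1
debug crypto ipsec enabled at level 1
"""


def parse_debug_condition(text):
    """Return (enabled, [peer filters]) from 'show crypto debug-condition' output."""
    enabled = "turned ON" in text
    # Filter lines carry only an address, optionally with a prefix length.
    peers = re.findall(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?)\s*$", text, re.M)
    return enabled, peers


def parse_show_debug(text):
    """Return {debug name: level} from 'show debug' output."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^debug (.+?) enabled at level (\d+)", text, re.M)}


def review_debug_state(condition_text, debug_text):
    """Flag the problems the thread ran into: crypto debugs with no peer
    condition (floods the session), a level too low to show negotiation
    detail, and a condition left behind after the debugs were turned off."""
    enabled, peers = parse_debug_condition(condition_text)
    crypto = {n: l for n, l in parse_show_debug(debug_text).items()
              if n.startswith("crypto")}
    issues = []
    if crypto and not (enabled and peers):
        issues.append("crypto debugs active without a peer condition")
    for name, level in crypto.items():
        if level <= 1:
            issues.append(f"{name} at level {level}: raise it to see negotiation detail")
    if peers and not crypto:
        issues.append("peer condition still set with no crypto debug running: "
                      "run 'debug crypto condition reset'")
    return issues
```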

Beginner

Re: How to debug to SSH session on ASA

Well, I gave this a shot and again it was outputting all sorts of debug messages to the screen pertaining to ACLs, session teardowns, etc., etc.

Do I need to go through every ACL and turn logging off to do debugging these days?


Re: How to debug to SSH session on ASA

Hello,

Can you share the show debug

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Beginner

How to debug to SSH session on ASA

I assume you mean the output of the show debug command

NOCASA5550-1# show debug

debug crypto isakmp enabled at level 1

NOCASA5550-1#

Mentor

Re: How to debug to SSH session on ASA

Hmm,

I guess it does show all the connection and translation forming messages also?

I guess there is an option to temporarily disable the most common Syslog messages from being generated. Naturally this is not an ideal situation, since if you have a Syslog server configuration you will end up missing some logs.

The configuration command to disable some Syslog ID would be

no logging message

and to return

logging message

I guess it might be possible to send the debug messages to Syslog server also

Check out this command and its descriptions/usage guidelines/examples

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/l2.html#wp1793529

- Jouni

Beginner

How to debug to SSH session on ASA

jcarvaja,

Thank you. Your question answered mine. As soon as I increased the debug level I started seeing the output I was expecting. This has been a big doh!!! moment.

Thank you for your help,

Denny


How to debug to SSH session on ASA

Hello

Glad to hear that Denny

Remember to rate all of the helpful posts and mark the question as answered

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Mentor

How to debug to SSH session on ASA

Ah,

Misunderstood you, I thought you were already seeing the VPN debug messages but had too much other stuff showing in the CLI output.

- Jouni

Beginner

How to debug to SSH session on ASA

It could have been buried in all of that output but thousands of lines flew by so it was impossible to tell. The combination of both your answers helped me a lot.

Thank you again,

Denny

Explorer

Re: How to debug to SSH session on ASA

ummm, the title says debug SSH, not a vpn connection.

Beginner

Re: How to debug to SSH session on ASA

:) It does not matter what he/she is debugging; the problem is they are getting no output to the SSH session.

P
Beginner

Re: How to debug to SSH session on ASA

Here's something that might help anyone else with a lack of debug output:

Cisco ASA No Debug Output?

Pete