How to debug to SSH session on ASA

dennylester
Level 1

Since upgrading from Pix to ASA, I haven't had to try to debug anything. Today I needed to debug an issue with a LAN to LAN tunnel coming up. I issued the commands I am used to using and so much debug information, not pertaining to what I am wanting to debug, is flying across the screen it's impossible to see what I am looking for.

How does one limit the debug output to the SSH session? For example, debug crypto isakmp?

Denny

12 Replies

Jouni Forss
VIP Alumni

Hi,

If you want to debug a single L2L VPN connection you can enable the following configuration

ASA# debug crypto condition peer 1.1.1.1

This should limit the debugs to only this specific L2L VPN Peer

You can confirm the setting with

ASA# sh crypto debug-condition

Crypto conditional debug is turned ON

IKE debug context unmatched flag:  OFF

IPSec debug context unmatched flag:  OFF

IKE debug context error flag:  OFF

IPSec debug context error flag:  OFF

IKE peer IP address filters:

1.1.1.1/32

After this you can use the "debug crypto isakmp" and "debug crypto ipsec" commands

When you are done be sure to remove the above condition we set with the command

ASA# debug crypto condition reset

Do you want to clear the crypto debug filters? [confirm]

Also, you might have to change the logging level for monitor

logging monitor debugging

And during the SSH connection issue the command

terminal monitor

And to disable it enter

terminal no monitor

You should be able to disable all debugging with

no debug all

- Jouni

Well, I gave this a shot and again, it was outputting all sorts of debug messages to the screen pertaining to ACLs, session teardowns, etc, etc.

Do I need to go through every ACL and turn logging off to do debugging these days?

Hello,

Can you share the show debug

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I assume you mean the output of the show debug command

NOCASA5550-1# show debug

debug crypto isakmp enabled at level 1

NOCASA5550-1#

Hmm,

I guess it does show all the connection and translation forming messages also?

I guess there is an option to temporarily disable the most common Syslog messages from being generated. Naturally this is not an ideal situation since if you have Syslog server configuration you will end up missing some logs.

The configuration command to disable some Syslog ID would be

no logging message

and to return

logging message

I guess it might be possible to send the debug messages to Syslog server also

Check out this command and its descriptions/usage guidelines/examples

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/l2.html#wp1793529

- Jouni

jcarvaja,

Thank you. Your question answered mine. As soon as I increased the debug level I started seeing the output I was expecting. This has been a big doh!!! moment.

Thank you for your help,

Denny

Hello

Glad to hear that Denny

Remember to rate all of the helpful posts and mark the question as answered

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ah,

Misunderstood you, I thought you already were seeing the VPN debug messages but had too much other stuff showing in the CLI output.

- Jouni

It could have been buried in all of that output but thousands of lines flew by so it was impossible to tell. The combination of both your answers helped me a lot.

Thank you again,

Denny
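For anyone landing here later, this is the whole sequence the thread converges on, collected into one annotated ASA CLI session. It is an added example, not copied from any post above; the peer address 203.0.113.10 is a constructed value, and the debug level 127 is an assumption (Denny's fix was to raise the level above the default of 1, which shows almost nothing; ASA accepts 1-255).

```text
! 1. Restrict crypto debugging to the one tunnel peer you are troubleshooting
!    (203.0.113.10 is a constructed address). The filter stays configured
!    until you reset it, so step 5 matters.
ASA# debug crypto condition peer 203.0.113.10
ASA# show crypto debug-condition
Crypto conditional debug is turned ON
IKE peer IP address filters:
203.0.113.10/32

! 2. Make sure debug output is allowed to reach a vty (SSH) session at all,
!    then mirror it into THIS session. terminal monitor is per-session and
!    is lost when you disconnect.
ASA# configure terminal
ASA(config)# logging monitor debugging
ASA(config)# end
ASA# terminal monitor

! 3. Enable the debugs at a verbose level. Without a level argument the
!    debug runs at level 1, which is what "show debug" reported in the
!    thread and why nothing useful appeared.
ASA# debug crypto isakmp 127
ASA# debug crypto ipsec 127
ASA# show debug
debug crypto isakmp enabled at level 127
debug crypto ipsec enabled at level 127
! (expected output, following the format Denny posted above)

! 4. Now send interesting traffic so the L2L tunnel negotiates; only IKE and
!    IPsec events for 203.0.113.10 will be printed, so the connection and
!    ACL syslogs no longer have to be suppressed with "no logging message",
!    which would also hide them from your syslog server.

! 5. Clean up: stop the debugs, stop mirroring to this session, drop the filter
ASA# no debug all
ASA# terminal no monitor
ASA# debug crypto condition reset
Do you want to clear the crypto debug filters? [confirm]
```

Leaving debugs running on a production ASA costs CPU, so step 5 belongs in the same change window as step 3.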

ummm, the title says debug SSH, not a vpn connection.

:) does not matter what he/she is debugging, the problem is they are getting no output to the SSH session.


Peter Long
Level 1

Here's something that might help anyone else with a lack of debug output:

 

Cisco ASA No Debug Output?


Pete
