Make ASA debug commands persistent

lukasl1991
Level 1

Hello community,

I refer to this (quite old) discussion and this answer which is not that old... But I have an ASA with software version 9.9(2)80. I would like to send debug messages via syslog even after ssh logout.

The answer tells that one should at first use logging debug-trace persistent and afterwards the desired debug commands. This should make the debug config persistent. I paste the example here again:

debug aaa shim enabled at level 255
debug aaa shim enabled at level 255 (persistent)
debug webvpn enabled at level 255
debug webvpn enabled at level 255 (persistent)
debug webvpn xml enabled at level 255
debug webvpn xml enabled at level 255 (persistent)
debug webvpn anyconnect enabled at level 255
debug webvpn anyconnect enabled at level 255 (persistent)

Regardless of the order of these two steps I cannot make debugging persistent. What am I doing wrong? Is that feature still working? I think logging debug-trace persistent is quite useless when all debuggers won't be persistent.


You want to send debug as syslog to a server even if there is no ssh/telnet

logging debug-trace persistent <<- this command does that

But you also need to set the log level to 7

Or

Move the debug-specific message to a lower level like level 3 or 4 and configure log level 3 or 4.

MHM


Yes, this command is persistent over different ssh sessions. And I also have issued the logging trap debug command. Now I have debug logs arriving on my syslog server.

I'd like to use additional debug commands. Their output should then arrive as %ASA-7-711001: debug_trace_msg on my syslog server. (Cisco Secure Firewall ASA Series Syslog Messages - Syslog Messages 701001 to 714011 [Cisco Secure Firewall ASA] - Cisco)

asa# show debug
debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ike-common enabled at level 255

Crypto conditional debug is turned ON

IKE peer IP address filters:
A.B.C.D/32

This also works. For example, I have the following line on my syslog server:

%ASA-7-711001: IKEv2-PROTO-7: (14829): Restarting DPD timer 10 secs#012

When I now exit the ssh session, the debug crypto commands do not persist. (The only exception is the peer address.) This answer describes that also these debug lines should persist if they are issued AFTER logging debug-trace persistent. This is what I've done. The ASA doesn't even show the suffix (persistent) in the show debug output before I quit the ssh.

Can I see the logging config of the ASA?

MHM

Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: enabled (persistent)
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 3000777717 messages logged
Trap logging: level debugging, facility 20, 2399028060 messages logged
Logging to outside <syslogA>, UDP TX:7843971 errors: 2 dropped: 22
Logging to outside <syslogB>, UDP TX:909631 errors: 4 dropped: 19
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 0
CHANNEL_FLAP_CNT: 0, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
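A defender-side check for the two preconditions MHM names above (debug-trace logging enabled and persistent, plus a trap level high enough to carry 711001, or 711001 remapped to a lower level as suggested) and a parser for the resulting %ASA-7-711001 debug_trace_msg lines, grouped per IKEv2 SA id. This is an added example, not code from the thread; the `show logging` excerpt and syslog lines below are constructed to mirror the ones posted.

```python
import re

# Constructed sample of `show logging` output (same fields as the thread's paste).
SHOW_LOGGING = """Syslog logging: enabled
Debug-trace logging: enabled (persistent)
Trap logging: level debugging, facility 20, 2399028060 messages logged
Logging to outside <syslogA>, UDP TX:7843971 errors: 2 dropped: 22"""

# Constructed syslog lines; the first 711001 line mirrors the one in the thread.
SYSLOG = [
    "%ASA-7-711001: IKEv2-PROTO-7: (14829): Restarting DPD timer 10 secs#012",
    "%ASA-6-302013: Built outbound TCP connection 5 for outside:10.0.0.1/443",
    "%ASA-7-711001: IKEv2-PLAT-7: (14829): Completed local peer lookup#012",
]

# ASA severity names as printed by `show logging`, mapped to numeric levels.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}


def debug_trace_ready(show_logging: str, msg_level: int = 7) -> dict:
    """Check that debug-trace is enabled (persistent) and that the trap level
    reaches msg_level, the level 711001 is logged at (7 unless remapped)."""
    persistent = bool(re.search(r"^Debug-trace logging: enabled \(persistent\)$",
                                show_logging, re.M))
    m = re.search(r"^Trap logging: level (\w+)", show_logging, re.M)
    trap = LEVELS.get(m.group(1), -1) if m else -1
    return {"persistent": persistent, "trap_level": trap,
            "ok": persistent and trap >= msg_level}


# Shape of a debug_trace_msg for the crypto debugs: subsystem, SA id, text;
# a trailing "#012" is the escaped newline some syslog servers append.
DEBUG_RE = re.compile(r"%ASA-(\d)-711001: (IKEv2-[A-Z]+-\d): \((\d+)\): (.*?)(?:#012)?$")


def parse_debug_trace(line: str):
    """Return (subsystem, sa_id, text) for a 711001 line, None for any other syslog."""
    m = DEBUG_RE.match(line)
    return (m.group(2), int(m.group(3)), m.group(4)) if m else None


def debug_trace_by_sa(lines):
    """Group debug_trace messages per IKEv2 SA id, dropping non-debug syslogs."""
    out = {}
    for line in lines:
        p = parse_debug_trace(line)
        if p:
            out.setdefault(p[1], []).append((p[0], p[2]))
    return out
```

If a debug stops arriving after the ssh session ends, running `debug_trace_ready` over a fresh `show logging` is the first thing to compare against the paste above.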

Ok, now it magically works. No idea what the problem was. But nevertheless, the output is 

debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ike-common enabled at level 255

Crypto conditional debug is turned ON

IKE peer IP address filters:
A.B.C.D/32

without persistent in parentheses.

And after you reconnect via ssh you only have this output:

asa# sh debug

Crypto conditional debug is turned ON

IKE peer IP address filters:
A.B.C.D/32


But that's ok for me as long as the syslog messages arrive. Thanks for your efforts!


friend you are so welcome 
have a nice weekend 

MHM

By the way, the crypto conditional is ON and debug appears only for peer A.B.C.D/32 <<- if that's what you want, it's OK; if not, disable the condition to see debug for all peers and all VPNs.

MHM

Yes, this is the vpn which is to be debugged right now.

Also a nice weekend for you!
