02-29-2024 11:49 PM
Hello community,
I refer to this (quite old) discussion and this answer which is not that old... But I have an ASA with software version 9.9(2)80. I would like to send debug messages via syslog even after ssh logout.
The answer says that one should first use logging debug-trace persistent and afterwards the desired debug commands. This should make the debug config persistent. I paste the example here again:
debug aaa shim enabled at level 255
debug aaa shim enabled at level 255 (persistent)
debug webvpn enabled at level 255
debug webvpn enabled at level 255 (persistent)
debug webvpn xml enabled at level 255
debug webvpn xml enabled at level 255 (persistent)
debug webvpn anyconnect enabled at level 255
debug webvpn anyconnect enabled at level 255 (persistent)
Regardless of the order of these two steps I cannot make debugging persistent. What am I doing wrong? Is that feature still working? I think logging debug-trace persistent is quite useless when all debuggers won't be persistent.
03-01-2024 12:06 AM
You want to send debug as syslog to the server even if there is no ssh/telnet session
logging debug-trace persistent <<- this command does that
But you need also to make log level 7
Or
Move the debug specific message to lower level like level 3 or 4 and config log level 3 or 4.
MHM
03-01-2024 02:35 AM - edited 03-01-2024 02:36 AM
Yes, this command is persistent over different ssh sessions. And I also have issued the logging trap debug command. Now I have debug logs arriving on my syslog server.
I'd like to use additional debug commands. Their output should then arrive as %ASA-7-711001: debug_trace_msg on my syslog server. (Cisco Secure Firewall ASA Series Syslog Messages - Syslog Messages 701001 to 714011 [Cisco Secure Firewall ASA] - Cisco)
asa# show debug
debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ike-common enabled at level 255
Crypto conditional debug is turned ON
IKE peer IP address filters:
A.B.C.D/32
This also works. For example, I have the following line on my syslog server:
%ASA-7-711001: IKEv2-PROTO-7: (14829): Restarting DPD timer 10 secs#012
When I now exit the ssh session, the debug crypto commands do not persist. (The only exception is the peer address.) This answer describes that also these debug lines should persist if they are issued AFTER logging debug-trace persistent. This is what I've done. The ASA doesn't even show the suffix (persistent) in the show debug output before I quit the ssh.
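The lines the poster is watching for on the syslog server have the ASA header %ASA-7-711001 (severity 7, message 711001). The following collector-side parser is an added example, not code from the thread or from Cisco: it splits that header, unescapes the "#012" newline marker rsyslog writes, and shows what a lower logging trap level would have suppressed. All sample lines except the DPD one are constructed.

```python
import re
from collections import Counter

# Cisco ASA syslog header: %ASA-<severity>-<message id>: <text>
# Severity 7 is "debugging"; message id 711001 is the debug_trace_msg
# that only appears once "logging debug-trace" is configured.
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

def parse_asa_line(line):
    """Return (severity, message id, text) or None for a non-ASA line.
    '#012' is how rsyslog escapes a control character (octal 012 = newline);
    it is converted back and trailing whitespace is removed."""
    m = ASA_RE.search(line)
    if not m:
        return None
    text = m.group("text").replace("#012", "\n").rstrip()
    return int(m.group("sev")), m.group("msgid"), text

def summarize(lines, trap_level=7):
    """Count messages per ASA message id and collect 711001 debug-trace text.
    trap_level mirrors 'logging trap <level>': lines with a higher severity
    number are counted as dropped, i.e. what that trap level would suppress."""
    counts = Counter()
    debug_trace = []
    dropped = 0
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed is None:
            continue
        sev, msgid, text = parsed
        if sev > trap_level:
            dropped += 1
            continue
        counts[msgid] += 1
        if msgid == "711001":
            debug_trace.append(text)
    return {"counts": counts, "debug_trace": debug_trace, "dropped": dropped}

# Constructed sample input; only the first 711001 line is taken from the thread.
SAMPLE = [
    "Mar  1 02:40:01 asa %ASA-7-711001: IKEv2-PROTO-7: (14829): Restarting DPD timer 10 secs#012",
    "Mar  1 02:40:02 asa %ASA-6-302013: Built inbound TCP connection 12345 for outside:192.0.2.10/51000 (192.0.2.10/51000) to inside:10.0.0.5/443 (10.0.0.5/443)",
    "Mar  1 02:40:03 asa %ASA-7-711001: IKEv2-PROTO-7: (14829): Sending DPD/liveness query#012",
    "Mar  1 02:40:04 asa %ASA-4-106023: Deny tcp src outside:192.0.2.99/4444 dst inside:10.0.0.5/22 by access-group \"outside_in\"",
    "Mar  1 02:40:05 asa last message repeated 2 times",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Running summarize(SAMPLE, trap_level=6) reports the two debug lines as dropped, which is the situation MHM describes when logging trap is left below 7.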
03-01-2024 02:37 AM
Can I see the logging config of the ASA?
MHM
03-01-2024 02:39 AM
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: enabled (persistent)
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, 3000777717 messages logged
Trap logging: level debugging, facility 20, 2399028060 messages logged
Logging to outside <syslogA>, UDP TX:7843971 errors: 2 dropped: 22
Logging to outside <syslogB>, UDP TX:909631 errors: 4 dropped: 19
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 0
CHANNEL_FLAP_CNT: 0, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: disabled
03-01-2024 02:49 AM - edited 03-01-2024 02:50 AM
Ok, now it magically works. No idea what the problem was. But nevertheless, the output is
debug crypto ipsec enabled at level 255
debug crypto ikev2 protocol enabled at level 255
debug crypto ikev2 platform enabled at level 255
debug crypto ike-common enabled at level 255
Crypto conditional debug is turned ON
IKE peer IP address filters:
A.B.C.D/32
without persistent in parentheses.
And after you reconnect via ssh you only have this output:
asa# sh debug
Crypto conditional debug is turned ON
IKE peer IP address filters:
A.B.C.D/32
But that's ok for me as long as the syslog messages arrive. Thanks for your efforts!
03-01-2024 03:46 AM
friend you are so welcome
have a nice weekend
MHM
03-01-2024 04:05 AM
By the way, the crypto conditional is ON and debug appears only for peer A.B.C.D/32 <<- if that is what you want, it's OK; if not, disable the condition to see debug for all peers and for all VPNs
MHM
03-01-2024 04:11 AM
Yes, this is the vpn which is to be debugged right now.
Also a nice weekend for you!