09-28-2020 11:53 AM
I understand I can turn on debug IP ICMP and see ICMP traffic for pings from the router itself. I am wondering if I can use debug IP packet and see ICMP requests and replies from/to sources and destinations left and right of the router, not even on directly connected interfaces but definite traffic that traverses the router?
09-28-2020 11:56 PM
It is possible with the method below, but why not debug on the end device?
Basically the debug shows IP routed in the device. If you would like to see the packets in transit, in that case you need to disable fast switching, using 'no ip route-cache' and/or 'no ip route-cache cef' (I would not recommend this in a production environment).
09-29-2020 07:17 AM
Balaji makes a good point that debug can report only packets that are handled by the CPU. So various forms of fast switching etc. that make use of cached information or do any kind of distributed forwarding logic will not show all of the desired information.
The other point to make is that the original post suggested using debug icmp. This would report on all ICMP traffic to and from the router. But it would not report on traffic being forwarded by the router. To see ICMP requests and responses originated from other devices and forwarded by the router you would need to debug ip packet. And a plain debug ip packet would report on every IP packet on or through the router. So what you would want to do is to configure an access list that had a permit for ICMP (or even better a permit for ICMP to or from a specific IP address) and then do the debug ip packet <acl> to be selective about what packets debug would report.
09-30-2020 10:05 AM
In my OP, second sentence, I did refer to debug ip packet as a possible solution.
The reason I want to affirm it at the router is the router is used as a VPN gateway to AWS. Far out in the AWS VPC are servers out of my control but they light a fire under me when they can't get to / ping a server. I am a lowly networking person, have no access to the far end server. I want to be able to see the ICMP replies from the problem server and good ones that are working as a control. My only vector to do so is from the router.
10-01-2020 05:08 PM
I appreciate your response and the clarification. Yes you did mention debug ip packet. I wanted to make sure that you (and especially anyone else who might read this discussion at some time in the future) would be clear about debug icmp which shows local traffic and debug ip packet which shows traffic passing through the router.
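The ACL-filtered debug discussed in this thread, written out as an added example that is not part of any of the original posts. The server address 192.0.2.10, ACL number 199 and the interface names are placeholders chosen for illustration.

```cisco
! Added example. 192.0.2.10 stands in for the far-end server under test;
! ACL 199 and the interface names are placeholders.
!
configure terminal
 ! Match only ICMP to or from the one server, so debug reports nothing else
 ! (every other packet hits the implicit deny and is not printed).
 access-list 199 permit icmp host 192.0.2.10 any
 access-list 199 permit icmp any host 192.0.2.10
 !
 ! Keep debug output off the console line and collect it in the buffer.
 no logging console
 logging buffered 64000 debugging
 !
 ! Debug reports only packets handled by the CPU, so fast switching is
 ! turned off on the interfaces the pings enter and leave on.
 ! (The thread also mentions 'no ip route-cache cef'.)
 interface GigabitEthernet0/0
  no ip route-cache
 interface GigabitEthernet0/1
  no ip route-cache
end
!
! Report packets matching ACL 199, including ICMP type and code.
debug ip packet 199 detail
!
! ... have the far end run its ping test, then read what was seen:
show logging
!
! Clean up as soon as the test is done.
undebug all
configure terminal
 interface GigabitEthernet0/0
  ip route-cache
 interface GigabitEthernet0/1
  ip route-cache
 no access-list 199
 ! Restore console logging here if it was enabled before the test.
end
```

Process switching raises CPU load on the router, which is why the thread advises against it in production; keeping the ACL tied to a single host and the debug window short limits that cost.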