05-30-2019 06:42 AM
Sorry,
The ISR has 2 VRFs, and it's responding when I send a ping, but if I type terminal monitor or if I am connected via the serial port, I don't see any output for troubleshooting.
Thanks in advance
Roberto
05-30-2019 11:39 AM - edited 05-30-2019 11:47 AM
Hello Roberto,
First of all, check with
show debug
what debugs are enabled. If you see anything telling about conditions, first perform undebug all, then re-enable the desired debugging.
I have checked that debug ip icmp has no VRF option and your traffic may be in a VRF.
You could try to use another type of debug
check if
debug ip packet accepts the VRF option
use an ACL to describe the traffic you want to debug
like
access-list 101 permit icmp host 1.1.1.1 host 2.2.2.2
debug ip packet detail 101 vrf <vrf-name>
It is very important to use an ACL with this debug command to avoid overloading the router.
Edit:
Also debug ip packet does not support the VRF option.
Hope to help
Giuseppe
05-31-2019 03:56 AM
Hi Giuseppe,
I enabled deb crypto isakmp and ipsec and icmp.
The problem is only with icmp
I see a few ICMP messages; these messages are not traffic generated by me, but I do not see any when I ping from my PC to the public IP where I am connected.
I see messages if I ping from the ISR router to another device, but when I send ICMP from another device to the router, I don't see anything.
I inserted logging console debug.
Fortunately I don't need debug crypto isakmp anymore (for now), because the VPN with VRF works fine.
If anyone has an idea why I do not see the ICMP debug, OK, but for now I can go on with work.
Thanks a lot
Roberto
02-06-2021 03:34 AM
Did you solve it? I have the same problem debugging ICMP packets on an ISR4321 router.
02-06-2021 03:11 PM
We do not know much about your environment and that makes it difficult to give good advice. Are you saying that similar to the original post that debug for certain things like isakmp work fine but debug for icmp does not work fine? If you enable debug for icmp do you get some output but not all the output that you expect? Or do you get no output at all?
I offer the observation that debug can report only on things that were processed by the CPU. In our modern environment, where we have multiple features that reduce dependence on the CPU, that makes debug a less reliable tool.
02-06-2021 08:12 PM - edited 02-06-2021 08:16 PM
Yes, CEF switching might be the reason, but my router platform seems not to support disabling CEF switching. Thank you for the useful information.
02-07-2021 09:29 AM
You are welcome. This is a significant point and one that is frequently not well recognized. Many of us (especially those with long experience in networking) tend to assume that with the appropriate debug that we can see just about anything happening on our network device. We need to recognize that this is not as true as it used to be and that tools like packet capture may need to play the role that we sometimes used debug for.
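One way to follow the packet-capture suggestion above, as an added example that is not part of the original thread: IOS XE Embedded Packet Capture on the ISR, filtered by an ACL in the same spirit as the ACL advice earlier in the thread. The names ICMP-ONLY and ICMPCAP and the interface GigabitEthernet0/0/0 are assumptions; use the interface facing the device that sends the pings.

```cisco
! Added example. ICMP-ONLY, ICMPCAP and GigabitEthernet0/0/0 are assumed names.
! 1. Define an ACL that matches only the traffic of interest.
configure terminal
 ip access-list extended ICMP-ONLY
  permit icmp any any
 end
! 2. Bind the ACL and the interface (both directions) to a capture point.
monitor capture ICMPCAP access-list ICMP-ONLY
monitor capture ICMPCAP interface GigabitEthernet0/0/0 both
! 3. Bound the capture buffer (size in MB) before starting.
monitor capture ICMPCAP buffer size 5
monitor capture ICMPCAP start
! 4. Send the pings from the other device, then stop the capture.
monitor capture ICMPCAP stop
! 5. Review the captured packets, one summary line per packet.
show monitor capture ICMPCAP buffer brief
! 6. Remove the capture point and the ACL when finished.
no monitor capture ICMPCAP
configure terminal
 no ip access-list extended ICMP-ONLY
 end
```

Narrowing the permit line to the specific source and destination hosts keeps the buffer limited to the pings being tested.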
05-30-2021 04:49 AM
No, I didn't.
05-30-2021 06:49 AM
Roberto
Am I correct in understanding from your posts that the issue with debug was with transit traffic (traffic passing through the router rather than traffic from the router)? If that is the case then the comments about enhanced forwarding of much transit traffic mean that the CPU did not see that traffic and therefore could not generate debug about it.
02-06-2021 03:32 AM
I have the same problem on ISR4321 too.