Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

ISR 4300 debug ip icmp or deb crypto isak , in console not view anythings


the isr has a 2 vrf, and it's responding when I send a ping, but if I type terminal monitor or if  I am connect with serial port, I dont see any output for troubleshooting .

thanks in advanced 


Giuseppe Larosa
Hall of Fame Master

Hello Roberto,

first of all, check with

show debug

what debug are enabled if you see anything telling about conditions perform first undebug all then re-enable the desired debugging.


I have checked that debug ip icmp has no VRF option and your traffic may be in a VRF.

You could try to use another type of debug

check if

debug ip packet   accepts the VRF option

use an ACL to describe the traffic you want to debug


access-list 101 icmp host host


debug ip packet detail 101 vrf <vrf-name>

it is very important to use an ACL with this debug command to avoid to overload the router.



Also debug ip packet does not support the VRF option.


Hope to help



Hi Giuseppe,

I enabled deb crypto isakmp and ipsec and icmp.

The problem is only with icmp


I see few message icmp, these messages is not traffic generated form me, but not see when I ping of my PC to ip public where I am connected. 

I see messages if I ping from ISR Router to other device, but when I send icmp from other device to router, I don't see nothing.

I inserited logging console debug.

Fortunatly I don't need anymore (now) ,debug crypto isakmp, because the vpn with vrf work fine. 

If anyone have a idea why not see icmp debug ok, but now I can go on with work.

Thanks a lot 


Did you solve it? I have same problem in debugging icmp packets on ISR4321 router.

We do not know much about your environment and that makes it difficult to give good advice. Are you saying that similar to the original post that debug for certain things like isakmp work fine but debug for icmp does not work fine? If you enable debug for icmp do you get some output but not all the output that you expect? Or do you get no output at all?


I offer the observation that debug can report only on things that were processed by the cpu. In our modern environment where we have multiple features that reduce dependance on the cpu that makes debug a less reliable tool.



Yes the CEF switching might be the reason but my router platform  seems not to support disabling a CEF switching. Thank you for the useful information.


You are welcome. This is a significant point and one that is frequently not well recognized. Many of us (especially those with long experience in networking) tend to assume that with the appropriate debug that we can see just about anything happening on our network device. We need to recognize that this is not as true as it used to be and that tools like packet capture may need to play the role that we sometimes used debug for.



I have same problem in ISR4321 too.