ISR 4300 debug ip icmp or deb crypto isak , in console not view anythings

Roberto Casagrande · ‎05-30-2019

Sorry,

the isr has a 2 vrf, and it's responding when I send a ping, but if I type terminal monitor or if I am connect with serial port, I dont see any output for troubleshooting .

thanks in advanced

Robertp

Giuseppe Larosa · ‎05-30-2019

Hello Roberto,

first of all, check with

show debug

what debug are enabled if you see anything telling about conditions perform first undebug all then re-enable the desired debugging.

I have checked that debug ip icmp has no VRF option and your traffic may be in a VRF.

You could try to use another type of debug

check if

debug ip packet accepts the VRF option

use an ACL to describe the traffic you want to debug

like

access-list 101 icmp host 1.1.1.1 host 2.2.2.2

debug ip packet detail 101 vrf <vrf-name>

it is very important to use an ACL with this debug command to avoid to overload the router.

Edit:

Also debug ip packet does not support the VRF option.

Hope to help

Giuseppe

Roberto Casagrande · ‎05-31-2019

Hi Giuseppe,

I enabled deb crypto isakmp and ipsec and icmp.

The problem is only with icmp

I see few message icmp, these messages is not traffic generated form me, but not see when I ping of my PC to ip public where I am connected.

I see messages if I ping from ISR Router to other device, but when I send icmp from other device to router, I don't see nothing.

I inserited logging console debug.

Fortunatly I don't need anymore (now) ,debug crypto isakmp, because the vpn with vrf work fine.

If anyone have a idea why not see icmp debug ok, but now I can go on with work.

Thanks a lot

Roberto

xidasd · ‎02-06-2021

Did you solve it? I have same problem in debugging icmp packets on ISR4321 router.

Richard Burts · ‎02-06-2021

We do not know much about your environment and that makes it difficult to give good advice. Are you saying that similar to the original post that debug for certain things like isakmp work fine but debug for icmp does not work fine? If you enable debug for icmp do you get some output but not all the output that you expect? Or do you get no output at all?

I offer the observation that debug can report only on things that were processed by the cpu. In our modern environment where we have multiple features that reduce dependance on the cpu that makes debug a less reliable tool.

HTH

Rick

xidasd · ‎02-06-2021

Yes the CEF switching might be the reason but my router platform seems not to support disabling a CEF switching. Thank you for the useful information.

Richard Burts · ‎02-07-2021

You are welcome. This is a significant point and one that is frequently not well recognized. Many of us (especially those with long experience in networking) tend to assume that with the appropriate debug that we can see just about anything happening on our network device. We need to recognize that this is not as true as it used to be and that tools like packet capture may need to play the role that we sometimes used debug for.

HTH

Rick

Roberto Casagrande · ‎05-30-2021

No i didn’t

Richard Burts · ‎05-30-2021

Roberto

Am I correct in understanding from your posts that the issue with debug was with transit traffic (traffic passing through the router rather than traffic from the router)? If is the case then the comments about enhanced forwarding of much transit traffic means that the cpu did not see that traffic and therefore could not generate debug about it.

HTH

Rick

xidasd · ‎02-06-2021

I have same problem in ISR4321 too.