Purpose

Atri Basu · ‎11-01-2010

Purpose

The debug crypto vpnclient Command

For 6.x PIXs configured as Easy VPN Remotes, you can use the debug crypto vpnclient command to troubleshoot client-specific configuration and connection setup issues. The example below illustrates the use of this command, where the client is using network extension mode. Below the example, I’ve explain the numbered references found in the example.

Establishing a Remote Access Connection from an Easy VPN Remote Running 6.3

VPNC CFG: transform set unconfig attempt done                     (1)

VPNC CLI: no isakmp keepalive 10 5

VPNC CLI: no isakmp nat-traversal 20

VPNC CFG: IKE unconfig successful

VPNC CLI: no crypto map _vpnc_cm

VPNC CFG: crypto map deletion attempt done

VPNC CFG: crypto unconfig successful

VPNC CLI: no global (outside) 65001

VPNC CLI: no nat (inside) 0 access-list _vpnc_acl

VPNC CFG: nat unconfig attempt failed

VPNC CLI: no http 192.168.3.1 255.255.255.0 inside

VPNC CLI: no http server enable

VPNC CLI: no access-list _vpnc_acl

VPNC CFG: ACL deletion attempt failed

VPNC CLI: no crypto map _vpnc_cm interface outside

VPNC CFG: crypto map de/attach failed

VPNC CFG: transform sets configured                               (2)

VPNC CFG: crypto config successful

VPNC CLI: isakmp keepalive 10 5

VPNC CLI: isakmp nat-traversal 20

VPNC CFG: IKE config successful

VPNC CLI: http 192.168.3.1 255.255.255.0 inside

VPNC CLI: http server enable

VPNC CLI: aaa-server _vpnc_nwp_server protocol tacacs+

VPNC CLI: aaa-server _vpnc_nwp_server (outside) host 192.1.1.100

VPNC CLI: access-list _vpnc_nwp_acl permit ip any any

VPNC CLI: aaa authentication match _vpnc_nwp_acl outbound

    vpnc_nwp_server

VPNC CLI: no access-list _vpnc_acl

VPNC CFG: ACL deletion attempt failed

VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101        (3)

    host 192.1.1.100

VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl

VPNC CFG: crypto map acl update successful

VPNC CLI: no crypto map _vpnc_cm interface outside

VPNC CLI: crypto map _vpnc_cm interface outside

VPNC INF: IKE trigger request done                                (4)

VPNC INF: Constructing policy download req

VPNC INF: Packing attributes for policy request

VPNC INF: Attributes being requested

VPNC ATT: INTERNAL_IP4_DNS: 4.2.2.1

VPNC ATT: ALT_PFS: 0

VPNC INF: Received application version 'Cisco Systems, Inc        (5)

    PIX-515 Version 7.0(1) built by builders on

    Thu 31-Mar-05 14:37'

VPNC ATT: ALT_CFG_SEC_UNIT: 0

VPNC ATT: ALT_CFG_USER_AUTH: 0

VPNC CLI: no aaa authentication match _vpnc_nwp_acl outbound _

    vpnc_nwp_server

VPNC CLI: no access-list _vpnc_nwp_acl permit ip any any

VPNC CLI: no aaa-server _vpnc_nwp_server

VPNC CLI: no access-list _vpnc_acl

VPNC CLI: access-list _vpnc_acl permit ip                         (6)

    192.168.3.0 255.255.255.0 any

VPNC CLI: access-list _vpnc_acl permit ip

    host 192.1.1.101 any

VPNC CLI: access-list _vpnc_acl permit ip

    host 192.1.1.101 host 192.1.1.100

VPNC CFG: _vpnc_acl no ST define done

VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl

VPNC CFG: crypto map acl update successful

VPNC CLI: no crypto map _vpnc_cm interface outside

VPNC CLI: crypto map _vpnc_cm interface outside

VPNC CLI: no global (outside) 65001                               (7)

VPNC CLI: no nat (inside) 0 access-list _vpnc_acl

VPNC CFG: nat unconfig attempt failed

VPNC CLI: nat (inside) 0 access-list _vpnc_acl

VPNC INF: IKE trigger request done                                (8)

output omitted

1.	This is the first time the VPN Remote functionality was enabled on the PIX, so the PIX is first removing any VPN commands that could cause any type of conflict.
2.	After attempting to remove all VPN-related commands, the Remote then configures the necessary VPN commands.
3.	An ACL is built to allow communications between this PIX (192.1.1.101) and the Easy VPN Server (192.1.1.100).
4.	The PIX Remote initiates its connection to the Server and sends its policies.
5.	The Server is a PIX 515 running FOS 7.0.
6.	Based on the split tunneling policy passed to it by the Server, the client PIX builds an appropriate crypto ACL.
7.	Based on the split tunneling policy, the appropriate address translation policy is configured.
8.	The tunnel is now established to the Server.

Tip

Unfortunately, the debug crypto vpnclient command is not that useful for troubleshooting the setup of an IPsec session. If something is misconfigured on the Remote or Server, you'll see something like the above example repeated over and over; however, as you'll notice in the output, there is nothing that indicates what the problem is. In this example, the Remote was configured for network extension mode, but the group on the Server didn't have this policy defined. For example, with the output of the debug crypto isakmp command on the Server, you would see a message like this: "[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.101, Hardware Client connection rejected! Network Extension Mode is not allowed for this group!" Unfortunately, the debug output from the same command on a 6.3 Remote isn't as verbose, making the troubleshooting of this problem more difficult, if not impossible, from the Remote end using the debug crypto vpnclient command.

References----

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml

Understanding the debug crypto vpnclient on PIX 6.x (EZ VPN server)

Purpose

The debug crypto vpnclient Command

Establishing a Remote Access Connection from an Easy VPN Remote Running 6.3