02-14-2023 01:42 AM
As per the title, is there a debug I can use which will output the IKE proposals offered by a peer?
I've a tunnel to Azure that's suddenly stopped working; syslogs are showing "failed to find a matching policy". I've carte blanche added every IKE policy available to the tunnel group, but no change. I'm curious what the other end is actually offering!
From experience I know you can see offered proposals from the Sophos XG and Checkpoint firewalls so curious if the ASA can too.
Thank you
02-14-2023 01:47 AM - edited 02-14-2023 01:53 AM
@richyvrlimited A couple of methods: the easiest I find is taking a packet capture on the outside interface, which will list all the IKE proposals sent by the peer when establishing the tunnel.
You would also get this information in an IKEv1/IKEv2 debug output.
02-14-2023 02:34 AM
Thanks Rob,
I ran debug crypto ikev2 protocol 127 and 255 and didn't see any mention of it.
Packet capture is a good shout, thank you.
02-14-2023 02:46 AM
debug crypto ikev2 protocol 127
debug crypto ikev2 platform 127
Share the output of the above and I will point you to where the proposal is.
02-14-2023 03:00 AM - edited 02-14-2023 03:02 AM
@richyvrlimited You would see the proposal(s) in the initial IKE_SA_INIT packet in a packet capture.
Below is the ASA IKEv2 debug guide; you can see where the proposals are referenced. Search for "IKEv2-PROTO-4:", which will take you to the section where you can see the crypto algorithms.
You can then take a debug on your ASA, copy the output to Notepad and do a search as above to identify what you are looking for.
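To show what is actually inside the SA payload of that IKE_SA_INIT packet, here is an added example (not from this thread, and not Cisco's code): a small Python decoder for the IKEv2 SA payload format defined in RFC 7296 that lists the transforms a peer offered and reports which transform types the closest local policy does not accept. The SA payload bytes, the local policy and the short transform-ID name table are constructed for the example; the policy representation (a dict of transform type to accepted names) is an assumption, not the ASA's format.

```python
import struct

# RFC 7296 transform types and a few common transform IDs (enough for this example)
TRANSFORM_TYPES = {1: "encr", 2: "prf", 3: "integ", 4: "dh"}
TRANSFORM_IDS = {"encr": {3: "3DES", 12: "AES-CBC", 20: "AES-GCM-16"},
                 "prf": {2: "HMAC-SHA1", 5: "HMAC-SHA2-256"},
                 "integ": {2: "HMAC-SHA1-96", 12: "HMAC-SHA2-256-128"},
                 "dh": {2: "MODP-1024", 14: "MODP-2048", 19: "ECP-256"}}

def parse_sa_payload(data):
    """Decode the proposal list in an IKEv2 SA payload body (generic payload header removed)."""
    proposals, off = [], 0
    while off < len(data):
        more, _, plen, num, proto, spi_size, ntrans = struct.unpack_from("!BBHBBBB", data, off)
        toff, transforms = off + 8 + spi_size, []  # skip the proposal header and any SPI
        for _ in range(ntrans):
            _, _, tlen, ttype, _, tid = struct.unpack_from("!BBHBBH", data, toff)
            kind = TRANSFORM_TYPES.get(ttype, str(ttype))
            name = TRANSFORM_IDS.get(kind, {}).get(tid, str(tid))
            # A Key Length attribute (TV form, type 14) may follow the 8-byte transform header
            if tlen > 8 and struct.unpack_from("!H", data, toff + 8)[0] == 0x800E:
                name += "-%d" % struct.unpack_from("!H", data, toff + 10)[0]
            transforms.append((kind, name))
            toff += tlen
        proposals.append({"num": num, "protocol": proto, "transforms": transforms})
        off += plen
        if more == 0:  # 0 = last proposal, 2 = more proposals follow
            break
    return proposals

def unmatched_types(proposal, policies):
    """Transform types the closest local policy (dict kind -> set of names) does not accept."""
    offered = {}
    for kind, name in proposal["transforms"]:
        offered.setdefault(kind, set()).add(name)
    return min((sorted(k for k, names in offered.items() if not names & pol.get(k, set()))
                for pol in policies), key=len, default=[])

# Constructed sample SA payload: one IKE proposal, AES-CBC-256 / SHA2-256 PRF and integrity / DH group 2
SAMPLE_SA_BODY = bytes.fromhex(
    "00 00 00 2c 01 01 00 04"              # last proposal, length 44, #1, protocol IKE, SPI size 0, 4 transforms
    "03 00 00 0c 01 00 00 0c 80 0e 01 00"  # ENCR id 12 (AES-CBC) with Key Length attribute 256
    "03 00 00 08 02 00 00 05"              # PRF id 5 (HMAC-SHA2-256)
    "03 00 00 08 03 00 00 0c"              # INTEG id 12 (HMAC-SHA2-256-128)
    "00 00 00 08 04 00 00 02")             # last transform: DH id 2 (MODP-1024)
# Constructed local policy: same suite but DH group 14 only, so the mismatch is the DH group
LOCAL_POLICIES = [{"encr": {"AES-CBC-256"}, "prf": {"HMAC-SHA2-256"},
                   "integ": {"HMAC-SHA2-256-128"}, "dh": {"MODP-2048"}}]
```

Feed it the SA payload bytes exported from the capture (Wireshark shows the same proposal and transform structure under the IKE_SA_INIT SA payload) to see which transform type is the one no local policy covers.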