debug site to site VPN from FMC

michael18
Level 1

On ASA it was possible to do 'debug crypto isakmp sa 127' etc. to see any problems with the VPN tunnel. How is this done on a remote FTD managed by FMC?

4 Replies

@michael18 Change the Platform Settings Policy via the FMC to configure logging to a destination (buffer, monitor, syslog, etc.).

Then from the FTD CLI go to "system support diagnostic-cli" and run "debug crypto ikev1 127".

Thanks for the reply. I've set logging according to the guide: Configure Management Access to FTD (HTTPS and SSH) via FMC - Cisco

I can see logs using the limited CLI in the FMC advanced troubleshooting tool, but nothing is appearing in the remote syslog server. Logs show UDP packets being sent from the FTD.

Also followed the guide to enable SSH, but it won't work.

Bring back ASA!

@michael18 can you run tcpdump on the syslog server (filter on the FTD IP) and determine whether the logs are actually received?

Can you run "show logging" from the FTD CLI and provide the output, just so we can confirm the actual settings.

Do you need to see the full log or just what's enabled?

Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Timezone: disabled
Hide Username logging: enabled
Standby logging: disabled
Debug-trace logging: enabled (persistent)
Console logging: disabled
Monitor logging: disabled
Buffer logging: level debugging, class auth ip session snmp webvpn ca ssl, 14604506 messages logged
Trap logging: level debugging, class auth ip session snmp sys vpn ca ssl, facility 20, 3861867 messages logged
Logging to outside 10.96.1.127, UDP TX:34444
Global TCP syslog stats::
NOT_PUTABLE: 0, ALL_CHANNEL_DOWN: 152
CHANNEL_FLAP_CNT: 152, SYSLOG_PKT_LOSS: 0
PARTIAL_REWRITE_CNT: 0
Permit-hostdown logging: enabled
History logging: disabled
Device ID: hostname "LEEFPR001"
Mail logging: disabled
ASDM logging: disabled
FMC logging: list MANAGER_VPN_EVENT_LIST, class auth ip session snmp sys vpn webvpn ca ssl, 1576 messages logged
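
Added example (not part of the original thread, and not Cisco code): a small Python check for the syslog server side that tallies UDP datagrams by source and decodes the syslog `<PRI>` field, so you can confirm both that the FTD's messages arrive and that they carry the "Facility: 20" shown in the `show logging` output above. The FTD address `192.0.2.10`, the UDP port 514, the function names and the sample datagrams are assumptions constructed for illustration.

```python
import re
import socket
import time
from collections import Counter

PRI_RE = re.compile(rb"^<(\d{1,3})>")

def decode_pri(payload):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(payload)
    pri = int(m.group(1)) if m else None  # PRI = facility * 8 + severity, range 0..191
    return divmod(pri, 8) if pri is not None and pri <= 191 else None

def summarize(datagrams, ftd_ip, expected_facility=20):
    """Tally (source_ip, payload) pairs; expected_facility mirrors 'Facility: 20'."""
    report = Counter()
    for src, payload in datagrams:
        decoded = decode_pri(payload)
        if src != ftd_ip:
            report["other_sources"] += 1
        elif decoded is None:
            report["from_ftd_no_pri"] += 1
        elif decoded[0] != expected_facility:
            report["from_ftd_wrong_facility"] += 1
        else:
            report[f"from_ftd_severity_{decoded[1]}"] += 1
    return report

def capture(bind_addr="0.0.0.0", port=514, seconds=30.0):
    """Collect UDP datagrams for a short window (port 514 is an assumption)."""
    got, deadline = [], time.monotonic() + seconds
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                payload, (src, _) = s.recvfrom(65535)
            except socket.timeout:
                break
            got.append((src, payload))
    return got

FTD_IP = "192.0.2.10"  # placeholder; the thread does not give the FTD address
SAMPLE = [  # constructed datagrams, not captured traffic
    (FTD_IP, b"<166>LEEFPR001 : %FTD-6-000000: constructed sample"),
    (FTD_IP, b"<134>constructed sample sent with facility 16"),
    (FTD_IP, b"constructed sample without a priority field"),
    ("198.51.100.7", b"<166>constructed sample from another host"),
]
```

On the syslog server, `summarize(capture(), FTD_IP)` gives the live tally; binding the port needs sufficient privileges and fails if a syslog daemon already holds it, in which case the tcpdump capture suggested in the reply is the way to look at the same traffic.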