07-28-2021 02:11 PM
Hi,
debug crypto isakmp did not generate any log.
Is there any command other than this? I want to run it on a production ASA.
How do I run a debug command without any problem?
Does the undebug all command revert debugging?
Thanks
07-28-2021 02:18 PM
You need to generate interesting traffic (as defined in the crypto ACL) for the VPN to establish and therefore generate debug events. If you still don't see any debug events, is crypto isakmp/ikev1/ikev2 even enabled?
Is logging enabled to the console, vty lines?
Yes, "undebug all" turns off debugging.
07-28-2021 09:40 PM
Hi,
crypto map TEST 1 match address Outside_cryptomap
crypto map TEST 1 set pfs group5
crypto map TEST 1 set peer 1.1.1.1
crypto map TEST 1 set ikev2 ipsec-proposal AES-256
crypto map TEST 2 match address Outside_cryptomap_1
crypto map TEST 2 set peer 3.3.3.3
crypto map TEST 2 set pfs group5
crypto map TEST 2 set ikev2 ipsec-proposal AES-256
crypto map TEST 10 match address azure-vpn-acl
crypto map TEST 10 set peer 2.2.2.2
crypto map TEST 10 set ikev1 transform-set azure-ipsec-proposal-set
crypto map TEST 65535 ipsec-isakmp dynamic TEST
crypto map TEST interface Outside
tunnel-group 3.3.3.3 ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
crypto ikev2 enable Outside client-services port 443
Do I need to add "crypto ikev2 enable" ?
But my TEST 1 is working, and that is also IKEv2.
I have a problem with TEST 2.
On the remote side the device is not an ASA; it has only one PSK. In that case, what should my "remote-authentication pre-shared-key" and "local-authentication pre-shared-key" be?
I gave the same PSK for both remote and local.
Thanks
07-29-2021 12:22 AM
If you are using IKEv2 then you will need to use "debug crypto ikev2 protocol 127" and "debug crypto ikev2 platform 127".
The pre-shared key needs to be identical, so the remote and local PSK can be the same. Are you sure the other device is using IKEv2 though? You cannot use IKEv1 on one device and IKEv2 on another device and establish a VPN.
Turn on those debugs and ensure logging is enabled to display the output.
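The advice above (the IKE version and PSK must match on both ends) and the "config mismatch" checklist further down can be turned into a quick local sanity check before touching debugs on a production ASA. The script below is an added example, not code from the thread or from Cisco: it parses the crypto map and tunnel-group excerpt posted above (embedded here as a constructed sample, secrets masked as in the original paste) and reports, per static peer, whether the IKE version selected on the crypto map entry is enabled on the map's interface and whether the matching tunnel-group carries the authentication statements that version needs. It only checks the local ASA side, and anything it flags in the posted excerpt (for example the missing `crypto ikev1 enable` line and tunnel-group for 2.2.2.2) may simply be lines the poster did not paste.

```python
import re

# Tunnel-group authentication statements relevant to a site-to-site PSK setup.
TG_AUTH = ("ikev1 pre-shared-key",
           "ikev2 remote-authentication pre-shared-key",
           "ikev2 local-authentication pre-shared-key")

# Constructed sample: the excerpt posted in the thread (keys already masked).
SAMPLE_CONFIG = """\
crypto map TEST 1 match address Outside_cryptomap
crypto map TEST 1 set pfs group5
crypto map TEST 1 set peer 1.1.1.1
crypto map TEST 1 set ikev2 ipsec-proposal AES-256
crypto map TEST 2 match address Outside_cryptomap_1
crypto map TEST 2 set peer 3.3.3.3
crypto map TEST 2 set pfs group5
crypto map TEST 2 set ikev2 ipsec-proposal AES-256
crypto map TEST 10 match address azure-vpn-acl
crypto map TEST 10 set peer 2.2.2.2
crypto map TEST 10 set ikev1 transform-set azure-ipsec-proposal-set
crypto map TEST 65535 ipsec-isakmp dynamic TEST
crypto map TEST interface Outside
tunnel-group 3.3.3.3 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
crypto ikev2 enable Outside client-services port 443
"""


def parse_asa_vpn(config):
    """Extract only what the consistency check needs; key values are never stored."""
    entries = {}        # (map name, seq) -> {"peer": ip or None, "versions": set()}
    map_iface = {}      # map name -> interface the map is applied to
    ike_enabled = {"ikev1": set(), "ikev2": set()}   # version -> enabled interfaces
    tunnel_groups = {}  # peer ip -> set of auth statement types present
    current_tg = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Pasted configs often lose indentation, so tunnel-group sub-lines are
        # recognised by their "ikev" prefix rather than by leading whitespace.
        if not line.startswith("ikev"):
            current_tg = None
        m = re.match(r"crypto map (\S+) (\d+) set peer (\S+)$", line)
        if m:
            e = entries.setdefault((m.group(1), int(m.group(2))), {"peer": None, "versions": set()})
            e["peer"] = m.group(3)
            continue
        m = re.match(r"crypto map (\S+) (\d+) set (ikev1|ikev2) ", line)
        if m:
            e = entries.setdefault((m.group(1), int(m.group(2))), {"peer": None, "versions": set()})
            e["versions"].add(m.group(3))
            continue
        m = re.match(r"crypto map (\S+) interface (\S+)$", line)
        if m:
            map_iface[m.group(1)] = m.group(2)
            continue
        m = re.match(r"crypto (ikev1|ikev2) enable (\S+)", line)
        if m:
            ike_enabled[m.group(1)].add(m.group(2))
            continue
        m = re.match(r"tunnel-group (\S+) ipsec-attributes$", line)
        if m:
            current_tg = m.group(1)
            tunnel_groups.setdefault(current_tg, set())
            continue
        if current_tg and line.startswith(TG_AUTH):
            tunnel_groups[current_tg].add(next(a for a in TG_AUTH if line.startswith(a)))
    return entries, map_iface, ike_enabled, tunnel_groups


def audit(config):
    """Return one human-readable finding per local-side inconsistency."""
    entries, map_iface, ike_enabled, tunnel_groups = parse_asa_vpn(config)
    findings = []
    for (name, seq), e in sorted(entries.items()):
        peer, versions = e["peer"], e["versions"]
        if peer is None:
            continue  # dynamic entries carry no static peer to check
        label = f"crypto map {name} {seq} (peer {peer})"
        if not versions:
            findings.append(f"{label}: no ikev1 transform-set or ikev2 ipsec-proposal set")
        iface = map_iface.get(name)
        tg = tunnel_groups.get(peer)
        for v in sorted(versions):
            if iface and iface not in ike_enabled[v]:
                findings.append(f"{label}: uses {v} but 'crypto {v} enable {iface}' is absent")
            if tg is None:
                findings.append(f"{label}: no 'tunnel-group {peer} ipsec-attributes' block")
                continue
            for a in (a for a in TG_AUTH if a.startswith(v)):
                if a not in tg:
                    findings.append(f"{label}: tunnel-group {peer} lacks '{a}'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no local-side inconsistencies found"]:
        print(finding)
```

Run against the posted excerpt it reports nothing for TEST 1 and TEST 2 (both IKEv2, enabled on Outside, tunnel-groups with both remote and local PSK statements), so the TEST 2 failure is not visible in the crypto map or tunnel-group lines alone and the next step is the IKEv2 debugs and confirming the peer really speaks IKEv2. It does flag TEST 10, which selects IKEv1 while no `crypto ikev1 enable Outside` or `tunnel-group 2.2.2.2` appears in the paste.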
07-28-2021 03:08 PM
We are not sure: is this a Cisco router or an ASA? What is the device at the other end?
1. A common issue we see is a config mismatch.
2. Make sure the configs on both sides match.
3. Make sure the remote end IP is reachable to establish a connection.
Here are some troubleshooting documents: