10-12-2022 08:07 AM
How do you debug VPNs on the FTDs now? It seems that Cisco has taken a step into the useless with the FTDs, and debugging was always a Cisco strong point.
I have an active/standby FTD pair controlled by an FMC, all on version 7.0.1.
I can now get a VPN debug on the console of the active device, however it's ALL crypto, not just the peer I want.
On the ASA the debugging consisted of 3 lines on the CLI (crypto condition, crypto ikev2 protocol and ikev2 platform). With the FTD, I need to spend 10 minutes going through a GUI to enable console logging, then at the CLI to get ALL crypto. It ignores anything I put about a peer condition, and there is just far too much output to be of any use. The GUI menus make no sense.
10-12-2022 08:33 AM - edited 10-12-2022 08:34 AM
You can use FMC for debug: what version of FTD and FMC?
VPN config:
10-12-2022 01:35 PM - edited 10-12-2022 01:37 PM
I understand where you're coming from. In my deployment running FTD 6.7.x, the following are the steps I mostly use for troubleshooting VPN.
1. Connect to FTD management via SSH. Put in your username and password.
>
> expert
FTD:~$ sudo sfconsole
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
FTD#
debug crypto condition peer x.x.x.x
debug crypto ikev1 protocol 127
debug crypto ikev1 platform 127
debug crypto ipsec 127
show logging | i x.x.x.x
Secondly, you can also set up the capture on the FMC GUI, but I normally use the FTD CLI to configure the captures:
capture VPN type isakmp interface outside match ip host x.x.x.x host y.y.y.y
and analyse the data to troubleshoot it. The FMC GUI is not very robust when it comes to troubleshooting the VPN tunnels.
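The script below is an added example of mine, not code from this thread or from Cisco. It addresses the complaint in the opening post that the FTD console dumps crypto debug for every peer: once that output has been saved to a file, a two-pass filter keeps only the lines for one peer. The first pass collects the IKE session ids (the `(N):` tag on each debug line) seen together with the peer's IP; the second pass keeps every line that either names the peer or carries one of those session ids, so protocol-state lines that never mention the address are retained too. The sample debug text is constructed for the example and only loosely mimics the shape of real ASA/FTD IKEv2 debugs; the `(N):` session tag and the IP-address layout are assumptions about the format, so check them against a real capture before relying on the filter.

```python
"""Isolate one peer's lines from an interleaved FTD/LINA crypto debug dump."""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample, not real device output. Two IKEv2 sessions (17 and 42)
# from two peers are interleaved, and one PLAT line names a peer without a
# session id, which is why a plain grep for the IP is not enough.
SAMPLE_DEBUG = """\
IKEv2-PROTO-4: (17): Received Packet [From 203.0.113.10:500/To 198.51.100.1:500]
IKEv2-PROTO-4: (17): Initiator SPI : 1A2B3C4D5E6F7081 - Responder SPI : 0000000000000000 Message id: 0
IKEv2-PROTO-4: (17): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-4: (42): Received Packet [From 198.51.100.77:500/To 198.51.100.1:500]
IKEv2-PROTO-4: (42): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-4: (17): Sending Packet [To 203.0.113.10:500/From 198.51.100.1:500]
IKEv2-PROTO-4: (17): IKEv2 IKE_AUTH Exchange REQUEST
IKEv2-PROTO-2: (17): Failed to find a matching policy
IKEv2-PROTO-2: (17): Received Policies: Proposal 1: AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-2: (42): Auth exchange failed
IKEv2-PLAT-3: PSK Auth requested for peer 198.51.100.77
IKEv2-PROTO-4: (42): Deleting SA
"""

# Assumed format: each protocol line carries its IKE session id as "(N):".
SESSION_RE = re.compile(r"\((\d+)\):")
# Dotted-quad addresses; the trailing ":500" port is outside the match.
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def _session_id(line: str) -> str | None:
    m = SESSION_RE.search(line)
    return m.group(1) if m else None


def sessions_by_peer(debug_text: str, local_addrs: set[str] = frozenset()) -> dict[str, set[str]]:
    """Map every peer IP seen in the dump to the session ids it appears with.

    local_addrs lets the caller drop the firewall's own interface addresses,
    which otherwise show up on every line as a "peer".
    """
    found: dict[str, set[str]] = defaultdict(set)
    for line in debug_text.splitlines():
        sid = _session_id(line)
        if sid is None:
            continue
        for ip in IP_RE.findall(line):
            if ip not in local_addrs:
                found[ip].add(sid)
    return dict(found)


def filter_by_peer(debug_text: str, peer: str) -> list[str]:
    """Return only the debug lines that belong to `peer`.

    Pass 1 learns which session ids were seen on lines naming the peer;
    pass 2 keeps lines that name the peer or carry one of those ids.
    """
    lines = debug_text.splitlines()
    peer_sessions: set[str] = set()
    for line in lines:
        if peer in IP_RE.findall(line):
            sid = _session_id(line)
            if sid is not None:
                peer_sessions.add(sid)

    kept: list[str] = []
    for line in lines:
        sid = _session_id(line)
        if peer in IP_RE.findall(line) or (sid is not None and sid in peer_sessions):
            kept.append(line)
    return kept


def failure_lines(lines: list[str]) -> list[str]:
    """Pull out the lines that explain why a negotiation did not complete."""
    return [ln for ln in lines if "fail" in ln.lower()]


if __name__ == "__main__":
    # Usage: python filter_peer.py > /dev/null; in practice read the saved
    # console dump from a file instead of SAMPLE_DEBUG.
    print(sessions_by_peer(SAMPLE_DEBUG, local_addrs={"198.51.100.1"}))
    for ln in filter_by_peer(SAMPLE_DEBUG, "203.0.113.10"):
        print(ln)
    print("reasons:", failure_lines(filter_by_peer(SAMPLE_DEBUG, "203.0.113.10")))
```

Passing the firewall's own outside address in `local_addrs` matters: it appears on every packet line, so without that exclusion `sessions_by_peer` would attribute all sessions to the firewall itself. The same two-pass idea works on `show logging` output when the debug lines have been sent to syslog rather than read from the console.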
10-13-2022 04:07 AM - edited 10-13-2022 04:07 AM
An easier way to get to the LINA console would be to use the command "system support diagnostic-cli" from the CLISH mode ">" without having to go into expert mode.
12-10-2024 05:36 PM - edited 12-10-2024 06:18 PM
thanks