
Debug VPN on FTD

spencercook
Level 1

How do you debug VPNs on the FTDs now? It seems that Cisco has taken a step into the useless with the FTDs, and debugging was always a Cisco strong point.

I have an active/standby FTD pair controlled by an FMC, all on version 7.0.1.

I can now get a VPN debug on the console of the active device; however, it's ALL crypto, not just the peer I want.

On the ASA the debugging consisted of 3 lines on the CLI (crypto condition, crypto ikev2 protocol and ikev2 platform). With the FTD, I need to spend 10 minutes going through a GUI to enable console logging, then at the CLI to get ALL crypto. It ignores anything I put about a peer condition, and there is just far too much output to be of any use. The GUI menus make no sense.

3 Replies

I understand where you're coming from. In my deployment running FTD 6.7.x, the following are the steps I mostly use for troubleshooting VPN.

1. Connect to the FTD management via SSH. Put in your username and password.

>
> expert
FTD:~$ sudo sfconsole
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

FTD#
debug crypto condition peer x.x.x.x
debug crypto ikev1 protocol 127
debug crypto ikev1 platform 127
debug crypto ipsec 127

show logging | i x.x.x.x

2. Secondly, you can also set up the capture on the FMC GUI, but I normally use the FTD CLI to configure the captures:

capture VPN type isakmp interface outside match ip host x.x.x.x host y.y.y.y

and analyse the data to troubleshoot it. The FMC GUI is not very robust when it comes to troubleshooting VPN tunnels.

Please do not forget to rate.
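The original poster's complaint is that the debug prints every peer's crypto activity and the peer condition seems to be ignored; the reply above works around that with `show logging | i x.x.x.x`. The grep approach misses a lot, because in IKEv2 debug output only the "Received Packet" / "Sending Packet" lines carry the peer address, while the exchange and failure lines that follow carry only the session number in parentheses. The script below is an added example (not from the thread and not Cisco's tooling): it saves the bulk console output to a file, learns which session numbers belong to the peer of interest from the packet lines, then keeps every line of those sessions and summarizes the exchanges and failure messages. The sample lines embedded in it are constructed and only approximate the real `IKEv2-PROTO-n: (sid):` format; the addresses are documentation-range placeholders.

```python
"""Offline post-filter for a bulk 'debug crypto ikev2' console capture.

Added example, not code from the thread or from Cisco. The line format of the
constructed sample below approximates the real 'IKEv2-PROTO-<level>: (<sid>):'
debug lines; only the packet lines name the peer, so we correlate on the
session id (the number in parentheses) instead of grepping for the IP.
"""
import re
from collections import Counter

# Constructed sample of mixed-peer debug output (NOT real device output).
SAMPLE_DEBUG = """\
IKEv2-PROTO-4: (12): Received Packet [From 203.0.113.10:500/To 198.51.100.1:500/VRF i0:f0]
IKEv2-PROTO-4: (12): IKEv2 IKE_SA_INIT Exchange REQUEST
IKEv2-PROTO-4: (57): Received Packet [From 203.0.113.77:500/To 198.51.100.1:500/VRF i0:f0]
IKEv2-PROTO-4: (57): IKEv2 IKE_AUTH Exchange REQUEST
IKEv2-PROTO-4: (12): Sending Packet [To 203.0.113.10:500/From 198.51.100.1:500/VRF i0:f0]
IKEv2-PROTO-4: (12): IKEv2 IKE_SA_INIT Exchange RESPONSE
IKEv2-PROTO-4: (12): Received Packet [From 203.0.113.10:500/To 198.51.100.1:500/VRF i0:f0]
IKEv2-PROTO-4: (12): IKEv2 IKE_AUTH Exchange REQUEST
IKEv2-PROTO-1: (12): Failed to find a matching policy
IKEv2-PROTO-1: (12): Auth exchange failed
IKEv2-PROTO-4: (57): IKEv2 IKE_AUTH Exchange RESPONSE
"""

# Packet lines: the first "From <ip>" or "To <ip>" after the session id is the peer.
PKT_RE = re.compile(r"^\S+: \((\d+)\): .*?\b(?:From|To) (\d+\.\d+\.\d+\.\d+):\d+")
# Every debug line starts with "<prefix>: (<session id>):".
SID_RE = re.compile(r"^\S+: \((\d+)\):")
EXCH_RE = re.compile(r"IKEv2 (\w+) Exchange (REQUEST|RESPONSE)")


def session_ids_for_peer(lines, peer):
    """Return the set of session ids whose packet lines mention `peer`."""
    ids = set()
    for line in lines:
        m = PKT_RE.match(line)
        if m and m.group(2) == peer:
            ids.add(m.group(1))
    return ids


def filter_by_peer(debug_text, peer):
    """Keep every line (packet, exchange, error) of sessions that talk to `peer`."""
    lines = debug_text.splitlines()
    ids = session_ids_for_peer(lines, peer)
    kept = []
    for line in lines:
        m = SID_RE.match(line)
        if m and m.group(1) in ids:
            kept.append(line)
    return kept


def summarize(kept):
    """Count IKEv2 exchanges and collect level-1 (failure) messages."""
    exchanges = Counter()
    errors = []
    for line in kept:
        m = EXCH_RE.search(line)
        if m:
            exchanges[f"{m.group(1)} {m.group(2)}"] += 1
        elif "PROTO-1:" in line:  # level-1 lines carry the failure reasons
            errors.append(line.split("): ", 1)[1])
    return exchanges, errors


def report(debug_text, peer):
    """Build a short text report for one peer from a bulk debug capture."""
    kept = filter_by_peer(debug_text, peer)
    exchanges, errors = summarize(kept)
    out = [f"peer {peer}: {len(kept)} debug lines"]
    for name, count in sorted(exchanges.items()):
        out.append(f"  {name}: {count}")
    for err in errors:
        out.append(f"  FAIL: {err}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Usage: python ikev2_filter.py <saved-console-output.txt> <peer-ip>
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read(), sys.argv[2]))
    else:
        print(report(SAMPLE_DEBUG, "203.0.113.10"))
```

Run it against a file you saved from the diagnostic CLI session (for example by logging the SSH session) and the peer address you care about; on the constructed sample it reduces eleven mixed-peer lines to the eight that belong to 203.0.113.10 and surfaces the two failure lines, which a plain `| i x.x.x.x` would drop because they never contain the address.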

An easier way to get to the LINA console would be to use the command "system support diagnostic-cli" from the CLISH mode ">" without having to go into expert mode.