IPSec Site to Site VPN Debug Command

haidar_alm
Level 1

Hello,

I normally use ASDM to check events relating to connection issues. However, I'm wondering what is the best way to use in debugging issues on a production FW with many VPNs and connections?

Trying to identify VPN issues between two sites.

I've got the following enabled:

logging enable
logging buffered informational
logging trap informational
logging asdm informational
logging host switch.link 192.168.x.x
logging host switch.link 192.168.x.x
logging rate-limit 50 1 level 6

Would debug crypto ipsec 127 be sufficient to display statistics on screen? Will log the session to capture output.

Also, should I change the logging buffered, trap, asdm from informational to debugging since the requirement is to get the debugging output?

Otherwise, based on your experience, what is the best way/steps to get a debug from an ASA FW?

Many thanks,

Mike

3 Replies

Hi

Normally you only run the debug commands when you are actually troubleshooting something. What I will do if I don't have a log server available is to change the logging buffered to debugging and in SecureCRT (which is the terminal emulator I'm using) save the output on the screen to a text file and then search through that text file for the peer IP of the VPN etc.

If you run debugging level on buffered, trap and host at the same time it will burden the ASA quite significantly if there is a lot of output.

The best thing would be to have a linux based log server where you can use tools like grep to search through the output.

Hi Henrik and thank you for the reply.

I also use SecureCRT and I love it!
:)

So, based on the above commands, during the troubleshooting window, change the logging buffered to debugging, and then run the:

debug crypto ipsec <level>

Obviously save the logging before running the command.

May I also ask what this command does:

logging asdm informational?

How is this different than logging onto asdm, going to monitor, Log, and setting the logging to debugging?

Unless this controls the information displayed on the asdm log window? But then why have the option to choose between informational or debugging on the GUI?

Many thanks,

M

Well you sometimes have to run debug crypto ikev1|ikev2 if you are not even completing phase 1 of the tunnel. Sometimes there could even be some problem that happens after phase 2 is completed but it's only showing by debugging phase 1.

Not sure since I almost never use the GUI, but could it be the logging window at the bottom on the first page?
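The replies above describe the workflow of raising logging buffered to debugging, running debug crypto ipsec (or debug crypto ikev1|ikev2 when phase 1 is the problem), saving the terminal output to a text file and then searching it for the peer IP. The script below is an added example of that search step, not code from this thread or from Cisco: it parses ASA syslog lines from a saved capture, keeps only the lines that mention one peer, and reports whether phase 1 and phase 2 completed and which error-severity messages appeared for that peer. The sample log is constructed; the syslog IDs 713119 (phase 1 completed), 713120 (phase 2 completed), 602303 (IPsec SA created) and 713902 are real ASA message IDs, but the timestamps, addresses and SPI are made up.

```python
import re
from collections import Counter

# Constructed sample of a capture saved from the terminal after
# "logging buffered debugging" was set on the ASA. Addresses, timestamps
# and the SPI are invented; only the message ID numbers are real ASA IDs.
SAMPLE_LOG = """\
Jan 10 2024 10:01:02: %ASA-5-713119: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 1 COMPLETED
Jan 10 2024 10:01:03: %ASA-5-713120: Group = 203.0.113.10, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=4c2f1a7b)
Jan 10 2024 10:01:03: %ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1A2B3C4D) between 198.51.100.1 and 203.0.113.10 (user= 203.0.113.10) has been created.
Jan 10 2024 10:05:40: %ASA-5-713119: Group = 203.0.113.20, IP = 203.0.113.20, PHASE 1 COMPLETED
Jan 10 2024 10:05:41: %ASA-3-713902: Group = 203.0.113.20, IP = 203.0.113.20, Removing peer from correlator table failed, no match!
"""

# ASA syslog header: %ASA-<severity>-<six-digit message id>: <text>
LINE_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Message IDs that mark tunnel progress (real ASA IDs).
PHASE1_DONE = "713119"
PHASE2_DONE = "713120"
SA_CREATED = "602303"


def parse_line(line):
    """Return (severity, msgid, text, set_of_ipv4) for an ASA syslog line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    text = m.group("text")
    return int(m.group("sev")), m.group("msgid"), text, set(IPV4_RE.findall(text))


def summarize_peer(log_text, peer_ip):
    """Filter a saved log to one VPN peer and summarise tunnel progress and errors."""
    summary = {
        "lines": 0,                 # lines that mention the peer
        "phase1_completed": False,
        "phase2_completed": False,
        "sa_created": 0,            # number of IPsec SAs built with this peer
        "errors": [],               # (msgid, text) for severity 0-3 messages
        "by_severity": Counter(),
    }
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                # debug output or console noise, not a syslog line
        sev, msgid, text, ips = parsed
        if peer_ip not in ips:
            continue                # another tunnel on a busy production firewall
        summary["lines"] += 1
        summary["by_severity"][sev] += 1
        if msgid == PHASE1_DONE:
            summary["phase1_completed"] = True
        elif msgid == PHASE2_DONE:
            summary["phase2_completed"] = True
        elif msgid == SA_CREATED:
            summary["sa_created"] += 1
        if sev <= 3:
            summary["errors"].append((msgid, text))
    return summary


if __name__ == "__main__":
    for peer in ("203.0.113.10", "203.0.113.20"):
        s = summarize_peer(SAMPLE_LOG, peer)
        print(f"{peer}: phase1={s['phase1_completed']} phase2={s['phase2_completed']} "
              f"sa_created={s['sa_created']} errors={len(s['errors'])}")
```

Run it against the real capture by replacing SAMPLE_LOG with the contents of the saved text file; a peer that shows phase 1 completed but no phase 2 message, or an error-severity line, is where to look next with the phase-specific debug the last reply mentions.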
