02-02-2010 01:57 PM
Hello,
I'm trying to set up a VPN to another company, but I'm having no luck. We both think we are using the correct information for phase 1 and 2. I'm using an ASA 5520 and wondered what commands would be useful for me to debug phase 1 and/or phase 2 of the VPN?
Thanks
02-02-2010 02:18 PM
Here's a great troubleshooting guide for VPN-
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Hope it helps.
02-02-2010 03:58 PM
Hi Andy,
These are the commands to enable debugs on the ASA:
debug crypto isakmp <1-250> <--level of debug
debug crypto ipsec <1-250>
Thanks,
Pradhuman
02-02-2010 07:31 PM
Unlike PIX 6.x and below firmware, you don't actually need to enable ipsec debugging. The ASA debugs are MUCH more informative...
'debug crypto isakmp 254' will provide you with packet-by-packet debugging of both Phase 1 and Phase 2 negotiations
If you want a little less, try debug level 7.
I have yet to run into an IPSEC VPN issue that I was not able to completely and effectively troubleshoot using only this command.
debug crypto ipsec # provides very little (if any) additional information
02-03-2010 02:04 AM
Thanks, I'm trying debug crypto isakmp 254 and debug crypto isakmp 7, but so much info comes in that I can't filter out the VPN I need. Any recommendations around this?
Thanks
02-03-2010 08:33 AM
Lower the debug level.
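For the question above about isolating one tunnel in a busy debug stream, this added example (not part of the thread, and not Cisco tooling) filters saved `debug crypto isakmp` output by peer address offline. The line format, sample lines and addresses are constructed assumptions, as is the rule that untagged dump lines belong to the tagged line before them.

```python
import re
from collections import defaultdict

# Constructed sample in the general shape of ASA "debug crypto isakmp" output.
# Addresses are documentation ranges, not values from the thread.
SAMPLE = """\
Feb 03 02:04:11 [IKEv1]: IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 108
Feb 03 02:04:11 [IKEv1 DEBUG]: IP = 198.51.100.7, processing SA payload
Feb 03 02:04:11 [IKEv1 DEBUG]: Group = 203.0.113.20, IP = 203.0.113.20, processing hash payload
Feb 03 02:04:12 [IKEv1]: IP = 198.51.100.7, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 96
ISAKMP Header
  Initiator COOKIE: 5a 1c 00 00 00 00 00 01
Feb 03 02:04:12 [IKEv1]: Group = 203.0.113.20, IP = 203.0.113.20, PHASE 2 COMPLETED (msgid=0a0b0c0d)
Feb 03 02:04:13 [IKEv1 DEBUG]: IP = 198.51.100.7, All SA proposals found unacceptable
"""

PEER_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})\b")
DECODE_RE = re.compile(
    r"IKE_DECODE (RECEIVED|SENDING) Message .*?with payloads : (.*?) total length")

def split_by_peer(text):
    """Group debug lines by the peer in their 'IP = a.b.c.d' tag.

    Untagged lines (packet dumps at high debug levels) are attached to the
    most recent tagged line. This is an assumption: on a box with many
    simultaneous negotiations a dump can be mis-attributed.
    """
    by_peer, current = defaultdict(list), None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
        if current is not None:
            by_peer[current].append(line)
    return dict(by_peer)

def lines_for_peer(text, peer):
    """All debug lines attributed to one peer address."""
    return split_by_peer(text).get(peer, [])

def exchange_summary(text, peer):
    """(direction, payload list) per IKE message exchanged with one peer."""
    hits = (DECODE_RE.search(l) for l in lines_for_peer(text, peer))
    return [(m.group(1), m.group(2)) for m in hits if m]

if __name__ == "__main__":
    print("\n".join(lines_for_peer(SAMPLE, "198.51.100.7")))
```

Log the console or SSH session to a file while the debug runs, then pass that file's contents in place of `SAMPLE`.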