Showing results for 
Search instead for 
Did you mean: 

vpn tunnel troubleshooting question


I have notice that sometines when debugging VPN tunnels using (I have seen this on both PIX5xx and ASA 5510)

debug cry isakmp

debug cry ipsec

That sometimes when sending traffic that should trigger the tunnel initiation, I see nothing in the debug and other times I do.

Even when the tunnel gets established and I know phase 1 and phase 2 successfully completed)

Is there something I am missing?


If I want to put a monitor session on the outside interface of the ASA to capture traffic to and from the tunnel peer end,

would I filter the monitor to capture the tunnel secure LAN endpoint, or the peer endpoint, or would I see traffic from both of these subnets on the remote end?




The reason to this is that if you only use debug cry isakmp , it will be a "debug cry isakmp 1".

In som of the newer versions i beleave the first was 7.x you got a 1-255 debug options.

So here is was will solve it:

debug cry isakmp 200

debug cry ipsec 200

is you whant binary debug (hex) use 255, normaly 200 is plenty.



PS. Please rate...


I will give it a try

That worked, but what is the sifnificance of the 200?

And how can I debug a particular tunnel phae 1 or 2?


The number is only a debug level, but 200 is mutch info but not hex. I have not been able to finde a description on the differet levels.

The debug crypto isakmp 200 (Phase I)

The debug crypto ipsec 200 (PhanseII)

To debug a specific VPN session you can not, sorry. This in only on show option peer .

If you only need phase I debug 90% of the time normaly. I only use the isakmp.

I hope this helps you.

PS. The number is in many other debugs too. :-)


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: