debug crypto isakmp output - changed on pix v7?

Am trying to debug a VPN on a PIX upgraded to 7.2(2) and am having no joy with debug output. (am using telnet)

Config entered (always worked before!):

logging enabled

logging monitor debug

debug crypto isakmp 7

This is a working ipsec VPN between x2 PIX's one site on 192.6.12.0/24 and site 2 192.168.5.0/24. Hosts are happily pinging each other over the VPN, but there is nothing appearing on the telnet session. (same goes for debug crypto ipsec as well). (NB I want to see the working debug output before I change some config). Nada, nowt is there. Has something changed - do you have to have a syslog server now?

Any help appreciated.

Thanks

Dan

ggilbert Wed, 07/11/2007 - 07:53

Dan,

If you are using telnet to access the PIX, and if you have logging enabled, I would check a couple of things.

enable "term mon"

Also make sure that "logging debug-trace" is disabled. If it is enabled, all the debugs will be sent to the syslog server.

Let me know if this helps.

Thanks

Gilbert

Thanks ggilbert

I had "logging debug-trace" disabled. I had tried "term mon" - but unfortunately it dumps everything on the screen - not just the isakmp info - so it's impossible to use really.

I would just be happy if I could get the debugs like it used to do under v6!

If it is no longer possible - is there a way that I can see just isakmp and ipsec debugs to a syslog without all the usual debug bumf getting in the way?

Thanks

Dan

ggilbert Wed, 07/11/2007 - 08:29

Dan,

do "no logg mon debug"

and just enable the debugs & do "term mon"

You should be able to see just the debug messages on the screen for that session of telnet.

Thanks

Gilbert

Gilbert

Thanks, but unfortunately I don't get any output with the above.

Anyway! An update trying to debug the isakmp on the PIX the other side with above config:

logging enabled

logging monitor debug

debug crypto isakmp 7

worked fine (it has many more vpn tunnels! Going back to the pix the other side the same config produced no output). This is when I sent "interesting" traffic down the one tunnel it has (I seem to remember that it would show debug output for all traffic?). However, a cl crypto isakmp sa forced the tunnel to renegotiate and then I got some debug output.

Sorry, no doubt it was my fault all along! I was just expecting more output than it wanted to give me!

Thanks

Dan

Correct Answer
ggilbert Wed, 07/11/2007 - 14:33

Yes - you can do that.

Glad you got it to work. If this post helped you, please rate it.

Thanks

Gilbert
