debug crypto isakmp output - changed on pix v7?

Answered Question
Jul 11th, 2007

Am trying to debug a VPN on a PIX upgraded to 7.2(2) and am having no joy with debug output. (am using telnet)


Config entered (always worked before!):


logging enabled

logging monitor debug

debug crypto isakmp 7


This is a working ipsec VPN between x2 PIX's one site on 192.6.12.0/24 and site 2 192.168.5.0/24. Hosts are happily pinging each other over the VPN, but there is nothing appearing on the telnet session. (same goes for debug crypto ipsec as well). (NB I want to see the working debug output before I change some config). Nada, nowt is there. Has something changed - do you have to have a syslog server now?


Any help appreciated.


Thanks


Dan


ggilbert Wed, 07/11/2007 - 07:53
User Badges: Cisco Employee

Dan,


If you are using telnet to access the PIX, and if you have logging enabled, I would check a couple of things.


enable "term mon"


Also make sure that "logging debug-trace" is disabled. If it is enabled, all the debugs will be sent to the syslog server.


Let me know if this helps.


Thanks

Gilbert

dcooke@fwcommer... Wed, 07/11/2007 - 08:24

Thanks ggilbert


I had "logging debug-trace" disabled. I had tried "term mon" - but unfortunately it dumps everything on the screen - not just the isakmp info - so it's impossible to use really.


I would just be happy if I could get the debugs like it used to do under v6!


If it is no longer possible - is there a way that I can see just isakmp and ipsec debugs to a syslog without all the usual debug bumf getting in the way?


Thanks


Dan

ggilbert Wed, 07/11/2007 - 08:29
User Badges: Cisco Employee

Dan,


do "no logg mon debug"


and just enable the debugs & do "term mon"


You should be able to see just the debug messages on the screen for that session of telnet.


Thanks

Gilbert

dcooke@fwcommer... Wed, 07/11/2007 - 09:23

Gilbert


Thanks, but unfortunately I don't get any output with the above.


Anyway! An update trying to debug the isakmp on the PIX the other side with above config:


logging enabled

logging monitor debug

debug crypto isakmp 7


worked fine (it has many more vpn tunnels! Going back to the pix the other side the same config produced no output). This is when I sent "interesting" traffic down the one tunnel it has (I seem to remember that it would show debug output for all traffic?). However, a cl crypto isakmp sa forced the tunnel to renegotiate and then I got some debug output.


Sorry, no doubt it was my fault all along! I was just expecting more output than it wanted to give me!


Thanks


Dan


dcooke@fwcommer... Wed, 07/11/2007 - 09:26

Thanks for your help Gilbert. We got there in the end! I was going to mark the thread answered. Shall I just do it on any of your posts?


Dan

Correct Answer
ggilbert Wed, 07/11/2007 - 14:33
User Badges: Cisco Employee

Yes - you can do that.


Glad you got it to work. If this post helped you, please rate it.


Thanks

Gilbert
