debug crypto isakmp output - changed on pix v7?

dcooke
Level 1

Am trying to debug a VPN on a PIX upgraded to 7.2(2) and am having no joy with debug output. (am using telnet)

Config entered (always worked before!):

logging enabled

logging monitor debug

debug crypto isakmp 7

This is a working ipsec VPN between x2 PIX's, one site on 192.6.12.0/24 and site 2 192.168.5.0/24. Hosts are happily pinging each other over the VPN, but there is nothing appearing on the telnet session. (same goes for debug crypto ipsec as well). (NB I want to see the working debug output before I change some config). Nada, nowt is there. Has something changed - do you have to have a syslog server now?

Any help appreciated.

Thanks

Dan

ggilbert
Cisco Employee

Dan,

If you are using telnet to access the PIX, and if you have logging enabled, I would check a couple of things.

enable "term mon"

Also make sure that "logging debug-trace" is disabled. If it is enabled, all the debugs will be sent to the syslog server.

Let me know if this helps.

Thanks

Gilbert

Thanks ggilbert

I had "logging debug-trace" disabled. I had tried "term mon" - but unfortunately it dumps everything on the screen - not just the isakmp info - so it's impossible to use really.

I would just be happy if I could get the debugs like it used to do under v6!

If it is no longer possible - is there a way that I can see just isakmp and ipsec debugs to a syslog without all the usual debug bumf getting in the way?

Thanks

Dan

Dan,

do "no logg mon debug"

and just enable the debugs & do "term mon"

You should be able to see just the debug messages on the screen for that session of telnet.

Thanks

Gilbert

Gilbert

Thanks, but unfortunately I don't get any output with the above.

Anyway! An update trying to debug the isakmp on the PIX the other side with above config:

logging enabled

logging monitor debug

debug crypto isakmp 7

worked fine (it has many more vpn tunnels! Going back to the pix the other side the same config produced no output). This is when I sent "interesting" traffic down the one tunnel it has (I seem to remember that it would show debug output for all traffic?). However, a cl crypto isakmp sa forced the tunnel to renegotiate and then I got some debug output.

Sorry, no doubt it was my fault all along! I was just expecting more output than it wanted to give me!

Thanks

Dan

Thanks for your help Gilbert. We got there in the end! I was going to mark the thread answered. Shall I just do it on any of your posts?

Dan

Yes - you can do that.

Glad you got it to work. If this post helped you, please rate it.

Thanks

Gilbert
