debug crypto isakmp output - changed on pix v7?

dcooke
Level 1

Am trying to debug a VPN on a PIX upgraded to 7.2(2) and am having no joy with debug output. (am using telnet)

Config entered (always worked before!):

logging enabled

logging monitor debug

debug crypto isakmp 7

This is a working ipsec VPN between x2 PIX's, one site on 192.6.12.0/24 and site 2 192.168.5.0/24. Hosts are happily pinging each other over the VPN, but there is nothing appearing on the telnet session. (same goes for debug crypto ipsec as well). (NB I want to see the working debug output before I change some config). Nada, nowt is there. Has something changed - do you have to have a syslog server now?

Any help appreciated.

Thanks

Dan

6 Replies

ggilbert
Cisco Employee

Dan,

If you are using telnet to access the PIX, and if you have logging enabled, I would check a couple of things.

enable "term mon"

Also make sure that "logging debug-trace" is disabled. If it is enabled, all the debugs will be sent to the syslog server.

Let me know if this helps.

Thanks

Gilbert

Thanks ggilbert

I had "logging debug-trace" disabled. I had tried "term mon" - but unfortunately it dumps everything on the screen - not just the isakmp info - so it's impossible to use really.

I would just be happy if I could get the debugs like it used to do under v6!

If it is no longer possible - is there a way that I can see just isakmp and ipsec debugs to a syslog without all the usual debug bumf getting in the way?

Thanks

Dan

Dan,

do "no logg mon debug"

and just enable the debugs & do "term mon"

You should be able to see just the debug messages on the screen for that session of telnet.

Thanks

Gilbert

Gilbert

Thanks, but unfortunately I don't get any output with the above.

Anyway! An update trying to debug the isakmp on the PIX the other side with above config:

logging enabled

logging monitor debug

debug crypto isakmp 7

worked fine (it has many more vpn tunnels! Going back to the pix the other side the same config produced no output). This is when I sent "interesting" traffic down the one tunnel it has (I seem to remember that it would show debug output for all traffic?). However, a cl crypto isakmp sa forced the tunnel to renegotiate and then I got some debug output.

Sorry, no doubt it was my fault all along! I was just expecting more output than it wanted to give me!

Thanks

Dan

Thanks for your help Gilbert. We got there in the end! I was going to mark the thread answered. Shall I just do it on any of your posts?

Dan

Yes - you can do that.

Glad you got it to work. If this post helped you, please rate it.

Thanks

Gilbert
