vpn tunnel troubleshooting question

Unanswered Question
Jun 21st, 2008
User Badges:

I have notice that sometines when debugging VPN tunnels using (I have seen this on both PIX5xx and ASA 5510)

debug cry isakmp

debug cry ipsec

That sometimes when sending traffic that should trigger the tunnel initiation, I see nothing in the debug and other times I do.

Even when the tunnel gets established and I know phase 1 and phase 2 successfully completed)

Is there something I am missing?


If I want to put a monitor session on the outside interface of the ASA to capture traffic to and from the tunnel peer end,

would I filter the monitor to capture the tunnel secure LAN endpoint, or the peer endpoint, or would I see traffic from both of these subnets on the remote end?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
knudsen-s Sun, 06/22/2008 - 04:54
User Badges:


The reason to this is that if you only use debug cry isakmp , it will be a "debug cry isakmp 1".

In som of the newer versions i beleave the first was 7.x you got a 1-255 debug options.

So here is was will solve it:

debug cry isakmp 200

debug cry ipsec 200

is you whant binary debug (hex) use 255, normaly 200 is plenty.



PS. Please rate...

wilson_1234_2 Mon, 06/23/2008 - 09:37
User Badges:

That worked, but what is the sifnificance of the 200?

And how can I debug a particular tunnel phae 1 or 2?

knudsen-s Tue, 06/24/2008 - 00:31
User Badges:


The number is only a debug level, but 200 is mutch info but not hex. I have not been able to finde a description on the differet levels.

The debug crypto isakmp 200 (Phase I)

The debug crypto ipsec 200 (PhanseII)

To debug a specific VPN session you can not, sorry. This in only on show option peer .

If you only need phase I debug 90% of the time normaly. I only use the isakmp.

I hope this helps you.

PS. The number is in many other debugs too. :-)



This Discussion