06-21-2008 06:43 PM
I have noticed that sometimes when debugging VPN tunnels using (I have seen this on both PIX 5xx and ASA 5510)
debug cry isakmp
debug cry ipsec
that sometimes when sending traffic that should trigger the tunnel initiation, I see nothing in the debug and other times I do.
Even when the tunnel gets established and I know phase 1 and phase 2 successfully completed.
Is there something I am missing?
Also,
If I want to put a monitor session on the outside interface of the ASA to capture traffic to and from the tunnel peer end,
would I filter the monitor to capture the tunnel's secure LAN endpoint, or the peer endpoint, or would I see traffic from both of these subnets on the remote end?
06-22-2008 04:54 AM
Hi,
The reason for this is that if you only use debug cry isakmp, it will be a "debug cry isakmp 1".
In some of the newer versions (I believe the first was 7.x) you get 1-255 debug options.
So here is what will solve it:
debug cry isakmp 200
debug cry ipsec 200
If you want binary debug (hex) use 255; normally 200 is plenty.
:-)
/Soren
PS. Please rate...
06-22-2008 05:50 AM
Thanks,
I will give it a try
06-23-2008 09:37 AM
That worked, but what is the significance of the 200?
And how can I debug a particular tunnel phase 1 or 2?
06-24-2008 12:31 AM
Hi,
The number is only a debug level, but 200 is much info but not hex. I have not been able to find a description of the different levels.
The debug crypto isakmp 200 (Phase I)
The debug crypto ipsec 200 (Phase II)
To debug a specific VPN session you cannot, sorry. This is only a show option per peer.
If you only need phase I debug, 90% of the time normally I only use the isakmp.
I hope this helps you.
PS. The number is in many other debugs too. :-)
/Soren
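As an added illustration, not part of any reply in this thread: the leveled debug commands from Soren's answer next to an ASA packet capture on the outside interface, with constructed placeholder addresses (203.0.113.10 for the ASA outside interface, 198.51.100.20 for the remote peer). It covers the capture question from the first post: LAN-to-LAN traffic crosses the outside interface encapsulated in ESP between the two gateway addresses, so the filter matches that pair rather than the protected subnets.

```text
! Added example, not from the thread. Placeholder addresses (constructed):
!   203.0.113.10  = ASA outside interface
!   198.51.100.20 = remote VPN peer
!
! "debug crypto isakmp" with no level is level 1; set the level explicitly.
debug crypto isakmp 200
debug crypto ipsec 200
!
! Capture on the outside interface. The protected-LAN addresses do not appear
! here in clear text; the tunneled packets cross this interface as ESP (or
! UDP 4500 with NAT-T) between the two gateways, so match on the gateway pair.
! The match clause is applied in both directions.
capture vpnpeer interface outside match ip host 203.0.113.10 host 198.51.100.20
!
! Send traffic that should bring the tunnel up, then inspect what was seen.
show capture vpnpeer
!
! Clean up when finished; high-level debug left running adds load on a busy box.
no debug all
no capture vpnpeer
```

If the capture shows ISAKMP (UDP 500) but no ESP, phase 1 negotiated and phase 2 or the crypto ACL is the place to look; if it shows nothing at all, the interesting traffic never matched the crypto map on this ASA.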