how to isolate debug of vpn on ASA

Jan 30th, 2009

I've got an ASA that has over 50 IPsec tunnels on it. It's running version 7.24 code. Is there a way I can turn on debugging and just look at messages as they pertain to one particular tunnel? I'd like to be able to troubleshoot a particular VPN if it does not come up, and debug isakmp and ipsec on it. I don't want to debug globally out of fear I might crash it, and also it's a pain to have to filter through all the other active tunnels that I am not looking to see.

Ivan Martinon (Cisco Employee) Fri, 01/30/2009 - 13:57

Unfortunately ASA 7.2 has no option to condition the IPsec debugging as ASA 8.0 does, but you can send your debugs to a syslog server and search or sort them by the IP address affected. You can do this with the command "logging debug-trace", which will start sending the debugs to your configured syslog server.
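
Once the debugs land on a syslog server you still have one interleaved stream from all 50 tunnels. The script below is an added example for this thread (not Cisco code and not from either poster) that splits that stream per peer. It assumes the ASA has "logging debug-trace" configured so debug output arrives as message ID 711001 while ordinary IKE/IPsec syslogs keep their own IDs (713xxx, 602xxx); the sample log lines are constructed for the example. Two details matter in practice: the peer address is matched as a whole token, so 203.0.113.10 does not also pull in 203.0.113.100, and debug continuation lines that carry no address at all are attributed to the peer of the preceding addressed line, which is a heuristic because the ASA interleaves negotiations.

```python
"""Split ASA debug/syslog output per IPsec peer.

Added example for this thread, not Cisco code and not from the original
posts.  Assumes "logging debug-trace" on the ASA, so debug output reaches
the syslog server as message ID 711001; regular IKE/IPsec syslogs keep
their own IDs (713xxx, 602xxx).
"""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the shape of what a syslog server receives.  These
# lines are made up for the example; the addresses are documentation ranges.
SAMPLE_SYSLOG = """\
Jan 30 13:57:01 asa1 %ASA-7-711001: [IKEv1]: IP = 203.0.113.10, IKE Initiator: New Phase 1, Intf outside, IKE Peer 203.0.113.10  local Proxy Address 10.1.1.0, remote Proxy Address 10.2.2.0,  Crypto map (outside_map)
Jan 30 13:57:01 asa1 %ASA-7-711001: [IKEv1 DEBUG]: IP = 203.0.113.10, constructing ISAKMP SA payload
Jan 30 13:57:01 asa1 %ASA-7-711001: [IKEv1 DEBUG]: IP = 203.0.113.100, processing SA payload
Jan 30 13:57:02 asa1 %ASA-7-711001: [IKEv1]: IP = 203.0.113.10, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 164
Jan 30 13:57:02 asa1 %ASA-7-711001: [IKEv1 DEBUG]: processing ke payload
Jan 30 13:57:02 asa1 %ASA-7-711001: [IKEv1]: Group = 198.51.100.7, IP = 198.51.100.7, Removing peer from peer table failed, no match!
Jan 30 13:57:03 asa1 %ASA-3-713902: Group = 203.0.113.10, IP = 203.0.113.10, Removing peer from correlator table failed, no match!
Jan 30 13:57:03 asa1 %ASA-7-711001: [IKEv1]: IP = 203.0.113.10, Received encrypted packet with no matching SA, dropping
"""

# IPv4 address as a whole token: 203.0.113.10 must not match inside 203.0.113.100.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# The "IP = x.x.x.x" field the ASA prefixes to IKE messages names the peer.
PEER_FIELD_RE = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})\b")
MSGID_RE = re.compile(r"%ASA-\d-(\d{6}):")


def peer_of(line):
    """Return the peer address a line talks about, or None if it names no address."""
    m = PEER_FIELD_RE.search(line)
    if m:
        return m.group(1)
    ips = IPV4_RE.findall(line)
    return ips[0] if ips else None


def group_by_peer(lines, attach_orphans=True):
    """Bucket log lines by peer address.

    Debug continuation lines (e.g. "processing ke payload") carry no address.
    With attach_orphans they are attributed to the peer of the preceding
    addressed line; this is a heuristic, since the ASA interleaves
    negotiations and an orphan line can belong to another tunnel.  Lines that
    cannot be attributed at all are returned under the key None.
    """
    groups = defaultdict(list)
    last_peer = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        peer = peer_of(line)
        if peer is None and attach_orphans:
            peer = last_peer
        groups[peer].append(line)
        if peer is not None:
            last_peer = peer
    return dict(groups)


def filter_peer(lines, peer, attach_orphans=True):
    """Return only the lines for one peer: the single-tunnel view the question asks for."""
    return group_by_peer(lines, attach_orphans).get(peer, [])


def count_message_ids(lines):
    """Count ASA message IDs, to spot error syslogs (713xxx/602xxx) among the 711001 debug lines."""
    return dict(Counter(m.group(1) for m in map(MSGID_RE.search, lines) if m))


if __name__ == "__main__":
    # Usage: python asa_peer_filter.py 203.0.113.10 syslog.txt
    # Without a file argument the constructed sample above is used.
    target = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_SYSLOG.splitlines()
    selected = filter_peer(lines, target)
    print("\n".join(selected))
    print("message IDs:", count_message_ids(selected))
```

Two caveats when using this route on 7.2: the syslog host has to accept level 7 ("logging trap debugging") or the 711001 lines never leave the box, and "logging debug-trace" only changes where the output goes. The debug itself still runs for every peer, so it does nothing for the load concern in the question; keep the debug window short and finish with "undebug all".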

pstebner10 Fri, 01/30/2009 - 14:10

You can set filters on your debugging so that you only see messages from one particular tunnel:

debug crypto condition group

or by peer address:

debug crypto condition peer

and then enable debugging.



pstebner10 Fri, 01/30/2009 - 14:11

Sorry, that works on 8.x code; I didn't realize it didn't on 7.x.
