how to isolate debug of vpn on ASA

mjsully
Level 1

I've got an ASA that has over 50 IPSEC tunnels on it. It's running version 7.24 code. Is there a way I can turn on debugging and just look at messages as they pertain to one particular tunnel? I'd like to be able to troubleshoot a particular VPN if it does not come up, and debug isakmp and ipsec on it. I don't want to debug globally out of fear I might crash it, and also it's a pain to have to filter through all the other active tunnels that I am not looking to see.

3 Replies

Ivan Martinon
Level 7

Unfortunately, ASA 7.2 has no option to condition the IPsec debugging as ASA 8.0 does, but you can send your debugs to a syslog and search or sort these by the IP address affected. You can do this with the command "logging debug-trace"; this will start sending the debugs to your configured syslog.

pstebner10
Level 1

You can set filters on your debugging, so that you only see messages from one particular tunnel:

debug crypto condition group

or by peer address:

debug crypto condition peer www.xxx.yyy.zzz

and then enable debugging.

HTH,

Paul

Sorry - that works on 8.x code - I didn't realize it didn't on 7.x

paul