01-30-2009 10:21 AM
I've got an ASA that has over 50 IPSEC tunnels on it. It's running version 7.24 code. Is there a way I can turn on debugging and just look at messages as it pertains to one particular tunnel? I'd like to be able to troubleshoot a particular VPN if it does not come up, and debug isakmp and ipsec on it. I don't want to debug globally out of fear I might crash it, and also it's a pain to have to filter through all the other active tunnels that I am not looking to see.
01-30-2009 01:57 PM
Unfortunately ASA 7.2 has no option to condition the IPsec debugging as ASA 8.0 does, but you can send your debugs to a syslog server and search or sort them by the IP address affected. You can do this with the command "logging debug-trace"; this will start sending the debugs to your configured syslog server.
01-30-2009 02:10 PM
You can set filters on your debugging, so that you only see messages from one particular tunnel:
debug crypto condition group
or by peer address:
debug crypto condition peer www.xxx.yyy.zzz
and then enable debugging.
HTH,
Paul
01-30-2009 02:11 PM
Sorry - that works on 8.x code - I didn't realize it didn't on 7.x.
paul
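Since the thread ends with "send the debugs to syslog and sort by IP" as the only option on 7.2, here is an added example (not from the thread or from Cisco) of the sorting step: a small Python filter that keeps only the debug-trace syslog records (message ID 711001, which is what "logging debug-trace" wraps debug output in) and narrows them to one peer, so you get roughly what "debug crypto condition peer" gives you on 8.x. The syslog lines below are constructed samples, the peer and interface addresses are documentation ranges, and the timestamp layout assumes the ASA is configured to stamp its messages; adjust SYSLOG_RE if your collector prefixes lines differently.

```python
import re
from collections import defaultdict

# Constructed sample of ASA syslog lines (not a real capture). With
# "logging debug-trace" enabled, debug output arrives as %ASA-7-711001
# records; ordinary syslogs such as 302013 are interleaved with them.
SAMPLE_SYSLOG = """\
Jan 30 2009 10:21:05 asa1 : %ASA-7-711001: IKE Receiver: Packet received on 198.51.100.1:500 from 203.0.113.10:500
Jan 30 2009 10:21:05 asa1 : %ASA-7-711001: Group = 203.0.113.10, IP = 203.0.113.10, Oakley proposal is acceptable
Jan 30 2009 10:21:06 asa1 : %ASA-7-711001: IKE Receiver: Packet received on 198.51.100.1:500 from 203.0.113.20:500
Jan 30 2009 10:21:06 asa1 : %ASA-7-711001: Group = 203.0.113.20, IP = 203.0.113.20, PHASE 1 COMPLETED
Jan 30 2009 10:21:07 asa1 : %ASA-7-711001: Group = 203.0.113.10, IP = 203.0.113.10, QM FSM error (P2 struct &0x0, mess id 0x0)!
Jan 30 2009 10:21:07 asa1 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/4433 (203.0.113.10/4433) to inside:10.0.0.5/443 (10.0.0.5/443)
"""

# Assumed line layout: "<Mon DD YYYY hh:mm:ss> <host> : %ASA-<sev>-<id>: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DEBUG_TRACE_ID = "711001"  # syslog ID used for debug output under "logging debug-trace"


def parse_debug_trace(text):
    """Return the debug-trace (711001) records as dicts; skip every other syslog."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m and m.group("id") == DEBUG_TRACE_ID:
            records.append({"ts": m.group("ts"), "msg": m.group("msg")})
    return records


def filter_by_peer(text, peer):
    """Debug-trace messages that mention the given peer address (the 8.x
    'debug crypto condition peer' view, rebuilt from syslog)."""
    return [r["msg"] for r in parse_debug_trace(text)
            if peer in IPV4_RE.findall(r["msg"])]


def messages_per_peer(text, local_addrs=frozenset()):
    """Count debug-trace messages per address so the chatty tunnel stands out.
    Pass the ASA's own interface addresses in local_addrs to keep them out."""
    counts = defaultdict(int)
    for r in parse_debug_trace(text):
        for addr in set(IPV4_RE.findall(r["msg"])) - set(local_addrs):
            counts[addr] += 1
    return dict(counts)


if __name__ == "__main__":
    # Usage: narrow 50 tunnels' worth of debug noise down to one peer.
    for msg in filter_by_peer(SAMPLE_SYSLOG, "203.0.113.10"):
        print(msg)
    print(messages_per_peer(SAMPLE_SYSLOG, local_addrs={"198.51.100.1"}))
```

In practice you would feed it the syslog file written by your collector (the ASA needs "logging host" pointing at it and "logging trap debugging" for severity-7 messages to be sent) rather than the embedded sample, and the per-peer counts are a quick way to spot a tunnel that is looping through phase 1 without ever completing.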