Useful debug commands for VPN issues?

Feb 2nd, 2010


I'm trying to set up a VPN to another company, but I'm having no luck.  We both think we are using the correct information for phase 1 and 2.  I'm using an ASA 5520 and wondered what commands would be useful for me to debug phase 1 and/or phase 2 of the VPN?


pudawat Tue, 02/02/2010 - 15:58

Hi Andy,

These are the commands to enable debugs on the ASA:

debug crypto isakmp <1-250> <--level of debug

debug crypto ipsec <1-250>



Patrick0711 Tue, 02/02/2010 - 19:31

Unlike PIX 6.x and below firmware, you don't actually need to enable ipsec debugging.  The ASA debugs are MUCH more informative...

'debug crypto isakmp 254' will provide you with packet-by-packet debugging of both Phase 1 and Phase 2 negotiations

If you want a little less, try debug level 7.

I have yet to run into an IPSEC VPN issue that I was not able to completely and effectively troubleshoot using only this command.

debug crypto ipsec #  provides very little (if any) additional information

Andy White Wed, 02/03/2010 - 02:04

Thanks, I'm trying debug crypto isakmp 254 and debug crypto isakmp 7, but so much info comes in I can't filter out the VPN I need, any recommendations around this?
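
One way to cut captured debug output down to a single tunnel, as an added example that is not part of the original thread: it keeps only the messages tagged with one peer address, plus the untagged continuation lines (such as packet dumps) that follow them. It assumes the debug output was saved to a text file and that each message header carries an "IP = <peer>" tag; the sample lines and addresses below are constructed.

```python
import re
from collections import Counter

# Assumed header shape (not taken from the thread):
#   "<timestamp> [IKEv1 ...]: [Group = x, ]IP = a.b.c.d, message"
PEER_TAG = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})(?!\d)")

# Constructed sample of debug output with two peers interleaved.
SAMPLE = """\
Feb 03 02:04:11 [IKEv1 DEBUG]: IP = 203.0.113.10, processing SA payload
Feb 03 02:04:11 [IKEv1]: IP = 198.51.100.7, IKE_DECODE RECEIVED Message (msgid=0)
0000: 0a 0b 0c 0d
Feb 03 02:04:12 [IKEv1 DEBUG]: IP = 203.0.113.10, processing VID payload
0000: 01 02 03 04
0010: 05 06 07 08
Feb 03 02:04:12 [IKEv1]: Group = 198.51.100.7, IP = 198.51.100.7, PHASE 1 COMPLETED
"""


def filter_peer(text, peer):
    """Return the lines that belong to `peer`, including continuation lines."""
    kept, keep = [], False
    for line in text.splitlines():
        m = PEER_TAG.search(line)
        if m:
            # A tagged header starts a new message; compare the whole address
            # so 203.0.113.1 does not match 203.0.113.10.
            keep = m.group(1) == peer
        # Untagged lines (hex dumps, payload details) inherit the decision
        # made for the most recent header.
        if keep:
            kept.append(line)
    return kept


def peers_seen(text):
    """Count tagged messages per peer, to spot which tunnels are the noisy ones."""
    return Counter(
        m.group(1) for line in text.splitlines() if (m := PEER_TAG.search(line))
    )


if __name__ == "__main__":
    print(peers_seen(SAMPLE))
    print("\n".join(filter_peer(SAMPLE, "203.0.113.10")))
```
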


