New Member

debug crypto isakmp output - changed on pix v7?

Am trying to debug a VPN on a PIX upgraded to 7.2(2) and am having no joy with debug output. (am using telnet)

Config entered (always worked before!):

logging enabled

logging monitor debug

debug crypto isakmp 7

This is a working ipsec VPN between x2 PIX's, one site on 192.6.12.0/24 and site 2 192.168.5.0/24. Hosts are happily pinging each other over the VPN, but there is nothing appearing on the telnet session (same goes for debug crypto ipsec as well). (NB I want to see the working debug output before I change some config). Nada, nowt is there. Has something changed - do you have to have a syslog server now?

Any help appreciated.

Thanks

Dan

6 REPLIES
Cisco Employee

Re: debug crypto isakmp output - changed on pix v7?

Dan,

If you are using telnet to access the PIX, and if you have logging enabled, I would check a couple of things.

enable "term mon"

Also make sure that "logging debug-trace" is disabled. If it is enabled, all the debugs will be sent to the syslog server.

Let me know if this helps.

Thanks

Gilbert

New Member

Re: debug crypto isakmp output - changed on pix v7?

Thanks ggilbert

I had "logging debug-trace" disabled. I had tried "term mon" - but unfortunately it dumps everything on the screen - not just the isakmp info - so it's impossible to use really.

I would just be happy if I could get the debugs like it used to do under v6!

If it is no longer possible - is there a way that I can see just isakmp and ipsec debugs to a syslog without all the usual debug bumf getting in the way?

Thanks

Dan

Cisco Employee

Re: debug crypto isakmp output - changed on pix v7?

Dan,

do "no logg mon debug"

and just enable the debugs & do "term mon"

You should be able to see just the debug messages on the screen for that session of telnet.

Thanks

Gilbert

New Member

Re: debug crypto isakmp output - changed on pix v7?

Gilbert

Thanks, but unfortunately I don't get any output with the above.

Anyway! An update trying to debug the isakmp on the PIX the other side with above config:

logging enabled

logging monitor debug

debug crypto isakmp 7

worked fine (it has many more vpn tunnels!). Going back to the pix the other side, the same config produced no output. This is when I sent "interesting" traffic down the one tunnel it has (I seem to remember that it would show debug output for all traffic?). However, a cl crypto isakmp sa forced the tunnel to renegotiate and then I got some debug output.

Sorry, no doubt it was my fault all along! I was just expecting more output than it wanted to give me!

Thanks

Dan

New Member

Re: debug crypto isakmp output - changed on pix v7?

Thanks for your help Gilbert. We got there in the end! I was going to mark the thread answered. Shall I just do it on any of your posts?

Dan

Cisco Employee

Re: debug crypto isakmp output - changed on pix v7?

Yes - you can do that.

Glad you got it to work. If this post helped you, please rate it.

Thanks

Gilbert
