Cisco Support Community

vpn concentrator filter debugging?

I have a vpn client that is able to do their work with the Private (Default) filter enabled, but not the Public (Default) filter.

I've copied the Public filter to a new one, and expect to see 'denied' type messages in the event log. I intended to watch the denied messages and selectively add rules so the minimum necessary was permitted.

However, I can't seem to see any such messages - how do I do so?

I've turned on all messages, all classes, all severities, and the public address of the client. The last things I see are phase 2 complete, then nothing. When I use the private assigned address, I get nothing at all in the log.

How do I drill down, on the 3030, to what would be 'info' messages visible via logged access lists on a router?


Re: vpn concentrator filter debugging?


First off, if you want to granularize access for your VPN clients, you should use filters on IPSec groups (or on the L2L for site-to-site VPNs) rather than on the interface. If you do want to restrict traffic "to" your concentrator box, you have to make sure that you at least permit IKE/IPSec (ESP) for IPSec clients/L2L, etc.

The FILTERDBG event class has to be turned on with a high severity level, along with a (forward/log or drop/log) action, to see each packet matching the rules you have on the VPN3K interface (Public or Private). Keep in mind that it will generate a lot of events and CPU usage.

When you create such a filter, Inbound means into the VPN3K, and Outbound means traffic "leaving" the VPN3K, so in essence the concentrator is the frame of reference.
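A constructed Python model of the filter logic the reply describes, added here as an illustration (it is not the concentrator's implementation; the rule names, sample traffic and log text are made up, not the real FILTERDBG format). It shows why only rules with a */log action produce events, and why a public-interface filter must pass IKE and ESP for the client to get anywhere at all.

```python
# Constructed toy model of a VPN 3000 interface filter. Frame of reference is the
# concentrator: "inbound" = into the box, "outbound" = leaving it. Actions mirror
# the reply: forward, forward/log, drop, drop/log. Log text here is made up, not
# the real FILTERDBG event format.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str                 # "inbound" or "outbound"
    proto: str                     # "udp", "tcp" or "esp"
    dst_port: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    proto: str
    dst_port: Optional[int]        # None matches any destination port
    action: str                    # "forward", "forward/log", "drop", "drop/log"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.dst_port in (None, pkt.dst_port))

def apply_filter(rules: List[Rule], packets: List[Packet],
                 default_action: str = "drop/log") -> Tuple[List[str], List[str]]:
    """First matching rule wins; unmatched packets get default_action.
    Returns (verdict per packet, log events emitted by the */log actions)."""
    verdicts, events = [], []
    for pkt in packets:
        rule = next((r for r in rules if r.matches(pkt)), None)
        action = rule.action if rule else default_action
        verdict = "forward" if action.startswith("forward") else "drop"
        verdicts.append(verdict)
        if action.endswith("/log"):   # only */log actions show up in the event log
            port = f"/{pkt.dst_port}" if pkt.dst_port is not None else ""
            events.append(f"{verdict.upper()} {rule.name if rule else 'default'} "
                          f"{pkt.direction} {pkt.proto}{port}")
    return verdicts, events

# Constructed public-interface rules: just what IPsec clients need to reach the box.
PUBLIC_RULES = [Rule("IKE-In", "inbound", "udp", 500, "forward/log"),
                Rule("NAT-T-In", "inbound", "udp", 4500, "forward/log"),
                Rule("ESP-In", "inbound", "esp", None, "forward")]

# Constructed traffic: a client's IKE and ESP plus a stray telnet attempt at the box.
SAMPLE_PACKETS = [Packet("inbound", "udp", 500), Packet("inbound", "esp"),
                  Packet("inbound", "tcp", 23)]
```

Note that the ESP packet is forwarded but never logged, because its rule has a plain forward action; to see it in the event log the rule must use forward/log, which is the point the reply makes about FILTERDBG.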
