Cisco Support Community
Understanding the debug crypto vpnclient on PIX 6.x (EZ VPN server)

Purpose

The debug crypto vpnclient Command

For 6.x PIXs configured as Easy VPN Remotes, you can use the debug crypto vpnclient command to troubleshoot client-specific configuration and connection setup issues. The example below illustrates the use of this command, where the Remote is using network extension mode. Below the example, I explain the numbered references found in the output.

Establishing a Remote Access Connection from an Easy VPN Remote Running 6.3
VPNC CFG: transform set unconfig attempt done                     (1)
VPNC CLI: no isakmp keepalive 10 5
VPNC CLI: no isakmp nat-traversal 20
VPNC CFG: IKE unconfig successful
VPNC CLI: no crypto map _vpnc_cm
VPNC CFG: crypto map deletion attempt done
VPNC CFG: crypto unconfig successful
VPNC CLI: no global (outside) 65001
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CLI: no http 192.168.3.1 255.255.255.0 inside
VPNC CLI: no http server enable
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CFG: crypto map de/attach failed
VPNC CFG: transform sets configured                               (2)
VPNC CFG: crypto config successful
VPNC CLI: isakmp keepalive 10 5
VPNC CLI: isakmp nat-traversal 20
VPNC CFG: IKE config successful
VPNC CLI: http 192.168.3.1 255.255.255.0 inside
VPNC CLI: http server enable
VPNC CLI: aaa-server _vpnc_nwp_server protocol tacacs+
VPNC CLI: aaa-server _vpnc_nwp_server (outside) host 192.1.1.100
VPNC CLI: access-list _vpnc_nwp_acl permit ip any any
VPNC CLI: aaa authentication match _vpnc_nwp_acl outbound _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_acl
VPNC CFG: ACL deletion attempt failed
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101        (3)
    host 192.1.1.100
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPNC INF: IKE trigger request done                                (4)
VPNC INF: Constructing policy download req
VPNC INF: Packing attributes for policy request
VPNC INF: Attributes being requested
VPNC ATT: INTERNAL_IP4_DNS: 4.2.2.1
VPNC ATT: ALT_PFS: 0
VPNC INF: Received application version 'Cisco Systems, Inc        (5)
    PIX-515 Version 7.0(1) built by builders on
    Thu 31-Mar-05 14:37'
VPNC ATT: ALT_CFG_SEC_UNIT: 0
VPNC ATT: ALT_CFG_USER_AUTH: 0
VPNC CLI: no aaa authentication match _vpnc_nwp_acl outbound _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_nwp_acl permit ip any any
VPNC CLI: no aaa-server _vpnc_nwp_server
VPNC CLI: no access-list _vpnc_acl
VPNC CLI: access-list _vpnc_acl permit ip                         (6)
    192.168.3.0 255.255.255.0 any
VPNC CLI: access-list _vpnc_acl permit ip
    host 192.1.1.101 any
VPNC CLI: access-list _vpnc_acl permit ip
    host 192.1.1.101 host 192.1.1.100
VPNC CFG: _vpnc_acl no ST define done
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC CLI: no crypto map _vpnc_cm interface outside
VPNC CLI: crypto map _vpnc_cm interface outside
VPNC CLI: no global (outside) 65001                               (7)
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CLI: nat (inside) 0 access-list _vpnc_acl
VPNC INF: IKE trigger request done                                (8)
<output omitted>

1. This is the first time the VPN Remote functionality was enabled on the PIX, so the PIX first removes any VPN commands that could conflict with the ones it is about to generate. Because nothing has been configured yet, the "attempt failed" messages for the nat, ACL and crypto map removals are expected and harmless.

2. After attempting to remove all VPN-related commands, the Remote configures the commands it needs: the transform sets and crypto map, ISAKMP keepalives and NAT traversal, and HTTP management access from the inside network.

3. An ACL (_vpnc_acl) is built to allow communications between this PIX (192.1.1.101) and the Easy VPN Server (192.1.1.100), and it is bound to the _vpnc_cm crypto map applied to the outside interface.

4. The PIX Remote initiates its IKE connection to the Server and requests its policy from the Server (the attributes listed under "Attributes being requested").

5. The Server identifies itself as a PIX 515 running FOS 7.0(1).

6. Based on the split tunneling policy passed to it by the Server, the Remote PIX rebuilds the _vpnc_acl crypto ACL. Here it matches all traffic from the inside network (192.168.3.0/24) and from the Remote's own outside address, so no split tunneling is in effect and everything is sent through the tunnel.

7. Based on the same policy, the matching address translation policy is configured: nat (inside) 0 access-list _vpnc_acl exempts the traffic protected by the crypto ACL from translation.

8. The tunnel is now established to the Server.

Tip

Unfortunately, the debug crypto vpnclient command is not that useful for troubleshooting the setup of an IPsec session. If something is misconfigured on the Remote or Server, you'll see output like the example above repeated over and over; however, as you'll notice in that output, nothing indicates what the problem is. In this example, the Remote was configured for network extension mode, but the group on the Server didn't have this policy defined. The debug crypto isakmp command on the Server does report the reason; you would see a message like this: "[IKEv1]: Group = salesgroup, Username = salesuser, IP = 192.1.1.101, Hardware Client connection rejected! Network Extension Mode is not allowed for this group!" Unfortunately, the output of the same command on a 6.3 Remote isn't as verbose, making it difficult, if not impossible, to troubleshoot this problem from the Remote end using the debug crypto vpnclient command.
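Because the Remote-side debug says nothing about why a tunnel fails, the one thing you can get out of it mechanically is the state it reached and whether it is looping. The following parser is an added example written for this page, not Cisco code or part of the original post. It reads debug crypto vpnclient lines into events, pulls out the generated CLI commands, the CFG steps that reported "failed", the requested attributes, the Server's version string and the number of configuration cycles, and flags a repeated cycle as the retry symptom described in the Tip. The SAMPLE text is constructed from a subset of the lines in the example above, with a continuation line and the start of a second cycle added to exercise those paths.

```python
import re

# Constructed sample: a subset of the debug crypto vpnclient lines from the
# example on this page, plus one wrapped CLI line (as the page prints them)
# and the start of a second configuration cycle so the "repeated over and
# over" symptom from the Tip can be detected.
SAMPLE = """\
VPNC CFG: transform set unconfig attempt done
VPNC CLI: no isakmp keepalive 10 5
VPNC CFG: IKE unconfig successful
VPNC CLI: no nat (inside) 0 access-list _vpnc_acl
VPNC CFG: nat unconfig attempt failed
VPNC CFG: transform sets configured
VPNC CFG: crypto config successful
VPNC CLI: aaa authentication match _vpnc_nwp_acl outbound
    _vpnc_nwp_server
VPNC CLI: access-list _vpnc_acl permit ip host 192.1.1.101 host 192.1.1.100
VPNC CLI: crypto map _vpnc_cm 10 match address _vpnc_acl
VPNC CFG: crypto map acl update successful
VPNC INF: IKE trigger request done
VPNC INF: Constructing policy download req
VPNC ATT: INTERNAL_IP4_DNS: 4.2.2.1
VPNC ATT: ALT_PFS: 0
VPNC INF: Received application version 'Cisco Systems, Inc PIX-515 Version 7.0(1) built by builders on Thu 31-Mar-05 14:37'
VPNC ATT: ALT_CFG_SEC_UNIT: 0
VPNC CLI: access-list _vpnc_acl permit ip 192.168.3.0 255.255.255.0 any
VPNC CLI: nat (inside) 0 access-list _vpnc_acl
VPNC INF: IKE trigger request done
VPNC CFG: transform set unconfig attempt done
VPNC CLI: no isakmp keepalive 10 5
VPNC CFG: IKE unconfig successful
"""

LINE_RE = re.compile(r"^VPNC (?P<kind>CFG|CLI|INF|ATT): (?P<body>.*)$")


def parse_vpnclient_debug(text):
    """Turn raw debug text into a list of (kind, body) events. An indented
    line is a continuation of the previous event (long CLI commands wrap),
    so it is joined back onto that event."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if m:
            events.append((m.group("kind"), m.group("body").strip()))
        elif events and raw.startswith((" ", "\t")):
            kind, body = events[-1]
            events[-1] = (kind, body + " " + raw.strip())
    return events


def summarize(events):
    """Extract what a troubleshooter looks for: the generated CLI commands,
    CFG steps that reported failure (expected on the first enable, when
    there is nothing to remove), requested attributes, the Server's
    version string, and how many configuration cycles were started."""
    summary = {
        "cli": [b for k, b in events if k == "CLI"],
        "cfg_failed": [b for k, b in events if k == "CFG" and b.endswith("failed")],
        "attributes": {},
        "server_version": None,
        "ike_triggers": 0,
        "config_cycles": 0,
    }
    for kind, body in events:
        if kind == "ATT":
            name, _, value = body.partition(":")
            summary["attributes"][name.strip()] = value.strip()
        elif kind == "INF" and body == "IKE trigger request done":
            summary["ike_triggers"] += 1
        elif kind == "INF" and body.startswith("Received application version"):
            summary["server_version"] = body.split("'", 2)[1]
        elif kind == "CFG" and body == "transform set unconfig attempt done":
            # Each cycle begins by tearing down the previous VPN config.
            summary["config_cycles"] += 1
    return summary


def diagnose(summary):
    """The Remote-side debug never states why a tunnel failed; the only
    Remote-side symptom is the configuration cycle starting again. Point
    the operator at the Server when that happens."""
    if summary["config_cycles"] > 1:
        return ("Remote restarted its VPN configuration %d times: the tunnel is not "
                "coming up. Run 'debug crypto isakmp' on the Server (%s) for the "
                "rejection reason." % (summary["config_cycles"],
                                       summary["server_version"] or "unknown version"))
    return "Single configuration cycle seen; no retry symptom in this output."


if __name__ == "__main__":
    s = summarize(parse_vpnclient_debug(SAMPLE))
    print("Server:", s["server_version"])
    print("Attributes:", s["attributes"])
    print("Failed CFG steps:", s["cfg_failed"])
    print(diagnose(s))
```

Feed it the full debug from a real Remote (after terminal monitor or a captured console session) rather than the trimmed SAMPLE; the parser does not depend on the marker numbers or wrapping shown on this page, only on the VPNC prefix format.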

References

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml
