I have used VPN debug commands on ASAs before and they have been very helpful, but this has always been on IOS 7 & 8. I'm working on 2 ASAs now that are on 9.1.3 and I can't establish a site-to-site VPN. How can I enable debugging?
I am using the following via an SSH session:
debug crypto ikev1 enabled at level 127
debug crypto condition peer x.x.x.x
I then did an extended ping and nothing showed up in the console window (via SSH).
I very rarely resort to debugs nowadays with the ASAs when having problems with VPN connections.
I typically go through the following steps:
Use the "packet-tracer" command to check that the expected traffic matches a VPN configuration on the ASA. This should result in output that shows a VPN Phase. On the first try it always ends with a VPN Phase DROP. The second try will go through if the whole L2L VPN is fine, but ends in a drop if there is a mismatch between the peers.
If the initial "packet-tracer" tests match the correct rules and therefore match the VPN configurations, I will issue the "packet-tracer" command from the command history multiple times and then check how the Phase 1 negotiations are going by using the command "show crypto ikev1 sa".
I try to confirm from the output that the Phase 1 either goes through or at which message the negotiation fails. If it fails, I take multiple outputs of the above command (with "packet-tracer" also) to check where it stops and then confirm that the Phase 1 parameters and the PSK are correct.
If I can confirm that the Phase 1 goes through fine and the connection negotiation fails right after the Phase 1 negotiation then I confirm the Phase 2 configurations with the remote end.
Pretty much 90% of the time the above steps find the problem without ever touching a "debug" command on the ASA.
Even before any of the above steps I might double-check the configurations before testing anything.
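Added example, not written by either poster: a small Python helper that takes several saved "show crypto ikev1 sa" outputs, collected as in the steps above, and reports how far Phase 1 got for one peer. The sample outputs and the peer address 192.0.2.10 are constructed, and the code assumes state names of the form MM_WAIT_MSGn and MM_ACTIVE/AM_ACTIVE.

```python
import re

# Constructed samples laid out like ASA "show crypto ikev1 sa" output.
# 192.0.2.10 is a documentation placeholder for the remote peer.
NO_SA = "There are no IKEv1 SAs\n"
WAITING = """IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.0.2.10
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""
UP = WAITING.replace("user", "L2L ").replace("MM_WAIT_MSG2", "MM_ACTIVE")

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")

def parse_sas(text):
    """Return {peer: {field: value}} for every SA in one command output."""
    sas, current = {}, None
    for line in text.splitlines():
        peer = PEER_RE.search(line)
        if peer:
            current = sas.setdefault(peer.group(1), {})
        elif current is not None:
            current.update(FIELD_RE.findall(line))
    return sas

def msg_no(state):
    """Message number a *_WAIT_MSGn state is waiting for, or 0 if none."""
    m = re.search(r"WAIT_MSG(\d+)", state)
    return int(m.group(1)) if m else 0

def phase1_verdict(outputs, peer):
    """Summarise Phase 1 progress for one peer across repeated captures."""
    states = [parse_sas(o).get(peer, {}).get("State") for o in outputs]
    seen = [s for s in states if s]
    if not seen:
        return "no SA: traffic did not start IKE, re-check the packet-tracer match"
    if any(s.endswith("_ACTIVE") for s in seen):
        return "phase 1 up: compare Phase 2 settings with the remote end"
    furthest = max(seen, key=msg_no)
    return f"phase 1 stalls at {furthest}: check Phase 1 parameters and PSK"

if __name__ == "__main__":
    print(phase1_verdict([NO_SA, WAITING, WAITING], "192.0.2.10"))
    print(phase1_verdict([WAITING, UP], "192.0.2.10"))
```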