Cisco Support Community
Community Member

ASA VPN debug commands?


I have used VPN debug commands on ASAs before and they have been very helpful, but this has always been on IOS 7 & 8. I'm working on 2 ASAs now that are on 9.1.3 and I can't establish a site-to-site VPN. How can I enable debugging?

I am using via a SSH session:

term mon

debug crypto ikev1 enabled at level 127

debug crypto condition peer x.x.x.x

I then did an extended ping and nothing showed up in the console window (via SSH).

My logging is:

logging enable

logging console informational

Any ideas?


Super Bronze

Re: ASA VPN debug commands?


I very rarely resort to debugs nowadays with the ASAs when having problems with VPN connections

I typically go through the following steps

  • Use the "packet-tracer" command to check that the expected traffic matches a VPN configuration on the ASA. This should result in output that shows a VPN Phase. On the first try it always ends with a VPN Phase DROP. The second try will go through if the whole L2L VPN is fine, but ends in a drop if there is a mismatch between the peers.
  • If the initial "packet-tracer" tests match the correct rules and therefore match the VPN configurations I will issue the "packet-tracer" command from the command history multiple times and then check how the Phase 1 negotiations are going by using the command "show crypto ikev1 sa"
  • I try to confirm from the output that the Phase 1 either goes through or at which message the negotiation fails. If it fails I take multiple outputs of the above command (with "packet-tracer" also) to check where it stops and then confirm that the Phase 1 parameters and the PSK are correct.
  • If I can confirm that the Phase 1 goes through fine and the connection negotiation fails right after the Phase 1 negotiation then I confirm the Phase 2 configurations with the remote end.

Pretty much 90% of the time the above steps find the problem without ever touching a "debug" command on the ASA.

Even before any of the above steps I might double-check the configurations before testing anything.

Here is one document related to VPN

Also check the links at the bottom of the above document

- Jouni
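As an added example, not part of Jouni's reply and not a Cisco tool: a small Python script that reads the text of "show crypto ikev1 sa" (captured from the ASA over SSH) and reports which main-mode message each negotiation is waiting on, which is the check in the second and third steps above. The sample output is constructed to match the 9.x layout of that command; the peer addresses are documentation-range placeholders, and the per-state hints are the usual interpretation of the IKEv1 MM_WAIT states, not something the thread states.

```python
"""Read `show crypto ikev1 sa` output and explain where phase 1 is stuck.

Added example (not from the original thread). Paste the ASA output into
SAMPLE_OUTPUT or pass it to parse_ikev1_sa(); the sample below is
constructed to match the ASA 9.x format and uses placeholder peers.
"""
import re
from typing import Dict, List

# Constructed sample output (assumption: spacing varies slightly by release).
SAMPLE_OUTPUT = """\
IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0  (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG6
2   IKE Peer: 198.51.100.20
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

# What each main-mode state is waiting for, and the mismatch that most often
# leaves a negotiation parked there (assumption: the usual interpretation;
# always confirm against the peer's configuration).
PHASE1_STATES: Dict[str, str] = {
    "MM_WAIT_MSG2": "sent MM1, no reply: peer unreachable, UDP/500 filtered, "
                    "or the peer has no crypto map / tunnel-group for us",
    "MM_WAIT_MSG3": "responder sent MM2, waiting for the initiator's key exchange",
    "MM_WAIT_MSG4": "initiator sent MM3, waiting for the peer's key exchange: "
                    "check reachability and the phase 1 policy",
    "MM_WAIT_MSG5": "responder sent MM4, waiting for the initiator's identity: "
                    "PSK or identity mismatch is the usual cause",
    "MM_WAIT_MSG6": "initiator sent MM5, waiting for the peer's identity: "
                    "PSK or identity mismatch is the usual cause",
    "MM_ACTIVE": "phase 1 complete: if traffic still fails, compare phase 2 "
                 "(transform set, crypto ACL, PFS) with the peer",
    "AM_ACTIVE": "aggressive-mode phase 1 complete: compare phase 2 with the peer",
}

# One SA entry spans three lines: peer, type/role, rekey/state.
_ENTRY = re.compile(
    r"^\s*\d+\s+IKE Peer:\s*(?P<peer>\S+)\s*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)",
    re.MULTILINE,
)


def parse_ikev1_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict (peer, type, role, rekey, state) per IKE SA entry."""
    return [m.groupdict() for m in _ENTRY.finditer(text)]


def diagnose(entries: List[Dict[str, str]], peer: str) -> str:
    """Explain the phase 1 state for `peer`, or say that no SA exists at all."""
    for entry in entries:
        if entry["peer"] == peer:
            hint = PHASE1_STATES.get(
                entry["state"],
                "unrecognised state; capture the output again after another packet-tracer",
            )
            return f"{peer}: {entry['state']} ({entry['role']}) - {hint}"
    # No SA at all means the ASA never sent MM1: traffic is not hitting the
    # crypto map, so go back to packet-tracer and check the VPN phase.
    return (f"{peer}: no IKEv1 SA - the ASA never started negotiating; "
            "re-run packet-tracer and check it reaches the VPN phase")


if __name__ == "__main__":
    sas = parse_ikev1_sa(SAMPLE_OUTPUT)
    for p in ("203.0.113.10", "198.51.100.20", "192.0.2.1"):
        print(diagnose(sas, p))
```

To generate the input, trigger the negotiation on the ASA with a tracer such as "packet-tracer input inside icmp 10.1.1.10 8 0 10.2.2.10" (interface and addresses are placeholders to replace with your own), run "show crypto ikev1 sa" a few times while it is in progress, and feed the captured text to parse_ikev1_sa(); a peer that never appears in the table at all points back at the packet-tracer step rather than at phase 1 parameters.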
