
debug crypto ipsec 255 displays nothing

vidourekmar
Level 1

Hello.

I have an ASA5540 with asa712-k8.bin.

There are plenty of tunnels terminated on it, and they work.

But I have one tunnel which doesn't work.

I tried turning on "debug crypto isakmp" and it shows this:

RECV PACKET from 10.200.79.161
ISAKMP Header
  Initiator COOKIE: 26 d4 84 f9 00 f0 c4 54
  Responder COOKIE: 38 e8 d2 c5 10 70 d5 69
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 9B95CE5B
  Length: 292
Feb 17 00:31:20 [IKEv1]: IP = 10.200.79.161, Received encrypted packet with no matching SA, dropping

So there is a problem with IPSEC and with no matching SA, but I don't know which one.

Then I tried to turn on "debug crypto ipsec 255" but it displays nothing.

Could someone help me with what I'm doing wrong?

Here is the logging config:

logging buffer-size 100000
logging console debugging
logging monitor debugging
logging buffered debugging
logging asdm informational

Thanks

Martin

1 Reply

Marvin Rhoads
Hall of Fame

Your logging commands look correct and your debug syntax also appears correct. Could you, just to double check, check the output of "show logging"?

FYI, I find the debug crypto ipsec/isakmp commands to be fine at debugging level 7 for almost all purposes.

Also, in 8.0(2) or later you can use the "debug crypto condition " to further narrow down the output for only the problematic remote peer (and verify it's not on already!). Unfortunately, that command won't be supported on your 7.1(2) ASA software.
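
Since per-peer debug filtering is not available on 7.1(2), captured "debug crypto isakmp" output can be narrowed down offline instead. The following is an added example, not part of either post: it parses output in the format shown in the question and counts dropped packets per peer and exchange type. The function names are hypothetical and the sample input is the question's own output with blank lines removed.

```python
import re
from collections import Counter

# Debug output copied from the question in this thread (blank lines removed).
SAMPLE = """\
RECV PACKET from 10.200.79.161
ISAKMP Header
  Initiator COOKIE: 26 d4 84 f9 00 f0 c4 54
  Responder COOKIE: 38 e8 d2 c5 10 70 d5 69
  Next Payload: Hash
  Version: 1.0
  Exchange Type: Quick Mode
  Flags: (Encryption)
  MessageID: 9B95CE5B
  Length: 292
Feb 17 00:31:20 [IKEv1]: IP = 10.200.79.161, Received encrypted packet with no matching SA, dropping
"""

RECV = re.compile(r"^RECV PACKET from (\S+)")
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")
DROP = re.compile(r"\[IKEv1\]: IP = ([\d.]+), Received encrypted packet with no matching SA")

def parse_packets(text):
    """Return one dict per received packet: peer, header fields, dropped flag."""
    packets, current = [], None
    for line in text.splitlines():
        m = RECV.match(line)
        if m:  # start of a new packet dump
            current = {"peer": m.group(1), "fields": {}, "dropped": False}
            packets.append(current)
            continue
        m = DROP.search(line)
        if m:  # syslog verdict that follows the header dump
            if current and current["peer"] == m.group(1):
                current["dropped"] = True
            continue
        m = FIELD.match(line)
        if m and current:  # "Name: value" line of the ISAKMP header
            current["fields"][m.group(1).strip()] = m.group(2).strip()
    return packets

def dropped_by_peer(packets):
    """Count dropped packets per (peer, exchange type)."""
    return Counter((p["peer"], p["fields"].get("Exchange Type", "?"))
                   for p in packets if p["dropped"])

if __name__ == "__main__":
    for (peer, exch), n in dropped_by_peer(parse_packets(SAMPLE)).items():
        print(f"{peer}: {n} dropped {exch} packet(s) with no matching SA")
```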