Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

vpn tunnel troubleshooting question

I have notice that sometines when debugging VPN tunnels using (I have seen this on both PIX5xx and ASA 5510)

debug cry isakmp

debug cry ipsec

That sometimes when sending traffic that should trigger the tunnel initiation, I see nothing in the debug and other times I do.

Even when the tunnel gets established and I know phase 1 and phase 2 successfully completed)

Is there something I am missing?

Also,

If I want to put a monitor session on the outside interface of the ASA to capture traffic to and from the tunnel peer end,

would I filter the monitor to capture the tunnel secure LAN endpoint, or the peer endpoint, or would I see traffic from both of these subnets on the remote end?

4 REPLIES
New Member

Re: vpn tunnel troubleshooting question

HI,

The reason to this is that if you only use debug cry isakmp , it will be a "debug cry isakmp 1".

In som of the newer versions i beleave the first was 7.x you got a 1-255 debug options.

So here is was will solve it:

debug cry isakmp 200

debug cry ipsec 200

is you whant binary debug (hex) use 255, normaly 200 is plenty.

:-)

/Soren

PS. Please rate...

New Member

Re: vpn tunnel troubleshooting question

Thanks,

I will give it a try

New Member

Re: vpn tunnel troubleshooting question

That worked, but what is the sifnificance of the 200?

And how can I debug a particular tunnel phae 1 or 2?

New Member

Re: vpn tunnel troubleshooting question

Hi,

The number is only a debug level, but 200 is mutch info but not hex. I have not been able to finde a description on the differet levels.

The debug crypto isakmp 200 (Phase I)

The debug crypto ipsec 200 (PhanseII)

To debug a specific VPN session you can not, sorry. This in only on show option peer .

If you only need phase I debug 90% of the time normaly. I only use the isakmp.

I hope this helps you.

PS. The number is in many other debugs too. :-)

/Soren

151
Views
10
Helpful
4
Replies
CreatePlease to create content