Wednesday, 26 August 2015

Enabling isakmp and ipsec debugging on Cisco ASA and IOS Router

On the ASA / router run:

config t
monitor logging 7 // This allows you to see the output on vty lines e.g. telnet / SSH sessions

debug crypto isakmp 127
debug crypto ipsec 127

We can also filter the logging to a specific VPN peer e.g.:

debug crypto condition peer 1.1.1.1

If you are not seeing any expected output verify whether syslog is turned on with:

show logging

If it is you can use ADSM under Monitoring >> Logging to view / filter etc. the logs.

To help debug any VPN issues you can also use the following command to troubleshoot ISAKMP:

show isakmp sa

show ipsec sa

and

show isakmp sa detail

0 comments:

Post a Comment