Crypto Conditional Debugging
Crypto conditional debugging is useful when troubleshooting live networks, especially where many tunnels terminate on the same device: unfiltered debug crypto isakmp or debug crypto ipsec output interleaves every peer's negotiation, and on a busy hub it can overwhelm the console and the CPU.
· The crypto conditional debug CLIs—debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition—allow you to specify conditions (filter values) so that only debug messages related to the specified conditions are generated and displayed. The unmatched keyword additionally shows messages for which the router cannot yet determine the peer (for example, the first packets of a negotiation), which would otherwise be filtered out.
· The router performs conditional debugging only after at least one of the global crypto debug commands—debug crypto isakmp, debug crypto ipsec, or debug crypto engine—has been enabled; this requirement ensures that router performance is not impacted when conditional debugging is not in use. Conversely, enabling a global crypto debug on a busy hub without first setting a condition produces unfiltered output, so set the condition first.
· To enable crypto conditional debugging:
– debug crypto condition
– debug crypto { isakmp | ipsec | engine }
· To view the crypto conditions that are currently set (all, or one condition type):
– show crypto debug-condition [ all | peer | fvrf | ivrf | isakmp | username | connid | spi ]
· To disable crypto condition debugs:
– debug crypto condition reset
Conditions accepted by debug crypto condition:

Condition | Meaning |
fvrf | The name string of a virtual private network (VPN) routing and forwarding (VRF) instance; relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its front-door VRF (FVRF) |
ivrf | The name string of a VRF instance; relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its inside VRF (IVRF) |
isakmp profile | The name string of the ISAKMP profile to be matched against for debugging |
local ipv4 | The IP address string of the local IKE endpoint |
peer group | An EzVPN group name string; relevant debug messages will be shown if the peer is using this group name as its identity |
peer ipv4 | A single IP address; relevant debug messages will be shown if the current IPSec operation is related to the IP address of this peer |
peer subnet | A subnet and a subnet mask that specify a range of peer IP addresses; relevant debug messages will be shown if the IP address of the current IPSec peer falls into the specified subnet range |
peer hostname | A fully qualified domain name (FQDN) string; relevant debug messages will be shown if the peer is using this string as its identity |
username | The username string (XAuth username or PKI-AAA username obtained from a certificate) |
connid | A crypto engine connection ID; relevant debug messages will be shown if the current IPSec operation uses this connection ID |
spi | An IPSec security parameter index (SPI); relevant debug messages will be shown if the current IPSec operation uses this SPI |
Clearing VPN Tunnel
· To clear the IKE (Phase 1) security associations:
– clear crypto isakmp sa
· To clear the IPSec (Phase 2) security associations:
– clear crypto ipsec sa
Used without a peer or connection qualifier, both commands act on every SA on the router, so on a hub with multiple tunnels they drop all of them at once. Clearing only the IKE SA does not stop traffic immediately, because the existing IPSec SAs keep forwarding until they expire; clearing the IPSec SAs forces a fresh Phase 2 (and, if no IKE SA remains, Phase 1) negotiation as soon as interesting traffic arrives.
Crypto Logging
Two crypto logging enhancements were introduced in recent Cisco IOS images:
Hub(config)# crypto logging ?
– ezvpn ezvpn logging enable/disable
– session logging up/down session
– Crypto logging session, introduced in 12.3(14)T, displays tunnel up/down messages (note that IOS prints "is UP ." with a space before the period):
– %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
– %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
– Crypto logging ezvpn, introduced in 12.4(4)T, displays EasyVPN connection messages; with both enabled, each EasyVPN event produces a SESSION_STATUS line and an EZVPN_CONNECTION line, the latter carrying the mode, client type, group and front-door VRF:
– %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
– %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
– %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
– %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
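Because these two message formats are stable, they are easy to turn into monitoring. The following is an added example, not code from the original post or from Cisco: a small Python parser for the SESSION_STATUS and EZVPN_CONNECTION messages shown above, which replays a syslog feed to derive the current state of every tunnel and to flag peers that are flapping (the usual reason one reaches for conditional debugging in the first place). The sample log lines are constructed from the page's message formats with a typical IOS timestamp prefix; the peer addresses, VRF name and group name are the page's own values reused as test data, and the flap threshold is an assumption.

```python
import re
from collections import Counter

# Message formats as shown on the page for "crypto logging session" and
# "crypto logging ezvpn". The f_vrf field is optional and appears only when
# the tunnel terminates in a front-door VRF; IOS prints "is UP ." with a
# space, so the regex tolerates optional whitespace before the period.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\."
    r" Peer (?P<peer>[^:\s]+):(?P<port>\d+)"
    r"(?: f_vrf: (?P<fvrf>\S+))?"
    r" Id: (?P<id>\S+)"
)
EZVPN_RE = re.compile(
    r"%CRYPTO-6-EZVPN_CONNECTION_(?P<state>UP|DOWN): "
    r"\((?P<role>Server|Client)\) (?P<kv>.*)$"
)
# key=value pairs; a value may be empty (the page shows "User= Group=cisco").
KV_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample syslog feed (not captured from a real device): one peer
# flapping four times, one EasyVPN client coming up in FVRF1, one unrelated line.
SAMPLE_LOG = """\
*Jan 10 10:00:01.101: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
*Jan 10 10:00:05.202: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
*Jan 10 10:00:09.303: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 40.10.1.1:500 Id: 40.10.1.1
*Jan 10 10:00:12.404: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 40.10.1.1:500 Id: 40.10.1.1
*Jan 10 10:01:00.505: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer 2.2.2.2:500 f_vrf: FVRF1 Id: cisco
*Jan 10 10:01:00.606: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server) Mode=NEM Client_type=CISCO_IOS User= Group=cisco Client_public_addr=2.2.2.2 Server_public_addr=1.1.1.2 f_vrf=FVRF1
*Jan 10 10:02:00.707: %SYS-5-CONFIG_I: Configured from console by console
"""


def parse_crypto_log(line):
    """Return a dict describing one crypto syslog line, or None for other lines.

    re.search (not match) is used so any syslog/timestamp prefix is ignored.
    """
    m = SESSION_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["kind"] = "session"
        ev["port"] = int(ev["port"])
        return ev
    m = EZVPN_RE.search(line)
    if m:
        fields = dict(KV_RE.findall(m.group("kv")))
        return {
            "kind": "ezvpn",
            "state": m.group("state"),
            "role": m.group("role"),
            "peer": fields.get("Client_public_addr"),
            "fvrf": fields.get("f_vrf"),
            "fields": fields,
        }
    return None


def _key(ev):
    # Tunnels are identified by (front-door VRF, peer address); the same peer
    # address may legitimately exist in two different FVRFs.
    return (ev["fvrf"] or "", ev["peer"])


def tunnel_state(lines):
    """Replay SESSION_STATUS messages in order; return last known state per tunnel."""
    state = {}
    for line in lines:
        ev = parse_crypto_log(line)
        if ev and ev["kind"] == "session":
            state[_key(ev)] = ev["state"]
    return state


def flapping_peers(lines, threshold=3):
    """Return tunnels whose state changed at least `threshold` times after first being seen.

    The threshold (3 changes within the replayed window) is an assumed value;
    tune it to the window length of the feed you replay.
    """
    changes = Counter()
    last = {}
    for line in lines:
        ev = parse_crypto_log(line)
        if not ev or ev["kind"] != "session":
            continue
        key = _key(ev)
        if key in last and last[key] != ev["state"]:
            changes[key] += 1
        last[key] = ev["state"]
    return sorted(k for k, n in changes.items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, st in sorted(tunnel_state(lines).items()):
        print(f"fvrf={key[0] or '-'} peer={key[1]} state={st}")
    for key in flapping_peers(lines):
        print(f"flapping: fvrf={key[0] or '-'} peer={key[1]}")
```

A flapping peer reported this way is exactly the case for debug crypto condition peer ipv4 (plus fvrf when the tunnel lives in a front-door VRF) before turning on debug crypto isakmp, so that the capture contains only that peer's negotiation.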
That's all from my side today.
I am thinking of coming up with a few known issues or scenarios in my next blog, hence looking forward to your inputs and feedback. Thanks.