
VPN IPSec debug conditional on cisco ASA/IOS

Let's say you have 200 site-to-site IPsec VPNs and one specific tunnel is not working. How do you troubleshoot just that tunnel? You could look at the logs and pipe for the peer IP, but on a busy box the logs are noisy and the syslog messages rarely carry enough detail. To get in-depth troubleshooting data for a single VPN on a Cisco ASA, you can use conditional debugging as shown below.

Cisco ASA IPSec VPN Conditional debugging

This has been tested on ASA code version 8.0 and later. The condition statement lets you set filters so that the crypto debugs only print output for the peers (or users) you care about. For example, to create a VPN debug for remote peer 1.2.3.4, do the following:

This is also useful for debugging remote-access (client VPN) user accounts, since the condition can match on a username or tunnel group rather than a peer IP. You can view the current debug conditions:

You can also define multiple peers by adding a further condition statement for each one:

Next, turn on the debugs. ASA debug levels run from 1 to 255; level 200 should be sufficient to get you detailed IKE and IPsec information. Set the conditions before enabling the debugs, otherwise you will get unfiltered output for every tunnel until the filter is in place.

When complete, turn off the debugs and then clear the conditions. Crypto debugs are CPU-intensive on a firewall that is terminating hundreds of tunnels, so do not leave them running.
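The CLI session below is an added example of the ASA commands for the procedure above; the original post's own command listings are not reproduced on this page. The peer 1.2.3.4 is the placeholder from the text; the second peer 5.6.7.8, the username jdoe and the hostname prompt are assumptions chosen for illustration.

```text
! Cisco ASA 8.0+ conditional crypto debugging (added example, not the original post's listing)
! 1. Set the conditions first: peer IP for a site-to-site tunnel (1.2.3.4 is the page's placeholder,
!    5.6.7.8 is a second, assumed peer), or a username for a remote-access client (jdoe is assumed)
ciscoasa# debug crypto condition peer 1.2.3.4
ciscoasa# debug crypto condition peer 5.6.7.8
ciscoasa# debug crypto condition user jdoe
! 2. Verify which filters are active before turning anything on
ciscoasa# show crypto debug-condition
! 3. Enable the debugs at level 200 (valid range 1-255)
ciscoasa# debug crypto isakmp 200
ciscoasa# debug crypto ipsec 200
! On ASA 8.4 and later the IKE debug is split by IKE version instead:
!   debug crypto ikev1 200
!   debug crypto ikev2 protocol 200
! 4. If you are connected over SSH rather than the console, send debug output to your session
ciscoasa# terminal monitor
! ... reproduce the tunnel failure (e.g. send interesting traffic or clear the SA) ...
! 5. Turn the debugs off first, then clear the condition filters
ciscoasa# undebug all
ciscoasa# debug crypto condition reset
ciscoasa# show crypto debug-condition
```

The final `show crypto debug-condition` is there to confirm nothing was left behind: a forgotten condition will silently filter the next engineer's debugs, and a forgotten debug will keep consuming CPU.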

Cisco IOS IPSec VPN Conditional debugging

The same can be done on a Cisco IOS router. The syntax differs slightly (the peer condition takes an address family, and the IOS crypto debugs have no level argument), but the workflow is the same: set the condition, verify it, enable the debugs, then tear everything down.

Verify the debug condition:

Enable crypto debugging:

When finished, turn off the debugs and reset the debug crypto condition filters:
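The session below is an added example of the IOS commands for the procedure above, not the original post's own listing. The peer 1.2.3.4 is the page's placeholder; the hostname prompt is an assumption.

```text
! Cisco IOS conditional crypto debugging (added example, not the original post's listing)
! 1. Set the condition; IOS requires the address family keyword (1.2.3.4 is the page's placeholder)
Router# debug crypto condition peer ipv4 1.2.3.4
! 2. Verify the condition is in place before enabling any debug
Router# show crypto debug-condition
! 3. Enable the IKE and IPsec debugs (no level argument on IOS)
Router# debug crypto isakmp
Router# debug crypto ipsec
! Send debug output to an SSH/telnet session instead of only the console
Router# terminal monitor
! ... reproduce the tunnel failure ...
! 4. Turn the debugs off first, then clear the condition filters and confirm they are gone
Router# undebug all
Router# debug crypto condition reset
Router# show crypto debug-condition
```

If you are not seeing any output for the peer, check `show crypto debug-condition` first: a typo in the condition address produces silence rather than an error, which is easy to mistake for the tunnel never attempting to negotiate.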