How to get 'debug' commands on a PIX 501 to work?

Discussion in 'Cisco' started by Nibly, Feb 21, 2005.

  1. Nibly

    Nibly Guest

    Hi,

    The questions I'm asking might seem simple and easy to most of you. But
    I've tried and tried without success, so now I'm trying to get a little
    helping hand.

    What I don't get is how I can see the output from commands like these?
    "debug crypto ipsec"
    "debug crypto isakmp"

    Do I need a console cable? I don't have one here, so if there are other
    ways I'm open to anything.

    Thanks,
    Nibly
     
    Nibly, Feb 21, 2005
    #1

  2. :The questions I'm asking might seem simple and easy to most of you. But
    :I've tried and tried without success, so now I'm trying to get a little
    :helping hand.

    :What I don't get is how I can see the output from commands like these?
    :"debug crypto ipsec"
    :"debug crypto isakmp"

    :Do I need a console cable?

    You do not need to use a console cable. Those messages will be
    sent to the -first- active telnet or ssh session.

    Probably all you need to do is configure 'logging on'.

    The 'logging console' and 'logging monitor' settings do not
    affect the first active session. To emphasize: I am running
    with 'logging console disabled' and 'logging monitor disabled'
    at the moment, and I get the debug messages to my ssh sessions.
     
    Walter Roberson, Feb 21, 2005
    #2

  3. 220volt

    220volt Guest

    When you type "debug crypto ipsec" or any other command, all you're doing is
    turning the debug engine on. You will have to generate some packets in order
    to see output. The best way is to turn all debugs on, or just those you're
    trying to troubleshoot, and do an extended ping from one peer to the other.
    Hope this helps.
    To see the full article on this go to:
    http://www.cisco.com/en/US/products...s_configuration_example09186a008015bfd2.shtml

    For example:


    The next step is to turn on some crypto debugs to generate interesting
    traffic.

    In this example, these debugs are turned on:

    a.. debug crypto engine

    b.. debug crypto IPSec

    c.. debug crypto key-exchange

    d.. debug crypto isakmp

    To see the output of the debugs, you must first generate some interesting
    traffic. Issue an extended ping from the Ethernet port of uBR904-2 to the PC
    on uBR924-1 (IP address 19.19.19.1).

    ubr904-2# ping ip

    Target IP address: 19.19.19.1

    !--- IP address of PC1 behind the Ethernet of uBR924-1.

    Repeat count [5]: 100

    !--- Sends 100 pings.

    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: 18.18.18.18

    !--- IP address of the Ethernet behind uBR904-2.

    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 19.19.19.1, timeout is 2 seconds:

    The uBR924-2 shows this debug output:

    ubr904-2#
    01:50:37: IPSec(sa_request): ,
    (key eng. msg.) src= 18.18.18.18, dest= 19.19.19.19,
    src_proxy= 18.18.18.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 19.19.19.0/255.255.255.0/0/0 (type=4),
    protocol= AH, transform= ah-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x19911A16(428939798), conn_id= 0, keysize= 0, flags= 0x4004
    01:50:37: IPSec(sa_request): ,
    (key Eng. msg.) src= 18.18.18.18, dest= 19.19.19.19,
    src_proxy= 18.18.18.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 19.19.19.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= ESP-Des ,
    lifedur= 3600s and 4608000kb,
    spi= 0x7091981(118036865), conn_id= 0, keysize= 0, flags= 0x4004
    01:50:37: ISAKMP: received ke message (1/2)
    01:50:37: ISAKMP (0:1): sitting IDLE. Starting QM immediately (QM_IDLE)
    01:50:37: ISAKMP (0:1): beginning Quick Mode exchange, M-ID of 1108017901
    01:50:37: CryptoEngine0: generate hmac context for conn id 1
    01:50:37: ISAKMP (1): sending packet to 19.19.19.19 (I) QM_IDLE
    01:50:37: ISAKMP (1): received packet from 19.19.19.19 (I) QM_IDLE
    01:50:37: CryptoEngine0: generate hmac context for conn id 1
    01:50:37: ISAKMP (0:1): processing SA payload. message ID = 1108017901
    01:50:37: ISAKMP (0:1): Checking IPSec proposal 1
    01:50:37: ISAKMP: transform 1, AH_MD5
    01:50:37: ISAKMP: attributes in transform:
    01:50:3.!!!!!!!!!!!!!!!!!!!!!!!7: ISAKMP: encaps is 1
     
    220volt, Feb 21, 2005
    #3
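A parser for the debug output quoted above, written here as an added example (it is not code from the thread, from 220volt, or from Cisco). It groups each "IPSec(sa_request)" line with the continuation lines that follow it, extracts the SA parameters (peers, proxies, protocol, transform, lifetimes, SPI), strips the "!" and "." characters that an interleaved extended ping prints into the debug stream (as on the last quoted line), and flags transforms a reviewer would no longer accept. The SAMPLE_DEBUG text is constructed to match the shape of the quoted output; the field names are the ones visible in it.

```python
"""Turn 'debug crypto ipsec' SA-request blocks into structured records.

Added example, not from the thread or from Cisco. SAMPLE_DEBUG is constructed
to match the shape of the debug output quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: two SA requests followed by ISAKMP lines, the last one
# carrying the '!'/'.' characters of an interleaved extended ping.
SAMPLE_DEBUG = """\
01:50:37: IPSec(sa_request): ,
(key eng. msg.) src= 18.18.18.18, dest= 19.19.19.19,
src_proxy= 18.18.18.0/255.255.255.0/0/0 (type=4),
dest_proxy= 19.19.19.0/255.255.255.0/0/0 (type=4),
protocol= AH, transform= ah-md5-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x19911A16(428939798), conn_id= 0, keysize= 0, flags= 0x4004
01:50:37: IPSec(sa_request): ,
(key Eng. msg.) src= 18.18.18.18, dest= 19.19.19.19,
src_proxy= 18.18.18.0/255.255.255.0/0/0 (type=4),
dest_proxy= 19.19.19.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= ESP-Des ,
lifedur= 3600s and 4608000kb,
spi= 0x7091981(118036865), conn_id= 0, keysize= 0, flags= 0x4004
01:50:37: ISAKMP: received ke message (1/2)
01:50:3.!!!!!!!!!!!!!!!!!!!!!!!7: ISAKMP: encaps is 1
"""

TIMESTAMP_RE = re.compile(r"^(\d\d:\d\d:\d\d): (.*)$")
KEYVAL_RE = re.compile(r"(\w+)=\s*([^,]*?)\s*(?:,|$)")   # "key= value," pairs
LIFEDUR_RE = re.compile(r"(\d+)s and (\d+)kb")


@dataclass
class SaRequest:
    time: str
    src: str
    dest: str
    src_proxy: str
    dest_proxy: str
    protocol: str
    transform: str
    life_seconds: int
    life_kbytes: int
    spi: int
    flags: int


def strip_ping_noise(line: str) -> str:
    """Remove runs of '!'/'.' that an extended ping prints into a debug line.
    A run must contain at least one '!' so dotted IP addresses are untouched."""
    return re.sub(r"[.!]*![.!]*", "", line)


def parse_sa_requests(text: str) -> List[SaRequest]:
    """Collect each timestamped sa_request line with its untimestamped continuations."""
    blocks: List[Tuple[str, List[str]]] = []
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        line = strip_ping_noise(raw).strip()
        m = TIMESTAMP_RE.match(line)
        if m:                                   # a new timestamped message starts
            current = None
            if m.group(2).startswith("IPSec(sa_request)"):
                current = []
                blocks.append((m.group(1), current))
        elif current is not None:               # continuation of the open block
            current.append(line)
    result = []
    for time, lines in blocks:
        kv: Dict[str, str] = {}
        for line in lines:
            for key, value in KEYVAL_RE.findall(line):
                kv[key] = value
        sec, kb = LIFEDUR_RE.search(kv["lifedur"]).groups()
        result.append(SaRequest(
            time=time, src=kv["src"], dest=kv["dest"],
            src_proxy=kv["src_proxy"].split(" ")[0],    # drop the "(type=4)" suffix
            dest_proxy=kv["dest_proxy"].split(" ")[0],
            protocol=kv["protocol"], transform=kv["transform"],
            life_seconds=int(sec), life_kbytes=int(kb),
            spi=int(kv["spi"].split("(")[0], 16),        # hex form; decimal is in parens
            flags=int(kv["flags"], 16),
        ))
    return result


def weak_transform_reasons(transform: str) -> List[str]:
    """Algorithms a reviewer would flag in a negotiated IPsec proposal."""
    t = transform.lower()
    reasons = []
    if "md5" in t:
        reasons.append("MD5-based integrity")
    if "des" in t and "3des" not in t:
        reasons.append("single-DES encryption")
    return reasons


def review(text: str) -> List[str]:
    """One finding line per SA request: what was negotiated and whether it is weak."""
    findings = []
    for sa in parse_sa_requests(text):
        weak = weak_transform_reasons(sa.transform)
        verdict = "WEAK: " + ", ".join(weak) if weak else "ok"
        findings.append(f"{sa.time} {sa.protocol} {sa.src_proxy} -> {sa.dest_proxy} "
                        f"transform={sa.transform} spi=0x{sa.spi:x} "
                        f"life={sa.life_seconds}s/{sa.life_kbytes}kb [{verdict}]")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_DEBUG):
        print(finding)
```

Run against a saved capture of a real session, the review lines give a quick check that both peers proposed the same proxy identities and that the transform set is one you still want in production; the two requests in the constructed sample both come out flagged because they use MD5 and single DES.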
  4. Nibly

    Nibly Guest

    Hi and thanks for the response! The thing is that logging is on; it even
    logs to a syslog server. But I can't see any output from commands like
    'debug crypto ipsec'. Nothing shows up either in the first and only
    telnet/ssh session, or in syslog. I'd appreciate it if you have any
    other ideas or comments.

    This is the version on my running pix 501:
    Cisco PIX Firewall Version 6.3(4)
    Cisco PIX Device Manager Version 3.0(2)


    Regards,
    Nibly
     
    Nibly, Feb 21, 2005
    #4
  5. :Hi and thanks for the response! The thing is that logging is on; it even
    :logs to a syslog server. But I can't see any output from commands like
    :'debug crypto ipsec'. Nothing shows up either in the first and only
    :telnet/ssh session, or in syslog. I'd appreciate it if you have any
    :other ideas or comments.

    Here is the setup I have on the 501 I am using now:

    logging on
    logging timestamp
    logging buffered debugging
    logging trap debugging
    logging history debugging
    logging facility 21
    logging host inside IP


    'logging timestamp' adds a host timestamp for syslog.
    'logging buffered' has to do with what shows up for 'show log'.
    'logging trap' is what is sent for syslog.
    'logging history' is, confusingly, what is sent for snmp traps.
    'logging facility' has to do with the facility number for syslog.
    'logging host' is where to send syslog.

    When I ssh in from the inside and 'debug crypto ipsec' then
    I do get the expected debug messages... I have been using
    this extensively over the last week, and did NOT have to do
    anything fancy such as 'logging monitor debug'. Which,
    incidentally, is something you should try.

    The documentation for 'logging monitor' specifically references
    telnet but not ssh: possibly the distinction is important.
     
    Walter Roberson, Feb 21, 2005
    #5
  6. Nibly

    Nibly Guest

    This is really weird. I tested the same commands on another PIX which
    uses an earlier software version and boom, it outputs the debug information.
    But I've checked the configuration on both units, and they are equal when
    it comes to logging etc.

    What I'm going to do now I don't know. I've even reset the PIX to its
    factory default and issued, command by command, the same settings as on
    the other PIX; still it won't report anything back from the debug commands.

    Maybe I should try to downgrade the software? Possibly a buggy
    software/firmware release on it? I think this is my last option. It could
    be the cause of some other problems I've been having too.

    Open for any other suggestions, of course... Thanks for taking the time
    to reply! Always appreciated!

    Thanks,
    Andre
     
    Nibly, Feb 22, 2005
    #6
  7. :This is really weird. I tested the same commands on another PIX which
    :uses an earlier software version and boom, it outputs the debug information.

    You mentioned 6.3(4) as I recall. That's the version I have on the
    501 I was doing a lot of work with. Thus it isn't -just- because
    of the version change; a subtle bug is always possible though.
     
    Walter Roberson, Feb 22, 2005
    #7