The Crypto Conditional Debug Support feature introduces three new command-line interfaces (CLIs) that allow users to debug an IP Security (IPSec) tunnel on the basis of predefined crypto conditions such as the peer IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debug messages to specific IPSec operations and reducing the amount of debug output, users can better troubleshoot a router with a large number of tunnels.
Feature History

| Release | Modification |
|---|---|
| 12.3(2)T | This feature was introduced. |
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
To use the new crypto CLIs, you must be using a crypto image such as the k8 or k9 subsystem.
The new crypto conditional debug CLIs (debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition) allow you to specify conditions (filter values) under which only the debug messages related to those conditions are generated and displayed. The table below lists the supported condition types.
Table 1. Supported Condition Types for Crypto Debug CLI

| Condition Type (Keyword) | Description |
|---|---|
| connid | An integer between 1-32766. Relevant debug messages will be shown if the current IPSec operation uses this value as the connection ID to interface with the crypto engine. |
| flowid | An integer between 1-32766. Relevant debug messages will be shown if the current IPSec operation uses this value as the flow-ID to interface with the crypto engine. |
| FVRF | The name string of a virtual private network (VPN) routing and forwarding (VRF) instance. Relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its front-door VRF (FVRF). |
| IVRF | The name string of a VRF instance. Relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its inside VRF (IVRF). |
| peer group | A Unity group-name string. Relevant debug messages will be shown if the peer is using this group name as its identity. |
| peer hostname | A fully qualified domain name (FQDN) string. Relevant debug messages will be shown if the peer is using this string as its identity; for example, if the peer is enabling IKE Xauth with this FQDN string. |
| peer ipaddress | A single IP address. Relevant debug messages will be shown if the current IPSec operation is related to the IP address of this peer. |
| peer subnet | A subnet and a subnet mask that specify a range of peer IP addresses. Relevant debug messages will be shown if the IP address of the current IPSec peer falls into the specified subnet range. |
| peer username | A username string. Relevant debug messages will be shown if the peer is using this username as its identity; for example, if the peer is enabling IKE Extended Authentication (Xauth) with this username. |
| SPI | A 32-bit unsigned integer. Relevant debug messages will be shown if the current IPSec operation uses this value as the SPI. |
Note: Specifying numerous debug conditions may consume CPU cycles and negatively affect router performance.
If you choose to disable crypto conditional debugging, you must first disable any crypto global debug CLIs you have issued; thereafter, you can disable conditional debugging.
Note: The reset keyword can be used to disable all configured conditions at one time.
To enable crypto error debug messages, you must perform the following tasks.
Enabling the debug crypto error command displays only error-related debug messages, thereby allowing you to easily determine why a crypto operation, such as an IKE negotiation, has failed within your system.
Note: When enabling this command, ensure that global crypto debug commands are not enabled; otherwise, the global commands will override any possible error-related debug messages.
The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3, and when the connection-ID 2000 of crypto engine 0 is used. This example also shows how to enable the global debug crypto CLIs and how to use the show crypto debug-condition command to verify the conditional settings.
```
Router# debug crypto condition connid 2000 engine-id 1
Router# debug crypto condition peer ipv4 10.1.1.1
Router# debug crypto condition peer ipv4 10.1.1.2
Router# debug crypto condition peer ipv4 10.1.1.3
Router# debug crypto condition unmatched
! Verify crypto conditional settings.
Router# show crypto debug-condition
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON
IKE peer IP address filters:
10.1.1.1
10.1.1.2
10.1.1.3
Connection-id filters:[connid:engine_id]2000:1,
! Enable global crypto CLIs to start conditional debugging.
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine
```
The following example shows how to disable all crypto conditional settings and verify that those settings have been disabled:
```
Router# debug crypto condition reset
! Verify that all crypto conditional settings have been disabled.
Router# show crypto debug-condition
Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF
```
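Because global debug commands override the conditions, it helps to confirm the filter set from show crypto debug-condition before turning them on. The following Python is an added example, not Cisco's code: it parses the output format shown above (assuming one filter value per line, as the device prints it) and reports any intended peer or connection-ID filter that is not actually configured.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample mirroring the 'show crypto debug-condition' output on this page.
SAMPLE_ON = """\
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON
IKE peer IP address filters:
10.1.1.1
10.1.1.2
10.1.1.3
Connection-id filters:[connid:engine_id]2000:1,
"""

@dataclass
class CryptoDebugCondition:
    enabled: bool = False
    unmatched: dict = field(default_factory=dict)  # debug context -> unmatched flag ON?
    peer_ips: list = field(default_factory=list)   # IKE peer IP address filters
    connids: list = field(default_factory=list)    # (connid, engine_id) pairs

def _section(text, header):
    # Text after `header` up to the next line that is itself a '... filters:' header.
    start = text.find(header)
    if start < 0:
        return ""
    body = text[start + len(header):]
    nxt = re.search(r"\n[^\n]*filters:", body)
    return body[:nxt.start()] if nxt else body

def parse_show_crypto_debug_condition(text):
    """Parse the show output into a CryptoDebugCondition (hypothetical helper)."""
    cond = CryptoDebugCondition()
    m = re.search(r"Crypto conditional debug currently is turned (ON|OFF)", text)
    cond.enabled = bool(m and m.group(1) == "ON")
    for ctx, flag in re.findall(r"(\S.*?) debug context unmatched flag:(ON|OFF)", text):
        cond.unmatched[ctx] = flag == "ON"
    for tok in re.findall(r"\d+\.\d+\.\d+\.\d+", _section(text, "IKE peer IP address filters:")):
        cond.peer_ips.append(ipaddress.ip_address(tok))
    for cid, eng in re.findall(r"(\d+):(\d+)", _section(text, "Connection-id filters:")):
        cond.connids.append((int(cid), int(eng)))
    return cond

def missing_filters(cond, expected_peers, expected_connids):
    """Intended filters the router lacks: peer IPs first, then connid:engine_id pairs."""
    want = {ipaddress.ip_address(p) for p in expected_peers}
    missing = [str(ip) for ip in sorted(want - set(cond.peer_ips))]
    missing += [f"{c}:{e}" for c, e in expected_connids if (c, e) not in cond.connids]
    return missing
```

An empty list from missing_filters together with enabled set to True means the conditions are in place and the global debug crypto commands can be issued.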
The following sections provide references to the Crypto Conditional Debug Support feature.
| Related Topic | Document Title |
|---|---|
| IPSec and IKE configuration tasks | "Internet Key Exchange for IPsec VPNs" section of Cisco IOS Security Configuration Guide: Secure Connectivity |
| IPSec and IKE commands | Cisco IOS Security Command Reference |

| Standards | Title |
|---|---|
| None | -- |

| MIBs | MIBs Link |
|---|---|
| None | To locate and download MIBs for selected platforms, Cisco IOS software releases, and feature sets, use Cisco MIB Locator found at the following URL: |

| RFCs | Title |
|---|---|
| None | -- |

| Description | Link |
|---|---|
| Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | |