Implement Platform Settings for VPN Troubleshooting

Available Languages

Download Options

  • PDF     (488.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (554.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (377.8 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 27, 2023
Document ID:220647

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to easily organize and identify VPN debug logs using Secure Firewall Management Center and Secure Firewall Threat Defense.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Secure Firewall Threat Defense (FTD)
    • Secure Firewall Management Center (FMC)
    • Basic understanding of navigating the FMC GUI and FTD CLI
    • Existing policy assignment for Platform Settings

    Components Used

    The information in this document is based on these software versions and hardware versions:

    • Firewall Management Center version 7.3
    • Firewall Threat Defense version 7.3

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Firewall Management Center

    Navigate to Devices > Platform Settings.

    Navigate to Platform Settings in the FMC GUI

    Click the pencil between the copy and delete icon.

    Edit the Platform Settings

    Navigate to Syslogin the left column of options and ensure Enable Logging,  and Send debug messages as syslog  are enabled. Additionally, ensure the Memory Size of the Internal Buffer is set with a value that is adequate for troubleshooting purposes.

    Enable Logging and Increase Internal Buffer Size

    Click Logging Destinations and then click +Add.

    Navigate to Logging Destinations

    In this section, the logging destination is a preference of the administrator and Internal Buffer is used. Change Event Class  to Filter on Severity and debugging.  Once this is completed, click +Add and choose webvpn, vpn, auth, and caall with Syslog severity of debugging. This step allows the administrator to filter these debug outputs to a specific syslog message of 711001. These can be modified depending type of troubleshooting. However, the ones chosen in this example cover the most commonly encountered Site-to-Site, Remote Access, and AAA VPN-related issues.

    Create Event Classes and Filters for the DebugsCreate event classes and filters for the debugs.

    warning-icon

    Warning: This changes the Buffer Logging Level to debugging and logs debugging events for the classes specified to the internal buffer. It is recommended to use this logging method for troubleshooting purposes, and not for long-term use.

    Choose Save in the top right, and then Deploythe configuration changes.

    Save and Deploy Logging Changes

    Firewall Threat Defense

    Navigate to the FTD CLI and issue the command show logging setting. The settings here reflect the changes made on the FMC. Ensure the debug-trace logging is enabled, and the buffer logging matches the classes and logging level specified.

    Display the Logging Settings in the FTD CLIDisplay the logging settings in the FTD CLI.

    Lastly, apply a debug in order to ensure the logs are being redirected to syslog:711001. In this example, debug webvpn anyconnect 255 is applied. This triggers a logging debug-trace notice, letting the administrator know that these debugs are redirected. In order to view these debugs, issue the command show log | in 711001. This syslog ID now only contains relevant VPN debugs as applied by the administrator. Existing logs can be cleared with a clear logging buffer.

    Shows all VPN Debugs are being Redirected to Syslog 711001Shows all VPN debugs are being redirected to syslog 711001.

    Revision History

    Revision Publish Date Comments
    1.0
    27-Jul-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Neal Roche
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products