Filtering an ASA VPN Packet Capture

Debugging VPN connections on an ASA firewall can be a daunting affair, made even worse when there are multiple tunnels and every one of them writes to the same debug output. Fortunately, Cisco have this covered with the “condition” debug command.

debug crypto condition ……

One of the more useful commands is:

debug crypto condition peer x.x.x.x

By using this command and specifying the IP address of the peer you are troubleshooting, debug output is restricted to the relevant tunnel, so the background noise from the other tunnels no longer drowns out what you are looking for.

GOTCHA: remember to remove the condition statement when you have finished, otherwise a future engineer working on crypto problems on the same firewall may wonder why they get little or no debug output!

The output from the following command will show whether any debug filtering is applied:

show debug

Crypto conditional debug is turned ON

IKE peer IP address filters:
1.1.1.1/32
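Because a forgotten condition silently hides debug output from the next engineer, it is worth checking for leftover filters across a fleet rather than relying on memory. The script below is an added example, not part of the original post: it parses saved `show debug` output in the format shown above and reports any firewall that still has crypto conditional debug turned on with a peer filter. The device names and the second device's (empty) output are constructed sample data.

```python
import re

# Constructed sample 'show debug' output from two firewalls (not real device data).
# asa-edge-1 carries the filter shown in the post; asa-edge-2 has no condition set.
SAMPLE_OUTPUTS = {
    "asa-edge-1": """Crypto conditional debug is turned ON

IKE peer IP address filters:
1.1.1.1/32
""",
    "asa-edge-2": "",
}

# Matches an IPv4 address with an optional prefix length, e.g. 1.1.1.1/32
PEER_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")


def parse_show_debug(output):
    """Return (conditional_on, [peer filters]) parsed from 'show debug' text."""
    conditional_on = False
    peers = []
    in_peer_section = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Crypto conditional debug is turned ON"):
            conditional_on = True
        elif line.startswith("IKE peer IP address filters:"):
            in_peer_section = True
        elif in_peer_section:
            if PEER_RE.match(line):
                peers.append(line)
            elif line:
                in_peer_section = False  # any other heading ends the peer list
    return conditional_on, peers


def stale_conditions(outputs):
    """Map device name -> leftover peer filters, for devices that still have any."""
    stale = {}
    for device, text in outputs.items():
        on, peers = parse_show_debug(text)
        if on and peers:
            stale[device] = peers
    return stale


if __name__ == "__main__":
    for device, peers in stale_conditions(SAMPLE_OUTPUTS).items():
        print(f"{device}: crypto debug condition still set for {', '.join(peers)}")
```

Feed it the `show debug` output collected from each firewall and clear the conditions on any device it lists.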
