Debugging VPN connections on an ASA firewall can be a daunting affair made even worse if there are multiple tunnels. Fortunately, Cisco have this covered with the “condition” debug command.
debug crypto condition ……
One of the more useful commands is:
debug crypto condition peer x.x.x.x
By using this command and specifying the IP address of the peer you are troubleshooting, debug output is restricted to that tunnel, filtering out the background noise from every other tunnel on the firewall.
GOTCHA: remember to remove the condition statement when you have finished otherwise a future engineer working on crypto problems on the same firewall may wonder why they get little or no debug output!
The output from the following command shows whether any debug filtering is applied:
show debug
Crypto conditional debug is turned ON
IKE peer IP address filters:
1.1.1.1/32
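The full workflow described above, as an added example that is not part of the original post: set the condition, verify it, run the crypto debugs, then clear both the debugs and the condition so the next engineer starts from a clean state. The hostname ciscoasa and the peer address 203.0.113.10 (documentation range) are constructed; the debug commands are standard ASA exec commands, and the exact wording of show debug output after the reset varies by software version, so it is not reproduced here.

```cisco
! --- 1. Restrict crypto debug output to one peer (constructed address) ---
ciscoasa# debug crypto condition peer 203.0.113.10

! --- 2. Confirm the filter is in place before enabling any debugs ---
ciscoasa# show debug
Crypto conditional debug is turned ON
IKE peer IP address filters:
203.0.113.10/32

! --- 3. Enable the debugs you actually need (level 127 is the most verbose) ---
! Use the IKE version the tunnel is configured for.
ciscoasa# debug crypto ikev2 protocol 127
ciscoasa# debug crypto ipsec 127
! Only messages for 203.0.113.10 are printed; other tunnels stay silent.

! --- 4. Clean up: stop all debugs, THEN remove the condition ---
ciscoasa# undebug all
ciscoasa# debug crypto condition reset

! --- 5. Verify nothing is left behind for the next engineer ---
ciscoasa# show debug
```

The order in step 4 matters: undebug all switches the debugs off but leaves the peer condition configured, so a later debug crypto … on this firewall would still be silently filtered to 203.0.113.10 until debug crypto condition reset is issued. Running show debug at the end is the quickest way to prove the box is back to its default state.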