Cisco IOS Software Releases 12.3 T

Crypto Conditional Debug Support



The Crypto Conditional Debug Support feature introduces three new command-line interfaces (CLIs) that allow users to debug an IP Security (IPSec) tunnel on the basis of predefined crypto conditions such as the peer IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debug messages to specific IPSec operations and reducing the amount of debug output, users can better troubleshoot a router with a large number of tunnels.

Feature History for Crypto Conditional Debug Support

Release     Modification
12.3(2)T    This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Crypto Conditional Debug Support

Restrictions for Crypto Conditional Debug Support

Information About Crypto Conditional Debug Support

How to Enable Crypto Conditional Debug Support

Configuration Examples for the Crypto Conditional Debug CLIs

Additional References

Command Reference

Prerequisites for Crypto Conditional Debug Support

To use the new crypto CLIs, you must be using a crypto image, such as the k8 or k9 subsystem.

Restrictions for Crypto Conditional Debug Support

This feature does not support debug message filtering for hardware crypto engines.

Although conditional debugging is useful for troubleshooting peer-specific or functionality-related Internet Key Exchange (IKE) and IPSec problems, conditional debugging may not be able to define and check large numbers of debug conditions.

Because extra space is needed to store the debug condition values, additional processing overhead is added to the CPU and memory usage is increased. Thus, crypto conditional debugging should be enabled with caution on a router that carries heavy traffic.

Information About Crypto Conditional Debug Support

To enable the conditional crypto debug commands, you should understand the following concept:

Supported Condition Types

Supported Condition Types

The new crypto conditional debug CLIs—debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition—allow you to specify conditions (filter values) in which to generate and display debug messages related only to the specified conditions. Table 1 lists the supported condition types.

Table 1 Supported Condition Types for Crypto Debug CLI  

Condition Type (Keyword)
Description

connid (1)

An integer from 1 to 32766. Relevant debug messages will be shown if the current IPSec operation uses this value as the connection ID to interface with the crypto engine.

flowid (1)

An integer from 1 to 32766. Relevant debug messages will be shown if the current IPSec operation uses this value as the flow-ID to interface with the crypto engine.

FVRF

The name string of a virtual private network (VPN) routing and forwarding (VRF) instance. Relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its front-door VRF (FVRF).

IVRF

The name string of a VRF instance. Relevant debug messages will be shown if the current IPSec operation uses this VRF instance as its inside VRF (IVRF).

peer group

A Unity group-name string. Relevant debug messages will be shown if the peer is using this group name as its identity.

peer hostname

A fully qualified domain name (FQDN) string. Relevant debug messages will be shown if the peer is using this string as its identity; for example, if the peer is enabling IKE Xauth with this FQDN string.

peer ipaddress

A single IP address. Relevant debug messages will be shown if the current IPSec operation is related to the IP address of this peer.

peer subnet

A subnet and a subnet mask that specify a range of peer IP addresses. Relevant debug messages will be shown if the IP address of the current IPSec peer falls into the specified subnet range.

peer username

A username string. Relevant debug messages will be shown if the peer is using this username as its identity; for example, if the peer is enabling IKE Extended Authentication (Xauth) with this username.

SPI (1)

A 32-bit unsigned integer. Relevant debug messages will be shown if the current IPSec operation uses this value as the SPI.

(1) If an IPSec connid, flowid, or SPI is used as a debug condition, the debug messages for the related IPSec flow are generated. An IPSec flow has two connids, flowids, and SPIs—one inbound and one outbound. Either of the two connids, flowids, or SPIs can be used as the debug condition that triggers debug messages for the IPSec flow.


How to Enable Crypto Conditional Debug Support

This section contains the following procedures:

Enabling Crypto Conditional Debug Messages

Enabling Crypto Error Debug Messages

Enabling Crypto Conditional Debug Messages

To enable crypto conditional debug filtering, you must perform the following tasks.

Performance Considerations

Before enabling crypto conditional debugging, you must decide what debug condition types (also known as debug filters) and values will be used. The volume of debug messages is dependent on the number of conditions you define.


Note Specifying numerous debug conditions may consume CPU cycles and negatively affect router performance.


Your router will perform conditional debugging only after at least one of the global crypto debug commands—debug crypto isakmp, debug crypto ipsec, and debug crypto engine—has been enabled. This requirement helps to ensure that the performance of the router will not be impacted when conditional debugging is not being used.

Disable Crypto Debug Conditions

If you choose to disable crypto conditional debugging, you must first disable any crypto global debug CLIs you have issued; thereafter, you can disable conditional debugging.


Note The reset keyword can be used to disable all configured conditions at one time.


SUMMARY STEPS

1. enable

2. debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [fvrf string] [ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer] [reset]

3. show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]}

4. debug crypto isakmp

5. debug crypto ipsec

6. debug crypto engine

7. debug crypto condition unmatched [isakmp | ipsec | engine] (optional)

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [fvrf string] [ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer] [reset]

Example:

Router# debug crypto condition connid 2000 engine-id 1

Defines conditional debug filters.

Step 3 

show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]}

Example:

Router# show crypto debug-condition spi

Displays crypto debug conditions that have already been enabled in the router.

Step 4 

debug crypto isakmp

Example:

Router# debug crypto isakmp

Enables global IKE debugging.

Step 5 

debug crypto ipsec

Example:

Router# debug crypto ipsec

Enables global IPSec debugging.

Step 6 

debug crypto engine

Example:

Router# debug crypto engine

Enables global crypto engine debugging.

Step 7 

debug crypto condition unmatched [isakmp | ipsec | engine]

Example:

Router# debug crypto condition unmatched ipsec

(Optional) Displays debug conditional crypto messages when no context information is available to check against debug conditions.

If none of the optional keywords are specified, all crypto-related information will be shown.

Enabling Crypto Error Debug Messages

To enable crypto error debug messages, you must perform the following tasks.

debug crypto error CLI

Enabling the debug crypto error command displays only error-related debug messages, thereby allowing you to easily determine why a crypto operation, such as an IKE negotiation, has failed within your system.


Note When enabling this command, ensure that global crypto debug commands are not enabled; otherwise, the global commands will override any possible error-related debug messages.


SUMMARY STEPS

1. enable

2. debug crypto {isakmp | ipsec | engine} error

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug crypto {isakmp | ipsec | engine} error

Example:

Router# debug crypto ipsec error

Enables only error debugging messages for a crypto area.

Configuration Examples for the Crypto Conditional Debug CLIs

This section includes the following examples:

Enabling Crypto Conditional Debugging: Example

Disabling Crypto Conditional Debugging: Example

Enabling Crypto Conditional Debugging: Example

The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3, and when the connection-ID 2000 of crypto engine 0 is used. This example also shows how to enable global debug crypto CLIs and enable the show crypto debug-condition command to verify conditional settings.

Router# debug crypto condition connid 2000 engine-id 1
Router# debug crypto condition peer ipv4 10.1.1.1
Router# debug crypto condition peer ipv4 10.1.1.2
Router# debug crypto condition peer ipv4 10.1.1.3
Router# debug crypto condition unmatched 
! Verify crypto conditional settings.
Router# show crypto debug-condition

Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON

IKE peer IP address filters:
10.1.1.1  10.1.1.2   10.1.1.3

Connection-id filters:[connid:engine_id]2000:1,
! Enable global crypto CLIs to start conditional debugging.
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine

Disabling Crypto Conditional Debugging: Example

The following example shows how to disable all crypto conditional settings and verify that those settings have been disabled:

Router# debug crypto condition reset
! Verify that all crypto conditional settings have been disabled.
Router# show crypto debug-condition

Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF
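Filters and unmatched flags that are left behind after a troubleshooting session keep consuming CPU, so it is worth checking the OFF state shown above mechanically rather than by eye. The following Python is an added example, not Cisco code: it parses the two show crypto debug-condition outputs reproduced on this page (embedded here as constructed samples) and lists anything still enabled. It assumes the output format matches the page exactly; filter sections the page does not show (SPI, FVRF, IVRF) are not parsed.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the two "show crypto debug-condition" outputs as printed on this page.
SHOW_ON = """Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON

IKE peer IP address filters:
10.1.1.1  10.1.1.2   10.1.1.3

Connection-id filters:[connid:engine_id]2000:1,
"""

SHOW_OFF = """Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF
"""


@dataclass
class DebugCondition:
    enabled: bool = False
    unmatched: dict = field(default_factory=dict)  # area name -> unmatched flag is ON
    peer_ips: list = field(default_factory=list)   # IKE peer IP address filters
    connids: list = field(default_factory=list)    # (connid, engine_id) pairs


def parse_show_debug_condition(text):
    """Parse the plain-text output of 'show crypto debug-condition' (format assumed from this page)."""
    cond = DebugCondition()
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        m = re.match(r"Crypto conditional debug currently is turned (ON|OFF)$", ln)
        if m:
            cond.enabled = m.group(1) == "ON"
        m = re.match(r"(.+?) debug context unmatched flag:(ON|OFF)$", ln)
        if m:
            cond.unmatched[m.group(1)] = m.group(2) == "ON"
        if ln == "IKE peer IP address filters:":
            # Addresses follow on one or more whitespace-separated lines, up to a blank line.
            i += 1
            while i < len(lines) and lines[i]:
                cond.peer_ips.extend(lines[i].split())
                i += 1
            continue
        m = re.match(r"Connection-id filters:\[connid:engine_id\](.*)$", ln)
        if m:
            for pair in m.group(1).split(","):
                if pair.strip():
                    connid, engine = pair.strip().split(":")
                    cond.connids.append((int(connid), int(engine)))
        i += 1
    return cond


def leftover_debug_findings(cond):
    """Return one finding per setting still active; an empty list means the router is clean."""
    findings = []
    if cond.enabled:
        findings.append("crypto conditional debug is still ON")
    for area, on in cond.unmatched.items():
        if on:
            findings.append(f"{area} unmatched flag is still ON")
    if cond.peer_ips:
        findings.append("peer IP filters remain: " + ", ".join(cond.peer_ips))
    for connid, engine in cond.connids:
        findings.append(f"connid filter remains: {connid} on engine {engine}")
    return findings


if __name__ == "__main__":
    for label, sample in (("after enabling", SHOW_ON), ("after reset", SHOW_OFF)):
        print(label, "->", leftover_debug_findings(parse_show_debug_condition(sample)) or ["clean"])
```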

Additional References

The following sections provide references to the Crypto Conditional Debug Support feature.

Related Documents

Related Topic                        Document Title
IPSec and IKE configuration tasks    Cisco IOS Security Configuration Guide
IPSec and IKE commands               Cisco IOS Security Command Reference


Standards

Standards
Title

None


MIBs

MIBs
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

None


Technical Assistance

Description
Link

Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/public/support/tac/home.shtml


Command Reference

This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.3 T command reference publications.

debug crypto condition

debug crypto condition unmatched

debug crypto error

show crypto debug-condition

debug crypto condition

To define conditional debug filters, use the debug crypto condition command in privileged EXEC mode. To disable conditional debugging, use the no form of this command.

debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [fvrf string] [ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer] [reset]

no debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [fvrf string] [ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer]

Syntax Description

connid integer (1)

(Optional) Internet Key Exchange (IKE) and IP Security (IPSec) connection ID filter. Valid values range from 1 to 32766.

engine-id integer

(Optional) Crypto engine ID value, which can be retrieved via the show crypto isakmp sa detail command. Valid values are 1, which represents software engines, and 2, which represents hardware engines.

flowid integer

(Optional) IPSec flow-ID filter. Valid values range from 1 to 32766.

fvrf string (1)

(Optional) Front-door virtual private network (VPN) routing and forwarding (FVRF) filter. The string argument must be the name string of an FVRF instance.

ivrf string (1)

(Optional) Inside VRF (IVRF) filter. The string argument must be the name string of an IVRF instance.

peer (1)

(Optional) IKE peer filter. At least one of the following keywords and arguments must be used:

group string—Unity group name filter of the IKE peer.

hostname string—Fully qualified domain name (FQDN) host name filter of the IKE peer.

ipv4 ipaddress—IP address filter of the IKE peer.

subnet subnet mask—Range of IKE peer IP addresses.

username string—FQDN username filter of the IKE peer.

spi integer (1)

(Optional) Security parameter index (SPI) filter. The integer must be a 32-bit unsigned integer.

reset

(Optional) Deletes all crypto debug filters.

Note It is suggested that you turn off all crypto global debugging before using this keyword; otherwise, your system may be flooded with debug messages.

(1) Additional conditional filters (ipv4 address, subnet mask, username, hostname, group, connection-ID, flow-ID, SPI, FVRF, and IVRF) can be specified more than once by repeating the debug crypto condition command with any of the available filters.
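The ranges in the Syntax Description and the ordering rules in the procedure earlier (filters first, then the global debug commands; global debug off before reset) are easy to get wrong by hand. The following Python helper is an added example, not part of Cisco IOS or of this document: it turns a filter set into the exact debug crypto condition lines, refuses values outside the documented ranges, and emits the enable and teardown sequences in the required order. The function names are this example's own, and the no forms of the global debug commands are assumed standard IOS usage rather than taken from this page.

```python
from ipaddress import IPv4Address, IPv4Network

CONNID_MAX = 32766        # connid and flowid: valid values 1 to 32766
SPI_MAX = 0xFFFFFFFF      # spi: 32-bit unsigned integer
SOFTWARE_ENGINE = 1       # engine-id 1 = software engine
HARDWARE_ENGINE = 2       # engine-id 2 = hardware engine (debug filtering not supported)
GLOBAL_DEBUGS = ("debug crypto isakmp", "debug crypto ipsec", "debug crypto engine")


def _check_range(name, value, low, high):
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer from {low} to {high}, got {value!r}")


def build_condition_commands(connid=None, flowid=None, engine_id=SOFTWARE_ENGINE,
                             fvrf=None, ivrf=None, peer=None, spi=None):
    """Return the 'debug crypto condition ...' lines for one filter set.

    peer is a dict with any of: group, hostname, username (strings), ipv4 (list of
    addresses), subnet ('addr/prefix'); at least one key is required.
    """
    cmds = []
    if connid is not None or flowid is not None:
        if engine_id == HARDWARE_ENGINE:
            raise ValueError("debug filtering is not supported for hardware crypto engines")
        if engine_id != SOFTWARE_ENGINE:
            raise ValueError("engine-id must be 1 (software) or 2 (hardware)")
    for keyword, value in (("connid", connid), ("flowid", flowid)):
        if value is not None:
            _check_range(keyword, value, 1, CONNID_MAX)
            cmds.append(f"debug crypto condition {keyword} {value} engine-id {engine_id}")
    for keyword, value in (("fvrf", fvrf), ("ivrf", ivrf)):
        if value:
            cmds.append(f"debug crypto condition {keyword} {value}")
    if peer is not None:
        allowed = {"group", "hostname", "username", "ipv4", "subnet"}
        if not peer or set(peer) - allowed:
            raise ValueError(f"peer needs one or more of {sorted(allowed)}, got {sorted(peer)}")
        for keyword in ("group", "hostname", "username"):
            if keyword in peer:
                cmds.append(f"debug crypto condition peer {keyword} {peer[keyword]}")
        for addr in peer.get("ipv4", []):
            cmds.append(f"debug crypto condition peer ipv4 {IPv4Address(addr)}")
        if "subnet" in peer:
            net = IPv4Network(peer["subnet"], strict=False)
            cmds.append(f"debug crypto condition peer subnet {net.network_address} {net.netmask}")
    if spi is not None:
        _check_range("spi", spi, 0, SPI_MAX)
        cmds.append(f"debug crypto condition spi {spi}")
    if not cmds:
        raise ValueError("no filter given; use 'debug crypto condition reset' to clear filters")
    return cmds


def session_commands(filters, unmatched=True):
    """Filters first; the global debug commands that actually start conditional debugging last."""
    cmds = list(filters)
    if unmatched:
        cmds.append("debug crypto condition unmatched")
    return cmds + list(GLOBAL_DEBUGS)


def teardown_commands():
    """Disable global debugging before clearing filters ('no' forms assumed standard IOS usage)."""
    return ["no " + cmd for cmd in GLOBAL_DEBUGS] + ["debug crypto condition reset"]


if __name__ == "__main__":
    filters = build_condition_commands(connid=2000, peer={"ipv4": ["10.1.1.1", "10.1.1.2", "10.1.1.3"]})
    print("\n".join(session_commands(filters)))
    print("\n".join(teardown_commands()))
```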


Defaults

Crypto conditional debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release     Modification
12.3(2)T    This command was introduced.


Usage Guidelines

Before enabling the debug crypto condition command, you must decide what debug condition types (also known as debug filters) and values will be used. The volume of debug messages is dependent on the number of conditions you define.


Note Specifying numerous debug conditions may consume CPU cycles and have a negative effect on router performance.


To begin crypto conditional debugging, you must also enable at least one global crypto debug command—debug crypto isakmp, debug crypto ipsec, and debug crypto engine; otherwise, conditional debugging will not occur. This requirement helps to ensure that the performance of the router will not be impacted when conditional debugging is not being used.


Note Debug message filtering for hardware crypto engines is not supported.


Examples

The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3 and when the connection-ID 2000 of crypto engine 0 is used. This example also shows how to enable global debug crypto CLIs and enable the show crypto debug-condition command to verify conditional settings.

Router# debug crypto condition connid 2000 engine-id 1
Router# debug crypto condition peer ipv4 10.1.1.1
Router# debug crypto condition peer ipv4 10.1.1.2
Router# debug crypto condition peer ipv4 10.1.1.3
Router# debug crypto condition unmatched 
! Verify crypto conditional settings.
Router# show crypto debug-condition

Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON

IKE peer IP address filters:
10.1.1.1  10.1.1.2   10.1.1.3

Connection-id filters:[connid:engine_id]2000:1,
! Enable global crypto CLIs to start conditional debugging.
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine

The following example shows how to disable all crypto conditional settings via the reset keyword:

Router# debug crypto condition reset
! Verify that all crypto conditional settings have been disabled.
Router# show crypto debug-condition

Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF

Related Commands

Command                            Description
debug crypto condition unmatched   Displays crypto conditional debug messages when context information is unavailable to check against debug conditions.
show crypto debug-condition        Displays crypto debug conditions that have already been enabled in the router.
show crypto ipsec sa               Displays the settings used by current SAs.
show crypto isakmp sa              Displays all current IKE SAs at a peer.


debug crypto condition unmatched

To display crypto conditional debug messages when context information is unavailable to check against debug conditions, use the debug crypto condition unmatched command in privileged EXEC mode. To disable debugging, use the no form of this command.

debug crypto condition unmatched [isakmp | ipsec | engine]

no debug crypto condition unmatched [isakmp | ipsec | engine]

Syntax Description

isakmp | ipsec | engine

(Optional) One or more of these keywords can be enabled to display debug messages for the specified areas. If none of these keywords are entered, debug messages for all crypto areas will be shown.


Defaults

Debug messages that do not have context information to match any debug conditions (filters) will not be printed.

Command Modes

Privileged EXEC

Command History

Release     Modification
12.3(2)T    This command was introduced.


Usage Guidelines

After the debug crypto condition command has been enabled, you can use the debug crypto condition unmatched command to define whether the debug output is being printed when no context information is available in the code to check against the debug filters. For example, if the crypto engine's connection-ID is the filter that the debug conditions are being checked against, the debug crypto condition unmatched command displays debug messages in the early negotiation phase when a connection-ID is unavailable to check against debug conditions.

Examples

The following example shows how to enable debug messages for all crypto-related areas:

Router# debug crypto condition unmatched

Related Commands

Command                            Description
debug crypto condition             Defines conditional debug filters.
show crypto debug-condition        Displays crypto debug conditions that have already been enabled in the router.
show crypto ipsec sa               Displays the settings used by current SAs.
show crypto isakmp sa              Displays all current IKE SAs at a peer.


debug crypto error

To enable error debugging for a crypto area, use the debug crypto error command in privileged EXEC mode. To disable crypto error debugging, use the no form of this command.

debug crypto {isakmp | ipsec | engine} error

no debug crypto {isakmp | ipsec | engine} error

Syntax Description

isakmp

Debug messages are shown for Internet Key Exchange (IKE)-related error operations only.

ipsec

Debug messages are shown for IP Security (IPSec)-related error operations only.

engine

Debug messages are shown for crypto engine-related error operations only.


Defaults

Crypto error debugging is not enabled.

Command Modes

Privileged EXEC

Command History

Release     Modification
12.3(2)T    This command was introduced.


Usage Guidelines

The debug crypto error command will display only error-related debug messages; that is, an error debug will not be shown if the operation is functioning properly.

This command should be used when debug conditions cannot be determined; for example, enable this command when a random, small subset of IKE peers is failing negotiation.


Note The global crypto command-line interfaces (CLIs) (the debug crypto isakmp, debug crypto ipsec, and debug crypto engine commands) will override the debug crypto error command. Thus, this command should not be used in conjunction with the global CLIs because you may overwhelm the router.



Note Debug message filtering for crypto hardware engines is not supported.


Examples

The following example shows how to enable IPSec-related error messages:

Router# debug crypto ipsec error

show crypto debug-condition

To display crypto debug conditions that have already been enabled in the router, use the show crypto debug-condition command in privileged EXEC mode.

show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]}

Syntax Description

peer

(Optional) Displays debug conditions related to the peer. Possible conditions can include peer IP address, subnet mask, host name, username, and group key.

connid

(Optional) Displays debug conditions related to the connection-ID.

spi

(Optional) Displays debug conditions related to the security parameter index (SPI).

fvrf

(Optional) Displays debug conditions related to the front-door virtual private network (VPN) routing and forwarding (FVRF) instance.

ivrf

(Optional) Displays debug conditions related to the inside VRF (IVRF) instance.

unmatched

(Optional) Displays debug messages related to Internet Key Exchange (IKE), IP Security (IPSec), or the crypto engine, depending on what was specified via the debug crypto condition unmatched [isakmp | ipsec | engine] command.


Command Modes

Privileged EXEC

Command History

Release     Modification
12.3(2)T    This command was introduced.


Usage Guidelines

You can specify as many filter values as specified via the debug crypto condition command. (You cannot specify a filter value that you did not use in the debug crypto condition command.) If no keywords are specified, all configured crypto conditions will be shown.

Examples

The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3 and when the connection ID 2000 of crypto engine 0 is used. This example also shows how to enable global debug crypto CLIs and enable the show crypto debug-condition command to verify conditional settings.

Router# debug crypto condition connid 2000 engine-id 1
Router# debug crypto condition peer ipv4 10.1.1.1
Router# debug crypto condition peer ipv4 10.1.1.2
Router# debug crypto condition peer ipv4 10.1.1.3
Router# debug crypto condition unmatched 
! Verify crypto conditional settings.
Router# show crypto debug-condition

Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON

IKE peer IP address filters:
10.1.1.1  10.1.1.2   10.1.1.3

Connection-id filters:[connid:engine_id]2000:1,
! Enable global crypto CLIs to start conditional debugging.
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine

The following example shows how to disable all crypto conditional settings via the reset keyword:

Router# debug crypto condition reset
! Verify that all crypto conditional settings have been disabled.
Router# show crypto debug-condition

Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF

Related Commands

Command                            Description
debug crypto condition             Defines conditional debug filters.
debug crypto condition unmatched   Displays crypto conditional debug messages when context information is unavailable to check against debug conditions.