-
Cisco IOS Debug Command Reference
-
Introduction
-
Using Debug Commands
-
Conditionally Triggered Debugging
-
debug aaa accounting through debug auto-config
-
debug backhaul-session-manager session through debug channel packets
-
debug clns esis events through debug dbconn tcp
-
debug decnet adj through debug events
-
debug fax dmsp through debug gvrp
-
debug h225 asn1 through debug ip ftp
-
debug ip http all through debug ip rsvp
-
debug ip rtp header-compression through debug ipv6 icmp
-
debug ipv6 inspect through debug local-ack state
-
debug management event through debug mpls ldp bindings
-
debug mpls ldp checkpoint through debug mwi relay events
-
debug ncia circuit through debug pxf tbridge
-
debug qllc error through debug snmp sync
-
debug sntp adjust through debug tag-switching xtagatm vc
-
debug tag-template event through debug voip application vxml
-
debug voip avlist through debug vpm signaling
-
debug vpm spi through voice call debug
-
X.25 Cause and Diagnostic Codes
-
ISDN Switch Types, Codes, and Values
-
Table Of Contents
debug condition application voice
debug crypto ace congestion-mgr
debug crypto condition unmatched
debug crypto engine accelerator logs
debug crypto ipsec client ezvpn
debug clns esis events
To display uncommon End System-to-Intermediate System (ES-IS) events, including previously unknown neighbors, neighbors that have aged out, and neighbors that have changed roles (ES-IS, for example), use the debug clns esis events command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug clns esis events
no debug clns esis events
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Examples
The following is sample output from the debug clns esis events command:
Router# debug clns esis eventsES-IS: ISH from aa00.0400.2c05 (Ethernet1), HT 30ES-IS: ESH from aa00.0400.9105 (Ethernet1), HT 150ES-IS: ISH sent to All ESs (Ethernet1): NET 49.0001.AA00.0400.6904.00, HT 299, HLEN 20The following line indicates that the router received a hello packet (ISH) from the IS at MAC address aa00.0400.2c05 on Ethernet interface 1. The hold time (or number of seconds to consider this packet valid before deleting it) for this packet is 30 seconds.
ES-IS: ISH from aa00.0400.2c05 (Ethernet1), HT 30The following line indicates that the router received a hello packet (ESH) from the ES at MAC address aa00.0400.9105 on the Ethernet interface 1. The hold time is 150 seconds.
ES-IS: ESH from aa00.0400.9105 (Ethernet1), HT 150The following line indicates that the router sent an IS hello packet on the Ethernet interface 0 to all ESs on the network. The network entity title (NET) address of the router is 49.0001.0400.AA00.6904.00; the hold time for this packet is 299 seconds; and the header length of this packet is 20 bytes.
ES-IS: ISH sent to All ESs (Ethernet1): NET 49.0001.AA00.0400.6904.00, HT 299, HLEN 20debug clns esis packets
To enable display information on End System-to-Intermediate System (ES-IS) packets that the router has received and sent, use the debug clns esis packets command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug clns esis packets
no debug clns esis packets
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Examples
The following is sample output from the debug clns esis packets command:
Router# debug clns esis packetsES-IS: ISH sent to All ESs (Ethernet0): NET47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00, HT 299, HLEN 33ES-IS: ISH sent to All ESs (Ethernet1): NET47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00, HT 299, HLEN 34ES-IS: ISH from aa00.0400.6408 (Ethernet0), HT 299ES-IS: ISH sent to All ESs (Tunnel0): NET47.0005.80ff.ef00.0000.0001.5940.1600.O906.4023.00, HT 299, HLEN 34IS-IS: ESH from 0000.0c00.bda8 (Ethernet0), HT 300The following line indicates that the router has sent an IS hello packet on Ethernet interface 0 to all ESs on the network. This hello packet indicates that the NET of the router is 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00. The hold time for this packet is 299 seconds. The packet header is 33 bytes in length.
ES-IS: ISH sent to All ESs (Ethernet0): NET 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00, HT 299, HLEN 33The following line indicates that the router has sent an IS hello packet on Ethernet interface 1 to all ESs on the network. This hello packet indicates that the NET of the router is 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00. The hold time for this packet is 299 seconds. The packet header is 33 bytes in length.
ES-IS: ISH sent to All ESs (Ethernet1): NET 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00, HT 299, HLEN 34The following line indicates that the router received a hello packet on Ethernet interface 0 from an intermediate system, aa00.0400.6408. The hold time for this packet is 299 seconds.
ES-IS: ISH from aa00.0400.6408 (Ethernet0), HT 299The following line indicates that the router has sent an IS hello packet on Tunnel interface 0 to all ESs on the network. This hello packet indicates that the NET of the router is 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00. The hold time for this packet is 299 seconds. The packet header is 33 bytes in length.
ES-IS: ISH sent to All ESs (Tunnel0): NET 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00, HT 299, HLEN 34The following line indicates that on Ethernet interface 0, the router received a hello packet from an end system with an SNPA of 0000.0c00.bda8. The hold time for this packet is 300 seconds.
IS-IS: ESH from 0000.0c00.bda8 (Ethernet0), HT 300debug clns events
To display Connectionless Network Service (CLNS) events that are occurring at the router, use the debug clns events command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug clns events
no debug clns events
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Examples
The following is sample output from the debug clns events command:
Router# debug clns eventsCLNS: Echo PDU received on Ethernet3 from 39.0001.2222.2222.2222.00!CLNS: Sending from 39.0001.3333.3333.3333.00 to 39.0001.2222.2222.2222.00via 2222.2222.2222 (Ethernet3 0000.0c00.3a18)CLNS: Forwarding packet size 117from 39.0001.2222.2222.2222.00to 49.0002.0001.AAAA.AAAA.AAAA.00via 49.0002 (Ethernet3 0000.0c00.b5a3)CLNS: RD Sent on Ethernet3 to 39.0001.2222.2222.2222.00 @ 0000.0c00.3a18,redirecting 49.0002.0001.AAAA.AAAA.AAAA.00 to 0000.0c00.b5a3The following line indicates that the router received an echo protocol data unit (PDU) on Ethernet interface 3 from source network service access point (NSAP) 39.0001.2222.2222.2222.00. The exclamation point at the end of the line has no significance.
CLNS: Echo PDU received on Ethernet3 from 39.0001.2222.2222.2222.00!The following lines indicate that the router at source NSAP 39.0001.3333.3333.3333.00 is sending a CLNS echo packet to destination NSAP 39.0001.2222.2222.2222.00 via an IS with system ID 2222.2222.2222. The packet is being sent on Ethernet interface 3, with a MAC address of 0000.0c00.3a18.
CLNS: Sending from 39.0001.3333.3333.3333.00 to 39.0001.2222.2222.2222.00via 2222.2222.2222 (Ethernet3 0000.0c00.3a18)The following lines indicate that a CLNS echo packet 117 bytes in size is being sent from source NSAP 39.0001.2222.2222.2222.00 to destination NSAP 49.0002.0001.AAAA.AAAA.AAAA.00 via the router at NSAP 49.0002. The packet is being forwarded on the Ethernet interface 3, with a MAC address of 0000.0c00.b5a3.
CLNS: Forwarding packet size 117from 39.0001.2222.2222.2222.00to 49.0002.0001.AAAA.AAAA.AAAA.00via 49.0002 (Ethernet3 0000.0c00.b5a3)The following lines indicate that the router sent a redirect packet on the Ethernet interface 3 to the NSAP 39.0001.2222.2222.2222.00 at MAC address 0000.0c00.3a18 to indicate that NSAP 49.0002.0001.AAAA.AAAA.AAAA.00 can be reached at MAC address 0000.0c00.b5a3.
CLNS: RD Sent on Ethernet3 to 39.0001.2222.2222.2222.00 @ 0000.0c00.3a18,redirecting 49.0002.0001.AAAA.AAAA.AAAA.00 to 0000.0c00.b5a3debug clns igrp packets
To display debugging information on all ISO-IGRP routing activity, use the debug clns igrp packets privileged EXEC command. The no form of this command disables debugging output.
debug clns igrp packets
no debug clns igrp packets
Syntax Description
This command has no arguments or keywords.
Examples
The following is sample output from the debug clns igrp packets command:
Router# debug clns igrp packetsISO-IGRP: Hello sent on Ethernet3 for DOMAIN_green1ISO-IGRP: Received hello from 39.0001.3333.3333.3333.00, (Ethernet3), ht 51ISO-IGRP: Originating level 1 periodic updateISO-IGRP: Advertise dest: 2222.2222.2222ISO-IGRP: Sending update on interface: Ethernet3ISO-IGRP: Originating level 2 periodic updateISO-IGRP: Advertise dest: 0001ISO-IGRP: Sending update on interface: Ethernet3ISO-IGRP: Received update from 3333.3333.3333 (Ethernet3)ISO-IGRP: Opcode: areaISO-IGRP: Received level 2 adv for 0001 metric 1100ISO-IGRP: Opcode: stationISO-IGRP: Received level 1 adv for 3333.3333.3333 metric 1100The following line indicates that the router is sending a hello packet to advertise its existence in the DOMAIN_green1 domain:
ISO-IGRP: Hello sent on Ethernet3 for DOMAIN_green1The following line indicates that the router received a hello packet from a certain network service access point (NSAP) on Ethernet interface 3. The hold time for this information is 51 seconds.
ISO-IGRP: Received hello from 39.0001.3333.3333.3333.00, (Ethernet3), ht 51The following lines indicate that the router is generating a Level 1 update to advertise reachability to destination NSAP 2222.2222.2222 and that it is sending that update to all systems that can be reached through Ethernet interface 3:
ISO-IGRP: Originating level 1 periodic updateISO-IGRP: Advertise dest: 2222.2222.2222ISO-IGRP: Sending update on interface: Ethernet3The following lines indicate that the router is generating a Level 2 update to advertise reachability to destination area 1 and that it is sending that update to all systems that can be reached through Ethernet interface 3:
ISO-IGRP: Originating level 2 periodic updateISO-IGRP: Advertise dest: 0001ISO-IGRP: Sending update on interface: Ethernet3The following lines indicate that the router received an update from NSAP 3333.3333.3333 on Ethernet interface 3. This update indicated the area that the router at this NSAP could reach.
ISO-IGRP: Received update from 3333.3333.3333 (Ethernet3)ISO-IGRP: Opcode: areaThe following lines indicate that the router received an update advertising that the source of that update can reach area 1 with a metric of 1100. A station opcode indicates that the update included system addresses.
ISO-IGRP: Received level 2 adv for 0001 metric 1100ISO-IGRP: Opcode: stationdebug clns packet
To display information about packet receipt and forwarding to the next interface, use the debug clns packet command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug clns packet
no debug clns packet
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Examples
The following is sample output from the debug clns packet command:
Router# debug clns packetCLNS: Forwarding packet size 157from 47.0023.0001.0000.0000.0003.0001.1920.3614.3002.00 STUPI-RBSto 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4017.00via 1600.8906.4017 (Ethernet0 0000.0c00.bda8)CLNS: Echo PDU received on Ethernet0 from 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4017.00!CLNS: Sending from 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00 to47.0005.80ff.ef00.0000.0001.5940.1600.8906.4017.00via 1600.8906.4017 (Ethernet0 0000.0c00.bda8)In the following lines, the first line indicates that a Connectionless Network Service (CLNS) packet of size 157 bytes is being forwarded. The second line indicates the network service access point (NSAP) and system name of the source of the packet. The third line indicates the destination NSAP for this packet. The fourth line indicates the next hop system ID, interface, and subnetwork point of attachment (SNPA) of the router interface used to forward this packet.
CLNS: Forwarding packet size 157from 47.0023.0001.0000.0000.0003.0001.1920.3614.3002.00 STUPI-RBSto 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4017.00via 1600.8906.4017 (Ethernet0 0000.0c00.bda8)In the following lines, the first line indicates that the router received an echo protocol data unit (PDU) on the specified interface from the source NSAP. The second line indicates which source NSAP is used to send a CLNS packet to the destination NSAP, as shown on the third line. The fourth line indicates the next hop system ID, interface, and SNPA of the router interface used to forward this packet.
CLNS: Echo PDU received on Ethernet0 from 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4017.00!CLNS: Sending from 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4023.00 to 47.0005.80ff.ef00.0000.0001.5940.1600.8906.4017.00via 1600.8906.4017 (Ethernet0 0000.0c00.bda8)debug clns routing
To display debugging information for all Connectionless Network Service (CLNS) routing cache updates and activities involving the CLNS routing table, use the debug clns routing command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug clns routing
no debug clns routing
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Examples
The following is sample output from the debug clns routing command:
Router# debug clns routingCLNS-RT: cache increment:17CLNS-RT: Add 47.0023.0001.0000.0000.0003.0001 to prefix table, next hop 1920.3614.3002CLNS-RT: Aging cache entry for: 47.0023.0001.0000.0000.0003.0001.1920.3614.3002.06CLNS-RT: Deleting cache entry for: 47.0023.0001.0000.0000.0003.0001.1920.3614.3002.06The following line indicates that a change to the routing table has resulted in an addition to the fast-switching cache:
CLNS-RT: cache increment:17The following line indicates that a specific prefix route was added to the routing table, and indicates the next hop system ID to that prefix route. In other words, when the router receives a packet with the prefix 47.0023.0001.0000.0000.0003.0001 in the destination address of that packet, it forwards that packet to the router with the MAC address 1920.3614.3002.
CLNS-RT: Add 47.0023.0001.0000.0000.0003.0001 to prefix table, next hop 1920.3614.3002The following lines indicate that the fast-switching cache entry for a certain network service access point (NSAP) has been invalidated and then deleted:
CLNS-RT: Aging cache entry for: 47.0023.0001.0000.0000.0003.0001.1920.3614.3002.06CLNS-RT: Deleting cache entry for: 47.0023.0001.0000.0000.0003.0001.1920.3614.3002.06debug cls message
To display information about Cisco Link Services (CLS) messages, use the debug cls message command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cls message
no debug cls message
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
The debug cls message command displays the primitives (state), selector, header length, and data size.
Examples
The following is sample output from the debug cls message command. For example, CLS-->DLU indicates the direction of the flow that is described by the status. From CLS to dependent logical unit (DLU), a request was established to the connection endpoint. The header length is 48 bytes, and the data size is 104 bytes.
Router# debug cls message(FRAS Daemon:CLS-->DLU):ID_STN.Ind to uSAP: 0x607044C4 sel: LLC hlen: 40, dlen: 54(FRAS Daemon:CLS-->DLU):ID_STN.Ind to uSAP: 0x6071B054 sel: LLC hlen: 40, dlen: 46(FRAS Daemon:DLU-->SAP):REQ_OPNSTN.Req to pSAP: 0x608021F4 sel: LLC hlen: 48, dlen: 104(FRAS Daemon:CLS-->DLU):REQ_OPNSTN.Cfm(NO_REMOTE_STN) to uCEP: 0x607FFE84 sel: LLC hlen: 48, dlen: 104The status possibilities include the following: enabled, disabled, request open station, open station, close station, activate SA, deactivate service access point (SAP), XID, exchange identification (XID) station, connect station, signal station, connect, disconnect, connected, data, flow, unnumbered data, modify SAP, test, activate ring, deactivate ring, test station, and unnumbered data station.
Related Commands
debug cls vdlc
To display information about Cisco Link Services (CLS) Virtual Data Link Control (VDLC), use the debug cls vdlc command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cls vdlc
no debug cls vdlc
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
The debug cls message command displays primitive state transitions, selector, and source and destination MAC and service access points (SAPs).
Also use the show cls command to display additional information on CLS VDLC.
CautionUse the debug cls vdlc command with caution because it can generate a substantial amount of output.
Examples
The following messages are sample output from the debug cls vdlc command. In the following scenario, the systems network architecture (SNA) service point—also called native service point (NSP)—is setting up two connections through VDLC and data-link switching (DLSw): one from NSP to VDLC and one from DLSw to VDLC. VDLC joins the two.
The NSP initiates a connection from 4000.05d2.0001 as follows:
VDLC: Req Open Stn Req PSap 0x7ACE00, port 0x79DF98 4000.05d2.0001(0C)->4000.1060.1000(04)In the next message, VDLC sends a test station request to DLSw for destination address 4000.1060.1000.
VDLC: Send UFrame E3: 4000.05d2.0001(0C)->4000.1060.1000(00)In the next two messages, DLSw replies with test station response, and NSP goes to a half-open state. NSP is waiting for the DLSw connection to VDLC.
VDLC: Sap to Sap TEST_STN_RSP VSap 0x7B68C0 4000.1060.1000(00)->4000.05d2.0001(0C)VDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_OPENING->VDLC_HALF_OPENThe NSP sends an exchange identification (XID) and changes state as follows:
VDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_HALF_OPEN->VDLC_XID_RSP_PENDINGVDLC: CEP to SAP ID_REQ 4000.05d2.0001(0C)->4000.1060.1000(04) via bridging SAP (DLSw)In the next several messages, DLSw initiates its connection, which matches the half-open connection with NSP:
VDLC: Req Open Stn Req PSap 0x7B68C0, port 0x7992A0 4000.1060.1000(04)->4000.05d2.0001(0C)VDLC: two-way connection establishedVDLC: 4000.1060.1000(04)->4000.05d2.0001(0C): VDLC_IDLE->VDLC_OPENIn the following messages, DLSw sends an XID response, and the NSP connection goes from the state XID Response Pending to Open. The XID exchange follows:
VDLC: CEP to CEP ID_RSP 4000.1060.1000(04)->4000.05d2.0001(0C)VDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_XID_RSP_PENDING->VDLC_OPENVDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_OPEN->VDLC_XID_RSP_PENDINGVDLC: CEP to CEP ID_REQ 4000.05d2.0001(0C)->4000.1060.1000(04)VDLC: CEP to CEP ID_RSP 4000.1060.1000(04)->4000.05d2.0001(0C)VDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_XID_RSP_PENDING->VDLC_OPENVDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_OPEN->VDLC_XID_RSP_PENDINGVDLC: CEP to CEP ID_REQ 4000.05d2.0001(0C)->4000.1060.1000(04)VDLC: CEP to CEP ID_RSP 4000.1060.1000(04)->4000.05d2.0001(0C)VDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_XID_RSP_PENDING->VDLC_OPENVDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_OPEN->VDLC_XID_RSP_PENDINGVDLC: CEP to CEP ID_REQ 4000.05d2.0001(0C)->4000.1060.1000(04)VDLC: CEP to CEP ID_RSP 4000.1060.1000(04)->4000.05d2.0001(0C)VDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_XID_RSP_PENDING->VDLC_OPENVDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_OPEN->VDLC_XID_RSP_PENDINGVDLC: CEP to CEP ID_REQ 4000.05d2.0001(0C)->4000.1060.1000(04)When DLSw is ready to connect, the front-end processor (FEP) sends a set asynchronous balanced mode extended (SABME) command as follows:
VDLC: CEP to CEP CONNECT_REQ 4000.1060.1000(04)->4000.05d2.0001(0C)VDLC: 4000.05d2.0001(0C)->4000.1060.1000(04): VDLC_XID_RSP_PENDING->VDLC_OPENIn the following messages, NSP accepts the connection and sends an unnumbered acknowledgment (UA) to the FEP:
VDLC: CEP to CEP CONNECT_RSP 4000.05d2.0001(0C)->4000.1060.1000(04)VDLC: FlowReq QUENCH OFF 4000.1060.1000(04)->4000.05d2.0001(0C)The following messages show the data flow:
VDLC: DATA 4000.1060.1000(04)->4000.05d2.0001(0C)VDLC: DATA 4000.05d2.0001(0C)->4000.1060.1000(04)...VDLC: DATA 4000.1060.1000(04)->4000.05d2.0001(0C)VDLC: DATA 4000.05d2.0001(0C)->4000.1060.1000(04)Related Commands
debug cme-xml
To generate debug messages for the Cisco Unified CallManager Express XML application, use the debug cme-xml command in privileged EXEC mode. To disable debugging, use the no form of the command.
debug cme-xml
no debug cme-xml
Syntax Description
This command has no keywords or arguments.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The show fb-its-log command displays the contents of the XML event table.
Examples
The following example shows the progress of an XML request that has been sent to Cisco Unified CallManager Express:
Router# debug cme-xml*Aug 5 06:27:25.727: CME got a raw XML message.*Aug 5 06:27:25.727: doc 0x63DB85E8, doc->doc_type 3, req 0x655FDCD0*Aug 5 06:27:25.727: CME extracted a XML document*Aug 5 06:27:25.727: Response buffer 0x63DCFD58, len = 4096*Aug 5 06:27:25.727: First Tag ID SOAP_HEADER_TAG_ID 58720257*Aug 5 06:27:25.727: First Attribute ID SOAP_ENV_ATTR 50331649*Aug 5 06:27:25.727: cme_xml_process_soap_header*Aug 5 06:27:25.727: cme_xml_process_soap_body*Aug 5 06:27:25.731: cme_xml_process_axl*Aug 5 06:27:25.731: cme_xml_process_request*Aug 5 06:27:25.731: cme_xml_process_ISgetGlobal*Aug 5 06:27:25.731: CME XML sent 811 bytes response.Related Commands
debug cns config
To turn on debugging messages related to the Cisco Networking Services (CNS) Configuration Agent, use the debug cns config command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cns config {agent | all | connection | notify}
no debug cns config {agent | all | connection | notify}
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to turn on or turn off debugging messages related to the CNS Configuration Agent.
Examples
In the following example, debugging messages are enabled for CNS configuration processes:
Router# debug cns config all00:04:09: config_id_get: entered00:04:09: config_id_get: Invoking cns_id_mode_get()00:04:09: config_id_get: cns_id_mode_get() returned INTERNAL00:04:09: config_id_get: successful exit cns_config_id=minna1,cns_config_id_len=600:04:09: cns_establish_connect_intf(): The device is already connected with the config server00:04:09: cns_initial_config_agent(): connecting with port 8000:04:09: pull_config() entered00:04:09: cns_config_id(): returning config_id=minna100:04:09: Message finished 150 readend00:04:09: %CNS-4-NOTE: SUCCESSFUL_COMPLETION-Process= "CNS Initial Configuration Agent", ipl= 0, pid= 8200:04:10: %SYS-5-CONFIG_I: Configured from console by console
Related Commands
debug cns event
To turn on debugging messages related to the Cisco Networking Services (CNS) Event Gateway, use the debug cns event command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cns event {agent | all | connection | subscriber}
no debug cns event {agent | all | connection | subscriber}
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to turn on or turn off debugging messages related to the CNS Event Gateway.
Examples
In the following example, debugging messages about all CNS Events are enabled:
Router# debug cns event all00:09:14: %CNS-4-NOTE: SUCCESSFUL_COMPLETION-Process= "CNS Initial Configuration Agent", ipl= 0, pid= 8200:09:14: event_agent():event_agent starting ..00:09:14: event_agent_open_connection(): attempting socket connect to Primary Gateway00:09:14: event_agent_open_connection():cns_socket_connect() succeeded:return_code=000:09:14: event_agent_open_connection():timeout_len=1:ka_total_timeout =0:total_timeout=000:09:14: event_id_get: entered00:09:14: event_id_get: Invoking cns_id_mode_get()debug cns exec
To display debugging messages about Cisco Networking Services (CNS) exec agent services, use the debug cns exec command in privileged EXEC mode. To disable debugging output, use the no or undebug form of this command.
debug cns exec {agent | all | decode | messages}
no debug cns exec {agent | all | decode | messages}
undebug cns exec {agent | all | decode | messages}
Syntax Description
Defaults
Debugging output is disabled.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use the debug cns exec command to troubleshoot CNS exec agent services.
Examples
The following example shows a debugging message for the CNS exec agent when a response has been posted to HTTP:
Router# debug cns exec agent4d20h: CNS exec agent: response postedRelated Commands
debug cns image
To display debugging messages about Cisco Networking Services (CNS) image agent services, use the debug cns image command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cns image {agent | all | connection | error}
no debug cns image {agent | all | connection | error}
Syntax Description
Defaults
If no keyword is specified, all debugging messages are displayed.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use the debug cns image command to troubleshoot CNS image agent services.
debug cns management
To display information about Cisco Networking Services (CNS) management, use the debug cns management command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cns management {snmp | xml}
no debug cns management {snmp | xml}
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
In the following example, debugging messages about SNMP- and XML-encapsulated CNS-management events are enabled:
Router# debug cns management snmpRouter# debug cns management xmlRouter# show debuggingCNS Management (SNMP Encapsulation) debugging is onCNS Management (Encap XML) debugging is onRouter# show running-config | include cnscns mib-access encapsulation snmpcns mib-access encapsulation xmlcns notifications encapsulation snmpcns notifications encapsulation xmlcns event 10.1.1.1 11011Router#00:12:50: Enqueued a notification in notif_q00:12:50: ea_produce succeeded Subject:cisco.cns.mibaccess:notification Message Length:38500:12:50: Trap sent via CNS Transport Mapping.Router#00:13:31: Response sent via CNS Transport Mapping.Router#00:14:38: Received a request00:14:38: ea_produce succeeded Subject:cisco.cns.mibaccess:response Message Length:241Related Commands
debug cns xml
To turn on debugging messages related to the Cisco Networking Services (CNS) eXtensible Markup Language (XML) parser, use the debug cns xml command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cns xml {all | decode | dom | parser}
no debug cns xml {all | decode | dom | parser}
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
In the following example, debugging messages for the CNS XML parser are enabled:
Router# debug cns xml parser00:12:05: Registering tag <config-server>00:12:05: Registering tag <server-info>00:12:05: Registering tag <ip-address>00:12:05: Registering tag <web-page>00:12:05: Registering tag <config-event>00:12:05: Registering tag <identifier>00:12:05: Registering tag <config-id>00:12:05: Registering tag <config-data>00:12:05: Registering tag <cli>00:12:05: Registering tag <error-info>00:12:05: Registering tag <error-message>00:12:05: Registering tag <line-number>00:12:05: Registering tag <config-write>00:12:05: Registering tag <exec-cmd-event>00:12:05: Registering tag <identifier-exec>00:12:05: Registering tag <event-response>00:12:05: Registering tag <reply-subject>00:12:05: Registering tag <server-response>00:12:05: Registering tag <ip-address-exec>00:12:05: Registering tag <port-number>00:12:05: Registering tag <url>00:12:05: Registering tag <cli-exec>00:12:05: Registering tag <config-pwd>00:12:06: Pushing tag <config-data> on to stack00:12:06: open tag is <config-data>00:12:06: Pushing tag <config-id> on to stack00:12:06: open tag is <config-id>00:12:06: Popping tag <config-id> off stack00:12:06: close tag is </config-id>00:12:06: Pushing tag <cli> on to stack00:12:06: open tag is <cli>00:12:06: Popping tag <cli> off stack00:12:06: close tag is </cli>00:12:06: Popping tag <config-data> off stack00:12:06: close tag is </config-data>00:12:06: %CNS-4-NOTE: SUCCESSFUL_COMPLETION-Process= "CNS Initial Configuration Agent", ipl= 0, pid= 96Related Commands
cns event
Configures the CNS Event Gateway.
show cns event
Displays information about the CNS Event Agent.
debug cns xml-parser
Note
To turn on debugging messages related to the Cisco Networking Services (CNS) eXtensible Markup Language (XML) parser, use the debug cns xml-parser command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cns xml-parser
no debug cns xml-parser
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
In the following example, debugging messages for the CNS XML parser are enabled:
Router# debug cns xml-parser00:12:05: Registering tag <config-server>00:12:05: Registering tag <server-info>00:12:05: Registering tag <ip-address>00:12:05: Registering tag <web-page>00:12:05: Registering tag <config-event>00:12:05: Registering tag <identifier>00:12:05: Registering tag <config-id>00:12:05: Registering tag <config-data>00:12:05: Registering tag <cli>00:12:05: Registering tag <error-info>00:12:05: Registering tag <error-message>00:12:05: Registering tag <line-number>00:12:05: Registering tag <config-write>00:12:05: Registering tag <exec-cmd-event>00:12:05: Registering tag <identifier-exec>00:12:05: Registering tag <event-response>00:12:05: Registering tag <reply-subject>00:12:05: Registering tag <server-response>00:12:05: Registering tag <ip-address-exec>00:12:05: Registering tag <port-number>00:12:05: Registering tag <url>00:12:05: Registering tag <cli-exec>00:12:05: Registering tag <config-pwd>00:12:06: Pushing tag <config-data> on to stack00:12:06: open tag is <config-data>00:12:06: Pushing tag <config-id> on to stack00:12:06: open tag is <config-id>00:12:06: Popping tag <config-id> off stack00:12:06: close tag is </config-id>00:12:06: Pushing tag <cli> on to stack00:12:06: open tag is <cli>00:12:06: Popping tag <cli> off stack00:12:06: close tag is </cli>00:12:06: Popping tag <config-data> off stack00:12:06: close tag is </config-data>00:12:06: %CNS-4-NOTE: SUCCESSFUL_COMPLETION-Process= "CNS Initial Configuration Agent", ipl= 0, pid= 96Related Commands
cns event
Configures the CNS Event Gateway.
show cns event
Displays information about the CNS Event Agent.
debug compress
To debug compression, enter the debug compress command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug compress
no debug compress
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display output from the compression and decompression configuration you made. Live traffic must be configured through the Cisco 2600 access router with a data compression Advanced Interface Module (AIM) installed for this command to work.
Examples
The following example is output from the debug compress command, which shows that compression is taking place on a Cisco 2600 access router using data compression AIM hardware compression is configured correctly:
Router# debug compressCOMPRESS debugging is onRouter#compr-in:pak:0x810C6B10 npart:0 size:103pak:0x810C6B10 start:0x02406BD4 size:103 npart:0compr-out:pak:0x8118C8B8 stat:0x00000000 npart:1 size:71 lcb:0xEDpak:0x8118C8B8 start:0x0259CD3E size:71 npart:1mp:0x8118A980 start:0x0259CD3E size:71decmp-in:pak:0x81128B78 start:0x0255AF44 size:42 npart:1 hdr:0xC035pak:0x81128B78 start:0x0255AF44 size:42 npart:1mp:0x81174480 start:0x0255AF44 size:42decmp-out:pak:0x8118C8B8 start:0x025B2C42 size:55 npart:1 stat:0pak:0x8118C8B8 start:0x025B2C42 size:55 npart:1mp:0x8118B700 start:0x025B2C42 size:55Table 56 describes the significant fields shown in the display.
Related Commands
debug condition
To filter debugging output for certain debug commands on the basis of specified conditions, use the debug condition command in privileged EXEC mode. To remove the specified condition, use the no form of this command.
debug condition {called dial-string | caller dial-string | calling tid/imsi string | domain domain-name | ip ip-address | mac-address hexadecimal-MAC-address | portbundle ip ip-address bundle bundle-number | session-id session-number | username username | vcid vc-id}
no debug condition {condition-id | all}
Syntax Description
Defaults
All debugging messages for enabled protocol-specific debug commands are generated.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug condition command to restrict the debug output for some commands. If any debug condition commands are enabled, output is generated only for interfaces associated with the specified keyword. In addition, this command enables debugging output for conditional debugging events. Messages are displayed as different interfaces meet specific conditions.
If multiple debug condition commands are enabled, output is displayed if at least one condition matches. All the conditions do not need to match.
The no form of this command removes the debug condition specified by the condition identifier. The condition identifier is displayed after you use a debug condition command or in the output of the show debug condition command. If the last condition is removed, debugging output resumes for all interfaces. You will be asked for confirmation before removing the last condition or all conditions.
Not all debugging output is affected by the debug condition command. Some commands generate output whenever they are enabled, regardless of whether they meet any conditions.
The following components are supported for Intelligent Service Architecture (ISA) distributed conditional debugging:
•
•
•
•
•
•
•
•
Ensure that you enable TID/IMSI-based conditional debugging by entering debug condition calling before configuring debug gprs gtp and debug gprs charging. In addition, ensure that you disable the debug gprs gtp and debug gprs charging commands using the no debug all command before disabling conditional debugging using the no debug condition command. This will prevent a flood of debugging messages when you disable conditional debugging.
Examples
Example 1
In the following example, the router displays debugging messages only for interfaces that use a username of "user1". The condition identifier displayed after the command is entered identifies this particular condition.
Router# debug condition username user1Condition 1 setExample 2
The following example specifies that the router should display debugging messages only for VC 1000:
Router# debug condition vcid 1000Condition 1 set01:12:32: 1000 Debug: Condition 1, vcid 1000 triggered, count 101:12:32: 1000 Debug: Condition 1, vcid 1000 triggered, count 1The following example enables other debugging commands. These debugging commands will only display information for VC 1000.
Router# debug mpls l2transport vc eventAToM vc event debugging is onRouter# debug mpls l2transport vc fsmAToM vc fsm debugging is onThe following commands shut down the interface on which VC 1000 is established.
Router(config)# interface s3/1/0Router(config-if)# shutThe debugging output shows the change to the interface where VC 1000 is established.
01:15:59: AToM MGR [13.13.13.13, 1000]: Event local down, state changed from established to remote ready01:15:59: AToM MGR [13.13.13.13, 1000]: Local end down, vc is down01:15:59: AToM SMGR [13.13.13.13, 1000]: Processing imposition update, vc_handle 6227BCF0, update_action 0, remote_vc_label 1801:15:59: AToM SMGR [13.13.13.13, 1000]: Imposition Disabled01:15:59: AToM SMGR [13.13.13.13, 1000]: Processing disposition update, vc_handle 6227BCF0, update_action 0, local_vc_label 75501:16:01:%LINK-5-CHANGED: Interface Serial3/1/0, changed state to administratively down01:16:02:%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial3/1/0, changed state to downRelated Commands
debug condition interface
Limits output for some debugging commands based on the interfaces.
debug condition application voice
To display debugging messages for only the specified VoiceXML application, use the debug condition application voice command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug condition application voice application-name
no debug condition application voice application-name
Syntax Description
application-name
Name of the VoiceXML application for which you want to display all enabled debugging messages.
Defaults
If this command is not configured, debugging messages are enabled for all VoiceXML applications.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
•
•
•
•
•
•
Examples
The following example disables debugging output for all applications except the myapp1 application, if the <cisco-debug> element is enabled in the VoiceXML documents that are executed by myapp1:
Router# debug condition application voice myapp1Related Commands
debug condition glbp
To display debugging messages about Gateway Load Balancing Protocol (GLBP) conditions, use the debug condition glbp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug condition glbp interface-type interface-number group [forwarder]
no debug condition glbp interface-type interface-number group [forwarder]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug condition glbp command:
Router# debug condition glbp fastethernet 0/0 10 1Condition 1 set5d23h: Fa0/0 GLBP10.1 Debug: Condition 1, glbp Fa0/0 GLBP10.1 triggered, count 1Related Commands
debug condition interface
To limit output for some debug commands on the basis of the interface, virtual circuit (VC), or VLAN, use the debug condition interface command in privileged EXEC mode. To remove the interface condition and reset the interface so that it must be triggered by a condition, use the no form of this command.
debug condition interface interface-type interface-number [dlci dlci] [vc {vci | vpi/vci}] [vlan-id vlan-id]
no debug condition interface interface-type interface-number [dlci dlci] [vc {vci | vpi/vci}] [vlan-id vlan-id]
Syntax Description
Command Default
All debugging messages for enabled debug commands are displayed.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to restrict the debugging output for some commands on the basis of an interface or virtual circuit. When you enter this command, debugging output is disbaled for all interfaces except the specified interface or virtual circuit. In addition, this command enables conditional debugging to limit output for specific debugging events. Messages are displayed as different interfaces meet specific conditions.
The no form of this command performs the following functions:
•
•
Not all debugging output is affected by the debug condition command. Some commands generate output whenever they are enabled, regardless of whether they meet any conditions. The commands that are affected by the debug condition commands are generally related to dial access functions, where a large amount of output is expected. Output from the following commands is controlled by the debug condition command:
•
•
•
•
•
•
•
One or more ATM-encapsulated interfaces must be enabled, and one or more of the following debug commands must be enabled to use conditional debugging with ATM:
•
•
•
•
•
•
•
One or more of the following debug commands must be enabled to use conditional debugging with Frame Relay:
•
•
•
•
•
Examples
In the following example, only debug command output related to serial interface 1 is displayed. The condition identifier for this command is 1.
Router# debug condition interface serial 1Condition 1 setThe following example shows how to enable an ATM interface, specifies an IP address for the interface, turns on conditional debugging for that interface with a VPI/VCI pair of 255/62610, and verifies that debugging has been enabled:
Router> enablePassword:Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# interface atm 2/0Router(config-if)# ip address 209.165.201.2 255.255.255.0Router(config-if)# pvc 255/62610Router(config-if-atm-vc)# no shutdownRouter(config-if)# exitRouter(config)# exit2w3d: %SYS-5-CONFIG_I: Configured from console by consoleRouter# debug condition interface atm 2/0 vc 255/62610Condition 1 set2w3d: ATM VC Debug: Condition 1, atm-vc 255/62610 AT2/0 triggered, count 1Router# show debug conditionCondition 1: atm-vc 255/62610 AT2/0 (1 flags triggered)Flags: ATM VCThe following example shows how to enable Frame Relay conditional debugging on Frame Relay DLCI 105:
Router# debug condition interface serial 4/3 dlci 105Router# debug frame-relay packetThe following example shows how to disable the conditional debugging on VC. A warning message is displayed when the last condition is removed.
Router> enableRouter# no debug condition interface atm 1/0 vc 4335This condition is the last interface condition set.Removing all conditions may cause a flood of debuggingmessages to result, unless specific debugging flagsare first removed.Proceed with removal? [yes/no]: yCondition 1 has been removedRelated Commands
debug condition match-list
To run a filtered debug on a voice call, use the debug condition match-list command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug condition match-list number {exact-match | partial-match}
no debug condition match-list number {exact-match | partial-match}
Syntax Description
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
In this output example, the following configuration was used:
call filter match-list 1 voiceincoming calling-number 8288807incoming called-number 6560729incoming port 7/0:DThe following is sample output for the debug condition match-list 1 command. The next several lines match the above conditions.
Router# debug condition match-list 107:22:19://-1/3C0B9468-15C8-11D4-8013-000A8A389BA8/VTSP:(7/0:D):0:0:0/vtsp_gcfm_incoming_c ond_notify: add incoming port cond success: 7/0:D07:22:19://-1/3C0B9468-15C8-11D4-8013-000A8A389BA8/VTSP:(7/0:D):0:0:0/vtsp_gcfm_incoming_c ond_notify: add incoming dialpeer tag success:107:22:19://-1/3C0B9468-15C8-11D4-8013-000A8A389BA8/VTSP:(7/0:D):0:0:0/vtsp_update_dsm_stre am_mgr_filter_flag: cannot find dsp_stream_mgr_t07:22:19://-1/3C0B9468-15C8-11D4-8013-000A8A389BA8/VTSP:(7/0:D):0:0:0/vtsp_update_dsm_stre am_mgr_filter_flag: update dsp_stream_mgr_t debug flag07:22:19: //49/3C0B9468-15C8-11D4-8013-000A8A389BA8/VTSP:(7/0:D):0:0:0/vtsp_insert_cdb: ,cdb 0x6482C518, CallID=4907:22:19://49/3C0B9468-15C8-11D4-8013-000A8A389BA8/VTSP:(7/0:D):0:0:0/vtsp_do_call_setup_i nd: Call ID=98357, guid=3C0B9468-15C8-11D4-8013-000A8A389BA8Table 57 describes the significant fields shown in the display.
Related Commands
debug condition standby
To filter the output of the debug standby command on the basis of interface and Hot Standby Router Protocol (HSRP) group number, use the debug condition standby command in privileged EXEC mode. To remove the specified filter condition, use the no form of this command.
debug condition standby interface group-number
no debug condition standby interface group-number
Syntax Description
interface
Filters output on the basis of the interface.
group-number
Filters output on the basis of HSRP group number. The range is 0 to 255 for HSRP Version 1 and 0 to 4095 for HSRP Version 2.
Defaults
All debugging messages for the debug standby command aregenerated.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug condition standby command to restrict the debug output for the debug standby command. If the debug condition standby command is enabled, output is generated only for the interfaces and HSRP group numbers specified. The interface you specify must be a valid interface capable of supporting HSRP. The group can be any group (0 to 255 for HSRPv1 and 0 to 4095 for HSRPv2).
Use the no form of this command to remove the HSRP debug condition. If the last condition is removed, debugging output resumes for all interfaces. You will be asked for confirmation before removing the last condition or all conditions.
You can set debug conditions for groups that do not exist, which allows you to capture debug information during the initialization of a new group.
You must enable the debug standby command in order for any HSRP debug output to be produced. If you do not configure the debug condition standby command after entering the debug standby command, then debug output is produced for all groups on all interfaces.
Examples
In the following example, the router displays debugging messages only for Ethernet interface 0/0 that are part of HSRP group 23:
Router# debug standbyHSRP debugging is onRouter# debug condition standby ethernet0/0 23Condition 1 set00:27:39: HSRP: Et0/0 Grp 23 Hello out 10.0.0.1 Active pri 100 vIP 172.16.6.500:27:42: HSRP: Et0/0 Grp 23 Hello out 10.0.0.1 Active pri 100 vIP 172.16.6.500:27:45: HSRP: Et0/0 Grp 23 Hello out 10.0.0.1 Active pri 100 vIP 172.16.6.500:27:48: HSRP: Et0/0 Grp 23 Hello out 10.0.0.1 Active pri 100 vIP 172.16.6.500:27:51: HSRP: Et0/0 Grp 23 Hello out 10.0.0.1 Active pri 100 vIP 172.16.6.5The following example shows how to remove an HSRP debug condition:
Router# no debug condition standby ethernet0/0 23This condition is the last hsrp condition set.Removing all conditions may cause a flood of debuggingmessages to result, unless specific debugging flagsare first removed.Proceed with removal? [yes/no]: YCondition 1 has been removed.Related Commands
debug condition voice-port
To limit output for debug commands based on the voice port, use the debug condition voice-port command in privileged EXEC mode. To disable the condition, use the no form of this command.
debug condition voice-port port
no debug condition voice-port port
Syntax Description
port
Voice port for which you want to display all enabled debugging messages.
Note
Command Default
Debugging messages are enabled for all voice ports.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
•
•
•
•
•
Examples
The following example filters debugging output so that only output for ports 2/1 and 2/3 is displayed:
Router# debug condition voice-port 2/1Condition 1 set*Mar 1 22:24:15.102: Debug: Condition 1, voice-port 2/1 triggered, count 1Router# debug condition voice-port 2/3Condition 2 set*Mar 1 22:24:24.794: Debug: Condition 2, voice-port 2/3 triggered, count 2Router# show debugCondition 1: voice-port 2/1 (1 flags triggered)Flags: voice-port conditionCondition 2: voice-port 2/3 (1 flags triggered)Flags: voice-port conditionRelated Commands
debug condition vrf
To limit debug output to a specific Virtual Routing and Forwarding (VRF) instance, use the debug condition vrf command in privileged EXEC mode. To remove the debug condition, use the undebug version of the command .
debug condition vrf vrf-name
undebug condition vrf vrf-name
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to limit debug output to a single VRF.
Note
Examples
The following example shows how to limit debugging output to VRF red:
Router# debug condition vrf redRelated Commands
debug condition xconnect
To conditionally filter debug messages related to xconnect configurations, use the debug condition xconnect command in privileged EXEC configuration mode. To disable the filtering of xconnect debug messages, use the no form of this command.
debug condition xconnect {fib type | interface type number [dlci | vp number | vc number] | peer ip-address vcid vcid | segment segment-id}
no debug condition xconnect {fib type | interface type number [dlci | vp number | vc number] | peer ip-address vcid vcid | segment segment-id}
Syntax Description
Command Default
Debug messages are not filtered.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug condition xconnect command to specify conditions for filtering the debug messages displayed by related subscriber service switch (SSS), xconnect, and attachment circuit debug commands.
Examples
The following example sets filter conditions that allow related debug commands to display debug messages for only the xconnect segment pair specified by the remote peer IP address and the pseudowire VCID:
debug condition xconnect peer 10.0.0.1 vcid 100The following example sets filter conditions that allow related debug commands to display debug messages for only the xconnect segment pair specified by the serial interface number and DLCI:
debug condition xconnect interface serial 0/0 100The following example sets filter conditions that allow related debug commands to display debug messages for only the xconnect segment pair specified by the port mode ATM interface number:
debug condition xconnect interface atm 0/0The following example sets filter conditions that allow related debug commands to display debug messages for only the xconnect segment pair specified by the VP mode ATM interface number:
debug condition xconnect interface atm 0/0 vp 1The following example sets filter conditions that allow related debug commands to display debug messages for only the xconnect segment pair specified by the VC mode ATM interface number:
debug condition xconnect interface atm 0/0 vc 1/40The following example finds the segment ID associated with an L2TPv3 xconnect segment pair and sets filter conditions that allow related debug commands to display debug messages for only that xconnect segment pair:
Router# show ssm id!Segment-ID: 8193 Type: L2TPv3[8]!Router# debug conditional xconnect segment 8193Related Commands
debug configuration lock
To enable debugging of the Cisco IOS configuration lock, use the debug configuration lock command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug configuration lock
no debug command lock
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output with debug configuration lock enabled (assuming that the feature is enabled using the configuration mode exclusive manual command in global configuration mode):
Router# debug configuration lockSession1 from console==========================Router# configure terminal lockConfiguration mode locked exclusively. The lock will be cleared once you exit out of configuration mode using end/exitEnter configuration commands, one per line. End with CNTL/Z.Router(config)#Parser : LOCK REQUEST in EXCLUSIVE modeParser: <configure terminal lock> - Config. Lock requested by process <3> client <PARSER Client>Parser: <configure terminal lock> - Config. Lock acquired successfully !Router(config)#Session2 VTY (User from session2 is trying to enter single user config (exclusive) config mode)=================================Router# configure terminal lockConfiguration mode locked exclusively by user 'unknown' process '3' from terminal '0'. Please try later.Router#Session1 from console=======================Router(config)#Parser : LOCK REQUEST in EXCLUSIVE modeParser: <configure terminal lock> - Config. Lock requested by process <104> client <PARSER Client>Parser: <configure terminal lock> - NON_BLOCKING : Config mode locked <EXCLUSIVE> owner <3>Router(config)#Router(config)# endRouter#%SYS-5-CONFIG_I: Configured from console by consoleParser: <Configure terminal> - Config. EXC UnLock requested by user<3>Parser: <Configure terminal> - Config UNLOCKED !Router#Related Commands
debug confmodem
To display information associated with the discovery and configuration of the modem attached to the router, use the debug confmodem command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug confmodem
no debug confmodem
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
The debug confmodem command is used in debugging configurations that use the modem autoconfig command.
Examples
The following is sample output from the debug confmodem command. In the first three lines, the router is searching for a speed at which it can communicate with the modem. The remaining lines show the actual sending of the modem command.
Router# debug confmodemTTY4:detection speed(115200) response ------TTY4:detection speed(57600) response ------TTY4:detection speed(38400) response ---OK---TTY4:Modem command: --AT&F&C1&D2S180=3S190=1S0=1--TTY4: Modem configuration succeededTTY4: Done with modem configurationdebug conn
To display information from the connection manager, time-division multiplexing (TDM) and digital signal processor (DSP) clients, use the debug conn command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug conn
no debug conn
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Examples
The following example shows connection manager debugging output:
Router# debug connConnection Manager debugging is onRouter# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# connect conn1 t1 3/0 1 t1 4/0 1Router(config-tdm-conn)# exit*Mar 6 18:30:59:%CONN TDM:Segment attached to dsx1*Mar 6 18:30:59:%CONN TDM:Parsed segment 1*Mar 6 18:30:59:%CONN TDM:Segment attached to dsx1*Mar 6 18:30:59:%CONN TDM:Parsed segment 2*Mar 6 18:30:59:%CONN:Creating new connectionRouter(config)#*Mar 6 18:31:01:%CONN TDM:Interwork Segments*Mar 6 18:31:01:CONN TDM:Init Segment @ 61C26980*Mar 6 18:31:01:CONN TDM:Init Segment @ 61C26A44*Mar 6 18:31:01:%CONN TDM:Activating Segment @ 61C26980*Mar 6 18:31:01:%CONN:Segment alarms for conn conn1 are 2*Mar 6 18:31:01:%CONN TDM:Activating Segment @ 61C26A44*Mar 6 18:31:01:%CONN:Segment alarms for conn conn1 are 0*Mar 6 18:31:01:%CONN TDM:Connecting Segments*Mar 6 18:31:01:%CONN TDM:MAKING CONNECTION*Mar 6 18:31:01:%CONN:cm_activate_connection, stat = 5Router(config)#debug control-plane
To display debugging output from the control-plane routines, use the debug control plane command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug control-plane [all | host | port-filtering | queue-thresholding | log]
no debug control-plane [all | host | port-filtering | queue-thresholding | log]
Syntax Description
Command Default
The default is debugging off.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug control plane command if you want to display the debugging output from the control-plane routines.
Examples
The following example show a display from the debug control-plane command:
Router# debug control-planeControl-plane infrastructure events debugging is onRouter# cp_receive_classify - marking pak hostingress pak marked cef-exceptionThe following example shows a display from the debug control-plane command using the port-filtering option:
Router# debug control-plane port-filteringTCP/IP Port filtering events debugging is onDropped UDP dport 1243 sport 62134 saddr 209.165.200.225Table 58 describes the significant fields shown in the display.
Table 58 debug control plane field descriptions
dport
UPD destination port.
sport
UPD source port.
saddr
Source address of the IP packets.
Related Commands
debug cops
To display a one-line summary of each Common Open Policy Service (COPS) message sent from and received by the router, use the debug cops command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cops [detail]
no debug cops [detail]
Syntax Description
detail
(Optional) Displays additional debug information, including the contents of COPS and Resource Reservation Protocol (RSVP) messages.
Defaults
COPS process debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
To generate a complete record of the policy process, enter this command and, after entering a carriage return, enter the additional command debug ip rsvp policy.
Examples
This first example displays the one-line COPS message summaries, as the router goes through six different events.
Router# debug copsCOPS debugging is onEvent 1
The router becomes configured to communicate with a policy server:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip rsvp policy cops servers 2.0.0.1Router(config)#15:13:45:COPS: Opened TCP connection to 2.0.0.1/328815:13:45:COPS: ** SENDING MESSAGE **15:13:45:COPS OPN message, Client-type:1, Length:28. Handle:[NONE]15:13:45:COPS: ** RECEIVED MESSAGE **15:13:45:COPS CAT message, Client-type:1, Length:16. Handle:[NONE]Router(config)#Event 2
The router receives a Path message:
15:13:53:COPS:** SENDING MESSAGE **15:13:53:COPS REQ message, Client-type:1, Length:216. Handle:[ 00 00 04 01]15:13:53:COPS:** RECEIVED MESSAGE **15:13:53:COPS DEC message, Client-type:1, Length:104. Handle:[ 00 00 04 01]Router(config)#Event 3
The router receives a unicast FF Resv message:
15:14:00:COPS:** SENDING MESSAGE **15:14:00:COPS REQ message, Client-type:1, Length:148. Handle:[ 00 00 05 01]15:14:00:COPS:** RECEIVED MESSAGE **15:14:00:COPS DEC message, Client-type:1, Length:64. Handle:[ 00 00 05 01]15:14:00:COPS:** SENDING MESSAGE **15:14:00:COPS RPT message, Client-type:1, Length:24. Handle:[ 00 00 05 01]Router(config)#Event 4
The router receives a Resv tear:
15:14:06:COPS:** SENDING MESSAGE **15:14:06:COPS DRQ message, Client-type:1, Length:24. Handle:[ 00 00 05 01]Router(config)#Event 5
The router receives a Path tear:
15:14:11:COPS:** SENDING MESSAGE **15:14:11:COPS DRQ message, Client-type:1, Length:24. Handle:[ 00 00 04 01]Router(config)#Event 6
The router gets configured to cease communicating with the policy server:
Router(config)# no ip rsvp policy cops servers15:14:23:COPS:** SENDING MESSAGE **15:14:23:COPS CC message, Client-type:1, Length:16. Handle:[NONE]15:14:23:COPS:Closed TCP connection to 2.0.0.1/3288Router(config)#This second example uses the detail keyword to display the contents of the COPS and RSVP messages, and additional debugging information:
Router# debug cops detailCOPS debugging is on02:13:29:COPS:** SENDING MESSAGE **COPS HEADER:Version 1, Flags 0, Opcode 1 (REQ), Client-type:1, Length:216HANDLE (1/1) object. Length:8. 00 00 21 01CONTEXT (2/1) object. Length:8. R-type:5. M-type:1IN_IF (3/1) object. Length:12. Address:10.1.2.1. If_index:4OUT_IF (4/1) object. Length:12. Address:10.33.0.1. If_index:3CLIENT SI (9/1) object. Length:168. CSI data:02:13:29: SESSION type 1 length 12:02:13:29: Destination 10.33.0.1, Protocol_Id 17, Don't Police , DstPort 4402:13:29: HOP type 1 length 12:0A01020102:13:29: :0000000002:13:29: TIME_VALUES type 1 length 8 :0000753002:13:29: SENDER_TEMPLATE type 1 length 12:02:13:29: Source 10.31.0.1, udp_source_port 4402:13:29: SENDER_TSPEC type 2 length 36:02:13:29: version=0, length in words=702:13:29: Token bucket fragment (service_id=1, length=6 words02:13:29: parameter id=127, flags=0, parameter length=502:13:29: average rate=1250 bytes/sec, burst depth=10000 bytes02:13:29: peak rate =1250000 bytes/sec02:13:29: min unit=0 bytes, max unit=1514 bytes02:13:29: ADSPEC type 2 length 84:02:13:29: version=0 length in words=1902:13:29: General Parameters break bit=0 service length=802:13:29: IS Hops:102:13:29: Minimum Path Bandwidth (bytes/sec):125000002:13:29: Path Latency (microseconds):002:13:29: Path MTU:150002:13:29: Guaranteed Service break bit=0 service length=802:13:29: Path Delay (microseconds):19200002:13:29: Path Jitter (microseconds):120002:13:29: Path delay since shaping (microseconds):19200002:13:29: Path Jitter since shaping (microseconds):120002:13:29: Controlled Load Service break bit=0 service length=002:13:29:COPS:Sent 216 bytes on socket,02:13:29:COPS:Message event!02:13:29:COPS:State of TCP is 402:13:29:In read function02:13:29:COPS:Read block of 96 bytes, num=104 (len=104)02:13:29:COPS:** RECEIVED MESSAGE **COPS HEADER:Version 1, Flags 1, Opcode 2 (DEC), Client-type:1, Length:104HANDLE (1/1) object. Length:8. 00 00 21 01CONTEXT (2/1) object. Length:8. R-type:1. M-type:1DECISION (6/1) object. Length:8. COMMAND cmd:1, flags:0DECISION (6/3) object. Length:56. REPLACEMENT 00 10 0E 01 61 62 63 64 65 66 6768 69 6A 6B 6C 00 24 0C 02 0000 00 07 01 00 00 06 7F 00 00 05 44 9C 40 00 46 1C 40 00 49 9896 80 00 00 00 C8 00 00 01 C8CONTEXT (2/1) object. Length:8. R-type:4. M-type:1DECISION (6/1) object. Length:8. COMMAND cmd:1, flags:002:13:29:Notifying client (callback code 2)02:13:29:COPS:** SENDING MESSAGE **COPS HEADER:Version 1, Flags 1, Opcode 3 (RPT), Client-type:1, Length:24HANDLE (1/1) object. Length:8. 00 00 21 01REPORT (12/1) object. Length:8. REPORT type COMMIT (1)02:13:29:COPS:Sent 24 bytes on socket,02:13:29:Timer for connection entry is zeroTo see an example where the debug cops command is used along with the debug ip rsvp policy command, refer to the second example of the debug ip rsvp policy command.
Related Commands
debug cot
To display information about the Continuity Test (COT) functionality, use the debug cot command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug cot {api | dsp | queue | detail}
no debug cot {api | dsp | queue | detail}
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug cot api command:
Router# debug cot apiCOT API debugging is on08:29:55: cot_request_handler(): CDB@0x60DEDE14, req(COT_CHECK_TONE_ON):08:29:55: shelf 0 slot 0 appl_no 1 ds0 108:29:55: freqTX 2010 freqRX 1780 key 0xFFF1 duration 60000Table 59 describes the significant fields shown in the display.
The following is sample output from the debug cot dsp command:
Router# debug cot dspRouter#00:10:42:COT:DSP (1/1) Allocated00:10:43:In cot_callback00:10:43: returned key 0xFFF1, status = 000:10:43:COT:Received DSP Q Event00:10:43:COT:DSP (1/1) Done00:10:43:COT:DSP (1/1) De-allocatedTable 60 describes the significant fields shown in the display.
The following is sample output from the debug cot queue command:
Router# debug cot queueRouter#00:11:26:COT(0x60EBB48C):Adding new request (0x61123DBC) to InProgress Q00:11:26:COT(0x60EBB48C):Adding COT(0x61123DBC) to the Q head00:11:27:In cot_callback00:11:27: returned key 0xFFF1, status = 0Table 61 describes the significant fields shown in the display.
Table 61 debug cot api Field Descriptions
COT
Internal COT operation request.
Adding new request
Internal COT operation request queue.
The following is sample output from the debug cot detail command.
Router# debug cot detailRouter#00:04:57:cot_request_handler():CDB@0x60EBB48C, req(COT_CHECK_TONE_ON):00:04:57: shelf 0 slot 0 appl_no 1 ds0 100:04:57: freqTX 1780 freqRX 2010 key 0xFFF1 duration 100000:04:57:COT:DSP (1/0) Allocated00:04:57:COT:Request Transition to COT_WAIT_TD_ON00:04:57:COT(0x60EBB48C):Adding new request (0x61123DBC) to InProgress Q00:04:57:COT(0x60EBB48C):Adding COT(0x61123DBC) to the Q head00:04:57:COT:Start Duration Timer for Check Tone Request00:04:58:COT:Received Timer Event00:04:58:COT:T24 Timer Expired00:04:58:COT Request@ 0x61123DBC, CDB@ 0x60EBB48C, Params@0x61123E0800:04:58: request type = COT_CHECK_TONE_ON00:04:58: shelf 0 slot 0 appl_no 1 ds0 100:04:58: duration 1000 key FFF1 freqTx 1780 freqRx 201000:04:58: state COT_WAIT_TD_ON_CT00:04:58: event_proc(0x6093B55C)00:04:58:Invoke NI2 callback to inform COT request status00:04:58:In cot_callback00:04:58: returned key 0xFFF1, status = 000:04:58:Return from NI2 callback00:04:58:COT:Request Transition to IDLE00:04:58:COT:Received DSP Q Event00:04:58:COT:DSP (1/0) Done00:04:58:COT:DSP (1/0) De-allocatedBecause the debug cot detail command is a summary of the debug cot api, debug cot dsp, and debug cot queue commands, the field descriptions are the same.
debug cpp event
Note
To display general Combinet Proprietary Protocol (CPP) events, use the debug cpp event command in privileged EXEC mode. The no form of this command disables debugging output.
debug cpp event
no debug cpp event
Syntax Description
This command has no arguments or keywords.
Command History
Usage Guidelines
CPP allows a router to engage in negotiation over an ISDN B channel to establish connections with a Combinet bridge.
The debug cpp event command displays events such as CPP sequencing, group creation, and keepalives.
Examples
One or more of the messages in Table 62 appear when you use the debug cpp event command. Each message begins with the short name of the interface the event occurred on (for example, SERIAL0:1 or BRI0:1) and might contain one or more packet sequence numbers or remote site names.
Related Commands
debug cpp negotiation
Displays CPP negotiation events.
debug cpp packet
Displays CPP packets.
debug cpp negotiation
Note
To display Combinet Proprietary Protocol (CPP) negotiation events, use the debug cpp negotiation command in privileged EXEC mode. The no form of this command disables debugging output.
debug cpp negotiation
no debug cpp negotiation
Syntax Description
This command has no arguments or keywords.
Command History
Usage Guidelines
CPP allows a router to engage in negotiation over an ISDN B channel to establish connections with a Combinet bridge.
The debug cpp negotiation command displays events such as the type of packet and packet size being sent.
Examples
The following is sample output from the debug cpp negotiation command. In this example, a sample connection is shown.
Router# debug cpp negotiation%LINK-3-UPDOWN: Interface BRI0: B-Channel 2, changed state to down%LINK-3-UPDOWN: Interface BRI0, changed state to up%SYS-5-CONFIG_I: Configured from console by console%LINK-3-UPDOWN: Interface BRI0: B-Channel 1, changed state to upBR0:1:(I) NEG packet - len 77attempting proto:2ether id:0040.f902.c7b4port 1 number:5559876port 2 number:5559876origination port:1remote name:berl9password is correctTable 63 describes the significant fields in the display.
Related Commands
debug cot
Displays information about the COT functionality.
debug cpp packet
Displays CPP packets.
debug cpp packet
Note
To display Combinet Proprietary Protocol (CPP) packets, use the debug cpp packet command in privileged EXEC mode. The no form of this command disables debugging output.
debug cpp packet
no debug cpp packet
Syntax Description
This command has no arguments or keywords.
Command History
Usage Guidelines
CPP allows a router to engage in negotiation over an ISDN B channel to establish connections with a Combinet bridge.
The debug cpp packet command displays the hexadecimal values of the packets.
Examples
The following is sample output from the debug cpp packet command. This example shows the interface name, packet type, packet size, and the hexadecimal values of the packet.
Router# debug cpp packetBR0:1:input packet - len 6000 00 00 00 00 00 00 40 F9 02 C7 B4 08 0.!6 00 0108 00 06 04 00 02 00 40 F9 02 C7 B4 83 6C A1 02!!!Success rate is 80 percent (4/5), round-trip min/avg/max = 64/66/68 msBR0:1 output packet - len 11606 00 00 40 F9 02 C7 B4 00 00 0C 3E 12 3A 08 0045 00 00 64 00 01 00 00 FF 01 72 BB 83 6C A1 01Related Commands
debug cot
Displays information about the COT functionality.
debug cpp negotiation
Displays CPP negotiation events.
debug credentials
To set debugging on the credentials service that runs between the Cisco Unified CME CTL provider and CTL client or between the Cisco Unified SRST router and Cisco Unified CallManager, use the debug credentials command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug credentials
no debug credentials
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Cisco Unified CME
Use this command with Cisco Unified CME phone authentication to monitor a CTL provider as it provides credentials to the CTL client.
Cisco Unified SRST
Use this command to monitor Cisco Unified CallManager while it requests certificates from the Cisco Unified SRST router. It sets debugging on the credentials service that runs between the SRST router and Cisco Unified CallManager
Examples
Cisco Unified CME
The following sample output displays the CTL provider establishing a TLS session with the CTL client and providing all the relevant credentials for the services that are running on this router to the CTL client.
Router# debug credentialsCredentials server debugging is enabledMay 25 12:08:17.944: Credentials service: Start TLS Handshake 1 10.5.43.174 4374May 25 12:08:17.948: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErrMay 25 12:08:18.948: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErrMay 25 12:08:19.948: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErrMay 25 12:08:20.964: Credentials service: TLS Handshake completesCisco Unified SRST
The following is sample output showing the credentials service that runs between the Cisco Unified SRST router and Cisco Unified CallManager. The credentials service provides Cisco Unified CallManager with the certificate from the SRST router.
Router# debug credentialsCredentials server debugging is enabledRouter#May 25 12:08:17.944: Credentials service: Start TLS Handshake 1 10.5.43.174 4374May 25 12:08:17.948: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErrMay 25 12:08:18.948: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErrMay 25 12:08:19.948: Credentials service: TLS Handshake returns OPSSLReadWouldBlockErrMay 25 12:08:20.964: Credentials service: TLS Handshake completesTable 64 describes the significant fields shown in the display.
Related Commands
debug crm
To troubleshoot the Carrier Resource Manager (CRM), use the debug crm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crm [all | default | detail | error [call [informational] | software [informational]] | function | inout]
no debug crm
Syntax Description
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Disable console logging and use buffered logging before using the debug crm command. Using the debug crm command generates a large volume of debugs, which can affect router performance.
Examples
The following is sample output from the debug crm all command for an incoming ISDN call on a trunk group:
Router# debug crm all01:21:23: //-1/xxxxxxxxxxxx/CRM/crm_send_periodic_update:01:21:23: //-1/xxxxxxxxxxxx/CRM/print_event:RouteLabel=2023, CarrierType=TDM, EventType=Single RouteLabel Update, EventReason=Both Capacity Update,Max Capacity mask 0x0000001F, Current Capacity Mask 0x0000001F01:21:23: //-1/xxxxxxxxxxxx/CRM/crm_call_update:Increment the call countCarrierID=2023, TrunkGroupLabel=2023Update is for TrunkGroupLabel, Mask=0x0000000101:21:23: //-1/xxxxxxxxxxxx/CRM/crm_call_update:IncomingVoiceCalls=1Router#01:21:48: //-1/xxxxxxxxxxxx/CRM/crm_send_periodic_update:01:21:48: //-1/xxxxxxxxxxxx/CRM/print_event:RouteLabel=2023, CarrierType=TDM, EventType=Single RouteLabel Update, EventReason=Both Capacity Update,Max Capacity mask 0x0000001F, Current Capacity Mask 0x0000001F01:22:13: //-1/xxxxxxxxxxxx/CRM/crm_send_periodic_update:01:22:13: //-1/xxxxxxxxxxxx/CRM/print_event:RouteLabel=2023, CarrierType=TDM, EventType=Single RouteLabel Update, EventReason=Both Capacity Update,Max Capacity mask 0x0000001F, Current Capacity Mask 0x0000001FRouter#01:22:18: //-1/xxxxxxxxxxxx/CRM/crm_call_update:Decrement the call countCarrierID=2023, TrunkGroupLabel=2023Update is for TrunkGroupLabel, Mask=0x0000000101:22:18: //-1/xxxxxxxxxxxx/CRM/crm_call_update:IncomingVoiceCalls=0Table 65 describes the significant fields shown in the display.
Related Commands
debug crypto ace b2b
To enable IPSec VPN SPA debugging for a Blade Failure Group, use the debug crypto ace b2b command in privileged EXEC mode.
debug crypto ace b2b
Defaults
No default behavior or values.
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables IPSec VPN SPA debugging for a Blade Failure Group:
Router# debug crypto ace b2bACE B2B Failover debugging is onRelated Commands
debug crypto ace boot
To enable ACE boot API debugging, use the debug crypto ace boot command in privileged EXEC mode. To disable ACE boot API debugging, use the no form of this command.
debug crypto ace boot
no debug crypto ace boot
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE boot API debugging:
Router# debug crypto ace bootACE Boot debugging is ondebug crypto ace cfgmon
To enable ACE CFGMON transactions debugging, use the debug crypto ace cfgmon command in privileged EXEC mode. To disable ACE CFGMON transactions debugging, use the no form of this command.
debug crypto ace cfgmon
no debug crypto ace cfgmon
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE CFGMON transaction debugging:
Router# debug crypto ace cfgmonACE CFGMON Transactions debugging is ondebug crypto ace congestion-mgr
To enable ACE Crypto engine congestion manager debugging, use the debug crypto ace congestion-mgr command in privileged EXEC mode. To disable ACE Crypto engine congestion manager debugging, use the no form of this command.
debug crypto ace congestion-mgr
no debug crypto ace congestion-mgr
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE Crypto engine congestion manager debugging:
Router# debug crypto ace congestion-mgrACE Crypto Engine Congestion Manager debugging is ondebug crypto ace dpd
To enable ACE DPD debugging, use the debug crypto ace dpd command in privileged EXEC mode. To disable ACE DPD debugging, use the no form of this command.
debug crypto ace dpd
no debug crypto ace dpd
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE DPD debugging:
Router# debug crypto ace dpdACE-DPD debugging is ondebug crypto ace error
To enable error logging debugging, use the debug crypto ace error command in privileged EXEC mode. To disable ACE error logging debugging, use the no form of this command.
debug crypto ace error
no debug crypto ace error
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables error log debugging:
Router# debug crypto ace errorACE Error logging debugging is ondebug crypto ace hapi
To enable ACE HAPI transactions debugging, use the debug crypto ace hapi command in privileged EXEC mode. To disable ACE HAPI transactions debugging, use the no form of this command.
debug crypto ace hapi
no debug crypto ace hapi
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE HAPI transaction debugging:
Router# debug crypto ace hapiACE HAPI transactions debugging is ondebug crypto ace ikea
To enable ACE IKEA transactions debugging, use the debug crypto ace ikea command in privileged EXEC mode. To disable ACE IKEA transactions debugging, use the no form of this command.
debug crypto ace ikea
no debug crypto ace ikea
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE IKEA transaction debugging:
Router# debug crypto ace ikeaACE IKEA transactions debugging is ondebug crypto ace invspi
To enable ACE invalid SPI debugging, use the debug crypto ace invspi command in privileged EXEC mode. To disable ACE invalid SPI debugging, use the no form of this command.
debug crypto ace invspi
no debug crypto ace invspi
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE invalid SPI debugging:
Router# debug crypto ace invspiACE Invalid SPI debugging is ondebug crypto ace ipd
To enable ACE IPD debugging, use the debug crypto ace ipd command in privileged EXEC mode. To disable ACE IPD debugging, use the no form of this command.
debug crypto ace ipd
no debug crypto ace ipd
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE IPD debugging:
Router# debug crypto ace ipdACE IPD debugging is ondebug crypto ace mace
To enable multi-ACE messages debugging, use the debug crypto ace mace command in privileged EXEC mode. To disable multi-ACE messages debugging, use the no form of this command.
debug crypto ace mace
no debug crypto ace mace
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables multi-ACE debugging:
Router# debug crypto ace maceMULTI-ACE messages debugging is ondebug crypto ace pcp
To enable ACE PCP transactions debugging, use the debug crypto ace pcp command in privileged EXEC mode. To disable ACE PCP transaction debugging, use the no form of this command.
debug crypto ace pcp
no debug crypto ace pcp
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE PCP transactions debugging:
Router# debug crypto ace pcpACE PCP Transactions debugging is ondebug crypto ace polo
To enable ACE policy loader debugging, use the debug crypto ace polo command in privileged EXEC mode. To disable ACE policy loader debugging, use the no form of this command.
debug crypto ace polo
no debug crypto ace polo
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE policy loader debugging:
Router# debug crypto ace poloACE Policy Loader debugging is ondebug crypto ace propcfg
To enable ACE propagate configuration debugging, use the debug crypto ace propcfg command in privileged EXEC mode. To disable ACE propagate configuration debugging, use the no form of this command.
debug crypto ace propcfg
no debug crypto ace propcfg
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE propagate configuration debugging:
Router# debug crypto ace propcfgACE Propagate Config debugging is ondebug crypto ace qos
To enable ACE QoS debugging, use the debug crypto ace qos command in privileged EXEC mode. To disable ACE QoS debugging, use the no form of this command.
debug crypto ace qos
no debug crypto ace qos
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE QoS debugging:
Router# debug crypto ace qosACE QoS debugging is ondebug crypto ace rcon
To enable ACE RCON messages debugging, use the debug crypto ace rcon command in privileged EXEC mode. To disable ACE RCON messages debugging, use the no form of this command.
debug crypto ace rcon
no debug crypto ace rcon
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE RCON messages debugging:
Router# debug crypto ace rconACE RCON messages debugging is ondebug crypto ace redundancy
To enable ACE HA debugging, use the debug crypto ace redundancy command in privileged EXEC mode. To disable ACE HA debugging, use the no form of this command.
debug crypto ace redundancy
no debug crypto ace redundancy
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE HA debugging:
Router# debug crypto ace redundancyACE HA debugging is ondebug crypto ace spi
To enable ACE SPI debugging, use the debug crypto ace spi command in privileged EXEC mode. To disable ACE SPI debugging, use the no form of this command.
debug crypto ace spi
no debug crypto ace spi
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE SPI debugging:
Router# debug crypto ace spiACE SPI debugging is ondebug crypto ace stats
To enable ACE stats module debugging, use the debug crypto ace stats command in privileged EXEC mode. To disable ACE stats module debugging, use the no form of this command.
debug crypto ace stats
no debug crypto ace stats
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE stats module debugging:
Router# debug crypto ace statsACE Stats Module debugging is ondebug crypto ace syslog
To enable ACE syslog messages debugging, use the debug crypto ace syslog command in privileged EXEC mode. To disable ACE syslog messages debugging, use the no form of this command.
debug crypto ace syslog
no debug crypto ace syslog
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE syslog messages debugging:
Router# debug crypto ace syslogACE Syslog messages debugging is ondebug crypto ace tftp
To enable ACE TFTP boot debugging, use the debug crypto ace tftp command in privileged EXEC mode. To disable ACE TFTP boot debugging, use the no form of this command.
debug crypto ace tftp
no debug crypto ace tftp
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE TFTP boot debugging:
Router# debug crypto ace tftpACE TFTP Boot debugging is ondebug crypto ace topn
To enable ACE-TOPN-HELPER debugging, use the debug crypto ace topn command in privileged EXEC mode. To disable ACE-TOPN-HELPER debugging, use the no form of this command.
debug crypto ace topn
no debug crypto ace topn
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE-TOPN-HELPER debugging:
Router# debug crypto ace topnACE-TOPN-HELPER debugging is ondebug crypto ace warning
To enable ACE warning log debugging, use the debug crypto ace warning command in privileged EXEC mode. To disable ACE warning logging debugging, use the no form of this command.
debug crypto ace warning
no debug crypto ace warning
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Privileged EXEC (#)
Command History
Examples
The following example enables ACE warning log debugging:
Router# debug crypto ace warningACE Warning logging debugging is ondebug crypto condition
To define conditional debug filters, use the debug crypto condition command in privileged EXEC mode. To disable conditional debugging, use the no form of this command.
debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [gdoi-group groupname] [isakmp profile profile-name] [fvrf string] [ivrf string]
[local ipv4 ip-address] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer] [reset] [unmatched [engine] [gdoi-group] [ipsec] [isakmp] [username string]]no debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [gdoi-group groupname] [isakmp profile profile-name] [fvrf string] [ivrf string]
[local ipv4 ip-address] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer] [reset] [unmatched [engine] [gdoi-group] [ipsec] [isakmp] [username string]]Syntax Description
connid integer1
(Optional) Internet Key Exchange (IKE) and IP Security (IPSec) connection ID filter. Valid values range from 1 to 32766.
engine-id integer
(Optional) Crypto engine ID value, which can be retrieved via the show crypto isakmp sa detail command. Valid values are 1, which represents software engines, and 2, which represents hardware engines.
flowid integer
(Optional) IPSec flow-ID filter. Valid values range from 1 to 32766.
gdoi-group groupname
(Optional) Group Domain of Interpretation (GDOI) group filter.
•
isakmp profile profile-name
(Optional) Filter for Internet Security Association Key Management Protocol (ISAKMP) profile.
•
fvrf string1
(Optional) Front-door virtual private network (VPN) routing and forwarding (FVRF) filter. The string argument must be the name string of an FVRF instance.
ivrf string1
(Optional) Inside VRF (IVRF) filter. The string argument must be the name string of an IVRF instance.
local ipv4 ip-address
(Optional) IKE local address filter.
•
peer1
(Optional) IKE peer filter. At least one of the following keywords and arguments must be used:
•
•
•
•
•
spi integer1
(Optional) Security policy index (SPI) filter. The integer must be a 32-bit unsigned integer.
reset
(Optional) Deletes all crypto debug filters.
Note
unmatched
(Optional) Filters all debug messages or only specified debug messages by choosing any of the following keywords:
•
•
•
•
username string
(Optional) XAUTH or PKI-aaa username filter.
1 Additional conditional filters (ipv4 address, subnet mask, username, hostname, group, connection-ID, flow-ID, SPI, FVRF, and IVRF) can be specified more than once by repeating the debug crypto condition command with any of the available filters.
Defaults
Crypto conditional debugging is not enabled.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Before enabling the debug crypto condition command, you must decide what debug condition types (also known as debug filters) and values will be used. The volume of debug messages is dependent on the number of conditions you define.
Note
To begin crypto conditional debugging, you must also enable at least one global crypto debug command—debug crypto isakmp, debug crypto ipsec, and debug crypto engine; otherwise, conditional debugging will not occur. This requirement helps to ensure that the performance of the router will not be impacted when conditional debugging is not being used.
Note
Examples
The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3 and when the connection-ID 2000 of crypto engine 0 is used. This example also shows how to enable global debug crypto CLIs and enable the show crypto debug-condition command to verify conditional settings.
Router# debug crypto condition connid 2000 engine-id 1Router# debug crypto condition peer ipv4 10.1.1.1Router# debug crypto condition peer ipv4 10.1.1.2Router# debug crypto condition peer ipv4 10.1.1.3Router# debug crypto condition unmatched! Verify crypto conditional settings.Router# show crypto debug-conditionCrypto conditional debug currently is turned ONIKE debug context unmatched flag:ONIPsec debug context unmatched flag:ONCrypto Engine debug context unmatched flag:ONIKE peer IP address filters:10.1.1.1 10.1.1.2 10.1.1.3Connection-id filters:[connid:engine_id]2000:1,! Enable global crypto CLIs to start conditional debugging.Router# debug crypto isakmpRouter# debug crypto ipsecRouter# debug crypto engineThe following example shows how to disable all crypto conditional settings via the reset keyword:
Router# no debug crypto isakmpRouter# no debug crypto ipsecRouter# no debug crypto engineRouter# debug crypto condition reset! Verify that all crypto conditional settings have been disabled.Router# show crypto debug-conditionCrypto conditional debug currently is turned OFFIKE debug context unmatched flag:OFFIPsec debug context unmatched flag:OFFCrypto Engine debug context unmatched flag:OFFRelated Commands
debug crypto condition unmatched
To display crypto conditional debug messages when context information is unavailable to check against debug conditions, use the debug crypto condition unmatched command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug crypto condition unmatched [isakmp | ipsec | engine | gdoi-group]
no debug crypto condition unmatched [isakmp | ipsec | engine | gdoi-group]
Syntax Description
Defaults
Debug messages that do not have context information to match any debug conditions (filters) will not be printed.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
After the debug crypto condition command has been enabled, you can use the debug crypto condition unmatched command to define whether the debug output is being printed when no context information is available in the code to check against the debug filters. For example, if the crypto engine's connection-ID is the filter that the debug conditions are being checked against, the debug crypto condition unmatched command displays debug messages in the early negotiation phase when a connection-ID is unavailable to check against debug conditions.
Examples
The following example shows how to enable debug messages for all crypto-related areas:
Router# debug crypto condition unmatchedRelated Commands
debug crypto ctcp
To display information about a Cisco Tunnel Control Protocol (cTCP) session, use the debug crypto ctcp command in privileged EXEC mode. To turn off debugging, use the no form of this command.
debug crypto ctcp
no debug crypto ctcp
Syntax Description
This command has no arguments or keywords.
Command Default
Debugging is turned off.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
You can use this command if a cTCP session fails to come up.
Examples
The following example shows that debugging has been turned on for a cTCP session:
Router# debug crypto ctcpRelated Commands
debug crypto engine
To display debugging messages about crypto engines, which perform encryption and decryption, use the debug crypto engine command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto engine
no debug crypto engine
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug crypto engine command to display information pertaining to the crypto engine, such as when Cisco IOS software is performing encryption or decryption operations.
The crypto engine is the actual mechanism that performs encryption and decryption. A crypto engine can be software or a hardware accelerator. Some platforms can have multiple crypto engines; therefore, the router will have multiple hardware accelerators.
Examples
The following is sample output from the debug crypto engine command. The first sample output shows messages from a router that successfully generates Rivest, Shamir, and Adelma (RSA) keys. The second sample output shows messages from a router that decrypts the RSA key during Internet Key Exchange (IKE) negotiation.
Router# debug crypto engine00:25:13:CryptoEngine0:generate key pair00:25:13:CryptoEngine0:CRYPTO_GEN_KEY_PAIR00:25:13:CRYPTO_ENGINE:key process suspended and continued00:25:14:CRYPTO_ENGINE:key process suspended and continuedcrRouter# debug crypto engine00:27:45:%SYS-5-CONFIG_I:Configured from console by console00:27:51:CryptoEngine0:generate alg parameter00:27:51:CRYPTO_ENGINE:Dh phase 1 status:000:27:51:CRYPTO_ENGINE:Dh phase 1 status:000:27:51:CryptoEngine0:generate alg parameter00:27:52:CryptoEngine0:calculate pkey hmac for conn id 000:27:52:CryptoEngine0:create ISAKMP SKEYID for conn id 100:27:52:Crypto engine 0:RSA decrypt with public key00:27:52:CryptoEngine0:CRYPTO_RSA_PUB_DECRYPT00:27:52:CryptoEngine0:generate hmac context for conn id 100:27:52:CryptoEngine0:generate hmac context for conn id 100:27:52:Crypto engine 0:RSA encrypt with private key00:27:52:CryptoEngine0:CRYPTO_RSA_PRIV_ENCRYPT00:27:53:CryptoEngine0:clear dh number for conn id 100:27:53:CryptoEngine0:generate hmac context for conn id 100:27:53:validate proposal 000:27:53:validate proposal request 000:27:54:CryptoEngine0:generate hmac context for conn id 100:27:54:CryptoEngine0:generate hmac context for conn id 100:27:54:ipsec allocate flow 000:27:54:ipsec allocate flow 0Related Commands
debug crypto engine accelerator logs
To enable logging of commands and associated parameters sent from the virtual private network (VPN) module driver to the VPN module hardware using a debug flag, use the debug crypto engine accelerator logs command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto engine accelerator logs
no debug crypto engine accelerator logs
Syntax Description
This command has no arguments or keywords.
Defaults
The logging of commands sent from the VPN module driver to the VPN module hardware is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug crypto engine accelerator logs command when encryption traffic is sent to the router and a problem with the encryption module is suspected.
This command is intended only for Cisco TAC personnel to collect debugging information.
Examples
The debug crypto engine accelerator logs command uses a debug flag to log commands and associated parameters sent from the VPN module driver to the VPN module hardware as follows:
Router# debug crypto engine accelerator logsencryption module logs debugging is onRelated Commands
debug crypto error
To enable error debugging for a crypto area, use the debug crypto error command in privileged EXEC mode. To disable crypto error debugging, use the no form of this command.
debug crypto {isakmp | ipsec | engine} error
no debug crypto {isakmp | ipsec | engine} error
Syntax Description
Defaults
Crypto error debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug crypto error command will display only error-related debug messages; that is, an error debug will not be shown if the operation is functioning properly.
This command should be used when debug conditions cannot be determined; for example, enable this command when a random, small subset of IKE peers is failing negotiation.
Note
Note
Examples
The following example shows how to enable IPSec-related error messages:
Router# debug crypto error ipsec errordebug crypto gdoi
To display information about a Group Domain of Interpretation (GDOI) configuration, use the debug crypto gdoi command in privileged EXEC mode. To disable crypto GDOI debugging, use the no form of this command.
debug crypto gdoi [all-features [all-levels] | detail | error | event | gm | infrastructure | ks [acls | coop] | packet | replay | terse]
no debug crypto gdoi [all-features [all-levels] | detail | error | event | gm | infrastructure | ks [acls | coop] | packet | replay | terse]
Syntax Description
Command Default
Debugging is turned off.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Using this command displays various GDOI debugs. For debugging information for cooperative key servers, use the debug crypto gdoi ks coop command.
If you do not specify a feature (using the all-features, registration, rekey, replay, coop, or infrastructure keywords), then messages for all features are displayed. If you do not specify a level (using the detail, error, event, packet, and terse keywords), then the terse level (which also includes the error level) is used.
You can use this command in conjunction with the debug crypto gdoi condition command. When these two commands are used together, only those messages that pass through any debug level or feature (specified by the debug crypto gdoi command) and pass through any condition (specified by the debug crypto gdoi condition command) are displayed.
Examples
The following example shows group member registration debug output:
Router# debug crypto gdoi00:00:40: GDOI:(0:0:N/A:0):GDOI group diffint00:00:40: %CRYPTO-5-GM_REGSTER: Start registration for group diffint using address 10.0.3.100:00:40: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON00:00:40: GDOI:(0:1001:HW:0:3333):beginning GDOI exchange, M-ID of 116714507500:00:40: GDOI: Group Number is 333300:00:40: GDOI:(0:1001:HW:0:3333):GDOI: GDOI ID sent successfully00:00:40: GDOI:(0:1001:HW:0:3333):processing GDOI SA Payload, message ID + 116714507500:00:40: GDOI:(0:1001:HW:0):processing GDOI SA KEK Payload00:00:40: GDOI:(0:0:N/A:0): KEK_ALGORITHM 500:00:40: GDOI:(0:0:N/A:0): KEY_LENGTH 2400:00:40: GDOI:(0:0:N/A:0): KEY_LIFETIME 29900:00:40: GDOI:(0:0:N/A:0): SIG_HASH_ALG 200:00:40: GDOI:(0:0:N/A:0): SIG_ALG 100:00:40: GDOI:(0:0:N/A:0): SIG_KEY_LEN 9400:00:40: GDOI:(0:0:N/A:0): Completed KEK Processing00:00:40: GDOI:(0:1001:HW:0):processing GDOI SA TEK Payload00:00:40: GDOI:(0:1001:HW:0:3333): Completed TEK Processing00:00:40: GDOI:(0:1001:HW:0):processing GDOI SA TEK Payload00:00:40: GDOI:(0:1001:HW:0:3333): Completed TEK Processing00:00:40: GDOI:(0:1001:HW:0:3333):GDOI ACK sent successfully by GM00:00:40: GDOI:received payload type 1800:00:40: GDOI:(0:1001:HW:0:3333):processing GDOI Seq Payload, message_id 116714507500:00:40: GDOI:(0:1001:HW:0:3333):Completed SEQ Processing for seq 000:00:40: GDOI:received payload type 1700:00:40: GDOI:(0:1001:HW:0:3333):processing GDOI KD Payload, message_id 116714507500:00:40: GDOI:(0:1001:HW:0:3333):processing GDOI Key Packet, message_id 3864933600:00:40: GDOI:(0:1001:HW:0:3333):procesing TEK KD: spi is 56165461, spi00:00:40: GDOI:(0:1001:HW:0:3333):TEK Integrity Key 20 bytes00:00:40: GDOI:(0:1001:HW:0:3333):Completed KeyPkt Processing00:00:40: GDOI:(0:1001:HW:0:3333):processing GDOI Key Packet, message_id 3864933600:00:40: GDOI:(0:1001:HW:0:3333):procesing TEK KD: spi is 56165522, spi00:00:40: GDOI:(0:1001:HW:0:3333):TEK Integrity Key 20 bytes00:00:40: GDOI:(0:1001:HW:0:3333):Completed KeyPkt Processing00:00:40: GDOI:(0:1001:HW:0:3333):processing GDOI Key Packet, message_id 3864933600:00:40: GDOI:(0:1001:HW:0:3333): Processing KEK KD00:00:40: GDOI:(0:1001:HW:0:3333):KEK Alg Key 32 bytes00:00:40: GDOI:(0:1001:HW:0:3333):KEK Sig Key 94 bytes00:00:40: GDOI:(0:1001:HW:0:3333):Completed KeyPkt Processing00:00:40: %GDOI-5-GM_REGS_COMPL: Registration complete for group diffint using address 10.0.3.1enc(config-if)#00:00:40: GDOI:(0:0:N/A:0):Registration installed 2 new ipsec SA(s) for group diffint.
The following output example shows key server registration debugs:
Router# debug crypto gdoi00:00:40: GDOI:(0:1001:HW:0):processing GDOI ID payload, message ID = 116714507500:00:40: GDOI:(0:1001:HW:0):The GDOI ID is a Number: 333300:00:40: GDOI:(0:0:N/A:0): Adding KEK Policy to the current ks_group00:00:40: GDOI:(0:0:N/A:0):Setting MULTICAST TEK rekey lifetime 3000:00:40: GDOI:(0:0:N/A:0):Setting MULTICAST TEK rekey lifetime 3000:00:40: GDOI:(0:1001:HW:0:3333):GDOI SA sent successfully by KS00:00:40: GDOI:(0:1001:HW:0:3333):GDOI KD sent successfully by KSThe following output example shows group member rekey debugs:
Router# debug crypto gdoi00:02:00: GDOI:(0:1002:HW:0):Received Rekey Message!00:02:00: GDOI:(0:1002:HW:0):Signature Valid!00:02:00: GDOI:received payload type 1800:02:00: GDOI:(0:1002:HW:0):processing GDOI Seq Payload, message_id 000:02:00: GDOI:(0:1002:HW:0):Completed SEQ Processing for seq 800:02:00: GDOI:(0:1002:HW:0):processing GDOI SA Payload, message ID + 000:02:00: GDOI:(0:1002:HW:0):processing GDOI SA KEK Payload00:02:00: GDOI:(0:1002:HW:0): KEK_ALGORITHM 500:02:00: GDOI:(0:1002:HW:0): KEY_LENGTH 2400:02:00: GDOI:(0:1002:HW:0): KEY_LIFETIME 21900:02:00: GDOI:(0:1002:HW:0): SIG_HASH_ALG 200:02:00: GDOI:(0:1002:HW:0): SIG_ALG 100:02:00: GDOI:(0:1002:HW:0): Completed KEK Processing00:02:00: GDOI:(0:1002:HW:0):processing GDOI SA TEK Payload00:02:00: GDOI:(0:1002:HW:0): Completed TEK Processing00:02:00: GDOI:(0:1002:HW:0):processing GDOI SA TEK Payload00:02:00: GDOI:(0:1002:HW:0): Completed TEK Processing00:02:00: GDOI:received payload type 1700:02:00: GDOI:(0:1002:HW:0):processing GDOI KD Payload, message_id 000:02:00: GDOI:(0:1002:HW:0):processing GDOI Key Packet, message_id 3864933600:02:00: GDOI:(0:1002:HW:0):procesing TEK KD: spi is 49193284, spi00:02:00: GDOI:(0:1002:HW:0):TEK Integrity Key 20 bytes00:02:00: GDOI:(0:1002:HW:0):Completed KeyPkt Processingenc(config-if)#00:02:00: GDOI:(0:1002:HW:0):processing GDOI Key Packet, message_id 3864933600:02:00: GDOI:(0:1002:HW:0):procesing TEK KD: spi is 49193345, spi00:02:00: GDOI:(0:1002:HW:0):TEK Integrity Key 20 bytes00:02:00: GDOI:(0:1002:HW:0):Completed KeyPkt Processing00:02:00: GDOI:(0:1002:HW:0):processing GDOI Key Packet, message_id 3864933600:02:00: GDOI:(0:1002:HW:0): Processing KEK KD00:02:00: GDOI:(0:1002:HW:0):Completed KeyPkt Processingdebug crypto gdoi condition
To configure conditional filters (based on groups and peers) for GDOI debugging, use the debug crypto gdoi condition command in privileged EXEC mode. To disable conditional filters, use the no form of this command.
debug crypto gdoi condition {[group group-name] [peer {address ipv4 ipv4-address-of-peer | hostname ipv4 ipv4-hostname}] | reset | unmatched}
no debug crypto gdoi condition {[group group-name] [peer {address ipv4 ipv4-address-of-peer | hostname ipv4 ipv4-hostname}] | reset | unmatched}
Syntax Description
Command Default
Conditional bugging is turned off.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
This command lets you filter the number of debug messages to make it easier to identify the problem of a particular group member (GM). This command is useful when many (such as thousands of) GMs are registered to a key server on which debugging is enabled.
You can use this command in conjunction with the debug crypto gdoi command. When these two commands are used together, only those messages that pass through any debug level or feature (specified by the debug crypto gdoi command) and pass through any condition (specified by the debug crypto gdoi condition command) are displayed.
You can use this command multiple times to configure conditional debugging for any number of GMs. You can have more than one group configured and more than one GM registered to each group.
If no GM is specified, debug messages will appear for all GMs (this occurs automatically when all conditional filtering is removed).
Also, this command lets you filter per cooperative key server on each key server. This command is useful when there are many key servers in a system.
The unmatched keyword displays messages when there is insufficient information to perform conditional debugging. The unmatched keyword is enabled for the error, terse, and event debug levels.
To remove the debug messages for a GM or a key server, use the no form of the same command.
Examples
The following example shows how to configure a conditional filter for a GDOI group named group1:
Router# debug crypto gdoi condition group group1The following output example shows how to configure a conditional filter for IPv4 peers:
Router# debug crypto gdoi condition peerRelated Commands
debug crypto condition
Defines conditional debug filters for IP Security (IPSec) tunnels.
debug crypto ha
To display crypto high availability debugging information, use the debug crypto ha command in privileged EXEC mode. To disable debugging messages, use the no form of this command.
debug crypto ha
no debug crypto ha
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example is sample output from the debug crypto ha command:
Router# debug crypto haActive router:Router# show debugCryptographic Subsystem:Crypto High Availability Manager debugging is onvrf-lite-R1#*Sep 28 21:27:50.899:Sending IKE Add SA Message*Sep 28 21:27:50.899:HA Message 0:flags=0x01 len=394 HA_IKE_MSG_ADD_SA (2)*Sep 28 21:27:50.899: ID:04000003*Sep 28 21:27:50.899: attr HA_IKE_ATT_MY_COOKIE (2) len 8*Sep 28 21:27:50.899: 9B 1A 76 AA 99 11 1A 1F*Sep 28 21:27:50.899: attr HA_IKE_ATT_HIS_COOKIE (3) len 8*Sep 28 21:27:50.899: E2 A2 A3 5F 53 1D EA 15*Sep 28 21:27:50.899: attr HA_IKE_ATT_SRC (4) len 4*Sep 28 21:27:50.899: 04 00 00 05*Sep 28 21:27:50.899: attr HA_IKE_ATT_DST (5) len 4*Sep 28 21:27:50.899: 04 00 00 03*Sep 28 21:27:50.899: attr HA_IKE_ATT_PEER_PORT (6) len 2*Sep 28 21:27:50.899: 01 F4*Sep 28 21:27:50.899: attr HA_IKE_ATT_F_VRF (7) len 1*Sep 28 21:27:50.899: 00*Sep 28 21:27:50.899: attr HA_IKE_ATT_INIT_OR_RESP (8) len 1*Sep 28 21:27:50.899: 00*Sep 28 21:27:50.899: attr HA_IKE_ATT_NAT_DISCOVERY (9) len 1*Sep 28 21:27:50.899: 02*Sep 28 21:27:50.899: attr HA_IKE_ATT_IDTYPE (38) len 1*Sep 28 21:27:50.899: 01*Sep 28 21:27:50.899: attr HA_IKE_ATT_PROTOCOL (39) len 1*Sep 28 21:27:50.899: 11*Sep 28 21:27:50.899: attr HA_IKE_ATT_PORT (40) len 2*Sep 28 21:27:50.899: 01 F4*Sep 28 21:27:50.899: attr HA_IKE_ATT_ADDR (41) len 4*Sep 28 21:27:50.899: 04 00 00 05*Sep 28 21:27:50.899: attr HA_IKE_ATT_MASK (42) len 4*Sep 28 21:27:50.899: 00 00 00 00*Sep 28 21:27:50.899: attr HA_IKE_ATT_ID_STR (44) len 4*Sep 28 21:27:50.899: 00 00 00 00*Sep 28 21:27:50.899: attr HA_IKE_ATT_PEERS_CAPABILITIES (11) len 4*Sep 28 21:27:50.899: 00 00 07 7F*Sep 28 21:27:50.899: attr HA_IKE_ATT_MY_CAPABILITIES (12) len 4*Sep 28 21:27:50.899: 00 00 07 7F*Sep 28 21:27:50.899: attr HA_IKE_ATT_STATE_MASK (13) len 4*Sep 28 21:27:50.899: 00 00 27 FF...Related Commands
debug crypto ipsec ha
Enables debugging messages for IPSec high availability.
debug crypto isakmp ha
Enables debugging messages for ISAKMP high availability.
debug crypto ikev2
To enable Internet Key Exchange Version 2(IKEv2) debug messages, use the debug crypto ikev2 command in privileged EXEC mode.
debug crypto ikev2 [error | terse | event | packet | detail]
no debug crypto ikev2 [error | terse | event | packet | detail]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use this command to enable IKEv2 debug messages.
Examples
The following example shows that the IKEv2 debugging is enabled:
Router# debug crypto ikev2debugging is ondebug crypto ipsec
To display IP security (IPsec) events, use the debug crypto ipsec command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto ipsec
no debug crypto ipsec
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC (#)
Examples
The following is sample output from the debug crypto ipsec command. In this example, security associations (SAs) have been successfully established.
Router# debug crypto ipsecIPsec requests SAs between 172.21.114.123 and 172.21.114.67, on behalf of the permit ip host 172.21.114.123 host 172.21.114.67 command. IPsec is configured to first use the set esp-des w/esp-md5-hmac, but it will also use ah-sha-hmac on a secondary basis.
00:24:30: IPSEC(sa_request): ,(key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac ,lifedur= 120s and 4608000kb,spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x400:24:30: IPSEC(sa_request): ,(key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1).,protocol= AH, transform= ah-sha-hmac ,lifedur= 120s and 4608000kb,spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0.Internet Key Exchange (IKE) prompts for Service Provider Interfaces (SPIs) from IPsec. For inbound security associations, IPsec controls its own SPI space.
00:24:34: IPSEC(key_engine): got a queue event...00:24:34: IPSEC(spi_response): getting spi 302974012ld for SAfrom 172.21.114.67 to 172.21.114.123 for prot 300:24:34: IPSEC(spi_response): getting spi 525075940ld for SAfrom 172.21.114.67 to 172.21.114.123 for prot 2IKE will verify whether IPsec accepts the SA proposal. In this example, it is the SA proposal sent by the local IPsec that is accepted first.
00:24:34: IPSEC(validate_proposal_request): proposal part #1,(key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac ,lifedur= 0s and 0kb,spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4After the proposal is accepted, IKE finishes the negotiations, generates the keying material, and then notifies IPsec of the new security associations (one security association for each direction).
00:24:35: IPSEC(key_engine): got a queue event...The following output pertains to the inbound SA. The conn_id value references an entry in the crypto engine connection table.
00:24:35: IPSEC(initialize_sas): ,(key eng. msg.) dest= 172.21.114.123, src= 172.21.114.67,dest_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),src_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac ,lifedur= 120s and 4608000 kb,spi= 0x120F043C(302974012), conn_id= 29, keysize= 0, flags= 0x4The following output pertains to the outbound SA:
00:24:35: IPSEC(initialize_sas): ,(key eng. msg.) src= 172.21.114.123, dest= 172.21.114.67,src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac ,lifedur= 120s and 4608000kb,spi= 0x38914A4(59315364), conn_id= 30, keysize= 0, flags= 0x4IPsec then installs the SA information into its SA database.
00:24:35: IPSEC(create_sa): sa created,(sa) sa_dest= 172.21.114.123, sa_prot= 50,sa_spi= 0x120F043C(302974012),sa_trans= esp-des esp-md5-hmac , sa_conn_id= 29sa_lifetime(k/sec)= (4445923/500)00:24:35: IPSEC(create_sa): sa created,(sa) sa_dest= 172.21.114.67, sa_prot= 50,sa_spi= 0x38914A4(59315364),sa_trans= esp-des esp-md5-hmac , sa_conn_id= 30sa_lifetime(k/sec)= (4445923/500)The following is sample output from the debug crypto ipsec command as seen on the peer router. In this example, IKE verifies whether IPsec will accept an SA proposal. Although the peer sent two proposals, IPsec accepted the first proposal.
00:26:15: IPSEC(validate_proposal_request): proposal part #1,(key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,dest_proxy= 172.21.114.67/255.255.255.255/0/0 (type=1),src_proxy= 172.21.114.123/255.255.255.255/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac ,lifedur= 0s and 0kb,spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4IKE prompts for SPIs.
00:26:15: IPSEC(key_engine): got a queue event...00:26:15: IPSEC(spi_response): getting spi 59315364ld for SAfrom 172.21.114.123 to 172.21.114.67 for prot 3IKE does the remaining processing, completing the negotiation and generating keys. IKE then notifies IPsec about the new SAs.
00:26:15: IPSEC(key_engine): got a queue event...The following output pertains to the inbound SA:
00:26:15: IPSEC(initialize_sas): ,(key eng. msg.) dest= 172.21.114.67, src= 172.21.114.123,dest_proxy= 172.21.114.67/0.0.0.0/0/0 (type=1),src_proxy= 172.21.114.123/0.0.0.0/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac ,lifedur= 120s and 4608000kb,spi= 0x38914A4(59315364), conn_id= 25, keysize= 0, flags= 0x4The following output pertains to the outbound SA:
00:26:15: IPSEC(initialize_sas): ,(key eng. msg.) src= 172.21.114.67, dest= 172.21.114.123,src_proxy= 172.21.114.67/0.0.0.0/0/0 (type=1),dest_proxy= 172.21.114.123/0.0.0.0/0/0 (type=1),protocol= ESP, transform= esp-des esp-md5-hmac ,lifedur= 120s and 4608000kb,spi= 0x120F043C(302974012), conn_id= 26, keysize= 0, flags= 0x4IPsec then installs the SA information into its SA database:
00:26:15: IPSEC(create_sa): sa created,(sa) sa_dest= 172.21.114.67, sa_prot= 50,sa_spi= 0x38914A4(59315364),sa_trans= esp-des esp-md5-hmac , sa_conn_id= 25sa_lifetime(k/sec)= (4445923/500)00:26:15: IPSEC(create_sa): sa created,(sa) sa_dest= 172.21.114.123, sa_prot= 50,sa_spi= 0x120F043C(302974012),sa_trans= esp-des esp-md5-hmac , sa_conn_id= 26sa_lifetime(k/sec)= (4445923/500)debug crypto ipsec client ezvpn
To display information about voice control messages that have been captured by the Voice DSP Control Message Logger and about Cisco Easy VPN remote connections, use the debug crypto ipsec client ezvpn command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto ipsec client ezvpn
no debug crypto ipsec client ezvpn
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
To force the Voice DSP Contol Message Logger to reestablish the virtual private network (VPN) connections, use the clear crypto sa and clear crypto isakmp commands to delete the IPSec security associations and Internet Key Exchange (IKE) connections, respectively.
Examples
The following example shows debugging messages when the Voice DSP Contol Message Logger is turned on and typical debugging messages that appear when the VPN tunnel is created:
Router# debug crypto ipsec client ezvpnEzVPN debugging is onrouter#00:02:28: EZVPN(hw1): Current State: IPSEC_ACTIVE00:02:28: EZVPN(hw1): Event: RESET00:02:28: EZVPN(hw1): ezvpn_close00:02:28: EZVPN(hw1): New State: CONNECT_REQUIRED00:02:28: EZVPN(hw1): Current State: CONNECT_REQUIRED00:02:28: EZVPN(hw1): Event: CONNECT00:02:28: EZVPN(hw1): ezvpn_connect_request00:02:28: EZVPN(hw1): New State: READY00:02:29: EZVPN(hw1): Current State: READY00:02:29: EZVPN(hw1): Event: MODE_CONFIG_REPLY00:02:29: EZVPN(hw1): ezvpn_mode_config00:02:29: EZVPN(hw1): ezvpn_parse_mode_config_msg00:02:29: EZVPN: Attributes sent in message:00:02:29: Address: 10.0.0.500:02:29: Default Domain: cisco.com00:02:29: EZVPN(hw1): ezvpn_nat_config00:02:29: EZVPN(hw1): New State: SS_OPEN00:02:29: EZVPN(hw1): Current State: SS_OPEN00:02:29: EZVPN(hw1): Event: SOCKET_READY00:02:29: EZVPN(hw1): No state change00:02:30: EZVPN(hw1): Current State: SS_OPEN00:02:30: EZVPN(hw1): Event: MTU_CHANGED00:02:30: EZVPN(hw1): No state change00:02:30: EZVPN(hw1): Current State: SS_OPEN00:02:30: EZVPN(hw1): Event: SOCKET_UP00:02:30: ezvpn_socket_up00:02:30: EZVPN(hw1): New State: IPSEC_ACTIVEThe following example shows the typical display for a VPN tunnel that is reset with the clear crypto ipsec client ezvpn command:
3d17h: EZVPN: Current State: READY3d17h: EZVPN: Event: RESET3d17h: ezvpn_reconnect_request3d17h: ezvpn_close3d17h: ezvpn_connect_request3d17h: EZVPN: New State: READY3d17h: EZVPN: Current State: READY3d17h: EZVPN: Event: MODE_CONFIG_REPLY3d17h: ezvpn_mode_config3d17h: ezvpn_parse_mode_config_msg3d17h: EZVPN: Attributes sent in message:3d17h: DNS Primary: 172.16.0.2503d17h: DNS Secondary: 172.16.0.2513d17h: NBMS/WINS Primary: 172.16.0.2523d17h: NBMS/WINS Secondary: 172.16.0.2533d17h: Split Tunnel List: 13d17h: Address : 172.16.0.1283d17h: Mask : 255.255.255.1283d17h: Protocol : 0x03d17h: Source Port: 03d17h: Dest Port : 03d17h: Split Tunnel List: 23d17h: Address : 172.16.1.1283d17h: Mask : 255.255.255.1283d17h: Protocol : 0x03d17h: Source Port: 03d17h: Dest Port : 03d17h: Default Domain: cisco.com3d17h: ezvpn_nat_config3d17h: EZVPN: New State: SS_OPEN3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_READY3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_READY3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: MTU_CHANGED3d17h: EZVPN: No state change3d17h: EZVPN: Current State: SS_OPEN3d17h: EZVPN: Event: SOCKET_UP3d17h: EZVPN: New State: IPSEC_ACTIVE3d17h: EZVPN: Current State: IPSEC_ACTIVE3d17h: EZVPN: Event: MTU_CHANGED3d17h: EZVPN: No state change3d17h: EZVPN: Current State: IPSEC_ACTIVE3d17h: EZVPN: Event: SOCKET_UPThe following example shows the typical display for a VPN tunnel that is removed from the interface with the no crypto ipsec client ezvpn command:
4d16h: EZVPN: Current State: IPSEC ACTIVE4d16h: EZVPN: Event: REMOVE INTERFACE CFG4d16h: ezvpn_close_and_remove4d16h: ezvpn_close4d16h: ezvpn_remove4d16h: EZVPN: New State: IDLERelated Commands
debug crypto ipsec
Displays debugging messages for generic IPSec events.
debug crypto isakmp
Displays debugging messages for IKE events.
debug crypto ipsec ha
To enable debugging messages for IP Security (IPSec) high availability, use the debug crypto ipsec ha command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto ipsec ha [detail] [update]
no debug crypto ipsec ha [detail] [update]
Syntax Description
detail
(Optional) Displays detailed debug information.
update
(Optional) Displays updates for inbound and outbound related data.
Command Modes
Privileged EXEC
Command History
Examples
The following example is sample output of the debug crypto ipsec ha command for both the active and stanby router:
Active RouterRouter# debug crypto ipsec haCrypto IPSEC High Availability debugging is on*Sep 29 17:03:01.851:IPSec HA (crypto_ha_ipsec_notify_add_sa):called*Sep 29 17:03:01.851:IPSec HA (crypto_ha_ipsec_notify_add_sa):New IPsec SA added... notifying HA MgrStandby RouterRouter# debug crypto ipsec haCrypto IPSEC High Availability debugging is onvrf-lite-R1#*Sep 29 17:03:01.031:IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas):HA mgr wants to insert the following bundle*Sep 29 17:03:01.031:IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas):This SA Supports DPD*Sep 29 17:03:01.031:IPSec HA (crypto_ha_ipsec_gen_sa):Sending Kei to IPSec num_kei 2*Sep 29 17:03:01.039:IPSec HA (crypto_ha_ipsec_notify_add_sa):called*Sep 29 17:03:01.039:IPSec HA (crypto_ha_ipsec_notify_add_sa):operation not performed as standby ip 4.0.0.3The following example is sample debug output with the detail keyword:
Active Router*Sep 29 17:05:48.803:IPSec HA (crypto_ha_ipsec_mgr_set_state_common):called for vip 4.0.0.3*Sep 29 17:06:11.655:IPSec HA (crypto_ha_ipsec_mgr_bulk_sync_sas):Bulk sync request from standby for local addr 4.0.0.3*Sep 29 17:06:44.059:IPSec HA (crypto_ha_ipsec_notify_add_sa):called*Sep 29 17:06:44.059:IPSec HA (crypto_ha_ipsec_notify_add_sa):New IPsec SA added... notifying HA MgrStandby RouterRouter# debug crypto ipsec ha detailCrypto IPSEC High Availability Detail debugging is onvrf-lite-R1#*Sep 29 17:06:44.063:IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas):HA mgr wants to insert the following bundle*Sep 29 17:06:44.063:IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas):This SA Supports DPD*Sep 29 17:06:44.063:IPSec HA (crypto_ha_ipsec_gen_sa):Sending Kei to IPSec num_kei 2*Sep 29 17:06:44.071:IPSec HA (crypto_ha_ipsec_notify_add_sa):called*Sep 29 17:06:44.071:IPSec HA (crypto_ha_ipsec_notify_add_sa):operation not performed as standby ip 4.0.0.3The following example is sample debug output with the update keyword:
Active Router*Sep 29 17:27:30.839:IPSec HA(check_and_send_replay_update):Replay triggered update seq_num 1000 last-sent 0 dir inbound*Sep 29 17:27:30.839:IPSec HA(create_update_struct):Sending inbound update*Sep 29 17:27:30.839:IPSec HA(send_update_struct):Outbound - New KB 0, New replay 0Inbound - New KB 3998772, New replay 1000*Sep 29 17:29:30.883:IPSec HA(check_and_send_replay_update):Replay triggered update seq_num 2000 last-sent 1000 dir inbound*Sep 29 17:29:30.883:IPSec HA(create_update_struct):Sending inbound update*Sep 29 17:29:30.883:IPSec HA(send_update_struct):Outbound - New KB 0, New replay 0Inbound - New KB 3998624, New replay 2000*Sep 29 17:30:30.899:IPSec HA(check_and_send_replay_update):Replay triggered update seq_num 3000 last-sent 2000 dir inbound*Sep 29 17:30:30.899:IPSec HA(create_update_struct):Sending inbound update*Sep 29 17:30:30.899:IPSec HA(send_update_struct):Outbound - New KB 0, New replay 0Inbound - New KB 3998476, New replay 3000*Sep 29 17:32:30.943:IPSec HA(check_and_send_replay_update):Replay triggered update seq_num 4000 last-sent 3000 dir inbound*Sep 29 17:32:30.943:IPSec HA(create_update_struct):Sending inbound update*Sep 29 17:32:30.943:IPSec HA(send_update_struct):Outbound - New KB 0, New replay 0Inbound - New KB 3998327, New replay 4000Standby Router*Sep 29 17:27:28.887:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):called*Sep 29 17:27:28.887:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):UPDATING INBOUND SA:ip = 4.0.0.3, protocol = 50, spi = B8A47EC9,NEW KB LIFE = 3998772,NEW REPLAY WINDOW START = 1000,*Sep 29 17:29:28.915:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):called*Sep 29 17:29:28.915:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):UPDATING INBOUND SA:ip = 4.0.0.3, protocol = 50, spi = B8A47EC9,NEW KB LIFE = 3998624,NEW REPLAY WINDOW START = 2000,*Sep 29 17:30:28.939:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):called*Sep 29 17:30:28.939:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):UPDATING INBOUND SA:ip = 4.0.0.3, protocol = 50, spi = B8A47EC9,NEW KB LIFE = 3998476,NEW REPLAY WINDOW START = 3000,*Sep 29 17:32:28.955:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):called*Sep 29 17:32:28.955:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):UPDATING INBOUND SA:ip = 4.0.0.3, protocol = 50, spi = B8A47EC9,NEW KB LIFE = 3998327,NEW REPLAY WINDOW START = 4000,Related Commands
debug crypto ha
Displays crypto high availability debugging information.
debug crypto isakmp ha
Enables debugging messages for ISAKMP high availability.
debug crypto ipv6 ipsec
To display IP Security (IPSec) events for IPv6 networks, use the debug crypto ipv6 ipsec command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto ipv6 ipsec
no debug crypto ipv6 ipsec
Syntax Description
This command has no arguments or keywords.
Command Default
Debugging for IPv6 IPSec events is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use this command to display IPSec events while setting up or removing policy definitions during OSPF configuration.
Examples
The following example enables the display of IPSec events for IPv6 networks:
Router# debug crypto ipv6 ipsecRelated Commands
debug crypto ipv6 packet
To display the contents of IPv6 packets, use the debug crypto ipv6 packet command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto ipv6 packet
no debug crypto ipv6 packet
Syntax Description
This command has no arguments or keywords.
Command Default
Debugging for IPv6 IPSec packets is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Consult Cisco Technical Support before using this command.
Use this command to display the contents of IPv6 packets. This command is useful when the remote node is not a Cisco device and communication between the Cisco and non-Cisco router cannot be established. This command enables you to look at the contents of the packets outbound from the Cisco router.
This command examines the content of every IPv6 packet and may slow network performance.
Examples
This example shows the ouptut of each packet when the debug crypto ipv6 packet command is enabled:
Router# debug crypto ipv6 packetCrypto IPv6 IPSEC packet debugging is onRouter#*Oct 30 16:57:06.330:IPSECv6:before Encapsulation of IPv6 packet:0E37A7C0: 6E000000 00285901 n....(Y.0E37A7D0:FE800000 00000000 020A8BFF FED42C1D ~...........~T,.0E37A7E0:FF020000 00000000 00000000 00000005 ................0E37A7F0:03010028 01010104 00000001 8AD80000 ...(.........X..0E37A800:00000006 01000013 000A0028 0A0250CF ...........(..PO0E37A810:01010104 0A0250CF ......PO*Oct 30 16:57:06.330:IPSECv6:Encapsulated IPv6 packet:0E37A7B0:6E000000 00403301 FE800000 00000000 n....@3.~.......0E37A7C0:020A8BFF FED42C1D FF020000 00000000 ....~T,.........0E37A7D0:00000000 00000005 59040000 000022B8 ........Y....."80E37A7E0:0000001A 38AB1ED8 04C1C6FB FF1248CF ....8+.X.AF{..HO0E37A7F0:03010028 01010104 00000001 8AD80000 ...(.........X..0E37A800:00000006 01000013 000A0028 0A0250CF ...........(..PO0E37A810:01010104 0A0250CF ......PO*Oct 30 16:57:11.914:IPSECv6:Before Decapsulation of IPv6 packet:0E004A50: 6E000000 00403301 n....@3.0E004A60:FE800000 00000000 023071FF FE7FE81D ~........0q.~.h.0E004A70:FF020000 00000000 00000000 00000005 ................0E004A80:59040000 000022B8 00001D88 F5AC68EE Y....."8....u,hn0E004A90:1AC00088 947C6BF2 03010028 0A0250CF .@...|kr...(..PO0E004AA0:00000001 E9080000 00000004 01000013 ....i...........0E004AB0:000A0028 0A0250CF 01010104 01010104 ...(..PO........0E004AC0:*Oct 30 16:57:11.914:IPSECv6:Decapsulated IPv6 packet:0E004A70:6E000000 00285901 FE800000 00000000 n....(Y.~.......0E004A80:023071FF FE7FE81D FF020000 00000000 .0q.~.h.........0E004A90:00000000 00000005 03010028 0A0250CF ...........(..PO0E004AA0:00000001 E9080000 00000004 01000013 ....i...........0E004AB0:000A0028 0A0250CF 01010104 01010104 ...(..PO........0E004AC0:*Oct 30 16:57:16.330:IPSECv6:before Encapsulation of IPv6 packet:0E003DC0: 6E000000 00285901 n....(Y.0E003DD0:FE800000 00000000 020A8BFF FED42C1D ~...........~T,.0E003DE0:FF020000 00000000 00000000 00000005 ................0E003DF0:03010028 01010104 00000001 8AD80000 ...(.........X..0E003E00:00000006 01000013 000A0028 0A0250CF ...........(..PO0E003E10:01010104 0A0250CF ......PO*Oct 30 16:57:16.330:IPSECv6:Encapsulated IPv6 packet:0E003DB0:6E000000 00403301 FE800000 00000000 n....@3.~.......0E003DC0:020A8BFF FED42C1D FF020000 00000000 ....~T,.........0E003DD0:00000000 00000005 59040000 000022B8 ........Y....."80E003DE0:0000001B F8E3C4E2 4CC4B690 DDF32B5C ....xcDbLD6.]s+\0E003DF0:03010028 01010104 00000001 8AD80000 ...(.........X..0E003E00:00000006 01000013 000A0028 0A0250CF ...........(..PO0E003E10:01010104 0A0250CF ......PORelated Commands
debug crypto isakmp
To display messages about Internet Key Exchange (IKE) events, use the debug crypto isakmp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto isakmp [aaa]
no debug crypto isakmp [aaa]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug crypto isakmp command for an IKE peer that initiates an IKE negotiation.
First, IKE negotiates its own security association (SA), checking for a matching IKE policy.
Router# debug crypto isakmp20:26:58: ISAKMP (8): beginning Main Mode exchange20:26:58: ISAKMP (8): processing SA payload. message ID = 020:26:58: ISAKMP (8): Checking ISAKMP transform 1 against priority 10 policy20:26:58: ISAKMP: encryption DES-CBC20:26:58: ISAKMP: hash SHA20:26:58: ISAKMP: default group 120:26:58: ISAKMP: auth pre-share20:26:58: ISAKMP (8): atts are acceptable. Next payload is 0IKE has found a matching policy. Next, the IKE SA is used by each peer to authenticate the other peer.
20:26:58: ISAKMP (8): SA is doing pre-shared key authentication20:26:59: ISAKMP (8): processing KE payload. message ID = 020:26:59: ISAKMP (8): processing NONCE payload. message ID = 020:26:59: ISAKMP (8): SKEYID state generated20:26:59: ISAKMP (8): processing ID payload. message ID = 020:26:59: ISAKMP (8): processing HASH payload. message ID = 020:26:59: ISAKMP (8): SA has been authenticatedNext, IKE negotiates to set up the IP Security (IPSec) SA by searching for a matching transform set.
20:26:59: ISAKMP (8): beginning Quick Mode exchange, M-ID of 76716284520:26:59: ISAKMP (8): processing SA payload. message ID = 76716284520:26:59: ISAKMP (8): Checking IPSec proposal 120:26:59: ISAKMP: transform 1, ESP_DES20:26:59: ISAKMP: attributes in transform:20:26:59: ISAKMP: encaps is 120:26:59: ISAKMP: SA life type in seconds20:26:59: ISAKMP: SA life duration (basic) of 60020:26:59: ISAKMP: SA life type in kilobytes20:26:59: ISAKMP: SA life duration (VPI) of0x0 0x46 0x50 0x020:26:59: ISAKMP: authenticator is HMAC-MD520:26:59: ISAKMP (8): atts are acceptable.A matching IPSec transform set has been found at the two peers. Now the IPSec SA can be created (one SA is created for each direction).
20:26:59: ISAKMP (8): processing NONCE payload. message ID = 76716284520:26:59: ISAKMP (8): processing ID payload. message ID = 76716284520:26:59: ISAKMP (8): processing ID payload. message ID = 76716284520:26:59: ISAKMP (8): Creating IPSec SAs20:26:59: inbound SA from 155.0.0.2 to 155.0.0.1 (proxy 155.0.0.2 to 155.0.0.1 )20:26:59: has spi 454886490 and conn_id 9 and flags 420:26:59: lifetime of 600 seconds20:26:59: lifetime of 4608000 kilobytes20:26:59: outbound SA from 155.0.0.1 to 155.0.0.2 (proxy 155.0.0.1 to 155.0.0.2 )20:26:59: has spi 75506225 and conn_id 10 and flags 420:26:59: lifetime of 600 seconds20:26:59: lifetime of 4608000 kilobytesThe following is sample output from the debug crypto isakmp command using the aaa keyword:
Router# debug crypto isakmp aaaStart Example01:38:55: ISAKMP AAA: Sent Accounting Message01:38:55: ISAKMP AAA: Accounting message successful01:38:55: ISAKMP AAA: Rx Accounting Message01:38:55: ISAKMP AAA: Adding Client Attributes to Accounting Record01:38:55: ISAKMP AAA: Accounting StartedUpdate Example01:09:55: ISAKMP AAA: Accounting received kei with flags 0x104201:09:55: ISAKMP AAA: Updating Stats01:09:55: Previous in acc (PKTS) IN: 10 OUT: 1001:09:55: Traffic on sa (PKTS) IN: 176 OUT: 176Related Commands
debug crypto isakmp ha
To enable debugging messages for Internet Security Association and Key Management Protocol (ISAKMP) high availability, use the debug crypto isakmp ha command in privileged EXEC mode. To disable debugging messages, use the no form of this command.
debug crypto isakmp ha [detail]
no debug crypto isakmp ha [detail]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output for a standby router from the debug crypto isakmp ha command:
Active Routerno debug messageStandby RouterRouter# debug crypto isakmp haCrypto ISAKMP High Availability debugging is onvrf-lite-R1#*Sep 28 21:54:41.815:IKE HA:(4.0.0.3) Adding STANDBY IKE SA*Sep 28 21:54:41.843:IKE HA:Create peer struct for local 4.0.0.3 remote 4.0.0.5 & locked*Sep 28 21:54:41.843:IKE HA:IKE SA inserted on standby with src = 4.0.0.5, dst = 4.0.0.3The following sample output is displayed when the detail keyword is issued. (Note that debug output without issuing the detail keyword is the same as the debug output with the detail keyword.)
Active RouterRouter# debug crypto isakmp ha detailCrypto ISAKMP High Availability detailed debugging is onvrf-lite-R1#*Sep 29 16:59:15.035:IKE HA:IKE SA is already failed overStandby RouterRouter# debug crypto isakmp ha detailCrypto ISAKMP High Availability detailed debugging is onvrf-lite-R2#*Sep 29 16:59:14.371:IKE HA:(4.0.0.3) Adding STANDBY IKE SA*Sep 29 16:59:14.411:IKE HA:Create peer struct for local 4.0.0.3 remote 4.0.0.5 & locked*Sep 29 16:59:14.411:IKE HA:IKE SA inserted on standby with src = 4.0.0.5, dst = 4.0.0.3Related Commands
debug crypto ha
Displays crypto high availability debugging information.
debug crypto ipsec ha
Enables debugging messages for IPSec high availability.
debug crypto key-exchange
To show Digital Signature Standard (DSS) public key exchange messages, use the debug crypto key-exchange command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto key-exchange
no debug crypto key-exchange
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Encryption and authentication are provided by a software service on the router called a crypto engine. The crypto engine performs authentication through DSS public and private keys when a connection is set up. DSS is a means of sending a "signature" at the end of a message that positively identifies the author of the message. The signature cannot be forged or duplicated by others, so whoever received a message with a DSS signature knows exactly who sent the message.
If the process of exchanging DSS public keys with a peer router by means of the config crypto key-exchange command is not successful, try to exchange DSS public keys again after enabling the debug crypto key-exchange command to help you diagnose the problem.
Examples
The following is sample output from the debug crypto key-exchange command. The first shows output from the initiating router in a key exchange. The second shows output from the passive router in a key exchange. The number of bytes received should match the number of bytes sent from the initiating side, although the number of messages can be different.
Router# debug crypto key-exchangeCRYPTO-KE: Sent 4 bytes.CRYPTO-KE: Sent 2 bytes.CRYPTO-KE: Sent 2 bytes.CRYPTO-KE: Sent 2 bytes.CRYPTO-KE: Sent 64 bytes.Router# debug crypto key-exchangeCRYPTO-KE: Received 4 bytes.CRYPTO-KE: Received 2 bytes.CRYPTO-KE: Received 2 bytes.CRYPTO-KE: Received 2 bytes.CRYPTO-KE: Received 49 bytes.CRYPTO-KE: Received 15 bytes.Related Commands
debug crypto sesmgmt
Displays connection setup messages and their flow through the router.
debug crypto mib
To display debug messages for the IP Security (IPsec) MIB subsystem, use the debug crypto mib command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto mib [detail | error]
no debug crypto mib [detail | error]
Syntax Description
Defaults
Message notification debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows IPsec MIB debug message notification being enabled:
Router# debug crypto mibCrypto IPSec Mgmt Entity debugging is onThe following example shows that detailed information about events that are occurring in the subsystem has been requested:
Router# debug crypto mib detailThe following example shows that information has been requested about error events in the MIB agent:
Router# debug crypto mib errorRelated Commands
debug crypto pki messages
To display debugging messages for the details of the interaction (message dump) between the certification authority (CA) and the router, use the debug crypto pki messages command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto pki messages
no debug crypto pki messages
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The debug crypto pki messages command displays messages about the actual data being sent and received during public key infrastructure (PKI) transactions. This command is internal for use by Cisco support personnel.
You can use the show crypto ca certificates command to display information about your certificate.
Examples
The following is sample output from the debug crypto pki messages command:
Router# debug crypto pki messagesFingerprint: 2CFC6265 77BA6496 3AEFCB50 29BC2BF200:48:23:Write out pkcs#10 content:27400:48:23:30 82 01 0E 30 81 B9 02 01 00 30 22 31 20 30 1E 06 09 2A 8600:48:23:48 86 F7 0D 01 09 02 16 11 70 6B 69 2D 33 36 61 2E 63 69 7300:48:23:63 6F 2E 63 6F 6D 30 5C 30 0D 06 09 2A 86 48 86 F7 0D 01 0100:48:23:01 05 00 03 4B 00 30 48 02 41 00 DD 2C C6 35 A5 3F 0F 97 6C00:48:23:11 E2 81 95 01 6A 80 34 25 10 C4 5F 3D 8B 33 1C 19 50 FD 9100:48:23:6C 2D 65 4C B6 A6 B0 02 1C B2 84 C1 C8 AC A4 28 6E EF 9D 3B00:48:23:30 98 CB 36 A2 47 4E 7E 6F C9 3E B8 26 BE 15 02 03 01 00 0100:48:23:A0 32 30 10 06 09 2A 86 48 86 F7 0D 01 09 07 31 03 13 01 6300:48:23:30 1E 06 09 2A 86 48 86 F7 0D 01 09 0E 31 11 14 0F 30 0D 3000:48:23:0B 06 03 55 1D 0F 04 04 03 02 05 A0 30 0D 06 09 2A 86 48 8600:48:23:F7 0D 01 01 04 05 00 03 41 00 2C FD 88 2C 8A 13 B6 81 88 EA00:48:23:5C FD AE 52 8F 2C 13 95 9E 9D 8B A4 C9 48 32 84 BF 05 03 4900:48:23:63 27 A3 AC 6D 74 EB 69 E3 06 E9 E4 9F 0A A8 FB 20 F0 02 0300:48:23:BE 90 57 02 F2 75 8E 0F 16 60 10 6F BE 2B00:48:23:Enveloped Data ...00:48:23:30 80 06 09 2A 86 48 86 F7 0D 01 07 03 A0 80 30 80 02 01 0000:48:23:31 80 30 82 01 0F 02 01 00 30 78 30 6A 31 0B 30 09 06 03 5500:48:23:04 06 13 02 55 53 31 0B 30 09 06 03 55 04 08 13 02 43 41 3100:48:23:13 30 11 06 03 55 04 07 13 0A 53 61 6E 74 61 20 43 72 75 7A00:48:23:31 15 30 13 06 03 55 04 0A 13 0C 43 69 73 63 6F 20 53 79 7300:48:23:74 65 6D 31 0E 30 0C 06 03 55 04 0B 13 05 49 50 49 53 55 3100:48:23:Signed Data 1382 bytes00:48:23:30 80 06 09 2A 86 48 86 F7 0D 01 07 02 A0 80 30 80 02 01 0100:48:23:31 0E 30 0C 06 08 2A 86 48 86 F7 0D 02 05 05 00 30 80 06 0900:48:23:2A 86 48 86 F7 0D 01 07 01 A0 80 24 80 04 82 02 75 30 80 0600:48:23:02 55 53 31 0B 30 09 06 03 55 04 08 13 02 43 41 31 13 30 1100:48:23:33 34 5A 17 0D 31 30 31 31 31 35 31 38 35 34 33 34 5A 30 2200:48:23:31 20 30 1E 06 09 2A 86 48 86 F7 0D 01 09 02 16 11 70 6B 6900:48:23:2D 33 36 61 2E 63 69 73 63 6F 2E 63 6F 6D 30 5C 30 0D 06 0900:48:23:2A 86 48 86 F7 0D 01 01 01 05 00 03 4B 00 30 48 02 41 00 DD00:48:23:2C C6 35 A5 3F 0F 97 6C 11 E2 81 95 01 6A 80 34 25 10 C4 5F00:48:23:3D 8B 33 1C 19 50 FD 91 6C 2D 65 4C B6 A6 B0 02 1C B2 84 C100:48:23:86 F7 0D 01 01 01 05 00 04 40 C6 24 36 D6 D5 A6 92 80 5D E500:48:23:15 F7 3E 15 6D 71 E1 D0 13 2B 14 64 1B 0C 0F 96 BF F9 2E 0500:48:23:EF C2 D6 CB 91 39 19 F8 44 68 0E C5 B5 84 18 8B 2D A4 B1 CD00:48:23:3F EC C6 04 A5 D9 7C B1 56 47 3F 5B D4 93 00 00 00 00 00 0000:48:23:00 0000:48:24:Received pki message:1778 types...Related Commands
debug crypto pki server
To enable debugging for a crypto public key infrastructure (PKI) certificate server, use the debug crypto pki server command in privileged EXEC mode. To disable debugging, use the no form of this command.
debug crypto pki server
no debug crypto pki server
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example shows how to enable debugging for a certificate server. This example also contains sample debug messages, which allow users to troubleshoot the various certificate-request-related stages and tasks that are handled by the certificate server.
Router# debug crypto pki serverCrypto PKI Certificate Server debugging is onOct 15 19:50:41.003:CRYPTO_CS:old RA cert flag 0x4Oct 15 19:50:41.003:CRYPTO_CS:new RA cert flag 0x1000COct 15 19:50:41.003:CRYPTO_CS:nvram filesystemOct 15 19:50:41.279:CRYPTO_CS:serial number 0x1 written.Oct 15 19:50:53.383:CRYPTO_CS:created a new serial file.Oct 15 19:50:53.383:CRYPTO_CS:SCEP server startedOct 15 19:50:53.419:%SYS-5-CONFIG_I:Configured from console by consoleOct 15 19:50:53.731:CRYPTO_CS:received a SCEP GetCACert requestOct 15 19:50:53.739:CRYPTO_CS:CA certificate sentOct 15 19:50:54.355:CRYPTO_CS:received a SCEP GetCACert requestOct 15 19:50:54.363:CRYPTO_CS:CA certificate sentOct 15 19:50:57.791:CRYPTO_CS:received a SCEP requestOct 15 19:50:57.795:CRYPTO_CS:read SCEP:registered and bound serviceSCEP_READ_DB_8Oct 15 19:50:57.947:CRYPTO_CS:scep msg type - 19Oct 15 19:50:57.947:CRYPTO_CS:trans id -3673CE2FF0235A4AE6F26242B00A4BB4Oct 15 19:50:58.679:CRYPTO_CS:read SCEP:unregistered and unboundservice SCEP_READ_DB_8Oct 15 19:50:58.683:CRYPTO_CS:received an enrollment requestOct 15 19:50:58.691:CRYPTO_CS:request has been authorized, transactionid=3673CE2FF0235A4AE6F26242B00A4BB4Oct 15 19:50:58.699:CRYPTO_CS:byte 2 in key usage in PKCS#10 is 0x7Oct 15 19:50:58.699:CRYPTO_CS:signatureOct 15 19:50:58.699:CRYPTO_CS:key_usage is 1Oct 15 19:50:58.703:CRYPTO_CS:enrollment request with pendingID 1 sentto the CAOct 15 19:50:58.707:CRYPTO_CS:write SCEP:registered and bound serviceSCEP_WRTE_DB_8Oct 15 19:50:59.531:CRYPTO_CS:write SCEP:unregistered and unboundservice SCEP_WRTE_DB_8.....Oct 15 19:53:08.403:CRYPTO_CS:CS_RA_REQUEST:save cert in dbase,pending id = 2Oct 15 19:53:08.403:CRYPTO_CS:enrollment request 2 grantedOct 15 19:53:08.403:CRYPTO_PKI:All enrollment requests completed fortrustpoint ra.Oct 15 19:53:08.403:%CRYPTO-6-CERTRET:Certificate received fromCertificate AuthorityOct 15 19:53:08.403:CRYPTO_PKI:All enrollment requests completed fortrustpoint ra.Oct 15 19:53:08.403:CRYPTO_PKI:All enrollment requests completed fortrustpoint ra.Oct 15 19:53:08.407:CRYPTO_PKI:All enrollment requests completed fortrustpoint ra.Oct 15 19:53:19.623:IPSEC(key_engine):major = 1Oct 15 19:53:19.623:IPSEC(key_engine):expired_timer:skip ...Oct 15 19:53:35.707:CRYPTO_CS:received a SCEP requestOct 15 19:53:35.711:CRYPTO_CS:read SCEP:registered and bound serviceSCEP_READ_DB_14Oct 15 19:53:35.859:CRYPTO_CS:scep msg type - 20Oct 15 19:53:35.859:CRYPTO_CS:trans id -4D774FFE2F7CA9991A7F6A785E803E77Oct 15 19:53:36.591:CRYPTO_CS:read SCEP:unregistered and unboundservice SCEP_READ_DB_14Oct 15 19:53:36.595:CRYPTO_CS:received an enrollment requestOct 15 19:53:36.595:CRYPTO_CS:write SCEP:registered and bound serviceSCEP_WRTE_DB_14Oct 15 19:53:37.623:CRYPTO_CS:write SCEP:unregistered and unboundservice SCEP_WRTE_DB_14Oct 15 19:53:37.631:CRYPTO_CS:Certificate sent to requestorRelated Commands
crypto pki server
Enables a Cisco IOS certificate server and enters certificate server configuration mode.
debug crypto pki transactions
To display debugging messages for the trace of interaction (message type) between the certification authority (CA) and the router, use the debug crypto pki transactions command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto pki transactions
no debug crypto pki transactions
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Use the debug crypto pki transactions command to display debugging messages pertaining to public key infrastructure (PKI) certificates. The messages will show status information during certificate enrollment and verification.
You can also use the show crypto ca certificates command to display information about your certificate.
Examples
The following example, which authenticates and enrolls a CA, contains sample output for the debug crypto pki transactions command:
Router(config)# crypto ca authenticate mscaCertificate has the following attributes:Fingerprint:A5DE3C51 AD8B0207 B60BED6D 9356FB00% Do you accept this certificate? [yes/no]:yRouter# debug crypto pki transactions00:44:00:CRYPTO_PKI:Sending CA Certificate Request:GET /certsrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=msca HTTP/1.000:44:00:CRYPTO_PKI:http connection opened00:44:01:CRYPTO_PKI:HTTP response header:HTTP/1.1 200 OKServer:Microsoft-IIS/5.0Date:Fri, 17 Nov 2000 18:50:59 GMTContent-Length:2693Content-Type:application/x-x509-ca-ra-certContent-Type indicates we have received CA and RA certificates.00:44:01:CRYPTO_PKI:WARNING:A certificate chain could not be constructed while selecting certificate status00:44:01:CRYPTO_PKI:WARNING:A certificate chain could not be constructed while selecting certificate status00:44:01:CRYPTO_PKI:Name:CN = msca-rootRA, O = Cisco System, C = US00:44:01:CRYPTO_PKI:Name:CN = msca-rootRA, O = Cisco System, C = US00:44:01:CRYPTO_PKI:transaction GetCACert completed00:44:01:CRYPTO_PKI:CA certificate received.00:44:01:CRYPTO_PKI:CA certificate received.Router(config)# crypto ca enroll msca%% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password:Re-enter password:% The subject name in the certificate will be:Router.cisco.com% Include the router serial number in the subject name? [yes/no]:n% Include an IP address in the subject name? [yes/no]:nRequest certificate from CA? [yes/no]:y% Certificate request sent to Certificate Authority% The certificate request fingerprint will be displayed.% The 'show crypto ca certificate' command will also show the fingerprint.Router(config)#00:44:29:CRYPTO_PKI:transaction PKCSReq completed00:44:29:CRYPTO_PKI:status:00:44:29:CRYPTO_PKI:http connection opened00:44:29:CRYPTO_PKI: received msg of 1924 bytes00:44:29:CRYPTO_PKI:HTTP response header:HTTP/1.1 200 OKServer:Microsoft-IIS/5.0Date:Fri, 17 Nov 2000 18:51:28 GMTContent-Length:1778Content-Type:application/x-pki-message00:44:29:CRYPTO_PKI:signed attr:pki-message-type:00:44:29:13 01 3300:44:29:CRYPTO_PKI:signed attr:pki-status:00:44:29:13 01 3000:44:29:CRYPTO_PKI:signed attr:pki-recipient-nonce:00:44:29:04 10 B4 C8 2A 12 9C 8A 2A 4A E1 E5 15 DE 22 C2 B4 FD00:44:29:CRYPTO_PKI:signed attr:pki-transaction-id:00:44:29:13 20 34 45 45 41 44 42 36 33 38 43 33 42 42 45 44 45 39 4600:44:29:34 38 44 33 45 36 39 33 45 33 43 37 45 3900:44:29:CRYPTO_PKI:status = 100:certificate is granted00:44:29:CRYPTO__PKI:All enrollment requests completed.00:44:29:%CRYPTO-6-CERTRET:Certificate received from Certificate AuthorityRelated Commands
debug crypto provisioning
To display information about an easy secure device provisioning (SDP) operation, use the debug crypto provisioning command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto provisioning
no debug crypto provisioning
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
For more detailed information about authentication, authorization, and accounting (AAA), use the debug aaa authorization command.
Examples
The following is sample output from the debug crypto provisioning command. The output includes explanations of the process.
Router# debug crypto provisioningPetitioner device! The user starts the Welcome phase.Nov 7 03:15:48.171: CRYPTO_WUI_TTI: received welcome get request.! The router generates a Rivest, Shamir, and Adelman (RSA) keypair for future enrollment.Nov 7 03:15:48.279: CRYPTO_WUI_TTI: keyhash 'A506BE3B83C6F4B4A6EFCEB3D584AACA'! The TTI transaction is completed.Nov 7 03:16:10.607: CRYPTO_WUI_TTI: received completion post request.Registrar device!. During the introduction phase, the browser prompts for login information.06:39:18: CRYPTO_WUI_TTI: received introduction post request.06:39:18: CRYPTO_WUI_TTI: checking AAA authentication (ipsecca_script_aaalist, ttiuser)! This happens if the user types in the wrong username or password.06:39:19: CRYPTO_WUI_TTI: authentication declined by AAA, or AAA server not found - 0x306:39:19: CRYPTO_WUI_TTI: aaa query fails!! The user re-enters login information.06:39:19: CRYPTO_WUI_TTI: received introduction post request.06:39:19: CRYPTO_WUI_TTI: checking AAA authentication (ipsecca_script_aaalist, ttiuser)06:39:20: CRYPTO_WUI_TTI: checking AAA authorization (ipsecca_script_aaalist, ttiuser)! The login attempt succeeds and authorization information is retrieved from the AAA database.06:39:21: CRYPTO_WUI_TTI: aaa query ok!! These attributes are inserted into the configuration template.06:39:21: CRYPTO_WUI_TTI: building TTI av pairs from AAA attributes06:39:21: CRYPTO_WUI_TTI: "subjectname" = "CN=user, O=company, C=country"06:39:21: CRYPTO_WUI_TTI: "$1" = "ntp server 192.0.2.1"06:39:21: CRYPTO_WUI_TTI: "$2" = "hostname user-vpn"! The registrar stores this subject name and overrides the subject name in the subsequent enrollment request.06:39:21: CRYPTO_WUI_TTI: subjectname=CN=user, O=company, C=country! The registrar stores this key information so that it may be used to automatically grant the subsequent enrollment request.06:39:21: CRYPTO_WUI_TTI: key_hash=A506BE3B83C6F4B4A6EFCEB3D584AACARelated Commands
debug crypto sesmgmt
To show connection setup messages and their flow through the router, use the debug crypto sesmgmt command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug crypto sesmgmt
no debug crypto sesmgmt
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Encryption and authentication are provided by a software service on the router called a crypto engine. The crypto engine performs authentication through Digital Signature Standard (DSS) public and private keys when a connection is set up. DSS is a means of sending a "signature" at the end of a message that positively identifies the author of the message. The signature cannot be forged or duplicated by others, so whoever receives a message with a DSS signature knows exactly who sent the message.
When connections are not completing, use the debug crypto sesmgmt command to follow the progress of connection messages as a first step in diagnosing the problem. You see a record of each connection message as the router discovers it, and can track its progress through the necessary signing, verifying, and encryption session setup operations. Other significant connection setup events, such as the pregeneration of Diffie-Hellman public numbers, are also shown. For information on Diffie-Hellman public numbers, refer to the Cisco IOS Security Configuration Guide.
Also use the show crypto connections command to display additional information on connections.
Examples
The following is sample output from the debug crypto sesmgmt command. The first shows messages from a router that initiates a successful connection. The second shows messages from a router that receives a connection.
Router# debug crypto sesmgmtCRYPTO: Dequeued a message: Inititate_ConnectionCRYPTO: DH gen phase 1 status for conn_id 2 slot 0:OKCRYPTO: Signing done. Status:OKCRYPTO: ICMP message sent: s=172.21.114.163, d=172.21.114.162CRYPTO-SDU: send_nnc_req: NNC Echo Request sentCRYPTO: Dequeued a message: CRMCRYPTO: DH gen phase 2 status for conn_id 2 slot 0:OKCRYPTO: Verify done. Status=OKCRYPTO: Signing done. Status:OKCRYPTO: ICMP message sent: s=172.21.114.163, d=172.21.114.162CRYPTO-SDU: recv_nnc_rpy: NNC Echo Confirm sentCRYPTO: Create encryption key for conn_id 2 slot 0:OKCRYPTO: Replacing -2 in crypto maps with 2 (slot 0)Router# debug crypto sesmgmtCRYPTO: Dequeued a message: CIMCRYPTO: Verify done. Status=OKCRYPTO: DH gen phase 1 status for conn_id 1 slot 0:OKCRYPTO: DH gen phase 2 status for conn_id 1 slot 0:OKCRYPTO: Signing done. Status:OKCRYPTO: ICMP message sent: s=172.21.114.162, d=172.21.114.163CRYPTO-SDU: act_on_nnc_req: NNC Echo Reply sentCRYPTO: Create encryption key for conn_id 1 slot 0:OKCRYPTO: Replacing -2 in crypto maps with 1 (slot 0)CRYPTO: Dequeued a message: CCMCRYPTO: Verify done. Status=OKRelated Commands
debug csm neat
To turn on debugging for all Call Switching Module (CSM) Voice over IP (VoIP) calls, use the debug csm neat command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug csm neat [slot | dspm | dsp | dsp-channel]
no debug csm neat [slot | dspm | dsp | dsp-channel]
Syntax Description
slot | dspm | dsp | dsp-channel
(Optional) Identifies the location of a particular digital signal processor (DSP) channel.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The debug csm neat command turns on debugging for all CSM VoIP calls. If no arguments are specified, debugging is enabled for all voice calls.
Note
The no debug cms neat command turns off debugging information for all voice calls.
If the slot, dspm, dsp, or dsp-channel arguments are specified (if the specified DSP channel is engaged in a CSM call), CSM call-related debugging information is turned on for this channel. The no form of this command turns off debugging for that particular channel.
Examples
The following examples show sample output from the debug csm neat command. The following shows that CSM has received an event from ISDN.
Router# debug csm neatMarch 18 04:05:07.052: EVENT_FROM_ISDN::dchan_idb=0x60D7B6B8, call_id=0xCF, ces=0x1bchan=0x0, event=0x1, cause=0x0Table 66 describes the significant fields shown in the display.
The following example shows that CSM has allocated the CSM voice control block for the DSP device on slot 1 port 10 for this call.
March 18 04:05:07.052: VDEV_ALLOCATE: slot 1 and port 10 is allocated.In this example, CSM must first allocate the CSM voice control block to initiate the state machine. After the voice control block has been allocated, CSM obtains from the DSP Resource Manager the actual DSP channel that will be used for the call. At that point, CSM will switch to the actual logical port number. The slot number in this example refers to the physical slot on the Cisco AS5400 access server. The port number is the logical DSP number interpreted as listed in Table 67.
The following example shows that the function csm_vtsp_init_tdm() has been called with a voice control block of address 0x60B8562C. This function will be called only when the call is treated as a voice call.
March 18 04:05:07.052: csm_vtsp_init_tdm (voice_vdev=0x60B8562C)The following example shows that CSM has obtained a DSP channel from the DSP Resource Manager:
March 18 04:05:07.052: csm_vtsp_init_tdm: dsprm_tdm_allocate: tdm slot 1, dspm 2, dsp 5, dsp_channel 1csm_vtsp_init_tdm: dsprm_tdm_allocate: tdm stream 5, channel 9, bank 0, bp_channel 10Table 68 describes the significant fields shown in the DSP channel initialized TDM display.
The following shows that CSM received an incoming call event from ISDN:
March 18 04:05:07.052: EVENT_FROM_ISDN:(00CF): DEV_INCALL at slot 1 and port 20Slot 1, port 20 means the logical DSP channel 20 (mapped to DSPRM 2, DSP 5, DSP channel 1).
The following shows that the DEV_INCALL message been translated into a CSM_EVENT_ISDN_CALL message:
March 18 04:05:07.052: CSM_PROC_IDLE: CSM_EVENT_ISDN_CALL at slot 1, port 20This message is passed to the CSM central state machine while it is in the CSM_IDLE state and is in the CSM_PROC_IDLE procedure. The logical DSP channel port 20 on slot 1 is used to handle this call.
The following shows that CSM has invoked the vtsp_ic_notify() function with a CSM voice call control block 0x60B8562C.
March 18 04:05:07.052: vtsp_ic_notify : (voice_vdev= 0x60B8562C)Inside this function, CSM will send a SETUP INDICATION message to the VTSP. This function will be invoked only if the call is a voice call.
The following shows that CSM received a SETUP INDICATION RESPONSE message from the VTSP as an acknowledgment.
March 18 04:05:07.056: csm_vtsp_call_setup_resp (vdev_info=0x60B8562C, vtsp_cdb=0x60FCA114)This means that the VTSP received the CALL SETUP INDICATION message previously sent and has proceeded to process the call.
•
•
The following shows that CSM received a CALL CONNECT message from the VTSP:
March 18 04:05:07.596: csm_vtsp_call_connect (vtsp_cdb=0x60FCA114, voice_vdev=0x60B8562C)This indicates that the VTSP received a CONNECT message for the call leg initiated to the Internet side.
•
•
The following shows that while CSM is in the CSM_IC2_RING state, it receives a SETUP INDICATION RESPONSE from the VTSP. This message is translated into CSM_EVENT_MODEM_OFFHOOK and passed to the CSM central state machine.
March 18 04:05:07.596: CSM_PROC_IC2_RING: CSM_EVENT_MODEM_OFFHOOK at slot 1, port 20The following shows that CSM received a CONNECT message from ISDN for the call using the logical DSP channel on slot 1 and port 20:
March 18 04:05:07.616: EVENT_FROM_ISDN:(00CF): DEV_CONNECTED at slot 1 and port 20The following shows that CSM translated the CONNECT event from ISDN into the CSM_EVENT_ISDN_CONNECTED message, which is then passed to the CSM central state machine:
March 18 04:05:07.616: CSM_PROC_IC4_WAIT_FOR_CARRIER: CSM_EVENT_ISDN_CONNECTED at slot 1, port 20The following shows that CSM received a CALL SETUP REQUEST from the VTSP:
May 16 12:22:27.580: csm_vtsp_call_setup_request (vtsp_cdb=0x60FCFA20, vtsp_sdb=0x60DFB608)This represents a request to make an outgoing call to the PSTN.
•
•
The following shows that the physical DSP channel has been allocated for this outgoing call:
May 16 12:22:27.580: csm_vtsp_call_setup_request: tdm slot 1, dspm 5, dsp 4, dsp_channel 1The following shows the on-chip and backplane TDM channel assigned to this DSP channel:
May 16 12:22:27.580: csm_vtsp_call_setup_request: tdm stream 5, channel 25, bank 0, bp_channel 27In this sample output, tdm stream 5, channel 25, bank 0, bp_channel 27 indicates the on-chip and backplane TDM channel assigned to this DSP channel. Stream 5, channel 25 gives the on-chip TDM channel mapped to the DSP; bank 0, bp_channel 27 means that the backplane stream 0 and backplane channel 1 are assigned to this DSP.
The following shows the calling number and the called number for this call.
May 16 12:22:27.580: csm_vtsp_call_setup_request: calling number: 10001, called number: 30001The following shows that the CALL SETUP REQUEST from the VTSP has been translated into the ' CSM_EVENT_MODEM_OFFHOOK message and is passed to the CSM central state machine:
May 16 12:22:27.580: CSM_PROC_IDLE: CSM_EVENT_MODEM_OFFHOOK at slot 1, port 54The logical DSP channel number for the DSP (slot 1, port 54) is now displayed, which maps to the physical DSP channel slot 1, dspm 5, dsp 4, dsp_channel 1.
The following shows that CSM collected all the digits for dialing out:
May 16 12:22:27.580: CSM_PROC_OC3_COLLECT_ALL_DIGIT: CSM_EVENT_GET_ALL_DIGITS at slot 1, port 54For PRI and for applications that do not require digit collection of outdialing digits (for example, voice calls), the intermediate digit collection states are omitted and the CSM state machine moves to this state directly, pretending that the digit collection has been done.
The following shows an information message:
March 16 12:22:27.580: CSM_PROC_OC3_COLLECT_ALL_DIGIT: called party num: (30001) at slot 1, port 54The following shows that CSM attempts to find a free signalling D channel to direct the outgoing call:
March 16 12:22:27.580: csm_vtsp_check_dchan (voice_vdev=0x60B8562C)March 16 12:22:27.580: csm_vtsp_check_dchan (vtsp requested dchan=0x60D7ACB0, dchan_idb=0x60E8ACF0)March 16 12:22:27.580: csm_vtsp_check_dchan (voice_vdev=0x60B8562C)March 16 12:22:27.580: csm_vtsp_check_dchan (vtsp requested dchan=0x60D7ACB0, dchan_idb=0x60D7ACB0)In the case of voice calls, the free signaling D channel must match the voice interface specified inside the signalling data block (vtsp_sdb) passed from the VTSP.
The following shows that CSM has received an event from ISDN:
March 16 12:22:27.624: EVENT_FROM_ISDN::dchan_idb=0x60D7ACB0, call_id=0xA121, ces=0x1 bchan=0x1E, event=0x3, cause=0x0In this sample output:
•
•
•
•
The following shows that CSM has received a CALL PROCEEDING message from ISDN.
March 16 12:22:27.624: EVENT_FROM_ISDN:(A121): DEV_CALL_PROC at slot 1 and port 54The following shows that the CALL PROCEEDING event received from ISDN has been interpreted as a CSM_EVENT_ISDN_BCHAN_ASSIGNED message:
March 16 12:22:27.624: CSM_PROC_OC4_DIALING: CSM_EVENT_ISDN_BCHAN_ASSIGNED at slot 1, port 54ISDN has assigned a B channel for this outgoing call. This B channel must be on the same PRI span as the signalling D channel allocated previously.
The following shows that the csm_vtsp_setup_for_oc function is called:
March 16 12:22:27.624: csm_vtsp_setup_for_oc (voice_vdev=0x60B8562C)This is invoked when an outgoing call initiated by the VTSP receives a response from the ISDN stack.
The following shows that ISDN has sent a CONNECT message to CSM indicating that the call leg to the PSTN side has been established:
March 16 12:22:28.084: EVENT_FROM_ISDN::dchan_idb=0x60D7ACB0, call_id=0xA121, ces=0x1bchan=0x1E, event=0x4, cause=0x0March 16 12:22:28.084: EVENT_FROM_ISDN:(A121): DEV_CONNECTED at slot 1 and port 54The following shows that while CSM is in the OC5_WAIT_FOR_CARRIER state, it has received the 'CONNECT' message from ISDN and has translated it into the CSM_EVENT_ISDN_CONNECTED message, which is passed to the CSM central state machine:
March 16 12:22:28.084: CSM_PROC_OC5_WAIT_FOR_CARRIER: CSM_EVENT_ISDN_CONNECTED at slot 1, port 54The following shows that the function vtsp_confirm_oc() has been called:
March 16 12:22:28.084: vtsp_confirm_oc : (voice_vdev= 0x60B8562C)This is invoked after CSM received the CONNECT message from ISDN. CSM sends a confirmation of the CONNECT to the VTSP.
debug csm tgrm
To view Call Switching Module (CSM) trunk group resource manager information, use the debug csm tgrm command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug csm tgrm
no debug csm tgrm
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Disable console logging and use buffered logging before using the debug csm tgrm command. Using the debug csm tgrm command generates a large volume of debugs, which can affect router performance.
Examples
The following is sample output from the debug csm tgrm command. The output shows that the call type is voice, the direction is incoming, and the call is accepted by the CSM.
Router# debug csm tgrmRouter#00:02:25:CSM-TGRM:csm_rx_cas_event_from_neat(EVENT_DIAL_IN) - c(T1 7/1:1:3) call_type=VOICE, dir=INCOMINGRouter#00:02:30:CSM-TGRM:csm_proc_ic3_wait_for_res_resp() c(T1 7/1:1:3) VOICE <ACCEPTED !!>Table 69 describes the significant fields shown in the display.
Table 69 debug csm tgrm Field Descriptions
call_type
Type of call: VOICE or MODEM.
dir
Direction of the call: INCOMING or OUTGOING.
debug csm voice
To turn on debugging for all Call Switching Module (CSM) Voice over IP (VoIP) calls, use the debug csm voice command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug csm voice [slot | dspm | dsp | dsp-channel]
no debug csm voice [slot | dspm | dsp | dsp-channel]
Syntax Description
slot | dspm | dsp | dsp-channel
(Optional) Identifies the location of a particular digital signal processor (DSP) channel.
Command Modes
Privileged EXEC
Usage Guidelines
The debug csm voice command turns on debugging for all CSM VoIP calls. If this command has no keyword specified, then debugging is enabled for all voice calls.
Note
The no debug cms voice command turns off debugging information for all voice calls.
If the slot | dspm | dsp | dsp-channel argument is specified, then (if the specified DSP channel is engaged in a CSM call) CSM call-related debugging information will be turned on for this channel. The no form of this command turns off debugging for that particular channel.
Examples
The following examples show sample output from the debug csm voice command. The following shows that CSM has received an event from ISDN.
Router# debug csm voiceOct 18 04:05:07.052: EVENT_FROM_ISDN::dchan_idb=0x60D7B6B8, call_id=0xCF, ces=0x1bchan=0x0, event=0x1, cause=0x0In this example, terms are explained as follows:
•
•
•
•
The following shows that CSM has allocated the CSM voice control block for the DSP device on slot 1 port 10 for this call.
Oct 18 04:05:07.052: VDEV_ALLOCATE: slot 1 and port 10 is allocated.This AS5300 access server might not be actually used to handle this call. CSM must first allocate the CSM voice control block to initiate the state machine. After the voice control block has been allocated, CSM obtains from the DSP Resource Manager the actual DSP channel that will be used for the call. At that point, CSM will switch to the actual logical port number. The slot number refers to the physical slot on the AS5300 access server. The port number is the logical DSP number interpreted as listed in Table 70.
The following shows that the function csm_vtsp_init_tdm() has been called with a voice control block of address 0x60B8562C. This function will be called only when the call is treated as a voice call.
Oct 18 04:05:07.052: csm_vtsp_init_tdm (voice_vdev=0x60B8562C)The following shows that CSM has obtained a DSP channel from the DSP Resource Manager:
Oct 18 04:05:07.052: csm_vtsp_init_tdm: dsprm_tdm_allocate: tdm slot 1, dspm 2, dsp 5, dsp_channel 1csm_vtsp_init_tdm: dsprm_tdm_allocate: tdm stream 5, channel 9, bank 0, bp_channel 10The DSP channel has the following initialized TDM channel information:
•
•
The following shows that CSM has received an incoming call event from ISDN:
Oct 18 04:05:07.052: EVENT_FROM_ISDN:(00CF): DEV_INCALL at slot 1 and port 20Slot 1, port 20 means the logical DSP channel 20 (mapped to DSPRM 2, DSP 5, DSP channel 1).
The following shows that the DEV_INCALL message has been translated into a CSM_EVENT_ISDN_CALL message:
Oct 18 04:05:07.052: CSM_PROC_IDLE: CSM_EVENT_ISDN_CALL at slot 1, port 20This message is passed to the CSM central state machine while it is in the CSM_IDLE state and is in the CSM_PROC_IDLE procedure. The logical DSP channel port 20 on slot 1 is used to handle this call.
The following shows that CSM has invoked the vtsp_ic_notify() function with a CSM voice call control block 0x60B8562C.
Oct 18 04:05:07.052: vtsp_ic_notify : (voice_vdev= 0x60B8562C)Inside this function, CSM will send a SETUP INDICATION message to the VTSP. This function will be invoked only if the call is a voice call.
The following shows that CSM has received a SETUP INDICATION RESPONSE message from the VTSP as an acknowledgment.
Oct 18 04:05:07.056: csm_vtsp_call_setup_resp (vdev_info=0x60B8562C, vtsp_cdb=0x60FCA114)This means that the VTSP has received the CALL SETUP INDICATION message previously sent and has proceeded to process the call.
•
•
The following shows that CSM has received a CALL CONNECT message from the VTSP:
Oct 18 04:05:07.596: csm_vtsp_call_connect (vtsp_cdb=0x60FCA114, voice_vdev=0x60B8562C)This indicates that the VTSP has received a CONNECT message for the call leg initiated to the Internet side.
•
•
The following shows that while CSM is in the CSM_IC2_RING state, it receives a SETUP INDICATION RESPONSE from the VTSP. This message is translated into CSM_EVENT_MODEM_OFFHOOK and passed to the CSM central state machine.
Oct 18 04:05:07.596: CSM_PROC_IC2_RING: CSM_EVENT_MODEM_OFFHOOK at slot 1, port 20The following shows that CSM has received a CONNECT message from ISDN for the call using the logical DSP channel on slot 1 and port 20:
Oct 18 04:05:07.616: EVENT_FROM_ISDN:(00CF): DEV_CONNECTED at slot 1 and port 20The following shows that CSM has translated the CONNECT event from ISDN into the CSM_EVENT_ISDN_CONNECTED message, which is then passed to the CSM central state machine:
Oct 18 04:05:07.616: CSM_PROC_IC4_WAIT_FOR_CARRIER: CSM_EVENT_ISDN_CONNECTED at slot 1, port 20The following shows that CSM has received a CALL SETUP REQUEST from the VTSP:
May 16 12:22:27.580: csm_vtsp_call_setup_request (vtsp_cdb=0x60FCFA20, vtsp_sdb=0x60DFB608)This represents a request to make an outgoing call to the PSTN.
•
•
The following shows that the physical DSP channel has been allocated for this outgoing call:
May 16 12:22:27.580: csm_vtsp_call_setup_request: tdm slot 1, dspm 5, dsp 4, dsp_channel 1The following shows the on-chip and backplane TDM channel assigned to this DSP channel:
May 16 12:22:27.580: csm_vtsp_call_setup_request: tdm stream 5, channel 25, bank 0, bp_channel 27In this sample output, tdm stream 5, channel 25, bank 0, bp_channel 27 indicates the on-chip and backplane TDM channel assigned to this DSP channel. Stream 5, channel 25 gives the on-chip TDM channel mapped to the DSP; bank 0, bp_channel 27 means that the backplane stream 0 and backplane channel 1 are assigned to this DSP.
The following shows the calling number and the called number for this call.
May 16 12:22:27.580: csm_vtsp_call_setup_request: calling number: 10001, called number: 30001The following shows that the CALL SETUP REQUEST from the VTSP has been translated into the ' CSM_EVENT_MODEM_OFFHOOK message and is passed to the CSM central state machine:
May 16 12:22:27.580: CSM_PROC_IDLE: CSM_EVENT_MODEM_OFFHOOK at slot 1, port 54The logical DSP channel number for the DSP (slot 1, port 54) is now displayed, which maps to the physical DSP channel slot 1, dspm 5, dsp 4, dsp_channel 1.
The following shows that CSM has collected all the digits for dialing out:
May 16 12:22:27.580: CSM_PROC_OC3_COLLECT_ALL_DIGIT: CSM_EVENT_GET_ALL_DIGITS at slot 1, port 54For PRI and for applications that do not require digit collection of outdialing digits (for example, voice calls), the intermediate digit collection states are omitted and the CSM state machine moves to this state directly, pretending that the digit collection has been done.
The following shows an information message:
May 16 12:22:27.580: CSM_PROC_OC3_COLLECT_ALL_DIGIT: called party num: (30001) at slot 1, port 54The following shows that CSM attempts to find a free signalling D channel to direct the outgoing call:
May 16 12:22:27.580: csm_vtsp_check_dchan (voice_vdev=0x60B8562C)May 16 12:22:27.580: csm_vtsp_check_dchan (vtsp requested dchan=0x60D7ACB0, dchan_idb=0x60E8ACF0)May 16 12:22:27.580: csm_vtsp_check_dchan (voice_vdev=0x60B8562C)May 16 12:22:27.580: csm_vtsp_check_dchan (vtsp requested dchan=0x60D7ACB0, dchan_idb=0x60D7ACB0)In the case of voice calls, the free signaling D channel must match the voice interface specified inside the signalling data block (vtsp_sdb) passed from the VTSP.
The following shows that CSM has received an event from ISDN:
May 16 12:22:27.624: EVENT_FROM_ISDN::dchan_idb=0x60D7ACB0, call_id=0xA121, ces=0x1 bchan=0x1E, event=0x3, cause=0x0In this sample output:
•
•
•
•
The following shows that CSM has received a CALL PROCEEDING message from ISDN.
May 16 12:22:27.624: EVENT_FROM_ISDN:(A121): DEV_CALL_PROC at slot 1 and port 54The following shows that the CALL PROCEEDING event received from ISDN has been interpreted as a CSM_EVENT_ISDN_BCHAN_ASSIGNED message:
*May 16 12:22:27.624: CSM_PROC_OC4_DIALING: CSM_EVENT_ISDN_BCHAN_ASSIGNED at slot 1, port 54ISDN has assigned a B channel for this outgoing call. This B channel must be on the same PRI span as the signalling D channel allocated previously.
The following shows that the csm_vtsp_setup_for_oc function is called:
May 16 12:22:27.624: csm_vtsp_setup_for_oc (voice_vdev=0x60B8562C)This is invoked when an outgoing call initiated by the VTSP receives a response from the ISDN stack.
The following shows that ISDN has sent a CONNECT message to CSM indicating that the call leg to the PSTN side has been established:
May 16 12:22:28.084: EVENT_FROM_ISDN::dchan_idb=0x60D7ACB0, call_id=0xA121, ces=0x1bchan=0x1E, event=0x4, cause=0x0May 16 12:22:28.084: EVENT_FROM_ISDN:(A121): DEV_CONNECTED at slot 1 and port 54The following shows that while CSM is in the OC5_WAIT_FOR_CARRIER state, it has received the 'CONNECT' message from ISDN and has translated it into the CSM_EVENT_ISDN_CONNECTED message, which is passed to the CSM central state machine:
May 16 12:22:28.084: CSM_PROC_OC5_WAIT_FOR_CARRIER: CSM_EVENT_ISDN_CONNECTED at slot 1, port 54The following shows that the function vtsp_confirm_oc() has been called:
May 16 12:22:28.084: vtsp_confirm_oc : (voice_vdev= 0x60B8562C)This is invoked after CSM received the CONNECT message from ISDN. CSM sends a confirmation of the CONNECT to the VTSP.
debug ctl-client
To collect debug information about the CTL client, use the debug ctl-client command in privileged EXEC configuration mode. To disable collection of debug information, use the no form of this command.
debug ctl-client
no debug ctl-client
Syntax Description
This command has no arguments or keywords.
Command Default
Collection of CTL client debug information is disabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command is used with Cisco Unified CME phone authentication.
Examples
The following example shows debug messages for the CTL client:
Router# debug ctl-client001954: .Jul 21 18:23:02.136: ctl_client_create_ctlfile:001955: .Jul 21 18:23:02.272: create_ctl_record: Function 0 Trustpoint cisco1001956: .Jul 21 18:23:02.276: create_ctl_record: record added for function 0001957: .Jul 21 18:23:02.276: create_ctl_record: Function 0 Trustpoint sast2001958: .Jul 21 18:23:02.280: create_ctl_record: record added for function 0001959: .Jul 21 18:23:02.280: create_ctl_record: Function 1 Trustpoint cisco1001960: .Jul 21 18:23:02.284: create_ctl_record: record added for function 1001961: .Jul 21 18:23:02.284: create_ctl_record: Function 3 Trustpoint cisco1001962: .Jul 21 18:23:02.288: create_ctl_record: record added for function 3001963: .Jul 21 18:23:02.288: create_ctl_record: Function 4 Trustpoint cisco1001964: .Jul 21 18:23:02.292: create_ctl_record: record added for function 4001965: .Jul 21 18:23:02.424: ctl_client_create_ctlfile: Signature length 128001966: .Jul 21 18:23:02.640: CTL File Created Successfullydebug ctunnel
To display debugging messages for the IP over a Connectionless Network Service (CLNS) Tunnel feature, use the debug ctunnel command in privileged EXEC mode. To disable debugging messages, use the no form of this command.
debug ctunnel
no debug ctunnel
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Examples
As packets are sent over the virtual interface, the following type of output will appear on the console when the debug ctunnel command is used:
Router# debug ctunnel4d21h: CTunnel1: IPCLNP encapsulated 49.0001.1111.1111.1111.00->49.0001.2222.2222.2222.00 (linktype=7, len=89)debug custom-queue
To enable custom queueing output, use the debug custom-queue command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug custom-queue
no debug custom-queue
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Examples
The following is an example of enabling custom queueing output:
Router# debug custom-queueCustom output queueing debugging is onThe following is sample output from the debug custom-queue command:
00:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 200:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 2 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 200:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 2 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 200:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 2 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 100:27:38: CQ: Serial0 output (Pk size/Q: 232/1) Q # was 1 now 1Related Commands
debug cwmp
To debug the TR-069 Agent, use the debug cwmp command in privileged EXEC mode. To disable, use the no form of this command.
debug cwmp {all | error | profile | trace}
no debug cwmp {all | error | profile | trace}
Syntax Description
all
Specifies all debug messages.
error
Specifies error messages.
profile
Specifies the error and trace messages in the Cisco WAN Management Protocol (CWMP) profiles.
trace
Specifies trace message.
Command Modes
Privileged EXEC (#)
Command History
Examples
The following is sample output from the debug cwmp error command:
Device# debug cwmp errorCWMP ERROR: cwmp_session_response_data -> HTTPC Response failed with httpc errorThe following is sample trace message output from the debug cwmp profile command:
Device# debug cwmp profileCWMP PROFILE: cwmp_generate_connection_request_URL -> ConnectionRequestURL = http://172.27.116.170/00000C/FTX1101A1XH/cwmpThe following is sample error message output from the debug cwmp profile command:
Device# debug cwmp profileCWMP PROFILE ERROR: validate_dhcp_pool_min_max_address -> Missing InternetGatewayDevice.LANDevice.5.LANHostConfigManagement.MaxAddressThe following is sample output from the debug cwmp trace command:
Device# debug cwmp traceCWMP: cwmp_process -> CWMP Engine starteddebug dampening
To display debug trace information messages for interface dampening, use the debug dampening command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug dampening [all | interface]
no debug dampening [all | interface]
Syntax Description
all
(Optional) Enables trace debugging for all dampening features.
interface
(Optional) Enables trace debugging for IP event dampening.
Defaults
No default behavior or values.
Command Modes
Privileged EXEC
Command History
Examples
The following sample output is similar to the output that will be displayed when the debug dampening command is entered with the interface keyword. The sample output shows the following information:
•
•
Router# debug dampening interface00:07:17:IF-EvD(Ethernet1/1):CLNS Routing reports state transition from UP to DOWN00:07:17:EvD(Ethernet1/1):charge penalty 1000, new accum. penalty 1000, flap count 100:07:17:EvD(Ethernet1/1):accum. penalty 1000, now suppressed with a reuse intervals of 3000:07:17:IF-EvD(Ethernet1/1):update CLNS Routing state to DOWN, interface is suppressed00:07:17:IF-EvD(Ethernet1/1):IP Routing reports state transition from DOWN to DOWN00:07:17:IF-EvD(Ethernet1/1):update IP Routing state to DOWN, interface is suppressed00:07:17:IF-EvD(Ethernet1/1):CLNS Routing reports state transition from DOWN to UP00:07:17:IF-EvD(Ethernet1/1):CLNS Routing reports state transition from UP to DOWN00:07:17:EvD(Ethernet1/1):accum. penalty decayed to 1000 after 0 second(s)00:07:17:EvD(Ethernet1/1):charge penalty 1000, new accum. penalty 2000, flap count 200:07:17:EvD(Ethernet1/1):accum. penalty 2000, now suppressed with a reuse intervals of 6000:07:17:IF-EvD(Ethernet1/1):CLNS Routing reports state transition from DOWN to UP00:07:17:IF-EvD(Ethernet1/1):CLNS Routing reports state transition from UP to DOWN00:07:17:EvD(Ethernet1/1):accum. penalty decayed to 2000 after 0 second(s)00:07:17:EvD(Ethernet1/1):charge penalty 1000, new accum. penalty 3000, flap count 300:07:17:EvD(Ethernet1/1):accum. penalty 3000, now suppressed with a reuse intervals of 7800:07:17:IF-EvD(Ethernet1/1):CLNS Routing reports state transition from DOWN to UP00:07:17:IF-EvD(Ethernet1/1):IP Routing reports state transition from UP to UP00:07:17:IF-EvD(Ethernet1/1):IP Routing reports state transition from UP to UP00:07:17:IF-EvD(Ethernet1/1):IP Routing reports state transition from UP to UP00:07:17:IF-EvD(Ethernet1/1):IP Routing reports state transition from UP to UP00:07:17:IF-EvD(Ethernet1/1):IP Routing reports state transition from UP to UP00:07:20:IF-EvD(Ethernet1/1):CLNS Routing reports state transition from UP to UP00:07:20:IF-EvD(Ethernet1/1):IP Routing reports state transition from UP to UP00:07:47:IF-EvD:unsuppress interfaces00:08:36:IF-EvD:unsuppress interfaces00:08:36:EvD(Ethernet1/1):accum. penalty decayed to 483 after 79 second(s)00:08:36:EvD(Ethernet1/1):accum. penalty 483, now unsuppressed00:08:36:IF-EvD(Ethernet1/1):update IP Routing state to UP, interface is not suppressed00:08:36:IF-EvD(Ethernet1/1):update CLNS Routing state to UP, interface is not suppressed00:08:36:IF-EvD(Ethernet1/1):CLNS Routing reports state transition from UP to UPTable 71 describes the significant fields shown in the display.
debug data-store
To display persistant storage device (PSD)-related debugging messages for the , use the debug data-store command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug data-store
no debug data-store
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays PSD-related debugging messages for the GGSN.
Caution
Examples
The following example configures a debugging session to check PSD-related parameters:
Router# debug data-storedebug data-store detail
To display extended details for persistent storage device (PSD)-related debugging information, use the debug data-store detail command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug data-store detail
no debug data-store detail
Defaults
No default behavior or values
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command displays PSD-related debugging messages for the GGSN.
Caution
Examples
The following example configures a detailed PSD-related debugging session:
Router# debug data-store detailsRelated Commands
debug dbconn all
To turn on all debug flags for Database Connection, use the debug dbconn all command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug dbconn all
no debug dbconn all
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is not enabled for Database Connection.
Command Modes
Privileged EXEC
Usage Guidelines
The debug dbconn all command displays debug output for Advanced Program-to-Program Communication (APPC), Database Connection configuration, Distributed Relational Database Architecture (DRDA), error messages, event traces, and TCP. The Database Connection debug flags are appc, config, drda, event, and tcp.
Examples
See the sample output provided for the debug dbconn appc, debug dbconn config, debug dbconn drda, debug dbconn event, and debug dbconn tcp commands.
Related Commands
debug dbconn appc
To display Advanced Program-to-Program Communication (APPC)-related trace or error messages, use the debug dbconn appc command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug dbconn appc
no debug dbconn appc
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
In a router with stable Database Connection, the alias_cp_name field in the trace message should not be blank. There should be no other APPC error message. You can use Advanced Peer-to-Peer Networking (APPN) debug commands with this debug command to track APPN-related errors.
Examples
The following is sample output from the debug dbconn appc command. In a normal situation, only the following message is displayed:
DBCONN-APPC: alias_cp_name is "ASH"The following error messages are displayed if there is a network configuration error or other APPN-related problem:
DBCONN-APPC-612C2B28: APPC error: opcode 0x1, primary_rc 0x0003,secondary_rc 0x00000004DBCONN-APPC-612C2B28: Verb block =DBCONN-APPC-612C2B28: 0001 0200 0003 0000 0000 0004 0020 100CDBCONN-APPC-612C2B28: 610A 828B 0000 0000 0000 0000 0000 0000DBCONN-APPC-612C2B28: 0000 0000 8014 0003 0000 0000 0000 0000DBCONN-APPC-612C2B28: D3E4 F6F2 E2E3 C1D9 C4C2 F240 4040 4040DBCONN-APPC-612C2B28: 4040 4040 4040 4040 4040 4040 4040 4040DBCONN-APPC-612C2B28: 4040 4040 4040 4040 4040 4040 4040 4040DBCONN-APPC-612C2B28: 4040 4040 4040 4040 4040 4040 4040 4040DBCONN-APPC-612C2B28: 4040 4040 4040 4040 0200 0000 0000 0000DBCONN-APPC-612C2B28: 0000 0000 D4C5 D9D9 C9C5 4040 4040 D7C5DBCONN-APPC-612C2B28: E3C5 D940 4040 4040 0000 0000 0000 0000DBCONN-APPC-612C2B28: 00E2 E3C1 D9E6 4BE3 D6D9 C3C8 4040 4040DBCONN-APPC-612C2B28: 4040 0000 0000 0000 0000 0000DBCONN-APPC-612C2B28: ALLOCATE verb block =DBCONN-APPC-612C2B28: 0001 0200 0003 0000 0000 0004 0020 100CDBCONN-APPC-612C2B28: 610A 828B 0000 0000 0000 0000 0000 0000DBCONN-APPC-612C2B28: 0000 0000 8014 0003 0000 0000 0000 0000DBCONN-APPC-612C2B28: D3E4 F6F2 E2E3 C1D9 C4C2 F240 4040 4040DBCONN-APPC-612C2B28: 4040 4040 4040 4040 4040 4040 4040 4040DBCONN-APPC-612C2B28: 4040 4040 4040 4040 4040 4040 4040 4040DBCONN-APPC-612C2B28: 4040 4040 4040 4040 4040 4040 4040 4040DBCONN-APPC-612C2B28: 4040 4040 4040 4040 0200 0000 0000 0000You can use the debug appn command to obtain more information.
The following message is displayed if a database connection is manually cleared and an outstanding APPC verb is pending:
DBCONN-APPC-%612C2B28: Canceling pending APPC verb 0x1Related Commands
debug dbconn config
To display trace or error messages for Database Connection configuration and control blocks, use the debug dbconn config command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug dbconn config
no debug dbconn config
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Usage Guidelines
Most of the messages for Database Connection and control blocks do not report any errors. If a connection is inactive and cannot be cleared, use this command with the debug dbconn appc, debug dbconn tcp, and debug appn commands to locate the problem. The alias_cp_name field must match the configured APPN cpname.
Examples
The following is sample output from the debug dbconn config command:
Router# debug dbconn configDBCONN-CONFIG: alias_cp_name is "ASH "DBCONN-CONFIG: connection 612BDAAC matching server on 198.147.235.5:0 withrdbname=STELLADBCONN-CONFIG: APPN shutdown; clearing connection 1234abcdDBCONN-CONFIG: created server 612C2720DBCONN-CONFIG: server 612C2720 (listen 60F72E94) is activeDBCONN-CONFIG: server 612C2720 (listen 60F72E94) is activeDBCONN-CONFIG: new connection 612BDAACDBCONN-CONFIG: listen 60F72E94 accepts connection 612BDAACDBCONN-CONFIG: server 60F74614 takes connection 612BDAACDBCONN-CONFIG: listen 60F72E94 releases connection 612BDAACDBCONN-CONFIG: server 60F74614 releases connection 612BDAACDBCONN-CONFIG: deleting connection 612BDAACDBCONN-CONFIG: listen 60F72E94 abandons connection 612BDAACDBCONN-CONFIG: server 612C2720 abandons connection 612BDAACDBCONN-CONFIG: deleting server 612C2720DBCONN-CONFIG: daemon 60381738 takes zombie connection 612BDAACDBCONN-CONFIG: daemon 60381738 releases zombie connection 612BDAACRelated Commands
debug dbconn drda
To display error messages and stream traces for Distributed Relational Database Architecture (DRDA), use the debug dbconn drda command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug dbconn drda
no debug dbconn drda
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is not enabled for the dbconn subsystem.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug dbconn drda command:
Router# debug dbconn drda*Jun 30 16:09:32.363: DBCONN-DRDA-62008300: DSS X'006CD0410001', length 108, in chain, REQDSS, correlator 1*Jun 30 16:09:32.363: DBCONN-DRDA-62008300: OBJECT X'00661041', length 98, code point X'1041'*Jun 30 16:09:32.363: DBCONN-DRDA-62008300: OBJECT X'0020115E' in COLLECTION X'1041', length 28, code point X'115E'*Jun 30 16:09:32.363: DBCONN-DRDA-62008300: OBJECT X'000C116D' in COLLECTION X'1041', length 8, code point X'116D'*Jun 30 16:09:32.363: DBCONN-DRDA-62008300: OBJECT X'0013115A' in COLLECTION X'1041', length 15, code point X'115A' (skipping...)Related Commands
debug dbconn event
To display trace or error messages for Cisco Transaction Connection (CTRC) events related to DATABASE2 (DB2) communications, use the debug dbconn event command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug dbconn event
no debug dbconn event
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is not enabled for the dbconn subsystem.
Command Modes
Privileged EXEC
Command History
Examples
The following examples display output from the debug dbconn event command in a variety of situations. A normal trace for the debug dbconn event displays as follows:
Router# debug dbconn eventDBCONN-EVENT: Dispatch to 60FD6C00, from 0, msg 60F754CC, msgid 6468 'dh',buffer 0.DBCONN-EVENT: [*] Post to 61134240(cn), from 60EC5470(tc), msg 611419E4,msgid 0x6372 'cr', buffer 612BF68C.DBCONN-EVENT: Flush events called for pto 61182742, pfrom 61239837.DBCONN-EVENT: Event discarded: to 61182742 (cn), from 61239837(ap), msg61339273, msgid 0x6372 'cr' buffer 0.DBCONN-EVENT: == Send to 1234abcd, from 22938acd, msg 72618394, msgid0x6372 'cr', buffer 0.If the following messages are displayed, contact Cisco technical support personnel:
DBCONN-TCPFSM-1234abcd: Cannot occur in state 2 on input 6363 ('cc')DBCONN-APPCFSM-1234abcd: Cannot occur in state 3 on input 6363 ('cc')Related Commands
debug dbconn tcp
To display error messages and traces for TCP, use the debug dbconn tcp command in privileged EXEC mode. To disable debugging output, use the no form of this command.
debug dbconn tcp
no debug dbconn tcp
Syntax Description
This command has no arguments or keywords.
Defaults
Debugging is not enabled for the dbconn subsystem.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the debug dbconn tcp command:
Router# debug dbconn tcpDBCONN-TCP-63528473: tcpdriver_passive_open returned NULLDBCONN-TCP-63528473: (no memory) tcp_reset(63829482) returns 4DBCONN-TCP: tcp_accept(74625348,&error) returns tcb 63829482, error 4DBCONN-TCP: (no memory) tcp_reset(63829482) returns 4DBCONN-TCP-63528473: (open) tcp_create returns 63829482, error = 4DBCONN-TCP-63528473: tcb_connect(63829482,1.2.3.4,2010) returns 4DBCONN-TCP-63528473: (open error) tcp_reset(63829482) returns 4DBCONN-TCP-63528473: tcp_create returns 63829482, error = 4DBCONN-TCP-63528473: tcb_bind(63829482,0.0.0.0,2001) returns 4DBCONN-TCP-63528473: tcp_listen(63829482,,) returns 4DBCONN-TCP-63528473: (errors) Calling tcp_close (63829482)Related Commands
