Use Cases for SD-WAN Capabilities in Cisco Secure Firewall

Troubleshoot Route-based VPN Tunnels

Updated: February 5, 2026

Overview

Troubleshoot route-based VPN tunnels, using debug commands to identify connectivity,or routing, issues in Threat Defense (FTD) devices.

After the deployment, use the following CLI to debug issues related to route-based VPN tunnels on Firewall Threat Defense devices.

Caution

Proceed with caution when you run debug commands on the threat defense device in production environments.You can set various debug levels on the device that may have verbose outputs.

How to...	CLI Command
Enable conditional debugging for a particular peer	debug crypto condition peer <peer-IP>
Debug the Virtual Tunnel Interface information	debug vti 255
Debug the IKEv2 protocol related transactions	debug crypto ikev2 protocol 255
Debug the IKEv2 platform related transactions	debug crypto ikev2 platform 255
Debug the common IKE related transactions	debug crypto ike-common 255
Debug the IPSec related transactions	debug crypto ipsec 255

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.