Category Archives: Networking

Filter VPN debug messages on Cisco ASA

One of the key features for troubleshooting VPNs on ASAs is the debugging commands:

  • debug crypto isakmp 10
  • debug crypto ipsec 10

Though the above commands are very useful, the amount of information generated can be overwhelming. If you have hundreds of L2L and remote access VPN tunnels it is very difficult to pick out the messages from the one tunnel you want to troubleshoot.

A couple of options exist to narrow down the messages you are interested in, two of them being logging your session to a file and searching through it, or sending the logs to an external syslog server and filtering there. Since v8.0 Cisco has added a feature to filter the VPN debug output to a specific peer IP. I think this is an excellent feature for quickly monitoring/troubleshooting a VPN tunnel without resorting to external methods.

To use this first create a debug condition:

debug crypto condition peer 8.8.8.8

where 8.8.8.8 is the IP address of the peer you want to filter the debug output on.

After this command just issue the debug commands as normal:

  • debug crypto isakmp 10
  • debug crypto ipsec 10

The subsequent output will only display information from the specified peer.

This command can also be used on a Cisco router:

debug crypto condition peer ipv4 8.8.8.8

You can see which condition is currently active with:

sh crypto debug-condition
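The post mentions logging the session to a file and searching through it as the fallback when the on-box condition filter is not available (older ASA code). Below is an added example, not code from the original post, of such an offline filter in Python: it keeps the captured debug lines that mention the chosen peer(s), accepts CIDR ranges as well as single addresses, and optionally attributes address-less IPsec lines (which carry an SPI but no peer IP) to the most recently seen peer. The sample session text is constructed and its line format is an assumption loosely modelled on the "IP = <peer>" form of ASA IKE debug lines; it is not captured output.

```python
"""Offline filter for a captured ASA VPN debug session, keyed on peer IP.

Added example, not from the original post. It implements the "log the
session to a file and search through it" alternative the post mentions,
for platforms where 'debug crypto condition peer' is unavailable.
"""
import ipaddress
import re
from typing import Iterable, List

# Loose dotted-quad matcher; candidates are validated with ipaddress below.
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample of a captured debug session. This is NOT real ASA
# output; the "[IKEv1]: IP = <peer>, ..." shape is an assumption used only
# to make the example runnable.
SAMPLE_SESSION = """\
[IKEv1]: IP = 8.8.8.8, IKE Initiator: New Phase 1, Intf inside, IKE Peer 8.8.8.8
[IKEv1]: IP = 203.0.113.7, Received encrypted packet with no matching SA
[IKEv1 DEBUG]: IP = 8.8.8.8, processing SA payload
IPSEC: New embryonic SA created, Direction: inbound, SPI: 0x1A2B3C4D
IPSEC: Completed host IBSA update, SPI 0x1A2B3C4D
[IKEv1]: Group = 8.8.8.8, IP = 8.8.8.8, PHASE 1 COMPLETED
[IKEv1]: IP = 203.0.113.7, QM FSM error (P2 struct, mess id 0x4a7f0f4d)!
IPSEC: Completed outbound SA update, SPI 0x5E6F7A8B
"""


def parse_peers(specs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Accept bare addresses or CIDR blocks; a bare address becomes a /32."""
    return [ipaddress.IPv4Network(s, strict=False) for s in specs]


def line_peers(line: str) -> List[ipaddress.IPv4Address]:
    """Return every well-formed IPv4 address mentioned on the line."""
    found = []
    for token in IPV4_RE.findall(line):
        try:
            found.append(ipaddress.IPv4Address(token))
        except ValueError:  # e.g. 999.1.1.1 matched the loose regex
            continue
    return found


def filter_session(text: str, peer_specs: Iterable[str],
                   keep_context: bool = True) -> List[str]:
    """Keep lines that mention a selected peer.

    Many 'debug crypto ipsec' lines carry an SPI but no peer address, so a
    plain grep on the address drops them. With keep_context=True such
    address-less lines are attributed to the most recently seen peer. That
    is a heuristic: on a busy box with interleaved tunnels it can mis-assign
    lines, which is exactly why the on-box condition filter is preferable.
    """
    nets = parse_peers(peer_specs)
    selected: List[str] = []
    last_matched = False
    for line in text.splitlines():
        addrs = line_peers(line)
        if addrs:
            # A line with addresses is classified by its own content.
            last_matched = any(a in n for a in addrs for n in nets)
            if last_matched:
                selected.append(line)
        elif keep_context and last_matched:
            # No address on the line: inherit the previous line's verdict.
            selected.append(line)
    return selected


if __name__ == "__main__":
    for kept in filter_session(SAMPLE_SESSION, ["8.8.8.8"]):
        print(kept)
```

Run against a real capture by reading the saved terminal log into `filter_session` in place of `SAMPLE_SESSION`; disable `keep_context` when several tunnels were negotiating at once, since the inherited-peer heuristic is only reliable when one tunnel dominates the capture.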

Cisco ASA authentication with SecurEnvoy (RADIUS) for Remote Access VPN

Below is the Cisco ASA and SecurEnvoy configuration I did at one of my customer sites.

Requirement

One of my customers currently uses ACS servers for VPN authentication. They also have a SecurEnvoy server which is used to assign One Time Passcodes (OTP) to authenticating users. The VPN user authenticates to the ASA, which passes the authentication to ACS, which in turn sends the authentication request to the SecurEnvoy boxes. Once SecurEnvoy confirms the authentication as success or failure, the ACS servers put the user in the desired group.

To authenticate external vendors they had local accounts created on ACS.

As can be seen from the above, the only reason the customer used ACS servers was to add the users to a particular group and to allow access for external vendors. As ACS didn’t add much value to our VPN deployment, we decided to replace it.

Following were the key goals of the project:

  • Remove Cisco ACS servers for VPN authentication in order to simplify VPN authentication.
  • Move external vendor accounts to ADAM instance which is integrated with SecurEnvoy.
  • Use Active Directory Groups for granting user access to Corporate VPN.

Hardware & Software Used

  • Cisco ASA 5520 v8.2.3
  • Windows Server 2003 Standard R2 with SecurEnvoy 5.3 installed on VMware

SecurEnvoy Configuration:

A single SecurEnvoy server can be used for multiple domains.