Vik Jaswal

Filter VPN debug messages on Cisco ASA

One of the key features for troubleshooting VPNs on ASAs is the set of debugging commands:

  1. debug crypto isakmp 10

  2. debug crypto ipsec 10

Though the above commands are very useful, the amount of information they generate can be overwhelming. If you have hundreds of L2L and remote access VPN tunnels, it is very difficult to pick out the messages for the one tunnel you want to troubleshoot.

A couple of options exist to narrow down the messages you are interested in, two of them being logging your session to a file and searching through it, or sending the output to an external syslog server and filtering there. Since v8.0 Cisco has added a feature to filter the VPN debug output to a certain peer IP. I think this is an excellent feature for quickly monitoring/troubleshooting a VPN tunnel without resorting to external methods.

To use this, first create a debug condition:

debug crypto condition peer <ip-address>

where <ip-address> is the IP address of the peer you need to filter the debug output on.

After this command, just issue the debug commands as normal:

  1. debug crypto isakmp 10

  2. debug crypto ipsec 10

The subsequent output will only display information from the specified peer.

The equivalent command on a Cisco IOS router is:

debug crypto condition peer ipv4 <ip-address>

You can see which conditions are currently active with:

show crypto debug-condition
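For an ASA older than v8.0, or when a debug session has already been captured to a file, the same peer-based narrowing can be done offline. The following is an added example, not part of the original post: it filters captured debug lines by the "IP = a.b.c.d" tag and, unlike a plain grep, also keeps the untagged continuation lines (payload detail) that follow a tagged line. The sample lines are constructed for illustration and only approximate real ASA output; the continuation-line rule is an assumption about the log layout.

```python
"""Filter a captured Cisco ASA VPN debug log down to a single IKE peer."""
import ipaddress
import re
import sys

# ASA ISAKMP/IPsec debug lines tag the peer as "IP = a.b.c.d".
# Assumption: untagged lines (indented payload detail) continue the
# most recent tagged message, so they are kept with that peer.
PEER_TAG = re.compile(r"\bIP = (\d{1,3}(?:\.\d{1,3}){3})\b")


def filter_debug_by_peer(lines, peer):
    """Return the lines that belong to `peer` (an IPv4 address string)."""
    wanted = str(ipaddress.IPv4Address(peer))  # rejects malformed input
    current = None  # peer of the last tagged line seen
    kept = []
    for line in lines:
        match = PEER_TAG.search(line)
        if match:
            current = match.group(1)
        if current == wanted:
            kept.append(line.rstrip("\n"))
    return kept


# Constructed sample of interleaved debug output from two tunnels
# (not real ASA output; layout only approximates "debug crypto isakmp").
SAMPLE_DEBUG = [
    "[IKEv1]IP = 203.0.113.5, IKE Initiator: New Phase 1, Intf outside, IKE Peer 203.0.113.5",
    "[IKEv1 DEBUG]IP = 203.0.113.5, constructing ISAKMP SA payload",
    "[IKEv1 DEBUG]IP = 198.51.100.7, processing SA payload",
    "  ISAKMP Header: Exchange type MM, flags none",
    "[IKEv1 DEBUG]IP = 203.0.113.5, constructing NAT-Traversal VID ver 02 payload",
    "[IKEv1]IP = 198.51.100.7, IKE Responder: New Phase 1, Intf outside, IKE Peer 198.51.100.7",
]

if __name__ == "__main__":
    # Usage: python filter_peer.py <peer-ip> [capture.log]; uses the sample if no file.
    peer_arg = sys.argv[1] if len(sys.argv) > 1 else "198.51.100.7"
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_DEBUG
    for out in filter_debug_by_peer(lines, peer_arg):
        print(out)
```

On the sample, a plain search for "IP = 198.51.100.7" returns two lines, while the filter returns three because the indented header line is kept with the message it belongs to.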