Friday, June 27, 2014

Cisco ASA Debug Commands for Log Collection

In site-to-site VPNs, debugging is often necessary to understand why a tunnel is not coming up.
Debugging drives memory and CPU utilization high, so as a workaround you can set a crypto debug condition that limits the debug output to a single peer. The CLI commands are below.

SETUP (CLI)
===========

login as: admin
admin@10.10.48.100's password:
Type help or '?' for a list of available commands.
ciscoASA-act> enable
Password: **********
ciscoASA-act# configure terminal
ciscoASA-act(config)#
ciscoASA-act(config)# logging buffer-size 1048576
ciscoASA-act(config)#
ciscoASA-act(config)# logging buffered 7
ciscoASA-act(config)#
ciscoASA-act(config)# debug crypto condition peer 10.10.10.10
ciscoASA-act(config)#
ciscoASA-act(config)# debug crypto ipsec 127
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
ciscoASA-act(config)#
ciscoASA-act(config)# debug crypto isakmp 127
INFO: 'logging debug-trace' is enabled. All debug messages are currently being redirected to syslog:711001 and will not appear in any monitor session
ciscoASA-act(config)#
ciscoASA-act(config)# end
ciscoASA-act#
ciscoASA-act# show debug
debug crypto ipsec enabled at level 127
debug crypto isakmp enabled at level 127


COLLECTION (FROM GUI)
=====================
Login into ASDM, click:

  1. File -> Save Internal Log Buffer to Flash
  2. Tools -> File Management
  3. In the dialog click on File Transfer -> Between Local PC and Flash
  4. In the right box, disk0: -> syslog, click on the file in the left box, pick a local folder
  5. Press the left arrow button "<----" in the middle of the dialog
     NOTE: if an error pops up regarding not being able to write the file, select a different
           folder on your local system
  6. Close
  7. Verify that the file has been transferred correctly and is not empty.
  8. Send us that file.
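
As an added example (not from the original post), a small Python check for step 7: it parses the syslog file saved from the log buffer, confirms it is not empty, and counts the 711001 debug-trace lines that belong to the conditioned peer 10.10.10.10. The line format and the sample lines are assumptions; real buffer output varies with the `logging timestamp` setting.

```python
"""Sanity-check a syslog file saved from the ASA log buffer and pull out the
crypto debug-trace lines (syslog 711001) for the peer set with
`debug crypto condition peer`. Added example; the line format is assumed
(buffered syslog with `logging timestamp` enabled)."""
import re
from collections import Counter

# Assumed line shape: "<Mon DD YYYY HH:MM:SS>: %ASA-<sev>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): )?"
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
DEBUG_TRACE_ID = "711001"  # the ASA redirects all debug output to this message id

def parse_syslog(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def debug_trace_for_peer(records, peer):
    """Keep only 711001 debug-trace lines that mention the conditioned peer."""
    return [r for r in records
            if r["msgid"] == DEBUG_TRACE_ID and peer in r["text"]]

def check_collection(text, peer):
    """Step-7 verification: is the file non-empty and does it actually hold
    debug output for the peer? Returns a small report dict."""
    records = parse_syslog(text)
    traces = debug_trace_for_peer(records, peer)
    # Rough split: IKE/ISAKMP negotiation lines vs. IPsec SA lines
    kinds = Counter("isakmp" if "IKE" in r["text"] else "ipsec" for r in traces)
    return {"lines": len(records), "debug_trace_lines": len(traces),
            "isakmp": kinds["isakmp"], "ipsec": kinds["ipsec"],
            "usable": len(traces) > 0}

# Constructed sample of what the saved buffer might contain (not real output)
SAMPLE = """\
Jun 27 2014 10:15:01: %ASA-6-302013: Built inbound TCP connection 1234
Jun 27 2014 10:15:02: %ASA-7-711001: IKEv1 DEBUG: IP = 10.10.10.10, processing SA payload
Jun 27 2014 10:15:02: %ASA-7-711001: IKEv1 DEBUG: IP = 10.10.10.10, Oakley proposal is acceptable
Jun 27 2014 10:15:03: %ASA-7-711001: IPSEC: New embryonic SA created, peer 10.10.10.10
Jun 27 2014 10:15:04: %ASA-7-711001: IKEv1 DEBUG: IP = 192.0.2.7, other peer, not conditioned
"""

if __name__ == "__main__":
    print(check_collection(SAMPLE, "10.10.10.10"))
```

If `usable` comes back False on a real file, the buffer was saved before the debug condition produced any output, or the peer address in the condition does not match the tunnel being tested.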


CLEANUP (CLI)
=============
login as: admin
admin@10.10.48.100's password:
Type help or '?' for a list of available commands.
ciscoASA-act> enable
Password: **********
ciscoASA-act# configure terminal
ciscoASA-act(config)#
ciscoASA-act(config)# no debug crypto condition peer 10.10.10.10
ciscoASA-act(config)#
ciscoASA-act(config)# no logging buffered 7
ciscoASA-act(config)#
ciscoASA-act(config)# no debug crypto ipsec
ciscoASA-act(config)#
ciscoASA-act(config)# no debug crypto isakmp
ciscoASA-act(config)#
ciscoASA-act(config)# end
ciscoASA-act#
ciscoASA-act# show debug