Crypto Conditional Debug Support
The Crypto Conditional Debug Support feature introduces new debug commands that allow users to debug an IP Security (IPsec) tunnel on the basis of predefined crypto conditions such as the peer IP address, connection-ID of a crypto engine, and security parameter index (SPI). By limiting debug messages to specific IPsec operations and reducing the amount of debug output, users can better troubleshoot a router with a large number of tunnels.
Restrictions for Crypto Conditional Debug Support
Although conditional debugging is useful for troubleshooting peer-specific or functionality-related Internet Key Exchange (IKE) and IPsec problems, it may not be able to define and check large numbers of debug conditions. Extra space is needed to store the debug condition values, which adds processing overhead to the CPU and increases memory usage. Enabling crypto conditional debugging on a router that carries heavy traffic should therefore be done with caution.
Information About Crypto Conditional Debug Support
Supported Condition Types
Note: The debug crypto condition peer command with the ipv4 or ipv6 keyword can provide hardware platform-specific debugging output. The other condition filters do not provide platform-specific debugging output.

| Condition Type (Keyword) | Description |
|---|---|
| connid | An integer between 1 and 32766. Relevant debug messages will be shown if the current IPsec operation uses this value as the connection ID to interface with the crypto engine. |
| FVRF | The name string of a virtual private network (VPN) routing and forwarding (VRF) instance. Relevant debug messages will be shown if the current IPsec operation uses this VRF instance as its front-door VRF (FVRF). |
| ikev2 | The name string for an IKEv2 profile. Relevant debug messages will be shown if the IKEv2 profile name is specified. |
| isakmp | The name string for an ISAKMP profile. Relevant debug messages will be shown if the ISAKMP profile name is specified. |
| IVRF | The name string of a VRF instance. Relevant debug messages will be shown if the current IPsec operation uses this VRF instance as its inside VRF (IVRF). |
| local | The name string of an IPv4 or IPv6 local address. |
| peer group | A Unity group-name string. Relevant debug messages will be shown if the peer is using this group name as its identity. |
| peer hostname | A fully qualified domain name (FQDN) string. Relevant debug messages will be shown if the peer is using this string as its identity; for example, if the peer is enabling IKE Xauth with this FQDN string. |
| peer ipv4 or peer ipv6 | A single IP address. Relevant debug messages will be shown if the current IPsec operation is related to the IP address of this peer. |
| peer subnet | A subnet and a subnet mask that specify a range of peer IP addresses. Relevant debug messages will be shown if the IP address of the current IPsec peer falls into the specified subnet range. |
| peer username | A username string. Relevant debug messages will be shown if the peer is using this username as its identity; for example, if the peer is enabling IKE Extended Authentication (Xauth) with this username. |
| session | Provides information about crypto sessions. |
| SPI | A 32-bit unsigned integer. Relevant debug messages will be shown if the current IPsec operation uses this value as the SPI. |
| unmatched | Provides debug messages when context information is unavailable. |
How to Enable Crypto Conditional Debug Support
Enabling Crypto Conditional Debug Messages
Performance Considerations
Before enabling crypto conditional debugging, you must decide which debug condition types (also known as debug filters) and values will be used. The volume of debug messages depends on the number of conditions you define.
Note: Specifying numerous debug conditions may consume CPU cycles and negatively affect router performance.
Your router performs conditional debugging only after at least one of the global crypto debug commands (debug crypto isakmp, debug crypto ipsec, or debug crypto engine) has been enabled. This requirement helps to ensure that router performance is not impacted when conditional debugging is not being used.
Disable Crypto Debug Conditions
If you choose to disable crypto conditional debugging, you must first disable any global crypto debug commands you have issued; thereafter, you can disable conditional debugging.
Note: The reset keyword can be used to disable all configured conditions at one time.
SUMMARY STEPS
- enable
- debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [fvrf string] [ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer] [reset]
- show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]}
- debug crypto isakmp
- debug crypto ipsec
- debug crypto engine
- debug crypto condition unmatched [isakmp | ipsec | engine]
DETAILED STEPS
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | enable | Enables privileged EXEC mode. |
| Step 2 | debug crypto condition [connid integer engine-id integer] [flowid integer engine-id integer] [fvrf string] [ivrf string] [peer [group string] [hostname string] [ipv4 ipaddress] [subnet subnet mask] [username string]] [spi integer] [reset] | Defines conditional debug filters. |
| Step 3 | show crypto debug-condition {[peer] [connid] [spi] [fvrf] [ivrf] [unmatched]} | Displays crypto debug conditions that have already been enabled in the router. |
| Step 4 | debug crypto isakmp | Enables global IKE debugging. |
| Step 5 | debug crypto ipsec | Enables global IPsec debugging. |
| Step 6 | debug crypto engine | Enables global crypto engine debugging. |
| Step 7 | debug crypto condition unmatched [isakmp \| ipsec \| engine] | (Optional) Displays conditional crypto debug messages when no context information is available to check against the debug conditions. If none of the optional keywords is specified, all crypto-related information will be shown. |
Enabling Crypto Error Debug Messages
To enable crypto error debug messages, you must perform the following tasks.
debug crypto error CLI
Enabling the debug crypto error command displays only error-related debug messages, thereby allowing you to easily determine why a crypto operation, such as an IKE negotiation, has failed within your system.
Note: When enabling this command, ensure that global crypto debug commands are not enabled; otherwise, the global commands will override any possible error-related debug messages.
SUMMARY STEPS
- enable
- debug crypto {isakmp | ipsec | engine} error
DETAILED STEPS
| | Command or Action | Purpose |
|---|---|---|
| Step 1 | enable | Enables privileged EXEC mode. |
| Step 2 | debug crypto {isakmp \| ipsec \| engine} error | Enables only error debugging messages for a crypto area. |
Configuration Examples for the Crypto Conditional Debug CLIs
Enabling Crypto Conditional Debugging Example
The following example shows how to display debug messages when the peer IP address is 10.1.1.1, 10.1.1.2, or 10.1.1.3, and when the connection-ID 2000 of crypto engine 0 is used. This example also shows how to enable the global debug crypto CLIs and how to use the show crypto debug-condition command to verify the conditional settings.
Router# debug crypto condition connid 2000 engine-id 1
Router# debug crypto condition peer ipv4 10.1.1.1
Router# debug crypto condition peer ipv4 10.1.1.2
Router# debug crypto condition peer ipv4 10.1.1.3
Router# debug crypto condition unmatched
! Verify crypto conditional settings.
Router# show crypto debug-condition
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON
IKE peer IP address filters:
10.1.1.1 10.1.1.2 10.1.1.3
Connection-id filters:[connid:engine_id]2000:1,
! Enable global crypto CLIs to start conditional debugging.
Router# debug crypto isakmp
Router# debug crypto ipsec
Router# debug crypto engine
Disabling Crypto Conditional Debugging Example
The following example shows how to disable all crypto conditional settings and verify that those settings have been disabled:
Router# debug crypto condition reset
! Verify that all crypto conditional settings have been disabled.
Router# show crypto debug-condition
Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF
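The two show crypto debug-condition outputs above can also be checked programmatically, which is useful for confirming that no conditional debug filters were left behind on a production router once troubleshooting is finished. The following Python parser is an added example, not Cisco code; the sample outputs are the ones shown in this module, and the record field names (enabled, unmatched, peer_ipv4, connid) are this example's own assumptions.

```python
# Added example (not Cisco code): parse `show crypto debug-condition` output
# so leftover crypto debug filters can be audited. Field names are assumed.
import re

# Sample outputs copied from the enabling and disabling examples above.
SAMPLE_ON = """\
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag:ON
IPsec debug context unmatched flag:ON
Crypto Engine debug context unmatched flag:ON
IKE peer IP address filters:
10.1.1.1 10.1.1.2 10.1.1.3
Connection-id filters:[connid:engine_id]2000:1,
"""
SAMPLE_OFF = """\
Crypto conditional debug currently is turned OFF
IKE debug context unmatched flag:OFF
IPsec debug context unmatched flag:OFF
Crypto Engine debug context unmatched flag:OFF
"""

_STATE_RE = re.compile(r"^Crypto conditional debug currently is turned (ON|OFF)$")
_UNMATCHED_RE = re.compile(r"^(IKE|IPsec|Crypto Engine) debug context unmatched flag:(ON|OFF)$")
_CONNID_RE = re.compile(r"^Connection-id filters:\[connid:engine_id\](.*)$")

def parse_debug_condition(output):
    """Return a dict: enabled flag, per-area unmatched flags, peer IPv4 filters
    and (connid, engine_id) filter pairs."""
    state = {"enabled": False, "unmatched": {}, "peer_ipv4": [], "connid": []}
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        ln = lines[i]
        if (m := _STATE_RE.match(ln)):
            state["enabled"] = m.group(1) == "ON"
        elif (m := _UNMATCHED_RE.match(ln)):
            state["unmatched"][m.group(1)] = m.group(2) == "ON"
        elif ln == "IKE peer IP address filters:":
            # The addresses follow on the next line, space separated.
            i += 1
            if i < len(lines):
                state["peer_ipv4"] = lines[i].split()
        elif (m := _CONNID_RE.match(ln)):
            # "connid:engine_id" pairs, comma separated, with a trailing comma.
            for pair in filter(None, (p.strip() for p in m.group(1).split(","))):
                connid, engine_id = pair.split(":")
                state["connid"].append((int(connid), int(engine_id)))
        i += 1
    return state

def has_leftover_debug_state(state):
    """True if conditional debugging or any filter is still active."""
    return (state["enabled"] or any(state["unmatched"].values())
            or bool(state["peer_ipv4"]) or bool(state["connid"]))
```

Feed it the captured output of show crypto debug-condition after a troubleshooting session; a True result from has_leftover_debug_state means a debug crypto condition reset (and disabling of the global debug commands) is still outstanding.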
Additional References
The following sections provide references related to the Crypto Conditional Debug Support feature.
Related Documents
| Related Topic | Document Title |
|---|---|
| IPsec and IKE configuration tasks | "Internet Key Exchange for IPsec VPNs" module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity |
| IPsec and IKE commands | Cisco IOS Security Command Reference |
Feature Information for Crypto Conditional Debug Support
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.