CISCO problem: No debug on IPSEC/ISAKMP VPN setup?

Dillirium (Limp Gawd, joined Sep 16, 2004, 439 messages)
Anyone have a clue why I wouldn't be getting debug messages? I have

debug crypto ipsec - on
debug crypto isakmp - on
debug crypto engine - on
"Cryptographic Subsystem:
Crypto ISAKMP debugging is on
Crypto Engine debugging is on
Crypto IPSEC debugging is on"

I did receive a message when I logged in via SSH. I connected from my other network via External, not Internal. (Received message from my console port):
crypto_engine: Create signature

So obviously some debugging is working.. I can do debug all and see tons o fun.. It's almost as if my VPN isn't even "trying" to connect.

Anyone have any ideas? Been stuck on this for a while.

crypto isakmp policy 4
encr 3des
authentication pre-share
group 2

crypto isakmp key cisco address x.x.x.x

crypto ipsec transform-set STRONG esp-3des

crypto map combined 50 ipsec-isakmp
set peer x.x.x.x
set transform-set STRONG
match address 150

interface FastEthernet4
description WEB
ip address xxx.xxx.xxx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map combined

access-list 150 permit ip 192.168.13.0 0.0.0.255 192.168.3.0 0.0.0.255

I've checked my destination IPs 10x over, and my remote Cisco's configs look identical (different destination IPs of course).
Do you have any traffic trying to reach the remote destination via the tunnel? You aren't going to see any debug messages until something tries to reach the far site and subsequently causes the tunnel to come up.
> Anyone have a clue why I wouldn't be getting debug messages? I have
>
> debug crypto ipsec - on
> debug crypto isakmp - on
> debug crypto engine - on
> "Cryptographic Subsystem:
> Crypto ISAKMP debugging is on
> Crypto Engine debugging is on
> Crypto IPSEC debugging is on"

Do you have a valid SA on each router (proper show commands, not debugs)? Make sure there is traffic from each destination to match your interesting-traffic ACL, obviously, to create said SA.
Those debugs should flood the console, or the line if you have it configured properly, with your IKE negotiations and IPsec negotiations.

> I did receive a message when I logged in via SSH. I connected from my other network via External, not Internal. (Received message from my console port):
> crypto_engine: Create signature
>
> So obviously some debugging is working.. I can do debug all and see tons o fun.. It's almost as if my VPN isn't even "trying" to connect.

Not sure what you mean here? You can see debug messages when SSH'd in, but from the console you see nothing? Did you do "term mon" when you SSH'd in? Make sure that you're logging everything ("logging con 7") as well.

Your config looks cookie-cutter, so it looks like it should work. Again, verify that you have a valid ISAKMP SA and IPsec SAs on each router.

sh cry isa sa
sh cry ipse sa
OK, weird... after I posted this topic I went back to check on something, because I set up SSH right after I did the VPN tunnel. I went back and did a crypto key generate rsa and set it to the same bits as my other routers... came back 1 hr 30 min later... and it just connected. Still looking over it to make sure everything is fine, but... wth? It wasn't working for over an hour straight. I went and picked up a cheeseburger (BK, sorry Wendy's fans)... and my VPN light was on......

wth?
> Not sure what you mean here? You can see debug messages when SSH'd in, but from the console you see nothing? Did you do "term mon" when you SSH'd in? Make sure that you're logging everything ("logging con 7") as well.
>
> Your config looks cookie-cutter, so it looks like it should work. Again, verify that you have a valid ISAKMP SA and IPsec SAs on each router.
>
> sh cry isa sa
> sh cry ipse sa

What I meant was, after enabling the debugs I was connected via the console port, and I connected via the WAN port with SSH. I saw the CRYPTO ENGINE message come up when it gave me a login prompt; that CRYPTO message displayed in my CONSOLE window.

Make more sense? Doesn't matter now since it seems to have started working out of nowhere..... *shrug* Anyone know of any issues w/ the 861-W? lol
> What I meant was, after enabling the debugs I was connected via the console port, and I connected via the WAN port with SSH. I saw the CRYPTO ENGINE message come up when it gave me a login prompt; that CRYPTO message displayed in my CONSOLE window.
>
> Make more sense? Doesn't matter now since it seems to have started working out of nowhere..... *shrug* Anyone know of any issues w/ the 861-W? lol

You shouldn't have gotten any kind of console messages after first logging in without first issuing the "term mon" command. Weird.

Also, it most likely started working out of nowhere when traffic from one end of the tunnel started going to the other end and your crypto ACL was matched; check your ACL 150 to verify that it's getting hits. Configuring IKE keepalive should square you away from now on out.

Also, did you check before it started working again to see if there were valid SAs on each router?
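The two checks the replies above keep coming back to (a valid ISAKMP SA on each router, and hit counts on the crypto ACL) can be read off `show crypto isakmp sa` and `show access-lists 150` by hand, but it helps to see how the answers combine into a diagnosis. The script below is an added example, not code from the thread or from Cisco; the sample outputs are constructed in the format IOS prints for those two commands (the assumed ISAKMP table has a `status` column, as on current IOS; older releases print a `slot` column instead, which this parser does not handle). It reports whether IKE Phase 1 is established and whether the crypto ACL has ever classified a packet, and explains the combination the way the replies do: no SA and no ACL hits means nothing has tried to use the tunnel yet, so silence from `debug crypto isakmp` is expected.

```python
import re

# Constructed sample of "show crypto isakmp sa" after Phase 1 completed (not from the poster's router).
SHOW_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed sample of "show access-lists 150". IOS appends "(N matches)" only when N > 0.
SHOW_ACL_150 = """\
Extended IP access list 150
    10 permit ip 192.168.13.0 0.0.0.255 192.168.3.0 0.0.0.255 (42 matches)
"""

# One ISAKMP SA row: dst src state conn-id status. The header row fails the \d+ on conn-id.
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
# One ACL entry: sequence, action, the rest, optional match counter.
ACL_ROW = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) matches?\))?\s*$")


def parse_isakmp_sa(text: str) -> list:
    """Return one dict per IKE SA row: dst, src, state, conn_id, status."""
    sas = []
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            sas.append({"dst": dst, "src": src, "state": state,
                        "conn_id": int(conn_id), "status": status})
    return sas


def parse_acl_hits(text: str) -> dict:
    """Map each ACL entry's sequence number to its match counter (0 when IOS prints none)."""
    hits = {}
    for line in text.splitlines():
        m = ACL_ROW.match(line)
        if m:
            hits[int(m.group(1))] = int(m.group(4) or 0)
    return hits


def assess(isakmp_text: str, acl_text: str) -> dict:
    """Combine SA state and crypto-ACL hit counts into the diagnosis the thread walks through."""
    sas = parse_isakmp_sa(isakmp_text)
    acl_hits = sum(parse_acl_hits(acl_text).values())
    # QM_IDLE is the steady state of a completed Phase 1; anything else is mid-negotiation or stale.
    phase1_up = any(sa["state"] == "QM_IDLE" and sa["status"] == "ACTIVE" for sa in sas)
    if phase1_up:
        verdict = "IKE Phase 1 established; confirm Phase 2 with 'show crypto ipsec sa' (pkts encaps/decaps)"
    elif sas:
        verdict = "IKE negotiation started but did not complete (state %s); debug crypto isakmp should show why" % sas[0]["state"]
    elif acl_hits == 0:
        verdict = "no IKE SA and no crypto ACL hits: nothing has tried to use the tunnel, so no debug output is expected"
    else:
        verdict = "crypto ACL has hits but no IKE SA: IKE is being triggered and failing; check debug crypto isakmp and the peer/key"
    return {"phase1_up": phase1_up, "sa_count": len(sas), "acl_hits": acl_hits, "verdict": verdict}


if __name__ == "__main__":
    print(assess(SHOW_ISAKMP_SA, SHOW_ACL_150))
```

Run it on real output by pasting the two show commands into the two strings; the "no SA, no hits" branch is exactly the situation the original poster was in before the first ping.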
If you're not getting debug messages when on the console port itself, try

logging console debug

and if you want to save syslog messages so you can just do show logging, use:

logging buffered 20000
Just a quick reply to this for closure.
I was being a nub.. This was only my 2nd Cisco router I've ever programmed.. I'm just a normal sysadmin, not a CCNA or anything. I didn't realize you need to basically jump-start the VPN by sending a ping to make it establish the connection.

The programming was actually 100% fine. Just needed to ping and it would have been fine....

Thanks for all your help and I actually learned a couple things from the responses I received.

Thank you!
-Dill
It's called 'interesting traffic'; anything which needs to cross the VPN will cause the VPN to come up, but it won't come up if nothing needs it.
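"Interesting traffic" is decided purely by the crypto ACL bound to the crypto map: a packet leaving the interface is checked against ACL 150, and only a permit match makes the router start IKE with the peer. The following is an added example, not from the thread or from Cisco, that reproduces the IOS wildcard-mask test for the poster's ACL 150 so you can see which flows would wake the tunnel. It also shows the two cases that explain the original confusion: an SSH session to the router's WAN address is not interesting traffic, and the reverse direction (192.168.3.0/24 to 192.168.13.0/24) is not permitted by this router's ACL either, which is why the remote router needs the mirror-image entry.

```python
import ipaddress

# ACL 150 from the thread as (action, src net, src wildcard, dst net, dst wildcard).
CRYPTO_ACL_150 = [
    ("permit", "192.168.13.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care' for that bit."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def is_interesting(src: str, dst: str, acl=CRYPTO_ACL_150) -> bool:
    """True if the first matching ACL entry permits the flow (i.e. it will trigger IKE)."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    # Implicit deny at the end of every IOS ACL: the packet is routed in the clear
    # (or NATted, as on the poster's "ip nat outside" interface) and IKE never starts.
    return False


if __name__ == "__main__":
    # Constructed flows; 203.0.113.5 stands in for an outside host (documentation range).
    for src, dst in [("192.168.13.10", "192.168.3.20"),   # LAN-to-LAN ping: wakes the tunnel
                     ("203.0.113.5", "192.168.13.1"),     # SSH to the WAN side: not interesting
                     ("192.168.3.5", "192.168.13.5")]:    # reverse direction: remote router's ACL
        print(src, "->", dst, "interesting" if is_interesting(src, dst) else "not interesting")
```

The wildcard test is the same check the router applies per packet; a ping from a host on 192.168.13.0/24 to a host on 192.168.3.0/24 (or an extended ping with a source address inside that range) is the simplest way to hit it.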