Wednesday, August 24, 2011

Debugging crypto properly, getting all those lovely attributes you don't normally get

Hi guys

I am not sure how many of you have dealt with IPSEC and VRF, but it's quite complicated. What makes it even more complicated is trying to troubleshoot it, which can be a VERY difficult process. Below are some commands I learnt about recently that provide a HUGE level of debugging:

#show debug

Cryptographic Subsystem:
Crypto ISAKMP debugging is on (actual command is debug crypto isakmp)
Crypto ISAKMP Error debugging is on (actual command is debug crypto isakmp error)

IKEV2 error debugging is on (actual command is debug crypto ikev2 event)
IKEV2 terse debugging is on
IKEV2 event debugging is on
verbose debug output debugging is on (this is the _KEY_ command, debug crypto verbose)

The last one is the most important, as with it you get beautiful debug output that shows you things like: was the keychain actually hit, and if it was, were the attributes acceptable, what attributes did the other end send, etc.