How To Pick 1 VPN Peer Out Of Many For Troubleshooting
I manage several Cisco IOS devices with a lot of VPN connections on them; one device has 100+. So what happens when 1 of the 100 peers is failing to establish? Well, I can tell you: whatever you do, don’t do a debug crypto isakmp or debug crypto ipsec without any conditions. You will definitely give a big tug to the CPU on the device, possibly to the point that you can’t recover by issuing u all (undebug all). At that point a router reload would probably be the only option left, which would probably trigger some resume updating.
So how do you go about picking the needle out of the haystack? Well, Cisco has given us an excellent tool to solve this issue: VPN conditional debugging. With conditional filtering for VPNs, we can filter based on several different attributes such as peer, GDOI group, username, SPI, or connection ID, to name a few. This has definitely helped me out in a pinch, and I am now in the habit of using this instead of just debugging everything crypto within the IOS device.
So how do we implement this great feature, you may ask? Quite easily, but then again everything is easy once you know what you are doing. So let’s head over to the command line and take a look…
router#debug crypto condition ?
connid IKE/IPsec connection-id filter
fvrf Front-door VRF filter
gdoi-group GDOI Group Name filter
isakmp Isakmp profile filter
ivrf Inside VRF filter
local IKE local address filter
peer IKE peer filter
reset Delete all debug filters and turn off conditional debug
spi SPI (Security Policy Index) filter
unmatched Output debugs even if no context available
username Xauth or Pki-aaa username filter
So here is a list from which we can choose our option(s) and get our network straightened out quickly and painlessly. Let’s do a basic peer filter. Take a look at the peer filter with debug crypto condition peer ?; there are several more options we can narrow it down to. Isn’t this fantastic!
group IKE peer’s Unity group name filter
hostname IKE peer FQDN hostname filter
ipv4 IKE peer IP address filter
subnet Range of IKE peer IP address
username IKE peer FQDN username filter
Ok, so let’s go by our IPv4 address. We will want to debug a peer coming in from an IP address of 192.0.2.1. Let’s get this into the router with debug crypto condition peer ipv4 192.0.2.1.
And we will confirm that this is enabled with show crypto debug-condition.
Now, all that is left is to enable our regular crypto debugging utilities.
router#debug crypto isakmp
Crypto ISAKMP debugging is on
router#debug crypto ipsec
Crypto IPSEC debugging is on
router#debug crypto engine
Crypto Engine debugging is on
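As an added example (not from the original post), here is the step before the filter: finding which of the 100+ peers is actually the failing one, then building the conditional-debug and teardown sequences for just that peer. It parses constructed sample output of show crypto isakmp sa and assumes a hub address of 203.0.113.5; the "healthy" state set and the sample rows are assumptions for illustration.

```python
import ipaddress

# Constructed sample output of "show crypto isakmp sa" on a hub with several
# peers; one peer (192.0.2.1) is stuck in main mode with a deleted SA.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

203.0.113.5     192.0.2.2       QM_IDLE           1001 ACTIVE
203.0.113.5     192.0.2.1       MM_NO_STATE          0 ACTIVE (deleted)
203.0.113.5     198.51.100.7    QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# QM_IDLE is the established state; anything else is treated as suspect (assumption).
HEALTHY_STATES = {"QM_IDLE"}


def failing_peers(show_output, local="203.0.113.5"):
    """Return the sorted remote peer addresses whose IKE SA is not QM_IDLE.

    Each SA row starts with two IPv4 addresses (dst, src) and then the state;
    the remote peer is whichever of the two is not our local address.
    """
    peers = set()
    for line in show_output.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            dst = ipaddress.IPv4Address(parts[0])
            src = ipaddress.IPv4Address(parts[1])
        except ValueError:
            continue  # header, section title or blank line, not an SA row
        remote = src if str(dst) == local else dst
        if parts[2] not in HEALTHY_STATES:
            peers.add(str(remote))
    return sorted(peers)


def conditional_debug_commands(peers):
    """Build the filtered debug sequence: conditions first, then the debugs."""
    cmds = [f"debug crypto condition peer ipv4 {p}" for p in peers]
    cmds += ["show crypto debug-condition", "debug crypto isakmp", "debug crypto ipsec"]
    return cmds


def teardown_commands():
    """Turn everything off: stop the debugs, then clear the condition filters."""
    return ["undebug all", "debug crypto condition reset"]
```

Run the debug only with the filter in place, and always finish with the teardown so no stale condition is left on the router.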
Well, I hope that you found this useful. Of course this is only one example of filtering, so I leave it up to you to experiment with the others. It has certainly improved my troubleshooting by letting me look at only the information I actually want to see.
Excellent post my friend
I’ll use this from now on! Good job!