Debug Commands
If you have problems establishing any of the VPN tunnels, use the following commands for
troubleshooting:
Step 1 If you are connected to the PIX by the console port, enable debugging
on the console using this command:
logging console debugging
If you are connected to the PIX by Telnet, enable debugging using this
command:
logging monitor debugging
Step 2 To view debug information related to the VPN configuration, use the
following commands:
• debug crypto ipsec—Used to debug IPSec processing
• debug crypto isakmp—Used to debug ISAKMP processing
• debug crypto engine—Used to display debug messages about crypto
engines, which perform encryption and decryption
Step 3 To clear SAs, use the following commands in PIX configuration
mode:
• clear [crypto] ipsec sa—Deletes the active IPSec SAs. The keyword
crypto is optional.
• clear [crypto] isakmp sa—Deletes the active IKE SAs. The keyword
crypto is optional.
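
The three steps above as one console session, added here as an example and not taken from the original guide. It assumes a console connection and a hostname of pixfirewall. The logging on command, the show crypto ... sa commands and the no forms are standard PIX commands that this page does not list, and lines beginning with ! are annotations, not input.

```cisco
! Step 1: send debug-level messages to the console (console connection assumed).
pixfirewall(config)# logging on
pixfirewall(config)# logging console debugging
! Step 2: enable the debugs before touching the SAs, so the next
! negotiation is captured from its first message.
pixfirewall(config)# debug crypto isakmp
pixfirewall(config)# debug crypto ipsec
pixfirewall(config)# debug crypto engine
! Step 3: delete the existing SAs. The next traffic that matches the
! crypto access list forces IKE and IPSec to renegotiate while the
! debugs are running.
pixfirewall(config)# clear crypto isakmp sa
pixfirewall(config)# clear crypto ipsec sa
! Check whether the SAs were rebuilt.
pixfirewall(config)# show crypto isakmp sa
pixfirewall(config)# show crypto ipsec sa
! Turn the debugs and console logging back off when finished.
pixfirewall(config)# no debug crypto engine
pixfirewall(config)# no debug crypto ipsec
pixfirewall(config)# no debug crypto isakmp
pixfirewall(config)# no logging console debugging
```

Clearing the SAs drops every tunnel that is currently up until it renegotiates, and debug output adds load to the firewall, so keep the debugging window short on a production PIX.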