debug Command
The debug command lets you watch the VPN negotiation take place. This command is
available only from configuration mode on the PIX and will not display any output in a
Telnet session. Table 13-8 explains the two debug commands most commonly used to
troubleshoot VPN connectivity.
spi: 0x50b98b5(84646069)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: Chapter11
sa timing: remaining key lifetime (k/sec): (460800/21)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x9a46ecae(2588339374)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: Chapter11
sa timing: remaining key lifetime (k/sec): (460800/21)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
Table 13-7 clear Commands
Command Description
clear isakmp sa Removes all ISAKMP statements from the configuration
clear [crypto] isakmp sa Clears all active ISAKMP SAs
clear [crypto] ipsec sa Clears all active IPSec SAs
Example 13-7 show crypto ipsec sa Command Output (Continued)
Configuring the Security Appliance as a VPN Gateway 359
Example 13-8 displays the output from the debug crypto isakmp command on the PIX
Firewall in 192.168.1.1 that is configured for a VPN connection to 192.168.2.1. Note the
highlighted comments “atts are not acceptable” and “atts are acceptable” that are generated
during the negotiation as address transforms attempt to find a match.
Command Description
debug crypto isakmp Displays IKE communication between the PIX and its IPSec peers
debug crypto ipsec Displays IPSec communication between the PIX and its IPSec peers