debugging on a 2811 router


Need help with some syntax.
Site A and Site B have an ipsec tunnel between each other and crypto map is applied to their outside interfaces.

I want to debug traffic on site A as it enters the tunnel to get encrypted to go to site B.

Don't have much experience doing this on a router.

Site A: needs to access site B via port 25

Need to debug on the inside interface. What is the best way to do it? Debug ip packet? please provide syntax if possible.
Who is Participating?
harbor235Connect With a Mentor Commented:

Like Steve J shows:

debug ip packet 150   (where 150 is acl 150)

access-list 150 permit ip
access-list 150 permit ip  
****** (assumed outside interface was*****

router# term mon
router(config#) logging con

harbor235 ;}

trojan81Author Commented:

debug crypto ipsec sa
debug crypto isakmp
debug crypto engine

harbor235 ;}
Steve JenningsIT ManagerCommented:
To be clear, you want to see the traffic before it's encrypted, but only the traffic that's going to be encrypted?

So you have an ACL that defines interesting traffic . . . say ACL 150

debug ip packet 150 detail dump

harbor235 gave you commands to debug IPSEC traffic, but it sounds like you want to see the actual traffic (payload). The command I gave you will display a mess.

Good luck,
trojan81Author Commented:
I just want to see the traffic as it comes into the inside interface about to get encrypted and sent out the outside interface where the crypto map is applied.

In short, I just want to say "yes the traffic is at least making it to the VPN router". I dont care of it enters the tunnel or not. Just want to see it arrive at the doorstep.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.