Cisco IOS XR System Security Debug Command Reference, Release 3.6
Crypto Conditional Debug Commands on Cisco IOS XR Software

Table Of Contents

Crypto Conditional Debug Commands on Cisco IOS XR Software

debug condition crypto ipv4

debug condition crypto hostname

debug condition crypto ike

debug condition crypto ipsec

debug condition crypto username

debug condition crypto vi


Crypto Conditional Debug Commands on Cisco IOS XR Software


This chapter describes the Cisco IOS XR software crypto conditional debug commands.

For high-level, conceptual information about using debug commands generally, see Using Debug Commands on Cisco IOS XR Software, Release 3.6.0.

debug condition crypto ipv4

To select a peer by its IPv4 address, use the debug condition crypto ipv4 command in EXEC mode. Information will be displayed for both the Internet Key Exchange (IKE) and the IP Security (IPSec) negotiation stages. To disable the peer selection, use the no form of this command.

debug condition crypto ipv4 ip-address [/length]

no debug condition crypto ipv4 ip-address [/length]

Syntax Description

ip-address

Specifies the IP address of the peer.

/length

(Optional) Prefix length, which can be indicated as a slash (/) and number. For example, /8 indicates that the first eight bits in the IP prefix are network bits. If the length argument is used, the slash is required.


Defaults

If conditional crypto debug statements are not used, crypto debug information will be displayed for all connections.

Command Modes

EXEC

Command History

Release        Modification
Release 3.4.0  This command was introduced on the Cisco XR 12000 Series Router and the Cisco CRS-1.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Use conditional crypto debug commands in conjunction with crypto debug commands to select the peers or connections for which crypto debug information will be displayed. If crypto debug commands are not used, the conditional crypto debug commands will not display information. If multiple conditional debug commands are used, connections are selected using OR logic.

Use the IP condition when you know the IP address of the peer, and if the peer uses the IP as the identifier.

Task ID

Task ID         Operations
crypto          execute
basic-services  read, write



Related Commands

Command              Description
debug crypto engine  Displays information about crypto engine encryption and decryption functions.
debug crypto ipsec   Displays IPSec events.
debug crypto isakmp  Displays messages about IKE events.
debug crypto pki     Displays messages about PKI client events.


debug condition crypto hostname

To select a peer by the hostname string (to a maximum of 128 characters), use the debug condition crypto hostname command in EXEC mode. Information will be displayed for both the Internet Key Exchange (IKE) and the IP Security (IPSec) negotiation stages. To disable the peer selection, use the no form of this command.

debug condition crypto hostname {peer-identity}

no debug condition crypto hostname {peer-identity}

Syntax Description

peer-identity

Identity of the hostname of the peer in the format hostname.domain, to a maximum of 128 characters.


Defaults

If conditional crypto debug statements are not used, crypto debug information will be displayed for all connections.

Command Modes

EXEC

Command History

Release        Modification
Release 3.4.0  This command was introduced on the Cisco XR 12000 Series Router and the Cisco CRS-1.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Use conditional crypto debug commands in conjunction with crypto debug commands to select the peers or connections for which crypto debug information will be displayed. If crypto debug commands are not used, the conditional crypto debug commands will not display information. If multiple conditional debug commands are used, connections are selected using OR logic.

Use the hostname condition when you know the domain and hostname of the peer, and if the peer uses the hostname as the identifier.

Task ID

Task ID         Operations
crypto          execute
basic-services  read, write


Related Commands

Command             Description
debug crypto ipsec  Displays IPSec events.


debug condition crypto ike

To display debug information about Internet Key Exchange (IKE) operations for specific connections, use the debug condition crypto ike command in EXEC mode. To disable the selection, use the no form of this command.

debug condition crypto ike {connid connection-id | fvrf front-door-vrf | group unity-group | isakmp-profile isakmp-profile | ivrf inside-vrf | unmatch}

no debug condition crypto ike {connid connection-id | fvrf front-door-vrf | group unity-group | isakmp-profile isakmp-profile | ivrf inside-vrf | unmatch}

Syntax Description

connid connection-id

Specifies a connection by the ID assigned to it. Range is 1 to 32767.

fvrf front-door-vrf

Specifies a connection by the front-door VPN routing and forwarding (VRF) instance it uses. Value is front-door VRF name.

group unity-group

Specifies a connection with a peer that uses a Unity Key-Group string as the identifier. Value is the Unity group name string.

isakmp-profile isakmp-profile

Specifies the profile name of the specified IKE session as a crypto debug condition. Value is the name of the ISAKMP profile.

ivrf inside-vrf

Specifies a connection by the inside-door VRF instance it uses. Value is the inside-door VRF name.

unmatch

Sets the unlimited flag to produce a debug message even if no context is available.


Defaults

If conditional crypto debug statements are not used, crypto debug information will be displayed for all connections.

Command Modes

EXEC

Command History

Release        Modification
Release 3.4.0  This command was introduced on the Cisco XR 12000 Series Router and the Cisco CRS-1.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Use conditional crypto debug commands in conjunction with crypto debug commands to select the peers or connections for which crypto debug information will be displayed. If crypto debug commands are not used, the conditional crypto debug commands will not display information. If multiple conditional debug commands are used, connections are selected using OR logic.

Use the debug condition crypto ike commands to debug peer-specific, configuration, or functionality-related IKE problems that could occur during a large-scale VPN deployment, in particular with hub routers that have large numbers of peers and live traffic. The condition statements focus on specific IKE sessions using different filters.

Use the group condition when the group to which the peer belongs is known, and if the peer uses the group as the identifier.

Use the unmatch condition to show messages that cannot be related to a specific session. By default, some messages are not displayed when other conditional debug commands are used. Combine other conditional debug commands with the unmatch condition and a crypto debug command to generate output for the specified session.
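The selection rules stated in the usage guidelines above (conditions combined with OR logic, the ipv4 condition's /length prefix match, and unmatch for messages that carry no session context) as an added Python model. This is illustrative code written for this page, not the IOS XR implementation; the record fields, the ConditionSet class and the sample messages are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class DebugRecord:
    """Constructed model of one crypto debug message plus any session context."""
    text: str
    peer_ip: Optional[str] = None    # matched by 'debug condition crypto ipv4'
    hostname: Optional[str] = None   # matched by 'debug condition crypto hostname'
    connid: Optional[int] = None     # matched by 'debug condition crypto ike connid'
    fvrf: Optional[str] = None       # matched by 'debug condition crypto ike fvrf'

    def has_context(self) -> bool:
        # All-None context models a message that cannot be tied to a session.
        return any(v is not None for v in (self.peer_ip, self.hostname, self.connid, self.fvrf))


@dataclass
class ConditionSet:
    """Active 'debug condition crypto ...' statements (hypothetical model)."""
    ipv4: List[str] = field(default_factory=list)   # "10.1.2.3" or "10.1.0.0/16"
    hostname: List[str] = field(default_factory=list)
    connid: List[int] = field(default_factory=list)
    fvrf: List[str] = field(default_factory=list)
    unmatch: bool = False                            # 'debug condition crypto ike unmatch'

    def selects(self, rec: DebugRecord) -> bool:
        session_filters = bool(self.ipv4 or self.hostname or self.connid or self.fvrf)
        if not session_filters and not self.unmatch:
            return True  # documented default: no conditions, everything is shown
        if not rec.has_context():
            # Context-less messages appear only when 'unmatch' is set (assumption:
            # 'unmatch' on its own does not select messages that do have context).
            return self.unmatch
        # Conditions combine with OR logic: one matching filter is enough.
        # An ipv4 condition without /length is a host match (ip_network yields /32).
        if rec.peer_ip is not None and any(
            ip_address(rec.peer_ip) in ip_network(p, strict=False) for p in self.ipv4
        ):
            return True
        return rec.hostname in self.hostname or rec.connid in self.connid or rec.fvrf in self.fvrf


def filter_debug(conds: ConditionSet, records: List[DebugRecord]) -> List[str]:
    """Text of the records a 'debug crypto ...' command would emit under conds."""
    return [r.text for r in records if conds.selects(r)]


# Constructed sample messages, not real IOS XR output.
SAMPLE = [
    DebugRecord("IKE MM1 from 10.1.5.7", peer_ip="10.1.5.7", connid=1001),
    DebugRecord("IKE MM1 from 192.0.2.9", peer_ip="192.0.2.9", connid=1002, fvrf="corp"),
    DebugRecord("ID payload hostname gw2.example.net", hostname="gw2.example.net", connid=1003),
    DebugRecord("ISAKMP: received packet with no SA"),  # no session context
]
```

Running filter_debug with ConditionSet(ipv4=["10.1.0.0/16"]) keeps only the first sample, while adding unmatch=True is what lets the context-less fourth message through.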

Task ID

Task ID         Operations
crypto          execute
basic-services  read, write


Related Commands

Command              Description
debug crypto engine  Displays information about crypto engine encryption and decryption functions.
debug crypto ipsec   Displays IPSec events.
debug crypto isakmp  Displays messages about IKE events.
debug crypto pki     Displays messages about PKI client events.
tunnel vrf vrf-name  Determines the fvrf that the service IPSec uses.
vrf vrf-name         Determines the ivrf that the service IPSec uses.


debug condition crypto ipsec

To display debug information about IP Security (IPSec) operations for a specific session, use the debug condition crypto ipsec command in EXEC mode. To disable the selection, use the no form of this command.

debug condition crypto ipsec {flow-id flow-id | fvrf front-door-vrf | profile ipsec-profile | unmatch}

no debug condition crypto ipsec {flow-id flow-id | fvrf front-door-vrf | profile ipsec-profile | unmatch}

Syntax Description

flow-id flow-id

Specifies an IPSec session by the ID assigned to it. Range is 1 to 16500.

fvrf front-door-vrf

Specifies an IPSec session by the front-door VRF instance it uses. Value is the front-door VRF name.

profile ipsec-profile

Specifies an IPSec profile as a crypto debug condition. Value is the name of the IPSec profile.

unmatch

Sets the unlimited flag to produce a debug message even if no context is available.


Defaults

If conditional crypto debug statements are not used, crypto debug information will be displayed for all connections.

Command Modes

EXEC

Command History

Release        Modification
Release 3.4.0  This command was introduced on the Cisco XR 12000 Series Router and the Cisco CRS-1.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Use conditional crypto debug commands in conjunction with crypto debug commands to select the peers or connections for which crypto debug information will be displayed. If crypto debug commands are not used, the conditional crypto debug commands will not display information. If multiple conditional debug commands are used, connections are selected using OR logic.

Use the debug condition crypto ipsec commands to debug peer-specific, configuration, or functionality-related IPSec problems that could occur during a large-scale VPN deployment, in particular with hub routers that have large numbers of peers and live traffic. The condition statements enable you to focus on specific IPSec sessions using different filters.

Use the unmatch condition to show messages that cannot be related to a specific session. By default, some messages are not displayed when other conditional debug commands are used. Combine other conditional debug commands with the unmatch condition and a crypto debug command to generate output for the specified session.

Task ID

Task ID         Operations
crypto          execute
basic-services  read, write


Related Commands

Command              Description
debug crypto engine  Displays information about crypto engine encryption and decryption functions.
debug crypto ipsec   Displays IPSec events.
debug crypto isakmp  Displays messages about IKE events.
debug crypto pki     Displays messages about PKI client events.
tunnel vrf vrf-name  Determines the fvrf that the service IPSec uses.


debug condition crypto username

To select a peer by its username, use the debug condition crypto username command in EXEC mode. Information is displayed for both the Internet Key Exchange (IKE) and the IP Security (IPSec) negotiation stages. To disable the peer selection, use the no form of this command.

debug condition crypto username peer-identity

no debug condition crypto username peer-identity

Syntax Description

peer-identity

Value is the fully qualified domain name (FQDN) username of the peer in the format username@domain.


Defaults

If conditional crypto debug statements are not used, crypto debug information will be displayed for all connections.

Command Modes

EXEC

Command History

Release        Modification
Release 3.4.0  This command was introduced on the Cisco XR 12000 Series Router and the Cisco CRS-1.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Use conditional crypto debug commands in conjunction with crypto debug commands to select the peers or connections for which crypto debug information will be displayed. If crypto debug commands are not used, the conditional crypto debug commands will not display information. If multiple conditional debug commands are used, connections are selected using OR logic.

Use the username condition when you know the username and domain of the peer, and if the peer uses the username as the identifier.

Task ID

Task ID         Operations
crypto          execute
basic-services  read, write



Related Commands

Command              Description
debug crypto engine  Displays information about crypto engine encryption and decryption functions.
debug crypto ipsec   Displays IPSec events.
debug crypto isakmp  Displays messages about IKE events.
debug crypto pki     Displays messages about PKI client events.


debug condition crypto vi

To define a virtual interface name as a crypto debug condition, use the debug condition crypto vi command in EXEC mode. Information is displayed for both the Internet Key Exchange (IKE) and the IP Security (IPSec) negotiation stages. To disable the selection, use the no form of this command.

debug condition crypto vi {tunnel-ipsec tunnel-id | service-gre gre-id | service-ipsec ipsec-id}

no debug condition crypto vi {tunnel-ipsec tunnel-id | service-gre gre-id | service-ipsec ipsec-id}

Syntax Description

tunnel-ipsec tunnel-id

Specifies an IPSec tunnel interface as a crypto debug condition. Value is the ID for the IPSec tunnel interface.

service-gre gre-id

Specifies the service-gre interface as a crypto debug condition. Value is the ID for the interface (Cisco XR 12000 Series Router only).

service-ipsec ipsec-id

Specifies the service-ipsec interface as a crypto debug condition. Value is the ID for the interface (Cisco XR 12000 Series Router only).


Defaults

If conditional crypto debug statements are not used, crypto debug information will be displayed for all connections.

Command Modes

EXEC

Command History

Release        Modification
Release 3.4.0  This command was introduced on the Cisco XR 12000 Series Router and the Cisco CRS-1.
Release 3.5.0  No modification.
Release 3.6.0  No modification.


Usage Guidelines

To use this command, you must be in a user group associated with a task group that includes the proper task IDs. For detailed information about user groups and task IDs, see the Configuring AAA Services on Cisco IOS XR Software module of the Cisco IOS XR System Security Configuration Guide.

Debugging output is assigned high priority in the CPU process and, therefore, can affect system performance. For more information about the impact on system performance when using debug commands, refer to Using Debug Commands on Cisco IOS XR Software.

Use conditional crypto debug commands in conjunction with crypto debug commands to select the peers or connections for which crypto debug information will be displayed. If crypto debug commands are not used, the conditional crypto debug commands will not display information. If multiple conditional debug commands are used, connections are selected using OR logic.

Use this command to see output for all connections on the specified interface.

Task ID

Task ID         Operations
crypto          execute
basic-services  read, write



Related Commands

Command              Description
debug crypto engine  Displays information about crypto engine encryption and decryption functions.
debug crypto ipsec   Displays IPSec events.
debug crypto isakmp  Displays messages about IKE events.
debug crypto pki     Displays messages about PKI client events.