Security Troubleshooting: “debug” versus Syslog

Several weeks ago I wrote an introduction on effective security troubleshooting. As promised, this post supplements what I wrote before by focusing primarily on the cross-platform differences and similarities in the debug command implementation. My next posts will target specific areas of security troubleshooting such as general connectivity, VPNs, and authentication issues.

Debug Command on the IOS® Router and the ASA

Let’s start with the debug command as used by both the Cisco IOS router and the ASA. One major difference in the debug command’s implementation between the two platforms is its dependence on syslog. On the router, debug output is emitted through the logging subsystem (at severity 7, debugging), so the logging destination you are watching (console, monitor, or buffer) must be enabled and must accept that severity for debug messages to appear. On the ASA, debug output is independent of syslog, so logging can essentially be disabled while you debug. This independence is useful, because the ASA can send an overwhelmingly large number of syslog messages that would otherwise obscure the valuable troubleshooting output.

Besides the difference in syslog dependency, detailed debugging is done differently on the ASA than on the router. For detailed debugging on the ASA, the optional level parameter is recommended, where 1 ≤ level ≤ 255; the default level (if unspecified) is 1, and higher values produce progressively more detail. As an aside, I wrote a white paper on VPN Troubleshooting which illustrates the use of differing values of the level parameter to narrow in on specific problems.

The router does not implement this parameter; instead, the amount of detail is fixed by the command chosen: the cryptographic debug commands are verbose, while variants such as debug… events are terser. In addition, some debug commands on the router accept a detail keyword for packet-level debugging and can be tied to an access-list, so that only traffic matching the access-list is reported.
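The following two CLI fragments are an added example (not from the original post or from Cisco documentation) showing the prerequisites described above side by side. The peer address 192.0.2.10 and the access-list number 101 are assumed values chosen for illustration; the `!` comment lines are explanatory and are not part of what you would type in exec mode.

```cisco
! ===== Cisco IOS router =====
! debug output is a severity-7 logging message: the destination must be
! enabled and must accept level "debugging" or nothing is displayed
logging on
logging buffered 64000 debugging    ! collect debug output in the buffer
no logging console                  ! keep the console usable on a busy box
! (exec) terminal monitor            ! only if you watch from a vty session
!
! packet-level debugging scoped with an access-list (assumed peer 192.0.2.10)
access-list 101 permit ip host 192.0.2.10 any
access-list 101 permit ip any host 192.0.2.10
debug ip packet 101 detail          ! "detail" adds per-packet protocol data
! ... reproduce the problem ...
undebug all
show logging                        ! read the buffered debug output

! ===== Cisco ASA =====
! debug output is written to the session directly and does not depend on syslog
no logging enable                   ! syslog can stay off while debugging
debug crypto ikev1 127              ! level 1..255, default 1; 127 is verbose
debug crypto ipsec 127
! ... reproduce the problem ...
show debug                          ! confirm what is enabled before leaving
undebug all
```

On the router, `show logging` is the safest place to read the result: the buffer survives a dropped terminal session and does not compete with the console for CPU. On either platform, `undebug all` before you log out.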

Debug crypto condition

Having covered some differences, there is a key point of similarity that is helpful on both platforms. The debug crypto condition command sequence provides a valuable filtering mechanism for the specific VPN sessions that require troubleshooting, so that a busy VPN gateway does not bury the one session you care about under output from every other peer. Two valuable command reference documents from Cisco (IOS Debug and ASA 8.4) describe the considerable flexibility of arguments that can be used, including IP address, subnet, username, etc. While the condition argument on the ASA is associated only with the crypto keyword, the IOS router also provides a generic debug condition command (for example, conditions on an interface or an IP address) that applies to other debugs.
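As an added example (not part of the original post), here is the same conditional VPN debug on both platforms. The peer address 192.0.2.10 and the username vpnuser are assumed values for illustration; the `!` lines are comments, not commands.

```cisco
! ===== Cisco IOS router =====
debug crypto condition peer ipv4 192.0.2.10   ! only this peer's negotiations
debug crypto condition username vpnuser       ! or filter on a remote-access user
show crypto debug-condition                   ! verify the active filters
debug crypto isakmp
debug crypto ipsec
! ... reproduce the problem ...
undebug all
debug crypto condition reset                  ! clear the filters afterwards
!
! generic (non-crypto) conditions exist only on the router, e.g.:
! debug condition interface GigabitEthernet0/0
! debug condition ip 192.0.2.10

! ===== Cisco ASA =====
debug crypto condition peer 192.0.2.10        ! same idea, no "ipv4" keyword
debug crypto condition user vpnuser
show crypto debug-condition
debug crypto ikev1 127                        ! level applies on top of the condition
debug crypto ipsec 127
! ... reproduce the problem ...
undebug all
debug crypto condition reset
```

Always check `show crypto debug-condition` before enabling the debug itself: a mistyped condition silently filters out everything, and the resulting empty output is easy to misread as "no traffic is arriving".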

When using debug, it is often a good idea to capture the terminal session to a file on disk, since how far you can scroll back depends on the terminal emulator. Debugging is also CPU-intensive on a busy device, which is a further reason to scope it with conditions or access-lists and to turn it off (undebug all) as soon as you have what you need. As a general rule, when debug output becomes more verbose at a given level of detail, your troubleshooting is on the right track!
