Debug · Privileged EXEC

debug crypto ipsec

Use this command to enable real-time debugging of IPsec security association (SA) negotiations and packet processing, typically for troubleshooting VPN connectivity issues.

Syntax · Privileged EXEC
debug crypto ipsec

When to Use This Command

  • Troubleshooting why an IPsec tunnel fails to establish between two routers.
  • Verifying the correct IPsec SA parameters (encryption, authentication, etc.) during tunnel setup.
  • Diagnosing packet drops due to mismatched IPsec policies or expired SAs.
  • Monitoring the progress of IKE phase 2 quick mode exchanges.

Command Examples

Basic IPsec debug output during tunnel establishment

debug crypto ipsec
00:11:22: %CRYPTO-4-RECV_PKT: IPSEC receive packet from 192.168.1.1 to 10.0.0.1 prot=50
00:11:22: IPSEC(sa_request): , (key eng. msg.) src=192.168.1.1, dest=10.0.0.1, src_proxy=192.168.1.0/255.255.255.0/0/0, dest_proxy=10.0.0.0/255.255.255.0/0/0, 
00:11:22:   inbound SA to 10.0.0.1 (proxy 10.0.0.0 to 192.168.1.0)
00:11:22:   has spi 0x12345678 and conn_id 2000, keysize 128, flags 0x200C
00:11:22: IPSEC(validate_proposal_request): proposal part #1,
00:11:22:   (transform esp-aes 128 esp-sha-hmac,)
00:11:22:   (life expiry: 3600 seconds and 4608000 kilobytes)
00:11:22: IPSEC(process_sa_request): SA request accepted
00:11:22: IPSEC(create_sa): sa created,
00:11:22:   (sa) sa_dest=10.0.0.1, sa_prot=50, sa_spi=0x12345678, sa_trans=esp-aes 128 esp-sha-hmac, sa_conn_id=2000, sa_lifetime=3600/4608000

Line 1: Receipt of an IPsec packet (protocol 50 = ESP) from 192.168.1.1 to 10.0.0.1.
Line 2: SA request message showing the source and destination proxies (the protected subnets).
Line 3: Inbound SA details with the SPI (Security Parameter Index) and connection ID.
Lines 4-5: Proposal validation showing the transform set (AES 128, SHA-HMAC) and the lifetime.
Line 6: SA request accepted.
Lines 7-8: SA created with all of its parameters.

Debug output showing IPsec packet drop due to anti-replay

debug crypto ipsec
00:12:34: IPSEC(anti_replay): packet dropped, seq# 12345, expected seq# 12346
00:12:34: %CRYPTO-4-PKT_REPLAY: IPsec anti-replay check failed, dropped packet from 192.168.1.1 to 10.0.0.1

Line 1: Anti-replay check failed; the received sequence number was 12345 but 12346 was expected, indicating a possible replay attack or out-of-order delivery.
Line 2: Syslog message summarizing the drop.

Understanding the Output

The output of 'debug crypto ipsec' provides real-time information about IPsec SA creation, deletion, and packet processing. Key fields include:

  • 'src' and 'dest': source and destination IPs of the tunnel endpoints.
  • 'src_proxy' and 'dest_proxy': subnets protected by the tunnel.
  • 'spi': Security Parameter Index, a unique identifier for the SA.
  • 'conn_id': internal connection ID.
  • 'keysize': encryption key length.
  • 'transform': encryption and authentication algorithms.
  • 'life expiry': SA lifetime in seconds and kilobytes.

Good values: SA creation messages with matching transforms and proxies. Bad values: 'SA request rejected', 'no matching proposal', 'anti-replay dropped', or 'packet dropped' messages. Watch for mismatched transform sets, incorrect proxy IDs, or expired SAs.

CCNA Exam Tips

1. Remember that 'debug crypto ipsec' is used for IPsec SA-level debugging, while 'debug crypto isakmp' is for IKE phase 1. The exam may ask which debug to use for phase 2 issues.

2. Anti-replay drops can occur due to packet reordering; the exam might test that the default window is 64 packets.

3. The SPI value is a key identifier for an SA; exam questions may ask what SPI represents.

4. Always use 'undebug all' or 'no debug crypto ipsec' after troubleshooting to avoid CPU overload.
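The anti-replay drop shown earlier and exam tip 2 both come down to the inbound SA's sliding window. As an added illustration, not code from this page or from Cisco IOS, here is a minimal receive window in the style of RFC 4303 Appendix A using the 64-packet default the tip cites; the sequence numbers fed to it are constructed, and the reason strings are hypothetical rather than IOS messages.

```python
# Added illustration: a simplified ESP anti-replay sliding window.
# Bit i of the bitmap means "sequence number (top - i) was already seen".
WINDOW_SIZE = 64  # IOS default anti-replay window size (per the page)


class AntiReplayWindow:
    """Track received ESP sequence numbers for one inbound SA."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => seq (top - i) already received

    def check(self, seq):
        """Return (accepted, reason); state is updated only on accept."""
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            # New high-water mark: slide the window forward by the gap.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1            # mark the new top as seen
            self.top = seq
            return True, "new highest seq"
        offset = self.top - seq
        if offset >= self.size:
            return False, "too old: outside the %d-packet window" % self.size
        if self.bitmap & (1 << offset):
            return False, "replay: seq %d already received" % seq
        self.bitmap |= 1 << offset      # late, but first time seen
        return True, "late but within window"


def simulate(seqs, size=WINDOW_SIZE):
    """Feed constructed sequence numbers through one SA's window."""
    window = AntiReplayWindow(size)
    return [(seq,) + window.check(seq) for seq in seqs]


if __name__ == "__main__":
    # Constructed arrival order: mild reordering, one duplicate, one stale packet.
    for seq, ok, why in simulate([12340, 12341, 12343, 12342, 12342, 12345, 12245]):
        print("seq# %d %s (%s)" % (seq, "accepted" if ok else "DROPPED", why))
```

Reordering within the window (12342 after 12343) is accepted, while the duplicate 12342 and the stale 12245 are dropped; only the duplicate points to a genuine replay.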

Common Mistakes

Mistake 1: Leaving debug enabled on a production router, causing high CPU usage and potential crashes.

Mistake 2: Confusing 'debug crypto ipsec' with 'debug crypto isakmp' — using the wrong debug for the phase being troubleshot.

Mistake 3: Not filtering debug output with 'debug crypto ipsec 192.168.1.1' to limit noise, leading to overwhelming logs.
