debug crypto isakmp
Enables debugging of ISAKMP (Internet Security Association and Key Management Protocol) packets to troubleshoot IKE phase 1 issues in IPsec VPNs.
When to Use This Command
- Troubleshooting why an IPsec tunnel fails to establish during IKE phase 1.
- Verifying that ISAKMP proposals, pre-shared keys, or authentication methods match between peers.
- Diagnosing issues with ISAKMP SA lifetime or aggressive mode negotiation.
- Monitoring ISAKMP exchange details during initial VPN setup or after configuration changes.
Command Examples
Basic ISAKMP debug output
debug crypto isakmp
ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (N) NEW SA
ISAKMP (0:0): processing SA payload. message ID = 0
ISAKMP (0:0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP (0:0): encryption DES-CBC
ISAKMP (0:0): hash SHA
ISAKMP (0:0): auth pre-share
ISAKMP (0:0): group 2
ISAKMP (0:0): lifetime 86400 seconds
ISAKMP (0:0): atts are acceptable. Next payload is 0
ISAKMP (0:0): processing KE payload. message ID = 0
ISAKMP (0:0): processing NONCE payload. message ID = 0
ISAKMP (0:0): processing ID payload. message ID = 0
ISAKMP (0:0): peer is part of isakmp profile default
ISAKMP (0:0): processing HASH payload. message ID = 0
ISAKMP (0:0): SA has been authenticated
ISAKMP (0:0): beginning Quick Mode exchange, M-ID of -123456789
ISAKMP (0:0): sending packet to 192.168.1.2 (I) QM_IDLE
ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP (0:0): processing ID payload. message ID = -123456789
ISAKMP (0:0): processing HASH payload. message ID = -123456789
ISAKMP (0:0): Loading all IPSEC SAs
ISAKMP (0:0): Generating IPSEC SAs
ISAKMP (0:0): sending packet to 192.168.1.2 (I) QM_IDLE
ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP (0:0): deleting node -123456789 error FALSE reason "quick mode done"
ISAKMP (0:0): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REAP_INIT
ISAKMP (0:0): Old State = IKE_P1_COMPLETE New State = IKE_DONE
Line 1: Received a new SA request from peer 192.168.1.2 (port 500). Lines 2-3: Processing the SA payload and checking the peer's proposed transform against the local ISAKMP policy (priority 1). Lines 4-8: The proposed transform details (encryption, hash, authentication method, DH group, lifetime). Line 9: The transform is acceptable. Lines 10-12: Processing the key exchange, nonce, and identity payloads. Line 13: Peer matched to the default ISAKMP profile. Lines 14-15: Hash verified and SA authenticated; phase 1 is complete. Lines 16-17: Beginning Quick Mode (IKE phase 2) with a message ID and sending the first Quick Mode packet. Lines 18-24: The Quick Mode exchange completing (ID and hash payloads processed, IPsec SAs loaded and generated). Line 25: Node deleted with reason "quick mode done", indicating a successful Quick Mode. Lines 26-27: State transition to IKE_DONE, meaning phase 1 and phase 2 are complete.
Debug with errors - pre-shared key mismatch
debug crypto isakmp
ISAKMP (0:0): received packet from 10.0.0.1 dport 500 sport 500 Global (N) NEW SA
ISAKMP (0:0): processing SA payload. message ID = 0
ISAKMP (0:0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP (0:0): encryption AES-CBC
ISAKMP (0:0): hash SHA256
ISAKMP (0:0): auth pre-share
ISAKMP (0:0): group 5
ISAKMP (0:0): lifetime 86400 seconds
ISAKMP (0:0): atts are acceptable. Next payload is 0
ISAKMP (0:0): processing KE payload. message ID = 0
ISAKMP (0:0): processing NONCE payload. message ID = 0
ISAKMP (0:0): processing ID payload. message ID = 0
ISAKMP (0:0): peer is part of isakmp profile default
ISAKMP (0:0): processing HASH payload. message ID = 0
ISAKMP (0:0): SA authentication failed
ISAKMP (0:0): sending packet to 10.0.0.1 (R) MM_KEY_EXCH
ISAKMP (0:0): peer matches default profile
ISAKMP (0:0): deleting SA with 10.0.0.1
ISAKMP (0:0): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP (0:0): Old State = IKE_READY New State = IKE_DEST_SA
Lines 1-9: Same as the first example; the proposed transform is acceptable. Lines 10-12: Processing the key exchange, nonce, and identity payloads. Line 13: Peer matched to the default profile. Lines 14-15: Hash verification failed, meaning the pre-shared keys do not match or authentication otherwise failed. Line 16: The router (acting as responder, "(R)") sends a notification back to the peer while still in MM_KEY_EXCH. Line 17: Peer matched to the default profile again. Line 18: The SA is deleted. Lines 19-20: State transition to IKE_DEST_SA, indicating the SA is destroyed. This output indicates a pre-shared key mismatch or another authentication failure.
Understanding the Output
The debug crypto isakmp command prints real-time messages about ISAKMP (IKE phase 1) events. Each line begins with 'ISAKMP (0:0):', where the numbers represent the ISAKMP SA index and connection ID. Key fields to watch:
- 'received packet from' shows the peer IP address and port.
- 'processing SA payload' indicates transform negotiation.
- 'atts are acceptable' means the proposed transform matches a local policy.
- 'SA has been authenticated' means phase 1 succeeded.
- 'SA authentication failed' indicates a pre-shared key or certificate issue.
- 'deleting node' with reason 'quick mode done' means phase 2 completed.
- 'Old State' and 'New State' show state-machine transitions.
Good values: 'atts are acceptable', 'SA has been authenticated', 'IKE_DONE'. Bad values: 'SA authentication failed', 'no acceptable proposal', 'deleting SA' without completion. Watch for repeated failures or timeouts; if no 'received packet from' line appears at all, the peer's packets are not reaching the router (check reachability and that UDP port 500 is not filtered).
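The rules above can be applied mechanically to a captured debug session. The following Python script is an added example written for this page (not Cisco's code): it reads debug crypto isakmp output, extracts the peer and the proposed phase 1 transform, flags deprecated algorithms in the proposal, and classifies the exchange as a proposal mismatch, an authentication failure, a completed tunnel, or an incomplete negotiation. The two sample captures are abridged from the outputs above; the 'atts are not acceptable' and 'no offers accepted' strings and the list of deprecated algorithms are this example's own assumptions.

```python
"""Triage `debug crypto isakmp` output (added example, not Cisco's code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Only "ISAKMP (x:y): <message>" lines are parsed; the typed command, prompts
# and other console noise are skipped.
ISAKMP_RE = re.compile(r"^ISAKMP \((?P<sa>\d+:\d+)\): (?P<msg>.*)$")
PEER_RE = re.compile(r"(?:received packet from|sending packet to|deleting SA with) (\d+\.\d+\.\d+\.\d+)")
# Proposal attributes printed while the peer's transform is checked against policy.
ATTR_RE = re.compile(r"^(encryption|hash|auth|group|lifetime) (.+?)(?: seconds)?$")
STATE_RE = re.compile(r"Old State = (\S+) New State = (\S+)")

# Assumed list of algorithms a defender should reject in a new IKE policy
# (DES/3DES, MD5 and DH groups 1-2 are deprecated by NIST guidance).
DEPRECATED = {"encryption": {"DES-CBC", "3DES-CBC"}, "hash": {"MD5"}, "group": {"1", "2"}}

VERDICT_OK = "tunnel established (phase 1 and phase 2 complete)"
VERDICT_AUTH = "phase 1 authentication failed: pre-shared key or certificate mismatch"
VERDICT_PROPOSAL = "phase 1 proposal rejected: compare crypto isakmp policy on both peers"
VERDICT_P1_ONLY = "phase 1 complete, phase 2 not finished: use debug crypto ipsec"
VERDICT_INCOMPLETE = "no phase 1 result seen: timeout, unreachable peer, or still negotiating"


@dataclass
class IsakmpSummary:
    peer: Optional[str] = None
    proposal: Dict[str, str] = field(default_factory=dict)
    proposal_accepted: bool = False
    proposal_rejected: bool = False
    phase1_authenticated: bool = False
    auth_failed: bool = False
    quick_mode_done: bool = False
    states: List[str] = field(default_factory=list)      # 'New State' values, in order
    deprecated: List[str] = field(default_factory=list)  # e.g. "encryption DES-CBC"
    verdict: str = VERDICT_INCOMPLETE


def parse_isakmp_debug(text: str) -> IsakmpSummary:
    s = IsakmpSummary()
    for raw in text.splitlines():
        m = ISAKMP_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        peer = PEER_RE.search(msg)
        if peer and s.peer is None:
            s.peer = peer.group(1)
        attr = ATTR_RE.match(msg)
        if attr:
            s.proposal[attr.group(1)] = attr.group(2)
        if msg.startswith("atts are acceptable"):
            s.proposal_accepted = True
        elif "not acceptable" in msg or "no acceptable proposal" in msg or "no offers accepted" in msg:
            s.proposal_rejected = True   # assumed wording for a policy mismatch
        elif msg == "SA has been authenticated":
            s.phase1_authenticated = True
        elif msg == "SA authentication failed":
            s.auth_failed = True
        elif 'reason "quick mode done"' in msg:
            s.quick_mode_done = True
        state = STATE_RE.search(msg)
        if state:
            s.states.append(state.group(2))
    s.deprecated = [f"{k} {v}" for k, v in s.proposal.items() if v in DEPRECATED.get(k, set())]
    final = s.states[-1] if s.states else None
    if s.auth_failed:
        s.verdict = VERDICT_AUTH
    elif s.proposal_rejected and not s.proposal_accepted:
        s.verdict = VERDICT_PROPOSAL
    elif final == "IKE_DONE" or (s.phase1_authenticated and s.quick_mode_done):
        s.verdict = VERDICT_OK
    elif s.phase1_authenticated:
        s.verdict = VERDICT_P1_ONLY
    return s


# Sample captures, abridged from the two debug outputs on this page.
SAMPLE_SUCCESS = """\
debug crypto isakmp
ISAKMP (0:0): received packet from 192.168.1.2 dport 500 sport 500 Global (N) NEW SA
ISAKMP (0:0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP (0:0): encryption DES-CBC
ISAKMP (0:0): hash SHA
ISAKMP (0:0): auth pre-share
ISAKMP (0:0): group 2
ISAKMP (0:0): lifetime 86400 seconds
ISAKMP (0:0): atts are acceptable. Next payload is 0
ISAKMP (0:0): SA has been authenticated
ISAKMP (0:0): deleting node -123456789 error FALSE reason "quick mode done"
ISAKMP (0:0): Old State = IKE_P1_COMPLETE New State = IKE_DONE
"""
SAMPLE_AUTH_FAILURE = """\
ISAKMP (0:0): received packet from 10.0.0.1 dport 500 sport 500 Global (N) NEW SA
ISAKMP (0:0): encryption AES-CBC
ISAKMP (0:0): hash SHA256
ISAKMP (0:0): auth pre-share
ISAKMP (0:0): group 5
ISAKMP (0:0): atts are acceptable. Next payload is 0
ISAKMP (0:0): SA authentication failed
ISAKMP (0:0): deleting SA with 10.0.0.1
ISAKMP (0:0): Old State = IKE_READY New State = IKE_DEST_SA
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_AUTH_FAILURE):
        r = parse_isakmp_debug(sample)
        print(f"peer={r.peer} proposal={r.proposal} deprecated={r.deprecated}\n  -> {r.verdict}")
```

Paste a real capture into parse_isakmp_debug() and read the verdict together with the deprecated list: a tunnel that comes up with DES-CBC and DH group 2 (the first sample) works but should still trigger a policy review, while an 'SA authentication failed' verdict points at the pre-shared key or certificate rather than at the crypto isakmp policy.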
CCNA Exam Tips
The CCNA exam may ask which debug command to use for IKE phase 1 issues; the answer is 'debug crypto isakmp'.
Remember that 'debug crypto isakmp' can generate a lot of output; use 'terminal monitor' if accessing via Telnet/SSH.
The exam might show a debug output with 'SA authentication failed' and ask the cause; answer is usually pre-shared key mismatch.
Be aware that 'debug crypto isakmp' does not show IKE phase 2 details; use 'debug crypto ipsec' for that.
Common Mistakes
Leaving debug enabled on a production router, causing high CPU usage and log flooding.
Confusing 'debug crypto isakmp' with 'debug crypto ipsec'; the former is for IKE phase 1, the latter for phase 2.
Not using 'undebug all' or 'no debug crypto isakmp' to disable debugging after troubleshooting.
Related Commands
crypto isakmp policy [priority]
Creates or modifies an ISAKMP (IKE) policy for IPsec VPN negotiations, defining encryption, authentication, and key exchange parameters.
debug crypto ipsec
Use this command to enable real-time debugging of IPsec security association (SA) negotiations and packet processing, typically for troubleshooting VPN connectivity issues.
show crypto ipsec sa
Displays the current state and statistics of IPsec security associations (SAs) to verify VPN tunnel establishment and monitor encrypted traffic.
show crypto isakmp sa
Displays the current state of Internet Key Exchange (IKE) Security Associations (SAs) used for IPsec VPN tunnels, allowing verification of Phase 1 tunnel establishment.