Debug Commands
This section explains how you use debug commands to help you diagnose and resolve VPN-related problems. The commands described here are not exhaustive, this section include commands according to their usefulness in assisting you to diagnose VPN-related problems.
Usage Guidelines
Because debugging output is assigned high priority in the CPU process, it can render the system unusable. For this reason, use debug commands only to troubleshoot specific problems or during troubleshooting sessions with the Cisco Technical Assistance Center (TAC). Moreover, it is best to use debug commands during periods of lower network traffic and fewer users. Debugging during these periods decreases the likelihood that increased debug command processing overhead will affect system use.
You can view debug output in a CLI session only. Output is directly available when connected to the Console port, or when in the diagnostic CLI (enter system support diagnostic-cli ). You can also view output from the regular Firepower Threat Defense CLI using the show console-output command.
To show debugging messages for a given feature, use the debug command. To disable the display of debug messages, use the no form of this command. Use no debug all to turn off all debugging commands.
debug feature [ subfeature] [ level]
no debug feature [ subfeature]
Syntax Description
feature |
Specifies the feature for which you want to enable debugging. To see the available features, use the debug ? command for CLI help. |
subfeature |
(Optional) Depending on the feature, you can enable debug messages for one or more subfeatures. Use ? to see the available subfeatures. |
level |
(Optional) Specifies the debugging level. Use ? to see the available levels. |
Command Default
The default debugging level is 1.
Example
With multiple sessions running on remote access VPN, troubleshooting can be difficult, given the size of the logs. You can use the debug webvpn condition command to set up filters to target your debug process more precisely.
debug webvpn condition {group name | p-ipaddress ip_address [{subnet subnet_mask | prefix length}] | reset | user name}
Where:
-
group name filters on a group policy (not a tunnel group or connection profile).
-
p-ipaddress ip_address [{subnet subnet_mask | prefix length}] filters on the public IP address of the client. The subnet mask (for IPv4) or prefix (for IPv6) is optional.
-
reset resets all filters. You can use the no debug webvpn condition command to turn off a specific filter.
-
user name filters by username.
If you configure more than one condition, the conditions are conjoined (ANDed), so that debugs appear only if all conditions are met.
After setting up the condition filter, use the base debug webvpn command to turn on the debug. Setting the conditions alone does not enable the debug. Use the show debug and show webvpn debug-condition commands to view the current state of debugging.
The following shows an example of enabling a conditional debug on the user jdoe.
firepower# debug webvpn condition user jdoe
firepower# show webvpn debug-condition
INFO: Webvpn conditional debug is turned ON
INFO: User name filters:
INFO: jdoe
firepower# debug webvpn
INFO: debug webvpn enabled at level 1.
firepower# show debug
debug webvpn enabled at level 1
INFO: Webvpn conditional debug is turned ON
INFO: User name filters:
INFO: jdoe