slouw
Contributor

diagnose debug flow (or any debug command) and diagnose debug info

Greetings

When I enable the various debugs as shown and I run diagnose debug info command I am expecting to see all currently enabled debugs in the location shown but I do not. Is this how it should be?

Where or how can I obtain feedback to confirm what debugs are turned on at any given point?

Thanks

2023-11-06 17h06m11s0008.jpg

ezhupa
Staff

Hello slouw, 

It seems that you have not enabled the debug at all; its status is disabled.
debug output: disable
To enable the debug you have to run the below command:
diag debug enable

slouw

You make an interesting point which I need to digest. Thank you.
Please would you consider the following sequence annotated in the screenshot.
STEP1 Log on and run diagnose debug info (Ref 1 in diagram)

Q1 Is it accurate to say that there are at present no debugs turned on for this unit? (Ref 2)

STEP2 run diagnose debug application ike -1 (Ref 3)

Q2 Is (Ref 4) telling us that turning on ike debug level 1 has the effect of starting the debug timer?

STEP3 run diagnose debug info again (Ref 5)
The fact that ike debug Level 1 is turned on is shown now (Ref 6).

Q3 Is it accurate that this is the place to look to check what debugs are turned on at any point in time?

(Ref 7) shows us the status of the timer. Q4 is about the relationship between the state of any debug (on/enabled or off/disabled) and the state of the timer (Running or not). In the sequence above we set the ike debug to on/enabled state. This had the effect of starting the timer. Is this the case for any debug?

Q4 If any debug is enabled does this have the effect of starting the timer?

(Ref 8) The timer was set to 30min and most of this time has elapsed.
(Ref 9) This is the bottom fragment of diagnose debug info showing the timer is nearly done.
STEP4 run diagnose debug info (Ref 10)
(Ref 11) ike debug has turned off. This suggests that the answer to Q3 is yes. This is the place to check if any debugs are turned on.

Much appreciate any help! 

2023-11-07 06h29m07s0010 Sequence.jpg

hbac
Staff

Hi @slouw,

To see debug flow filters, you can run "di deb flow filter" command. 

flow.PNG

Regards, 

slouw
Contributor

In reply to:

Hello slouw,

It seems that you have not enabled the debug at all; its status is disabled.
debug output: disable
To enable the debug you have to run the below command:
diag debug enable

How about this below.

Debug output is now showing as enabled.

Still no output.

Note in a different screen I have diagnose sniffer packet wan 'host ww.xx.yy.172' running.

ww.xx.yy.172 is the hub underlay i.e. the far end of the IPsec tunnel.

What am I doing wrong in trying to get flow debug output?

thanks..... 

2023-11-07 09h09m14s0012 diag debug flow Take2.jpg

Toshi_Esumi
SuperUser

As you're showing, your filter set is filtering only protocol 6 (TCP) in. The protocol filter takes only one. So your last filter, 6/TCP, is there. IPsec never uses TCP.
Just clear the filter with "diag debug flow filter clear", then specify only the address to filter. If this is a spoke with only one IPsec, you don't even have to specify the address. I don't see any point in specifying a protocol just to debug IKE.

Toshi

slouw

OMG! It worked!

Thanks!!!!!

2023-11-07 13h17m14s0016 flow debugs worked.jpg

Toshi_Esumi
SuperUser

Sorry. For flow debug, you have to specify the address.
If IKE debug, you don't have to specify the address if there is only one IPSec.
I got confused myself.

Toshi
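Putting Toshi's two answers together, here is an added example of a flow-debug filter set for this case (not a command sequence posted by anyone in the thread); it assumes the hub underlay address ww.xx.yy.172 from slouw's post and the standard FortiOS diagnose syntax, and it puts the filter that cannot work beside the one that can.

```fortios
# What the screenshot showed: a single protocol filter, proto 6 (TCP).
# The proto filter holds one value, and IKE (UDP 500/4500) and ESP
# (IP protocol 50) never match TCP, so no flow output can appear.
diagnose debug flow filter proto 6

# Corrected sequence: drop every old filter and leave only the address.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr ww.xx.yy.172
# Optional: narrow to the tunnel's control or data plane instead of TCP.
# diagnose debug flow filter proto 17    (UDP, carries IKE / NAT-T)
# diagnose debug flow filter proto 50    (ESP, the tunnel payload)

# Confirm what is active before turning output on (per hbac's reply).
diagnose debug flow filter

# Turn the trace on: function names, timestamps, 100 packets, output enabled.
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable

# Later, check state the way the thread discusses, then clean up.
diagnose debug info
diagnose debug disable
diagnose debug reset
```

The flow trace only shows packets the kernel forwards; the IKE negotiation itself is still best watched with diagnose debug application ike -1 as in slouw's sequence.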
