Cisco Bug With The “show crypto debug-condition” Command

June 25, 2014

Last year I discovered a bug in the “show crypto debug-condition” command. This bug doesn’t impact the operation of the router and is purely cosmetic. By cosmetic, I mean the output from the show command isn’t correct although the setting in the router is.

Here is what I’m talking about (compare the profile name I set in line #1 “abcdefgh” to the output you see in line #11):


Router#debug crypto condition isakmp profile abcdefgh
Router#
Router#show crypto debug-condition
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag: OFF
GDOI group debug context unmatched flag: OFF
IPsec debug context unmatched flag: OFF
Crypto Engine debug context unmatched flag: OFF

Isakmp Profile filters:
abcdefgh^U#G^K

Router#

When you set a debug condition on a profile whose name is exactly 8 characters in length (in this example, “abcdefgh”) and then display the debug condition you just set, you’ll see several additional characters tacked on to the end of that ISAKMP profile name.

I’ve tested this with 7 (or fewer) characters:


Router#debug crypto condition isakmp profile abcdefg
Router#
Router#show crypto debug-condition
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag: OFF
GDOI group debug context unmatched flag: OFF
IPsec debug context unmatched flag: OFF
Crypto Engine debug context unmatched flag: OFF

Isakmp Profile filters:
abcdefg

Router#

And I’ve tested this with 9 (or more) characters:


Router#debug crypto condition isakmp profile abcdefghi
Router#
Router#show crypto debug-condition
Crypto conditional debug currently is turned ON
IKE debug context unmatched flag: OFF
GDOI group debug context unmatched flag: OFF
IPsec debug context unmatched flag: OFF
Crypto Engine debug context unmatched flag: OFF

Isakmp Profile filters:
abcdefghi

Router#

…but the display output in all those scenarios is just fine EXCEPT when your ISAKMP profile name is exactly 8 characters in length (which, of course, many of ours are). 🙁
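A way to check other IOS releases for the same display problem, as an added example that is not part of the original post and not Cisco code: the Python below parses captured "show crypto debug-condition" output and reports any characters shown after the configured profile name. The function names, the sample() helper and the raw-control-byte capture are assumptions made for illustration; the section layout is taken from the transcripts above.

```python
# Added example (not from the original post). Assumes filter names are listed
# one per line under the header, up to the next blank line, as in the transcripts.
HEADER = "Isakmp Profile filters:"

def displayed_filters(show_output):
    """Return the names printed under the ISAKMP profile filter header."""
    names, in_section = [], False
    # split("\n") and an explicit strip set are deliberate: str.splitlines() and
    # str.strip() treat control bytes such as 0x0b as separators or whitespace
    # and would throw away exactly the characters this check has to report.
    for line in show_output.split("\n"):
        text = line.strip(" \t\r")
        if in_section:
            if not text:
                break
            names.append(text)
        elif text == HEADER:
            in_section = True
    return names

def caret(s):
    """Render control characters in caret notation (0x15 becomes ^U)."""
    return "".join("^" + chr(ord(c) ^ 0x40) if ord(c) < 0x20 or ord(c) == 0x7F else c
                   for c in s)

def trailing_junk(configured, show_output):
    """'' if the name is shown exactly, the extra characters if it is shown with
    a suffix, None if it is not listed at all."""
    shown = displayed_filters(show_output)
    if configured in shown:
        return ""
    for name in shown:
        if name.startswith(configured):
            return caret(name[len(configured):])
    return None

def sample(shown_name):
    """Constructed capture, shortened from the transcript in the post."""
    return ("Crypto conditional debug currently is turned ON\n"
            "IKE debug context unmatched flag: OFF\n\n"
            f"{HEADER}\n{shown_name}\n\nRouter#\n")

if __name__ == "__main__":
    cases = [("abcdefg", "abcdefg"), ("abcdefgh", "abcdefgh^U#G^K"),
             ("abcdefgh", "abcdefgh\x15#G\x0b"),  # assumed raw-byte capture
             ("abcdefghi", "abcdefghi")]
    for configured, shown in cases:
        print(len(configured), configured, repr(trailing_junk(configured, sample(shown))))
```
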

Just in case anyone from Cisco sees this post (I’ve seen folks from Cisco browse my blog before), I haven’t found any documentation of this bug as reported to Cisco or anywhere else on the web. These results were taken on this version of IOS:


Router#show version
Cisco IOS Software, 7200 Software (C7200P-ADVIPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 23-Mar-10 13:16 by prod_rel_team

ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
BOOTLDR: Cisco IOS Software, 7200 Software (C7200P-KBOOT-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)

Aaron Melton
