How to capture spoke to spoke VPN traffic on ASA

Unanswered Question
Oct 20th, 2008

Hi, I am debugging intermittent hairpin VPN traffic between EZVPN clients, ASA 5520 is ezvpn server. I am trying to determine where the packet is dropped.

From one client continuous ping to the other client is issued, the ping packets should go to ASA's outside interface, decrypted and encrypted and again be sent out the same outside interface. When I do capture for the ping packets on ASA's outside interface, nothing is captured even when ping is successful.

ping capture from ezvpn client to ASA inside network is fine.

How should I do packet capture in this VPN hairpin scenario? Thanks a lot for your help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Farrukh Haroon Mon, 10/20/2008 - 21:50

What is the access-list you are using to capture on the outside interface?



jiangu Mon, 10/20/2008 - 22:31

EZVPN client is running at network extension mode, each user is using address space, so the ACL I am using is something like this: access-list ping_acl extended permit icmp host host

Farrukh Haroon Mon, 10/20/2008 - 22:56

Try the following:

access-list ping_acl extended permit icmp host host log

access-list ping_acl extended permit icmp host host log

See if you get hits in the log (besides the capture).

Also make sure you clear the VPN sessions/connections before testing, an easy way would be

clear local-host all

clear crypto isakmp sa

clear crypto ipsec sa



jiangu Mon, 10/20/2008 - 23:31

Thank you for your help, unfortunately this is not a lab environment, I can not do any of those clear commands unless a maintenance window is scheduled.


This Discussion