How to capture spoke to spoke VPN traffic on ASA

Unanswered Question
Oct 20th, 2008
User Badges:

Hi, I am debugging intermittent hairpin VPN traffic between EZVPN clients, ASA 5520 is ezvpn server. I am trying to determine where the packet is dropped.

From one client continuous ping to the other client is issued, the ping packets should go to ASA's outside interface, decrypted and encrypted and again be sent out the same outside interface. When I do capture for the ping packets on ASA's outside interface, nothing is captured even when ping is successful.

ping capture from ezvpn client to ASA inside network is fine.

How should I do packet capture in this VPN hairpin scenario? Thanks a lot for your help.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Farrukh Haroon Mon, 10/20/2008 - 21:50
User Badges:
  • Red, 2250 points or more

What is the access-list you are using to capture on the outside interface?


Regards


Farrukh

jiangu Mon, 10/20/2008 - 22:31
User Badges:

EZVPN client is running at network extension mode, each user is using 172.16.0.0/28 address space, so the ACL I am using is something like this: access-list ping_acl extended permit icmp host 172.16.0.1 host 172.16.0.17

Farrukh Haroon Mon, 10/20/2008 - 22:56
User Badges:
  • Red, 2250 points or more

Try the following:


access-list ping_acl extended permit icmp host 172.16.0.1 host 172.16.0.17 log

access-list ping_acl extended permit icmp host 172.16.0.17 host 172.16.0.1 log


See if you get hits in the log (besides the capture).


Also make sure you clear the VPN sessions/connections before testing, an easy way would be


clear local-host all

clear crypto isakmp sa

clear crypto ipsec sa


Regards


Farrukh

jiangu Mon, 10/20/2008 - 23:31
User Badges:

Thank you for your help, unfortunately this is not a lab environment, I can not do any of those clear commands unless a maintenance window is scheduled.

Actions

This Discussion