asa 5510 debug ipsec with packet-tracer or capture, what is the path

Unanswered Question
May 21st, 2009

Hello

I have tunnel s2s via ipsec. On my asa i have inside and outside interface. My LAN are 192.168.10.x, Remote LAN 192.168.20.x I try to debug problems with connection which comes, initialized from remote site to my ASA. When ipsec packet arrives to my ASA, first interface is outside and next is inside ? Can i see packets from 192.168.20.x ? Which interface is first i should see packet from 192.168.20.x in packet-tracer or in capture. From inside to outside all is clear

thx for explanation packet path :)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
tstanik Wed, 05/27/2009 - 06:24

The packet-tracer command lets you do the following:

•Debug all packet drops in production network.

•Verify the configuration is working as intended.

•Show all rules applicable to a packet along with the CLI lines which caused the rule addition.

•Show a time line of packet changes in a data path.

•Inject tracer packets into the data path.

The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example if a packet was dropped because of an invalid header validation, a message is displayed that says, "packet dropped due to bad ip header (reason)."

Actions

This Discussion