ASA 5510 debug IPsec with packet-tracer or capture, what is the path

May 21st, 2009

I have an s2s tunnel via IPsec. On my ASA I have inside and outside interfaces. My LAN is 192.168.10.x, the remote LAN is 192.168.20.x. I am trying to debug problems with a connection that is initiated from the remote site to my ASA. When an IPsec packet arrives at my ASA, is the first interface outside and the next one inside? Can I see packets from 192.168.20.x? On which interface should I first see a packet from 192.168.20.x in packet-tracer or in capture? From inside to outside all is clear.

Thanks for an explanation of the packet path :)

tstanik Wed, 05/27/2009 - 06:24

The packet-tracer command lets you do the following:

  • Debug all packet drops in production network.
  • Verify the configuration is working as intended.
  • Show all rules applicable to a packet along with the CLI lines which caused the rule addition.
  • Show a time line of packet changes in a data path.
  • Inject tracer packets into the data path.

The packet-tracer command provides detailed information about the packets and how they are processed by the security appliance. In the instance that a command from the configuration did not cause the packet to drop, the packet-tracer command will provide information about the cause in an easily readable manner. For example, if a packet was dropped because of an invalid header validation, a message is displayed that says, "packet dropped due to bad ip header (reason)."