How to capture IPSec traffic on ASA with capture type isakmp?

Jennifer Halim (Cisco Employee) Tue, 04/20/2010 - 03:33

Capture type isakmp only captures the negotiation for phase 1. Anything specific you are looking for? Debug should tell you most things in regards to the isakmp negotiation.

Federico Coto F... Tue, 04/20/2010 - 07:46

The output of the command: sh cry ips sa

will show the status of the packets being sent through the tunnel.

You can see if the packets are being encapsulated/decapsulated, encrypted/decrypted or if there are errors.
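
Reading those counters can be scripted. The following is an added example, not part of the original replies: a Python parser for "show crypto ipsec sa" output (the full form of sh cry ips sa) that classifies each SA from its encaps/decaps and error counters. The sample output is constructed and abridged, IPv4 only, and the category names are this example's own.

```python
import re

# Constructed, abridged sample of ASA "show crypto ipsec sa" output (not from the thread).
SAMPLE = """\
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 203.0.113.9
      #pkts encaps: 45, #pkts encrypt: 45, #pkts digest: 45
      #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
      #send errors: 0, #recv errors: 3
"""

FIELD = re.compile(r"(local ident|remote ident|current_peer)[^:]*: \(?([\d./]+)")
COUNTER = re.compile(r"#([a-z ]+): (\d+)")

def parse_sas(text):
    """Return one dict per SA; a 'local ident' line starts a new SA."""
    sas = []
    for line in text.splitlines():
        m = FIELD.search(line)
        if m and m.group(1) == "local ident":
            sas.append({})
        if not sas:
            continue  # header lines before the first SA
        if m:
            sas[-1][m.group(1)] = m.group(2)
        for name, value in COUNTER.findall(line):
            sas[-1][name] = int(value)
    return sas

def diagnose(sa):
    """Classify one SA from its encaps/decaps/error counters."""
    enc, dec = sa.get("pkts encaps", 0), sa.get("pkts decaps", 0)
    if sa.get("send errors", 0) or sa.get("recv errors", 0):
        return "errors"
    if enc and not dec:
        return "encaps-only"  # packets enter the tunnel, none come back
    if dec and not enc:
        return "decaps-only"  # packets arrive, replies are not encrypted
    return "bidirectional" if enc else "idle"

def report(text):
    return [(sa.get("current_peer"), sa.get("remote ident"), diagnose(sa)) for sa in parse_sas(text)]
```

Calling report(SAMPLE) returns one (peer, remote selector, state) tuple per SA; running it on two snapshots taken a few seconds apart shows whether the counters are still moving.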


Jennifer Halim (Cisco Employee) Wed, 04/21/2010 - 03:40

To check if ASA might be dropping any packets, you can perform packet capture on asp-drop:

capture type asp-drop

It will capture whatever packets are being dropped by the ASA.

If you would like to capture traffic from the VPN and make sure that it is being routed towards the internal networks, you can perform packet capture on the internal interfaces and make sure that the packet leaves the ASA.

Hope that helps.

