
How to capture IPSec traffic on ASA with capture type isakmp?

marcus.korte
Level 1

Hello,

I tried to capture IPSec data on the ASA with the command "capture cap type isakmp" without success yet.

It is a Cisco ASA 5520 with 8.0(4)32

I would like to see the decapsulated packets somehow.

Has anybody done a capture successfully with type isakmp?

Are there any specialities to consider?

Thanks!


Marcus.

4 Replies

Jennifer Halim
Cisco Employee

Capture type isakmp only captures the negotiation for phase 1. Anything specific you are looking for? Debug should tell you most things in regards to the isakmp negotiation.

I would like to capture (cleartext) packets from inside the ASA just after they dropped out of the VPN tunnel.

Can they be captured from the dataplane or somewhere else?

The point is that I need to prove that the ASA does not drop some packets silently without any logging.

The output of the command:  sh cry ips sa

will show the status of the packets being sent through the tunnel.

You can see if the packets are being encapsulated/decapsulated, encrypted/decrypted or if there are errors.

Federico.

To check if ASA might be dropping any packets, you can perform packet capture on asp-drop:

capture <capture_name> type asp-drop

It will capture whatever packets are being dropped by the ASA.

If you would like to capture traffic from the VPN and make sure that it is being routed towards the internal networks, you can perform packet capture on the internal interfaces and make sure that the packet leaves the ASA.

Hope that helps.
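An added example, not part of the original thread: one way to combine the checks suggested above is to take the counter lines from "sh cry ips sa" before and after a test, and compare the increase in decapsulated packets with the number of packets seen in a capture on the inside interface. The sample counter lines are constructed, the function names are hypothetical, and it assumes the inside capture matches the same traffic the SA carries.

```python
import re

# Matches counter fields such as "#pkts decaps: 250" or "#recv errors: 3".
COUNTER_RE = re.compile(r"#([A-Za-z -]+?):\s*(\d+)")

# Constructed sample counter lines for one SA (not taken from the thread).
SAMPLE_BEFORE = """
      #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
      #pkts decaps: 200, #pkts decrypt: 200, #pkts verify: 200
      #send errors: 0, #recv errors: 0
"""
SAMPLE_AFTER = """
      #pkts encaps: 110, #pkts encrypt: 110, #pkts digest: 110
      #pkts decaps: 250, #pkts decrypt: 250, #pkts verify: 250
      #send errors: 0, #recv errors: 3
"""

def parse_counters(text):
    """Return {counter name: value} for the counter lines of one SA."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}

def counter_deltas(before, after):
    """Increase of every counter between two snapshots of the same SA."""
    old, new = parse_counters(before), parse_counters(after)
    return {name: value - old.get(name, 0) for name, value in new.items()}

def assess(before, after, seen_on_inside):
    """Compare tunnel counters with the packet count from the inside capture."""
    d = counter_deltas(before, after)
    findings = []
    recv, send = d.get("recv errors", 0), d.get("send errors", 0)
    if recv or send:
        findings.append("error counters increased: recv=%d send=%d" % (recv, send))
    if d.get("pkts decaps", 0) != d.get("pkts decrypt", 0):
        findings.append("decaps and decrypt increases differ")
    missing = d.get("pkts decaps", 0) - seen_on_inside
    if missing > 0:
        # Decapsulated but never seen leaving: look in the asp-drop capture.
        findings.append("%d decapsulated packets not seen on the inside "
                        "capture; check the asp-drop capture" % missing)
    return d, findings

if __name__ == "__main__":
    deltas, findings = assess(SAMPLE_BEFORE, SAMPLE_AFTER, seen_on_inside=47)
    print(deltas)
    for finding in findings:
        print("CHECK:", finding)
```
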
