Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Missing return/inbound packets. ESP packets only. Why?

We have been doing some testing with Cisco 3015 concentrators and VPN 3.5 - 3.7 client software (Linux and Windows) and have observed the following issue.

When using a Linux VPN Cisco client (3.5-3.7) and pinging or nmaping a remote computer the ping or nmap will complete but you never see any return packets except esp packets. When running tcpdump or ethereal and looking at the packets you see the outbound traffic to the distant computer but when the packet is returned all you will see is the esp packet There appears to be some type of disconnect with either the network capture drivers or the Cisco vpn client.

When using a Windows platform the return packets are seen with most versions.

We have also observed that adding certain patches from Microsoft will cause this to break.

The question I have is has anyone else see this behavior, have a fix, or can point me in the right direction to get this resolved?

Cisco Employee

Re: Missing return/inbound packets. ESP packets only. Why?

Not really sure what you're asking here. You're saying that the pings, etc over the tunnel are working OK, but trying to see these packets with ethereal or tcpdump, you see the original unencrypted packet going out, but you only see the encrypted packet coming back in?

Are you running tcpdump or ethereal on the same host that you're pinging from, the same host that has the VPN client on it? If so, I would say that all you're seeing is how ethereal, tcpdump, the VPN client and the IP stack on the machine itself fit in with each other. Tcpdump/ethereal are looking at the IP stack in that machine at a certain spot, and all you're seeing is that when packets are sent out, tcpdump/ethereal sees them BEFORE they get encrypted, and on the way in, tcpdump/ethereal sees them BEFORE they get decrypted.

With Windows versions, ethereal is looking at a different spot in the IP stack.

If you put a Sniffer on the same subnet as this box and capture the traffic, rather than on the box itself, you'll only see encrypted packets going out and coming back in.

Hope that helps. If I have the completely wrong understanding of what you're saying here, please elaborate further.

New Member

Re: Missing return/inbound packets. ESP packets only. Why?

To be a little more discriptive.

We are running ethereal / tcpdump on the same machine we are doing nmap and ping from and are on a switched network.

We are trying to see the return unencrypted packets. When using windows and using ethereal we can see both the esp packet and the unencrypted return packet for the remote machine we nmaped or pinged. When we use linux we are unable to see any return packets of anything but the nmap and ping work. The problem we have is that we need to see the return packets to verify they are from the actual remote machine and not a firewall or other device. If you know a way to be able to get this working on the Linux side this would be helpful and