I have an IPsec tunnel to an Amazon VPC client.
The tunnel is up, and the VPC side can access my resources, but I cannot access the VPC side.
The client claims that the inbound security rules are set up to allow my subnet.
How can I troubleshoot whether my packets to his network leave the outside interface through the tunnel?
I see the packets increment via show crypto ipsec, but how can I be sure that they were sent to the client?
I also see in the packet capture on port 4500 that there is communication between the IPsec tunnel pair.
How can I be 100% sure that my ICMP packets left via the tunnel, and whether any of the responses I see over 4500 are for that ICMP?
Is there a way to check if the ASA is dropping those, in case the correct reply was sent via the tunnel?
PCVST-ASA# capture b type raw-data interface outside match udp 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 eq 4500
PCVST-ASA# ping inside 172.31.48.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.48.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PCVST-ASA# show cap b
20 packets captured
1: 23:37:04.081157 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
2: 23:37:06.076106 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
3: 23:37:07.914823 2.2.2.2.4500 > 1.1.1.1.4500: udp 1
4: 23:37:07.914884 2.2.2.2.4500 > 1.1.1.1.4500: udp 1
5: 23:37:08.076183 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
6: 23:37:09.917249 2.2.2.2.4500 > 1.1.1.1.4500: udp 96
7: 23:37:09.918485 1.1.1.1.4500 > 2.2.2.2.4500: udp 96
8: 23:37:10.076152 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
9: 23:37:12.076091 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
10: 23:37:15.934644 2.2.2.2.4500 > 1.1.1.1.4500: udp 400
11: 23:37:15.937741 1.1.1.1.4500 > 2.2.2.2.4500: udp 448
12: 23:37:16.499272 2.2.2.2.4500 > 1.1.1.1.4500: udp 100
13: 23:37:16.499974 1.1.1.1.4500 > 2.2.2.2.4500: udp 100
14: 23:37:16.510242 2.2.2.2.4500 > 1.1.1.1.4500: udp 100
15: 23:37:16.510319 2.2.2.2.4500 > 1.1.1.1.4500: udp 292
16: 23:37:16.510975 1.1.1.1.4500 > 2.2.2.2.4500: udp 100
17: 23:37:16.511799 1.1.1.1.4500 > 2.2.2.2.4500: udp 356
18: 23:37:16.521503 2.2.2.2.4500 > 1.1.1.1.4500: udp 100
19: 23:37:16.522281 1.1.1.1.4500 > 2.2.2.2.4500: udp 660
20: 23:37:16.532351 2.2.2.2.4500 > 1.1.1.1.4500: udp 100
20 packets shown
PCVST-ASA#
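The following is an added example, not part of the original post, that correlates the capture above with the ping run. The five echoes leave two seconds apart (the ping timeout), so the outbound UDP/4500 packets that carry them should show the same cadence and a constant size. The size check assumes a CBC cipher with a 16-byte IV and a 12-byte ICV (for example AES-CBC with HMAC-SHA1-96, an assumption here, not something the post states): under that transform a 100-byte inner IP packet becomes 8 (ESP header) + 16 (IV) + 112 (payload plus two trailer bytes, padded to 16) + 12 (ICV) = 148 bytes of UDP payload, which is exactly the outbound size in the capture. The addresses 1.1.1.1 and 2.2.2.2 and the sample lines are taken from the capture on the page; everything else (function names, the tolerance values) is made up for the example.

```python
"""Correlate an ASA 'show capture' of UDP/4500 NAT-T traffic with a ping run.

Example code written for this page, not ASA output or a vendor tool. The
capture text below is a constructed sample copied from the post; the ESP size
model assumes AES-CBC (16-byte IV, 16-byte block) with a 12-byte ICV.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: the 'show cap b' lines from the post (ASA 1.1.1.1, peer 2.2.2.2).
CAPTURE = """\
1: 23:37:04.081157 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
2: 23:37:06.076106 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
3: 23:37:07.914823 2.2.2.2.4500 > 1.1.1.1.4500: udp 1
4: 23:37:07.914884 2.2.2.2.4500 > 1.1.1.1.4500: udp 1
5: 23:37:08.076183 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
6: 23:37:09.917249 2.2.2.2.4500 > 1.1.1.1.4500: udp 96
7: 23:37:09.918485 1.1.1.1.4500 > 2.2.2.2.4500: udp 96
8: 23:37:10.076152 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
9: 23:37:12.076091 1.1.1.1.4500 > 2.2.2.2.4500: udp 148
10: 23:37:15.934644 2.2.2.2.4500 > 1.1.1.1.4500: udp 400
11: 23:37:15.937741 1.1.1.1.4500 > 2.2.2.2.4500: udp 448
12: 23:37:16.499272 2.2.2.2.4500 > 1.1.1.1.4500: udp 100
13: 23:37:16.499974 1.1.1.1.4500 > 2.2.2.2.4500: udp 100
14: 23:37:16.510242 2.2.2.2.4500 > 1.1.1.1.4500: udp 100
15: 23:37:16.510319 2.2.2.2.4500 > 1.1.1.1.4500: udp 292
16: 23:37:16.510975 1.1.1.1.4500 > 2.2.2.2.4500: udp 100
17: 23:37:16.511799 1.1.1.1.4500 > 2.2.2.2.4500: udp 356
18: 23:37:16.521503 2.2.2.2.4500 > 1.1.1.1.4500: udp 100
19: 23:37:16.522281 1.1.1.1.4500 > 2.2.2.2.4500: udp 660
20: 23:37:16.532351 2.2.2.2.4500 > 1.1.1.1.4500: udp 100
"""

LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)


@dataclass(frozen=True)
class Pkt:
    ts: datetime
    src: str
    dst: str
    udp_len: int  # UDP payload length as printed by the ASA


def parse_capture(text: str) -> List[Pkt]:
    """Parse 'show capture' summary lines; prompt and count lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append(Pkt(datetime.strptime(m["ts"], "%H:%M:%S.%f"),
                            m["src"], m["dst"], int(m["len"])))
    return pkts


def esp_udp_len(inner_len: int, iv_len: int = 16, block: int = 16, icv_len: int = 12) -> int:
    """UDP payload size of a NAT-T ESP packet carrying an inner_len-byte IP packet.

    Assumed transform: CBC cipher (IV + block padding) and a 12-byte ICV; the
    two trailer bytes (pad length, next header) are padded together with the data.
    """
    padded = -(-(inner_len + 2) // block) * block
    return 8 + iv_len + padded + icv_len


def nat_t_keepalives(pkts: List[Pkt]) -> List[Pkt]:
    """RFC 3948 NAT-keepalives are a single 0xFF byte, so 'udp 1' is a keepalive."""
    return [p for p in pkts if p.udp_len == 1]


def find_echo_train(pkts: List[Pkt], local: str, peer: str, count: int = 5,
                    interval: float = 2.0, inner_len: int = 100, tol: float = 0.25) -> Optional[List[Pkt]]:
    """Find `count` outbound packets of the expected ESP size spaced `interval` s apart."""
    want = esp_udp_len(inner_len)
    out = [p for p in pkts if p.src == local and p.dst == peer and p.udp_len == want]
    for first in out:
        train = [first]
        for i in range(1, count):
            due = first.ts + timedelta(seconds=i * interval)
            hit = [p for p in out if abs((p.ts - due).total_seconds()) <= tol]
            if not hit:
                break
            train.append(hit[0])
        if len(train) == count:
            return train
    return None


def replies_for(pkts: List[Pkt], train: List[Pkt], local: str, peer: str,
                inner_len: int = 100, window: float = 2.0) -> List[Optional[Pkt]]:
    """For each echo, the first inbound packet of matching ESP size within the timeout, if any."""
    want = esp_udp_len(inner_len)
    found = []
    for echo in train:
        hit = [p for p in pkts if p.src == peer and p.dst == local and p.udp_len == want
               and 0 <= (p.ts - echo.ts).total_seconds() <= window]
        found.append(hit[0] if hit else None)
    return found


if __name__ == "__main__":
    pk = parse_capture(CAPTURE)
    echoes = find_echo_train(pk, "1.1.1.1", "2.2.2.2")
    print("keepalives:", len(nat_t_keepalives(pk)))
    print("echo train:", [p.ts.strftime("%H:%M:%S") for p in echoes] if echoes else None)
    print("replies:   ", replies_for(pk, echoes, "1.1.1.1", "2.2.2.2") if echoes else None)
```

On this capture the script finds the five 148-byte outbound packets at 23:37:04, :06, :08, :10 and :12, lining up with the five echoes, and no inbound packet of that size within the two-second window after any of them; the two 1-byte inbound packets are NAT-T keepalives, not replies. The size-and-cadence match is a heuristic: IKE and ESP share UDP 4500, and only a hex dump of the payload settles it (four zero bytes at the start mark IKE, anything else is an ESP SPI), so confirm with a capture that shows the payload before concluding that a given packet was the echo.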