Asa - troubleshooting IPSEC traffic

blwegrzyn
Level 1

I have an IPsec tunnel to an Amazon VPC client.

The tunnel is up and the VPC side can get access to my resources but I cannot get access to VPC side.

The client claims that inbound security rules are setup to allow my subnet.

How can I troubleshoot whether my packets to his network leave the outside interface through the tunnel?

I see the packet increment via show crypto ipsec but how can I be sure that they were sent to the client?

I also see in the packet capture over port 4500 that there is communication between IPsec tunnel pair.

How can I be 100% sure that my ICMP packet left via the tunnel and that any of the responses I see over 4500 are not for that ICMP?

Is there a way to check if the ASA is dropping those in case a correct reply was sent via the tunnel?

PCVST-ASA# capture b type raw-data interface outside match udp 1.1.1.1 255.255.255.255 2.2.2.2 255.255.255.255 eq 4500
PCVST-ASA# ping inside 172.31.48.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.48.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PCVST-ASA# show cap b

20 packets captured

   1: 23:37:04.081157       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
   2: 23:37:06.076106       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
   3: 23:37:07.914823       2.2.2.2.4500 > 1.1.1.1.4500:  udp 1
   4: 23:37:07.914884       2.2.2.2.4500 > 1.1.1.1.4500:  udp 1
   5: 23:37:08.076183       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
   6: 23:37:09.917249       2.2.2.2.4500 > 1.1.1.1.4500:  udp 96
   7: 23:37:09.918485       1.1.1.1.4500 > 2.2.2.2.4500:  udp 96
   8: 23:37:10.076152       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
   9: 23:37:12.076091       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
  10: 23:37:15.934644       2.2.2.2.4500 > 1.1.1.1.4500:  udp 400
  11: 23:37:15.937741       1.1.1.1.4500 > 2.2.2.2.4500:  udp 448
  12: 23:37:16.499272       2.2.2.2.4500 > 1.1.1.1.4500:  udp 100
  13: 23:37:16.499974       1.1.1.1.4500 > 2.2.2.2.4500:  udp 100
  14: 23:37:16.510242       2.2.2.2.4500 > 1.1.1.1.4500:  udp 100
  15: 23:37:16.510319       2.2.2.2.4500 > 1.1.1.1.4500:  udp 292
  16: 23:37:16.510975       1.1.1.1.4500 > 2.2.2.2.4500:  udp 100
  17: 23:37:16.511799       1.1.1.1.4500 > 2.2.2.2.4500:  udp 356
  18: 23:37:16.521503       2.2.2.2.4500 > 1.1.1.1.4500:  udp 100
  19: 23:37:16.522281       1.1.1.1.4500 > 2.2.2.2.4500:  udp 660
  20: 23:37:16.532351       2.2.2.2.4500 > 1.1.1.1.4500:  udp 100
20 packets shown
PCVST-ASA#
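The capture above can be read more systematically than by eye. The following script is an added example (not from the poster, and not Cisco tooling): it parses the `show cap` lines quoted in the post, splits them by direction, flags the 1-byte UDP/4500 packets (the NAT-T keepalive format defined in RFC 3948 is a single 0xFF octet), and looks for an outbound run of equal-sized encrypted packets spaced at the ping's 2-second interval, which is the signature you would expect the five ICMP echos to leave once ESP-encapsulated. It assumes 1.1.1.1 is the ASA outside address and 2.2.2.2 the VPC peer. Matching on size and timing is a heuristic only (the payload is encrypted), so the authoritative checks remain the per-SA encap/decap counters in `show crypto ipsec sa` and a `packet-tracer` run for the same flow.

```python
import re
from datetime import datetime

# Constructed sample input: the `show cap b` lines quoted in the post above.
CAPTURE = """\
   1: 23:37:04.081157       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
   2: 23:37:06.076106       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
   3: 23:37:07.914823       2.2.2.2.4500 > 1.1.1.1.4500:  udp 1
   4: 23:37:07.914884       2.2.2.2.4500 > 1.1.1.1.4500:  udp 1
   5: 23:37:08.076183       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
   6: 23:37:09.917249       2.2.2.2.4500 > 1.1.1.1.4500:  udp 96
   7: 23:37:09.918485       1.1.1.1.4500 > 2.2.2.2.4500:  udp 96
   8: 23:37:10.076152       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
   9: 23:37:12.076091       1.1.1.1.4500 > 2.2.2.2.4500:  udp 148
  10: 23:37:15.934644       2.2.2.2.4500 > 1.1.1.1.4500:  udp 400
  11: 23:37:15.937741       1.1.1.1.4500 > 2.2.2.2.4500:  udp 448
  12: 23:37:16.499272       2.2.2.2.4500 > 1.1.1.1.4500:  udp 100
  13: 23:37:16.499974       1.1.1.1.4500 > 2.2.2.2.4500:  udp 100
  14: 23:37:16.510242       2.2.2.2.4500 > 1.1.1.1.4500:  udp 100
  15: 23:37:16.510319       2.2.2.2.4500 > 1.1.1.1.4500:  udp 292
  16: 23:37:16.510975       1.1.1.1.4500 > 2.2.2.2.4500:  udp 100
  17: 23:37:16.511799       1.1.1.1.4500 > 2.2.2.2.4500:  udp 356
  18: 23:37:16.521503       2.2.2.2.4500 > 1.1.1.1.4500:  udp 100
  19: 23:37:16.522281       1.1.1.1.4500 > 2.2.2.2.4500:  udp 660
  20: 23:37:16.532351       2.2.2.2.4500 > 1.1.1.1.4500:  udp 100
"""

# Assumption: 1.1.1.1 is the ASA outside interface, 2.2.2.2 the VPC peer.
LOCAL_IP = "1.1.1.1"

# One `show capture` line: "<no>: <hh:mm:ss.usec> <ip>.<port> > <ip>.<port>: udp <len>"
LINE_RE = re.compile(
    r"^\s*(?P<no>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)


def parse_capture(text):
    """Return one dict per packet line; summary lines ('20 packets captured') are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        pkts.append({"no": int(m["no"]), "t": secs, "src": m["src"], "dst": m["dst"],
                     "length": int(m["length"])})
    return pkts


def classify(pkt, local_ip):
    """Direction relative to the ASA, and keepalive vs. real ESP/IKE traffic."""
    direction = "out" if pkt["src"] == local_ip else "in"
    # RFC 3948 section 4: a NAT-T keepalive is a one-octet UDP payload (0xFF).
    kind = "nat-keepalive" if pkt["length"] == 1 else "esp-or-ike"
    return direction, kind


def find_probe_chain(pkts, local_ip, interval=2.0, tol=0.25):
    """Longest run of outbound, equal-sized, non-keepalive packets spaced ~interval apart.

    This is the pattern an ICMP ping (fixed size, fixed period) leaves once encrypted.
    """
    by_len = {}
    for p in pkts:
        d, k = classify(p, local_ip)
        if d == "out" and k != "nat-keepalive":
            by_len.setdefault(p["length"], []).append(p)
    best = []
    for group in by_len.values():
        chain = [group[0]]
        for p in group[1:]:
            if abs((p["t"] - chain[-1]["t"]) - interval) <= tol:
                chain.append(p)
        if len(chain) > len(best):
            best = chain
    return [p["no"] for p in best] if len(best) >= 2 else []


def inbound_of_length(pkts, local_ip, length):
    """Inbound packets of a given encrypted size (an echo reply would match the echo's size)."""
    return [p["no"] for p in pkts if classify(p, local_ip)[0] == "in" and p["length"] == length]


def summarize(text, local_ip=LOCAL_IP):
    pkts = parse_capture(text)
    chain = find_probe_chain(pkts, local_ip)
    probe_len = next(p["length"] for p in pkts if p["no"] == chain[0]) if chain else None
    return {
        "total": len(pkts),
        "out": sum(1 for p in pkts if classify(p, local_ip)[0] == "out"),
        "in": sum(1 for p in pkts if classify(p, local_ip)[0] == "in"),
        "keepalives": [p["no"] for p in pkts if classify(p, local_ip)[1] == "nat-keepalive"],
        "probe_chain": chain,
        "inbound_same_size": inbound_of_length(pkts, local_ip, probe_len) if probe_len else [],
    }


if __name__ == "__main__":
    for k, v in summarize(CAPTURE).items():
        print(f"{k}: {v}")
```

On the posted capture this reports five outbound 148-byte packets (1, 2, 5, 8, 9) at 2-second spacing, matching the five echos the ASA sent, and no inbound packet of that size, which is consistent with the 0/5 result: the encrypted probes left the outside interface, but nothing that looks like an encrypted reply came back. That points the next step at the far side (or at a mismatch in the crypto ACLs) rather than at the local inside-to-outside path.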

1 Reply

marc.abel
Level 1

I would run packet-tracer on the ASA. It will tell you if the packet is encrypted. It can still be dropped post-encryption if your interesting-traffic ACLs don't mirror.

https://www.petenetlive.com/KB/Article/0001198
