02-07-2021 03:21 AM
Hello, how can I capture VPN traffic which is encrypted and passing through my firewall? Here is the architecture: (10.10.2.1) PC1-----------VPN1--ASA--VPN2------------PC2 (10.10.3.1). I want to look at the TCP protocols which are sent by PC1 to PC2, which are both initiating a tunnel to my ASA on the same outside interface (the traffic is not going across the inside interface). I tried: capture VPNtrafic interface outside match ip host 10.10.2.1 host 10.10.3.1 but I still have [Capturing - 0 bytes] on the capture shown.
02-07-2021 03:35 AM
The traffic from PC1 will be encrypted by device VPN1 and only be decrypted as it transits device VPN2. If you were able to see this traffic in plaintext on the ASA it wouldn't be very private at all - and it is designed to be a Virtual PRIVATE Network.
What you see on the ASA would just be the ESP (Encapsulating Security Payload) traffic between the outside addresses of VPN1 and VPN2.
https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload
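To illustrate this answer's point about what a device in the ESP path actually sees, here is an added Python example (not code from the original thread or from Cisco). It constructs a sample inner TCP packet between the two PCs and wraps it in an ESP packet between two assumed tunnel-endpoint addresses (198.51.100.10 and 203.0.113.20 are constructed placeholders), then parses the outer packet the way a capture on the outside interface would: only the outer IP header, the protocol number 50 and the SPI/sequence fields are readable, so a filter on the inner host pair never matches.

```python
import struct
import ipaddress

IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Addresses from the thread, plus two constructed tunnel-endpoint addresses (assumptions).
PC1, PC2 = "10.10.2.1", "10.10.3.1"
VPN1_OUTSIDE, VPN2_OUTSIDE = "198.51.100.10", "203.0.113.20"


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header without options; checksum left zero (constructed sample)."""
    ver_ihl = (4 << 4) | 5
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s", ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header + payload


def inner_tcp_packet():
    """The plaintext PC1 -> PC2 TCP SYN (port 443) that VPN1 will encrypt."""
    tcp = struct.pack("!HHIIBBHHH", 51000, 443, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return build_ipv4(PC1, PC2, IPPROTO_TCP, tcp)


def esp_wrap(inner, spi=0x1A2B3C4D, seq=1):
    """Tunnel-mode ESP as seen on the wire: outer IP + SPI + seq + opaque payload.
    The XOR below is only a stand-in for real ciphertext, not an encryption scheme."""
    ciphertext = bytes(b ^ 0x5A for b in inner)
    esp = struct.pack("!II", spi, seq) + ciphertext
    return build_ipv4(VPN1_OUTSIDE, VPN2_OUTSIDE, IPPROTO_ESP, esp)


def parse_packet(packet):
    """Parse what a capture can read without the SA keys: outer header and ESP fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    payload = packet[ihl:total_len]
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)), "proto": proto}
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(kind="tcp", sport=sport, dport=dport)
    elif proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", payload[:8])
        # Inner addresses and ports are inside the encrypted payload: not recoverable here.
        info.update(kind="esp", spi=spi, seq=seq, inner_visible=False)
    else:
        info.update(kind="other")
    return info


def matches_host_pair(info, a, b):
    """Equivalent of a capture filter 'match ip host a host b' (either direction)."""
    return {info["src"], info["dst"]} == {a, b}


if __name__ == "__main__":
    outer = parse_packet(esp_wrap(inner_tcp_packet()))
    print(outer)
    print("matches PC1<->PC2 filter:", matches_host_pair(outer, PC1, PC2))
    print("matches VPN1<->VPN2 filter:", matches_host_pair(outer, VPN1_OUTSIDE, VPN2_OUTSIDE))
```

Run as-is: the ESP packet matches a filter on the tunnel endpoints' addresses but not on the 10.10.2.1/10.10.3.1 pair, which is why the capture in the question stays at 0 bytes when the traffic is encrypted before it reaches the capture point.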
02-07-2021 03:39 AM
You can troubleshoot at each level.
1. Is the ASA able to see the traffic outside (yes or no; debug VPN traffic to see if this is hitting outside)?
2. You can check the inside interface with the same debug.
3. You can also run Wireshark at the endpoint to see if this traffic is really reaching the endpoint.
Since you have a simple setup, you can capture at 3 points and see where it got lost.
show crypto ipsec sa - the output on both sides shows you whether the traffic is encrypted and decrypted. If this is always zero, that means your tunnel is not up, so you need to check the tunnel config on both sides and run debug for Phase 1 and Phase 2.
Here are common troubleshooting tips for debugging VPN.
===== Preenayamo Vasudevam =====
***** Rate All Helpful Responses *****
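As an added example (not from the thread or from Cisco) of the "is it always zero" check in this answer, the script below parses the encaps/decaps counters from two samples of show crypto ipsec sa output taken a few seconds apart and classifies the result. The two samples are constructed in the style of that command's counter lines and are not from a real device; the classification labels are the author's own.

```python
import re

# Constructed samples in the style of `show crypto ipsec sa` counter lines (not real device output).
SAMPLE_T0 = """
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
SAMPLE_T1 = """
    #pkts encaps: 57, #pkts encrypt: 57, #pkts digest: 57
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_counters(text):
    """Sum encaps/decaps over every SA in the output (several SAs may be listed)."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in COUNTER_RE.findall(text):
        totals[name] += int(value)
    return totals


def assess(before, after):
    """Compare two snapshots; returns a short verdict string for the 3-point check."""
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    if after["encaps"] == 0 and after["decaps"] == 0:
        # Counters never move: tunnel most likely not up; check Phase 1 / Phase 2 on both sides.
        return "no-sa-traffic"
    if d_enc > 0 and d_dec == 0:
        # We encrypt toward the peer but nothing comes back: look at the far side / return path.
        return "one-way-tx"
    if d_dec > 0 and d_enc == 0:
        # Peer's traffic is decrypted here but we never send: look at the local side / routing.
        return "one-way-rx"
    if d_enc > 0 and d_dec > 0:
        return "bidirectional"
    # Non-zero but not moving during the interval: no traffic was generated while sampling.
    return "idle"


def check(sample_before, sample_after):
    return assess(parse_counters(sample_before), parse_counters(sample_after))


if __name__ == "__main__":
    print(parse_counters(SAMPLE_T1))
    print(check(SAMPLE_T0, SAMPLE_T1))
```

Feed it two real snapshots (paste the command output into the two strings) while generating test traffic between the endpoints; a verdict of no-sa-traffic is the case the answer describes, and the one-way verdicts tell you which of the three capture points to look at first.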