
Capturing packets in a tunnel on ASAs

smith-bill
Level 1

Can one set up a packet capture on an ASA for packets entering an IPSec tunnel? If so, please provide a configuration example.

2 Replies

Marcin Latosiewicz
Cisco Employee

In principle, the ASA does not use virtual interfaces for IPsec, so we need to rely on packet capture on physical/logical interfaces. This means we only have a scope of the encapsulated packet.

To overcome this we're using packet capture with the "trace detail" option, which will show packet-tracer-like output for INBOUND packets only.

capture TEST interface outside access-list TEST trace detail

later:

show capture TEST trace det 

If you export that capture you will receive a normal PCAP dump, but if you view it with the CLI you will see additional info.

This capture + ASP drop capture is typically enough to get you started on troubleshooting traffic-through-VPN problems.

Marcin

Thanks for the reply, but this I knew. I was really looking to see that the packets entering the tunnel were NATed correctly. I've been able to get a good enough view of that with ASDM. However, that does not replace being able to do packet captures on both your ingress and egress interfaces simultaneously. I guess it is what it is.
