Is there a way to see if you're encrypting specific packets?

red2play
Level 1

This is a site-to-site IPSEC tunnel. Everything looks good, including the packet capture, but the packets aren't seen on the far end on their packet capture (the other company on the other side of the tunnel). Both sides are using Cisco FTDs. How can I tell if the packets are actually being encrypted and sent to the other company?

One of the commands that I sorely miss from the Cisco IOS-XE version is "show crypto session detail".  It's such a USEFUL command.

show crypto session detail

Interface: xxxxx
Profile: profile
Uptime: 10:30:39
Session status: UP-ACTIVE
Peer: 66.66.66.66 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 66.66.66.66
Desc: (none)
Session ID: 3
IKEv2 SA: local 55.55.55.55/500 remote 66.66.66.66/500 Active
Capabilities:U connid:6 lifetime:13:29:21
IPSEC FLOW: permit ip host 10.x.x.104 host 10.x.x.105
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 584769 drop 0 life (KB/Sec) 4607994/3060
Outbound: #pkts enc'ed 584789 drop 0 life (KB/Sec) 4607996/3060


Added command to show that traffic is taking place and the packet capture. We don't know if the packets are originating from my side or his side, and we have PRTG constantly sending packets and his side sending packets (monitoring software) as well. I need to determine if specific packets are being sent and encrypted, and it looks like Cisco can't run a packet trace showing that the packets were encrypted and sent.

> show crypto ipsec sa
interface: ATT2-111111111
Crypto map tag: CSM_ATT2-111111111_map, seq num: 1, local addr: 55.55.55.55

access-list CSM_IPSEC_ACL_1 extended permit ip 10.x.x.x 255.255.0.0 10.x.x.x 255.255.255.0
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (10.x.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.x.x.0/255.255.255.0/0/0)
current_peer: 66.66.66.66


#pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
#pkts decaps: 59, #pkts decrypt: 59, #pkts verify: 59

#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 81, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Elapsed time: 17486 ns
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 17486 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 33267 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 10.x.x.14 using egress ifc ATT2-ckt111111(vrfid:0)

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 4265 ns
Config:
nat (any,ATT2-ckt111111) source static bldg2-10.x.x.x bldg2-10.x.x.x destination static Company1 Company1 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface ATT2-ckt111111(vrfid:0)
Untranslate 10.x.x.14/0 to 10.x.x.14/0

Phase: 5
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 8
Destination Object Group Match Count: 3
Object Group Search: 0

Phase: 6
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 341 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip object-group FMC_INLINE_src_rule_268480611 object-group FMC_INLINE_dst_rule_268480611 rule-id 268480611 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268480611: PREFILTER POLICY: Firewall1
access-list CSM_FW_ACL_ remark rule-id 268480611: RULE: Company1-company2
object-group network FMC_INLINE_src_rule_268480611(hitcnt=6579, id=4026531860)
description: Auto Generated by FMC from src of PrefilterRule# 1 (Firewall1/mandatory)
group-object Company1(hitcnt=4770)
network-object object bldg2-10.x.x.x(hitcnt=1809)
object-group network FMC_INLINE_dst_rule_268480611(hitcnt=6579, id=4026531861)
description: Auto Generated by FMC from dst of PrefilterRule# 1 (Firewall1/mandatory)
group-object Company1(hitcnt=475)
network-object object bldg2-10.x.x.x(hitcnt=6104)
Additional Information:

Phase: 7
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 341 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 341 ns
Config:
nat (any,ATT2-ckt111111) source static bldg2-10.x.x.x bldg2-10.x.x.x destination static Company1 Company1 no-proxy-arp route-lookup
Additional Information:
Static translate 10.x.x.100/1 to 10.x.x.100/1

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 341 ns
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 341 ns
Config:
Additional Information:

Phase: 11
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 42650 ns
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:

Phase: 12
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Elapsed time: 8530 ns
Config:
Additional Information:

Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Elapsed time: 12795 ns
Config:
Additional Information:

Phase: 14
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 4265 ns
Config:
nat (any,ATT2-ckt111111) source static bldg2-10.x.x.x bldg2-10.x.x.x destination static Company1 Company1 no-proxy-arp route-lookup
Additional Information:

Phase: 15
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 57151 ns
Config:
Additional Information:

Phase: 16
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 3412 ns
Config:
Additional Information:

Phase: 17
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:

Phase: 18
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 58004 ns
Config:
Additional Information:
New flow created with id 4232694, packet dispatched to next module

Result:
input-interface: 3100-Interconnect-Inside-02(vrfid:0)
input-status: up
input-line-status: up
output-interface: ATT2-ckt111111(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 261016 ns


2: 23:48:40.390482 802.1Q vlan#41 P0 10.x.x.100 > 10.x.x.14 icmp: echo request
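Added example (not from the thread or from Cisco): a small Python check for the question above that goes a step beyond the posted output. It samples the "show crypto ipsec sa" counters before and after sending a known number of test packets, confirms #pkts encaps/encrypt grew by at least that many with no send errors, and confirms packet-tracer reported an allowed VPN/encrypt phase. The embedded CLI text is constructed and assumes the output format shown in the post.

```python
import re
# Constructed samples modelled on the thread's CLI output; counters are made up.
SA_BEFORE = """\
Crypto map tag: CSM_ATT2-111111111_map, seq num: 1, local addr: 55.55.55.55
local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
current_peer: 66.66.66.66
#pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
#pkts decaps: 59, #pkts decrypt: 59, #pkts verify: 59
#send errors: 0, #recv errors: 0
"""
# Same SA sampled again after sending 10 test pings across the tunnel.
SA_AFTER = SA_BEFORE.replace("encaps: 81, #pkts encrypt: 81", "encaps: 91, #pkts encrypt: 91")
TRACER = """\
Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Phase: 15
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
"""
COUNTERS = ("encaps", "encrypt", "decaps", "decrypt", "send errors", "recv errors")

def ipsec_counters(text):
    """Per-SA packet counters from 'show crypto ipsec sa'; a missing counter reads as 0."""
    found = {}
    for name in COUNTERS:
        m = re.search(r"#(?:pkts )?%s: (\d+)" % re.escape(name), text)
        found[name] = int(m.group(1)) if m else 0
    return found

def counter_delta(before, after):
    """Growth of each counter between two samples that bracket the test traffic."""
    return {k: after[k] - before[k] for k in COUNTERS}

def left_encrypted(before, after, sent):
    """True when at least 'sent' packets were encapsulated and encrypted with no send errors."""
    d = counter_delta(before, after)
    return d["encaps"] >= sent and d["encrypt"] >= sent and d["send errors"] == 0

PHASE_RE = re.compile(r"Type: (\S+)\nSubtype: ?(.*)\nResult: (\S+)")

def tracer_encrypt_allowed(text):
    """True when packet-tracer shows an allowed 'VPN / encrypt' phase for the flow."""
    return any(t == "VPN" and s.strip() == "encrypt" and r == "ALLOW"
               for t, s, r in PHASE_RE.findall(text))
```

If encaps grows on the sending side but decaps on the far end does not, the packets are leaving encrypted and the problem lies in transit or on the receiving peer.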

From what I see, your tunnel is good and there is traffic hitting the policy and being encrypted.

So can you elaborate more on what issue you are facing here?

MHM