Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3474
Views
20
Helpful
6
Replies

Not seeing ESP or IPSEC packets with Packet-Capturing

Go to solution
CiscoBrownBelt
Level 6
Level 6

‎05-24-2019 07:23 AM - edited ‎02-21-2020 09:10 AM

When conducting on ASA a Packet-Capture filtering the 1 and only subnet of interesting traffic to use IPSEC tunnel as source to ANY, I am not seeing any ESP or IPSEC traffic on the Egress interface when viewing the PCAP in Wireshark.

show crypto ipsec and show ikev2 show the sa and packets being crypt and decrypt.

Any ideas?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoBrownBelt

‎05-28-2019 11:24 AM - edited ‎05-28-2019 11:44 AM

You will see ESP packets on the egress, but between the VPN peer IP addresses (the external/outside interface of the router/firewall) only - the interesting traffic IP addresses will be encapsulated inside the ESP packets, the interesting traffic IP addresses themselves will not be visible on egress.

HTH

View solution in original post

Go to solution
Jon Major
Level 1
Level 1
In response to Rob Ingram

‎05-28-2019 12:03 PM

@Rob Ingram wrote:

You will see ESP packets on the egress, but between the VPN peer IP addresses (the external/outside interface of the router/firewall) only - the interesting traffic IP addresses will be encapsulated inside the ESP packets, the interesting traffic IP addresses themselves will not be visible on egress.

HTH

What he said :D. ESP is the outer encapsulation around the packets sent between devices in your interesting traffic. For example, if your two firewalls are OUTSIDE/208.1.1.1 and OUTSIDE/209.1.1.1 and your interesting traffic is 192.168.1.0/24 -> 192.168.2.0/24 and you're looking at a telnet between 192.168.1.10:2432 -> 192.168.2.20:23, IPsec (tunnel mode) is going to encapsulate the original IP header (Src: 192.168.1.10,,Dst:192.168.2.10) and add new ESP header that's 208.1.1.1 -> 209.1.1.1.

 

There are some caveats with the above, like IPsec transport mode, but that's a good rule of thumb to follow.

View solution in original post

6 Replies 6

Go to solution
Jon Major
Level 1
Level 1

‎05-24-2019 11:55 AM

@CiscoBrownBelt wrote:

When conducting on ASA a Packet-Capture filtering the 1 and only subnet of interesting traffic to use IPSEC tunnel as source to ANY, I am not seeing any ESP or IPSEC traffic on the Egress interface when viewing the PCAP in Wireshark.

show crypto ipsec and show ikev2 show the sa and packets being crypt and decrypt.

Any ideas?

Are you filtering the capture based on interesting traffic (i.e. as defined in the ACL tied to your crypto map) or are you filter the capture based on the tunnel endpoints (i.e. the IP in the set peer field of the crypto map, and/or your firewall's IP)?

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Jon Major

‎05-28-2019 10:16 AM

Filtering based on interesting traffic.
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoBrownBelt

‎05-28-2019 10:57 AM

Hi,
The interesting traffic will be encapsulated inside the ESP packets, these will be between the VPN peer IP addresses - you will never see the interesting traffic network on egress.

HTH

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Rob Ingram

‎05-28-2019 11:12 AM

Awesome thanks!
So you saying I will not see any ESP packets at all on the Egress interface only on the Ingress correct?
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoBrownBelt

‎05-28-2019 11:24 AM - edited ‎05-28-2019 11:44 AM

You will see ESP packets on the egress, but between the VPN peer IP addresses (the external/outside interface of the router/firewall) only - the interesting traffic IP addresses will be encapsulated inside the ESP packets, the interesting traffic IP addresses themselves will not be visible on egress.

HTH

Go to solution
Jon Major
Level 1
Level 1
In response to Rob Ingram

‎05-28-2019 12:03 PM

@Rob Ingram wrote:

You will see ESP packets on the egress, but between the VPN peer IP addresses (the external/outside interface of the router/firewall) only - the interesting traffic IP addresses will be encapsulated inside the ESP packets, the interesting traffic IP addresses themselves will not be visible on egress.

HTH

What he said :D. ESP is the outer encapsulation around the packets sent between devices in your interesting traffic. For example, if your two firewalls are OUTSIDE/208.1.1.1 and OUTSIDE/209.1.1.1 and your interesting traffic is 192.168.1.0/24 -> 192.168.2.0/24 and you're looking at a telnet between 192.168.1.10:2432 -> 192.168.2.20:23, IPsec (tunnel mode) is going to encapsulate the original IP header (Src: 192.168.1.10,,Dst:192.168.2.10) and add new ESP header that's 208.1.1.1 -> 209.1.1.1.

 

There are some caveats with the above, like IPsec transport mode, but that's a good rule of thumb to follow.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card