Debug and Access Lists

TRACY HARTMANN
Level 1

I am trying to troubleshoot an issue with a VPN tunnel to a vendor. The design is: inside network---Firewall---router---internet---firewall---inside network. The tunnel is set up on the router to the external firewall. The tunnel comes up; however, if I try to ssh, ping, traceroute, etc. from one inside network to the other it does not work. The one end firewall sees the request go out, the other side's firewall sees the request and they see the reply. However, it never actually gets back to the first firewall. So I am trying to determine if we can see the traffic get back to the router. I know you can turn on some access-lists with debugs and was looking for some direction, since I think the best debug would be debug ip packet, limiting it to the source and destination of the ping, telnet, ssh, etc. Not sure how to set that up and if that is the best way to determine where the packet is getting lost.

2 Replies

Richard Burts
Hall of Fame

Tracy

I will discuss how to set up access lists and use them to limit the output reported by debug. But first I would suggest that you check to verify that the routing logic does send the traffic (ssh, ping, traceroute) through the VPN and that the remote side is sending the responses through the tunnel.

The debug ip packet with access list is fairly simple.

First you create an access list (usually an extended access list) to identify the traffic that you want to investigate.

For example  you might use an access list like this

access-list 101 remark check for SSH from us to them

access-list 101 permit tcp <our-net> <wildcard> <their-net> <wildcard> eq 22

access-list 101 remark check for their response

access-list 101 permit tcp <their-net> <wildcard> eq 22 <our-net> <wildcard>

Then you run debug ip packet and use the access list to limit the output to the specified traffic

debug ip packet 101

One thing to be aware of is that for debug to report the packet it must have been process switched by the router (the router CPU must see the packet). Since we do not know what type of router this is we do not know whether it processes VPN in the process switching path or in one of the enhanced switching paths.

HTH

Rick

Sorry, I have been out and have not been able to address this issue until today. I do have IP CEF turned on and I am not able to see the traffic in either direction. The router is a 2900 with version 15 code. We can see from the firewall on the host site that the traffic goes out correctly and the tunnel starts up. The remote end says it sees the traffic come in and sends it back out. I cannot verify my router is seeing the return traffic.
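A fuller worked version of the procedure Rick describes, together with the process-switching caveat that Tracy's follow-up (CEF enabled, nothing visible in the debug) runs into. This is an added example, not configuration posted by either participant. The networks 10.1.1.0/24 (our inside), 10.2.2.0/24 (the vendor's inside) and the interface name GigabitEthernet0/0 are placeholders to be replaced with the real values; the ICMP entries extend the ACL to cover the ping test as well as SSH.

```cisco
! Added example (not from the original posts). Placeholder values:
!   10.1.1.0/24      = our inside network
!   10.2.2.0/24      = the vendor's inside network
!   GigabitEthernet0/0 = this router's Internet-facing interface
!
! Extended ACL matching the test traffic in BOTH directions. For the reply
! the well-known port is the SOURCE port, so "eq 22" follows the source.
access-list 101 remark SSH from us to them (request)
access-list 101 permit tcp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 eq 22
access-list 101 remark SSH from them to us (reply)
access-list 101 permit tcp 10.2.2.0 0.0.0.255 eq 22 10.1.1.0 0.0.0.255
access-list 101 remark ping request and reply
access-list 101 permit icmp 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255 echo
access-list 101 permit icmp 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255 echo-reply
!
! debug ip packet only reports packets the CPU process-switches. Confirm the
! switching path on the WAN interface first; with CEF on, this shows
! "IP CEF switching is enabled" and transit packets never reach the debug.
show ip interface GigabitEthernet0/0 | include switching
!
! Temporarily force process switching on that interface so the debug can see
! transit packets. This raises CPU load: do it briefly, in a maintenance
! window, and revert afterwards. Some platforms/releases refuse to disable
! CEF on an interface; if the command is rejected, fall back to the
! crypto counters below.
configure terminal
 interface GigabitEthernet0/0
  no ip route-cache
 end
!
! Send debug output to the log buffer rather than the console so a burst of
! output cannot lock the session, then run the ACL-filtered debug.
configure terminal
 logging buffered 64000 debugging
 no logging console
 end
debug ip packet 101 detail
! ... run the ssh / ping test from the inside host now ...
undebug all
show logging
!
! Debug-independent check that traffic really enters and leaves the tunnel:
! "#pkts encaps" should climb for our requests, "#pkts decaps" for the
! vendor's replies. Encaps rising with decaps flat means the replies are
! not arriving at this router (or are not being decrypted).
show crypto ipsec sa | include pkts
!
! Restore the normal switching path when finished.
configure terminal
 interface GigabitEthernet0/0
  ip route-cache
  ip route-cache cef
 end
```

Run the request/reply test only while the debug is active, and clear it with undebug all as soon as the capture is done. Comparing the encaps and decaps counters before and after a single ping burst answers the original question (is the return traffic reaching this router's tunnel endpoint?) without touching the switching path at all, so try that first on a production router.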