
How to validate VPN Traffic is Passing and receiving in reply

Hello All,

I configured a VPN tunnel. The VPN tunnel is UP and I see Encap & Decap values in the ipsec sa command.

When I do a packet tracer sourcing from the inside interface (from where the interested traffic is initiating) to the remote destination, it is allowed while hitting the correct ACL and the correct NAT exempt rule.

But the client is saying the client is not able to hit the remote server application.

What are other areas I can check? How can I do a

--- asp drop to confirm that the ASA is not dropping the traffic?

--- How to confirm I am receiving return traffic from the remote interested traffic?

Note: Both interested traffic is not behind NAT.

3 REPLIES 3
Beginner

Re: How to validate VPN Traffic is Passing and receiving in reply

You can set up a packet capture on both sides of the tunnel. This way you can see that the RDP traffic is making it to the other side. 

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

 

Please remember to rate useful posts, by clicking on the star below.
-Troy J.
VIP Advisor

Re: How to validate VPN Traffic is Passing and receiving in reply

Hi

For asa, I've made a doc to show all steps to validate that traffic is going through the right tunnel:
https://community.cisco.com/t5/security-documents/asa-how-to-troubleshoot-vpn-l2l-ensure-traffic-is-passing/ta-p/3166082

Can you please follow all steps and share all outputs into a text file?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
VIP Advisor

Re: How to validate VPN Traffic is Passing and receiving in reply

If you are capturing on the outside interface you will see encrypted
packets only. You need to have the keyword include-decrypted in the capture
command to get decrypted packets.
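
For the question of confirming return traffic, the sketch below is an added example, not part of any reply in this thread. It compares the encaps and decaps counters from two snapshots of `show crypto ipsec sa` taken before and after a test. The sample output, addresses and counter values are constructed, and the function names are hypothetical. A stalled decaps counter shows that nothing is being decrypted locally, not where the return traffic is lost.

```python
import re

# Constructed excerpt in the layout of ASA "show crypto ipsec sa" output;
# addresses and counters are made up for this example.
BEFORE = """\
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 95, #pkts decrypt: 95, #pkts verify: 95
"""
AFTER = BEFORE.replace("encaps: 120", "encaps: 140")  # only encaps moved

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sa_counters(text):
    """Return {(local_ident, remote_ident): {"encaps": n, "decaps": n}}."""
    sas, local, key = {}, None, None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m and m.group(1) == "local":
            local = m.group(2)
        elif m:
            key = (local, m.group(2))
            sas[key] = {}
        elif key is not None:
            for name, value in COUNT.findall(line):
                sas[key][name] = int(value)
    return sas

def classify(before, after):
    """Label each SA by which counters increased between the snapshots."""
    old, new = parse_sa_counters(before), parse_sa_counters(after)
    result = {}
    for key, now in new.items():
        prev = old.get(key, {})
        sent = now.get("encaps", 0) - prev.get("encaps", 0)
        recv = now.get("decaps", 0) - prev.get("decaps", 0)
        if sent > 0 and recv > 0:
            result[key] = "two-way"
        elif sent > 0:
            result[key] = "encaps only: no return traffic decrypted"
        elif recv > 0:
            result[key] = "decaps only: local side not sending"
        else:
            result[key] = "idle"  # also covers counters reset by a rekey
    return result

if __name__ == "__main__":
    for sa, verdict in classify(BEFORE, AFTER).items():
        print(sa, "->", verdict)
```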