How to validate VPN Traffic is Passing and receiving in reply

subrun.jamil
Level 1

Hello All,

I configured a VPN tunnel. The VPN tunnel is UP and I see encap and decap values in the ipsec sa command.

When I do a packet-tracer sourcing from the inside interface (from where the interested traffic is initiating) to the remote destination, it is allowed, hitting the correct ACL and the correct NAT exempt rule.

But the client is saying the client is not able to reach the remote server application?

What other areas can I check? How can I do:

--- asp drop, to confirm that the ASA is not dropping the traffic?

--- How to confirm I am receiving return traffic from the remote interested traffic?

Note: Both sides' interested traffic is not behind NAT.

 

3 Replies

Troy Jackson
Level 1

You can set up a packet capture on both sides of the tunnel. This way you can see that the RDP traffic is making it to the other side.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

Please remember to rate useful posts, by clicking on the star below.
-Troy J.

Francesco Molino
VIP Alumni

Hi

For ASA, I've made a doc to show all steps to validate that traffic is going through the right tunnel:
https://community.cisco.com/t5/security-documents/asa-how-to-troubleshoot-vpn-l2l-ensure-traffic-is-passing/ta-p/3166082

Can you please follow all steps and share all outputs in a text file?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question.

If you are capturing on the outside interface you will see encrypted packets only. You need to have the keyword include-decrypted in the capture command to get decrypted packets.
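The two questions in the original post (is the ASA dropping the flow, and is return traffic coming back from the peer) can both be answered from counters rather than only from captures: the encaps/decaps counters in `show crypto ipsec sa` and the reason counters in `show asp drop`. The script below is an added example, not part of this thread or of any Cisco documentation; it takes two pasted snapshots of each command, taken a few seconds apart while the client retries, and reports which direction moved and which drop reasons grew. The sample outputs, addresses and counter values embedded in it are constructed for illustration. Note that `show asp drop` counters are box-wide, so a growing counter is a hint, not proof, that this particular flow was dropped; the flow-specific check is `capture asp type asp-drop all` followed by `show capture asp` filtered on the client address.

```python
import re

# Constructed sample outputs (addresses and counters are made up). On a real
# ASA, run these twice, roughly 10 s apart, while the client retries:
#   show crypto ipsec sa peer 198.51.100.1
#   show asp drop
IPSEC_T0 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.1

      #pkts encaps: 1500, #pkts encrypt: 1500, #pkts digest: 1500
      #pkts decaps: 900, #pkts decrypt: 900, #pkts verify: 900
"""
# Second snapshot: 40 more packets encrypted towards the peer, nothing new decrypted.
IPSEC_T1 = IPSEC_T0.replace("1500", "1540")

ASP_T0 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                         12
  No valid adjacency (no-adjacency)                                     3

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                     1
"""
# Second snapshot: only the no-adjacency counter grew (3 -> 7).
ASP_T1 = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                         12
  No valid adjacency (no-adjacency)                                     7

Last clearing: Never

Flow drop:
  Inspection failure (inspect-fail)                                     1
"""

# "#pkts encaps: N" / "#pkts decaps: N" appear once per IPsec SA (one SA per proxy ID).
IPSEC_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
# "  <description> (<reason-code>)   <count>" lines in 'show asp drop'.
ASP_RE = re.compile(r"^\s*.+?\s\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$", re.M)


def ipsec_counters(text):
    """Sum encaps/decaps over every SA in the pasted 'show crypto ipsec sa' output."""
    totals = {"encaps": 0, "decaps": 0}
    for name, value in IPSEC_RE.findall(text):
        totals[name] += int(value)
    return totals


def asp_drops(text):
    """Map asp-drop reason code -> counter value from 'show asp drop'."""
    return {m["reason"]: int(m["count"]) for m in ASP_RE.finditer(text)}


def delta(before, after):
    """Return only the counters that grew between the two snapshots."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v - before.get(k, 0) > 0}


def diagnose(ipsec_before, ipsec_after, asp_before, asp_after):
    """Classify where the flow stops, based on which counters moved."""
    moved = delta(ipsec_counters(ipsec_before), ipsec_counters(ipsec_after))
    drops = delta(asp_drops(asp_before), asp_drops(asp_after))
    encaps, decaps = moved.get("encaps", 0), moved.get("decaps", 0)
    if encaps == 0:
        verdict = ("Not encrypting: the interested traffic never reaches the tunnel "
                   "(re-check routing, packet-tracer and an inside-interface capture)")
    elif decaps == 0:
        verdict = ("Encrypting but nothing decapsulated: no return traffic from the peer "
                   "(check the remote side's crypto ACL, route and NAT for the reply)")
    elif drops:
        verdict = ("Both directions cross the tunnel but ASP drop counters grew: confirm with "
                   "'capture asp type asp-drop all' filtered on the client address")
    else:
        verdict = ("Tunnel carries both directions and nothing was dropped: "
                   "look past the ASA (host firewall, application listener)")
    return {"encaps": encaps, "decaps": decaps, "new_drops": drops, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(IPSEC_T0, IPSEC_T1, ASP_T0, ASP_T1), indent=2))
```

With the constructed samples the script reports 40 new encaps and 0 new decaps, so the ASA is sending the client's packets into the tunnel but the peer is not sending anything back; the growing no-adjacency counter is then a separate lead, not the explanation for this flow. Clearing the SA counters first (`clear crypto ipsec sa counters`) makes the deltas easier to read on a busy box.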