Beginner

How to verify tunnel connection attempts?

Hi folks,

I'm having trouble with a site-to-site tunnel setup.  At this point I'd just like to be able to verify that a connection attempt is being made from the ASA.  What's the best way to check via ASDM?  I tried packet capture, but I never saw anything hit the buffer.

Any help would be appreciated.

-Shane

Hall of Fame Master

Re: How to verify tunnel connection attempts?

Easiest is to check from the CLI. "show cry isa sa" is the most relevant command. Run it, then introduce interesting traffic (i.e. do something from a client that initiates a connection to the remote end) and then run the command again. You should see the connection try to set up (and maybe fail).

 

Depending on your log level settings you should see some commands in ASDM monitoring.

 

You can also simulate the traffic using packet-tracer either from ASDM or cli.

Beginner

Re: How to verify tunnel connection attempts?

Thanks for the suggestions.

So on the tunnel I'm experimenting with I've defined the following:

10.187.0.0/16 - local network

10.199.0.0/16 - remote network

However when I ping from a host with the IP 10.187.1.6 to the host 10.199.2.30, the results of "show cry isa sa" don't change.  It doesn't appear as if any attempt is being made to contact the peer.

Any ideas why that might be?

Beginner

Re: How to verify tunnel connection attempts?

As @Marvin Rhoads alluded to, running a packet-tracer on the interesting traffic would most likely show you where the problem is. It sounds like your crypto access-list isn't matching the desired traffic, but that's just an educated guess.

 

Regards,

Keith

Hall of Fame Master

Re: How to verify tunnel connection attempts?

Like Keith said - crypto access-list is the most likely issue.

 

Second most-likely is that the traffic is not being routed by the internal network to the ASA.

 

If you can share the ACL for #1 and confirm #2 we can assist further.
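The two checks above (crypto ACL, then routing/NAT) and the verification commands from the first reply, pulled together as an added example that is not the original poster's configuration. It uses the 10.187.0.0/16 and 10.199.0.0/16 networks from the thread; the peer address 203.0.113.10, the pre-shared key, and all object/map/ACL names are placeholders, and the IKEv1 policy values are illustrative. Syntax is ASA 8.4+.

```text
! --- 1. Crypto ACL: must match the interesting traffic exactly as it
!        arrives at the ASA (source = local side, destination = remote side).
!        A reversed or too-narrow ACL is the classic reason "show cry isa sa"
!        never changes: the packet is simply forwarded/dropped, never encrypted.
access-list L2L_TO_REMOTE extended permit ip 10.187.0.0 255.255.0.0 10.199.0.0 255.255.0.0

! --- 2. NAT exemption (identity NAT). Without this, a dynamic PAT rule on the
!        outside interface can rewrite the source before crypto-map matching,
!        so the ACL above no longer matches. Names are placeholders.
object network LOCAL_NET
 subnet 10.187.0.0 255.255.0.0
object network REMOTE_NET
 subnet 10.199.0.0 255.255.0.0
nat (inside,outside) source static LOCAL_NET LOCAL_NET destination static REMOTE_NET REMOTE_NET no-proxy-arp route-lookup

! --- 3. IKEv1 phase 1 / phase 2 and the crypto map (illustrative values).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set L2L_TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address L2L_TO_REMOTE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set L2L_TS
crypto map OUTSIDE_MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>

! --- 4. Verification, in the order that narrows the fault fastest.
! Simulate the OP's ping (ICMP echo, type 8 code 0) entering "inside".
! The "detailed" output shows each phase; look for a VPN/ENCRYPT phase with
! ALLOW. If the packet ends at NAT or ROUTE-LOOKUP with DROP, steps 1/2 are wrong.
packet-tracer input inside icmp 10.187.1.6 8 0 10.199.2.30 detailed

! Confirm the inside network actually routes here: the ASA must have a route
! for 10.199.0.0/16 out the "outside" interface (toward the peer).
show route 10.199.2.30

! Capture IKE on the outside interface. Packets to UDP/500 prove the ASA is
! at least trying to contact the peer; an empty buffer means the crypto map
! was never hit (or traffic never reached the ASA).
capture CAP_IKE interface outside match udp any host 203.0.113.10 eq 500
show capture CAP_IKE

! Before/after the ping, as in the first reply. On 8.4+ "show cry isa sa"
! expands to the IKE SA table; the explicit forms are:
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10

! If phase 1 starts but fails, the negotiation detail is in:
debug crypto ikev1 127
```

Read the packet-tracer output from the bottom up: the final "Action" line and the last phase tell you which of the two likely causes applies. Remove the capture and turn debugs off (`no capture CAP_IKE`, `undebug all`) once done, since both are left running otherwise.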

Beginner

Re: How to verify tunnel connection attempts?

I tried to get the packet tracer going and even recruited a network engineer to assist and yet we never saw any traffic or attempts being made to contact the peer.  Finally in frustration I deleted the tunnel settings and started from scratch with the ASDM L2L wizard with some very basic connection settings (almost all defaults) and the tunnel came right up.

Clearly some setting I had between each end was incorrect.  At this point we're just going to move on from the issue.

Thanks for the help.