ASA5525-- How to tell if this old L2L VPN is still passing traffic?

Hello.

GOAL: To discover if this VPN is useful in enterprise.

I am tasked with confirming the usefulness of a tunnel. All documentation is messy, illogical, incorrect, etc. No one knows if our two enterprises still need this tunnel. (LOL)

---

ASA5525# show crypto IPsec sa peer 150.0.0.8
peer address: 150.0.0.8
Crypto map tag: Outside_map, seq num: 6, local addr: 60.0.0.12

access-list VENDOR1 extended permit ip host 60.0.0.42 host 150.0.1.50
local ident (addr/mask/prot/port): (60.0.0.42/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.0.1.50/255.255.255.255/0/0)
current_peer: 150.0.0.8

#pkts encaps: 47399, #pkts encrypt: 47399, #pkts digest: 47399
#pkts decaps: 38127, #pkts decrypt: 38127, #pkts verify: 38127
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 47399, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

local crypto endpt.: 60.0.0.12/0, remote crypto endpt.: 150.0.0.8/0
current outbound spi: 2A8E157E
current inbound spi : 7B5394C

Questions:

1. "access-list VENDOR1 extended permit ip host 60.0.0.42 host 150.0.1.50" Are these the internal LAN endpoints? Why aren't they private IP addresses?

2. How can I reset these counters?
"#pkts encaps: 47399, #pkts encrypt: 47399, #pkts digest: 47399
#pkts decaps: 38127, #pkts decrypt: 38127, #pkts verify: 38127"

3. What is the best way to determine if this tunnel is actively passing useful traffic (not just keepalives, etc.)?

Thank you!

Accepted Solution

@jmaxwellUSAF It's likely in use, as the tunnel is established.

As it's a policy-based VPN, it requires interesting traffic in order to be established and kept up. If there is no interesting traffic, the VPN would be down until interesting traffic is sent, and the VPN would then be established.

You can tell if the tunnel is in use by checking whether the encaps/decaps counters increase over an X-minute period. I am not sure you can clear the encap/decap counters without bouncing the tunnel.

You could take a packet capture on the inside interface to see what internal IP address is communicating over the VPN.

Traffic looks to be NATed; it's not uncommon with a VPN to a 3rd party.


3 Replies

Check "show vpn-sessiondb l2l detail", then check the Rx and Tx to see if the counts increase.

ccieexpert

This will reset the counters to zero: clear crypto ipsec sa counters

After that, check that the IPsec SA encrypt/decrypt counters increment.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/clear-a-to-clear-k-commands.html#wp3651836927

Tom - CCIEx2, Ex-TAC , www.technoxi.com
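The two approaches in the replies above (watch the encaps/decaps counters over a period, or clear them with "clear crypto ipsec sa counters" and watch them climb from zero) are easy to do by hand once, but if you need to audit several tunnels over a few days it helps to script the comparison. The following is an added example, not code from the thread or from Cisco: a small Python parser for the "show crypto ipsec sa peer" output pasted in the question, which takes two snapshots, computes the per-direction packet deltas and rates, and classifies the SA as idle, one-way, a trickle or active. The sample snapshots are constructed (T0 uses the counters from the question, T1 is a made-up reading assumed to be taken 10 minutes later), and the busy_ppm threshold is an assumed value you would tune to what "useful traffic" means for your application.

```python
import re
from typing import Dict

# Constructed sample: a trimmed `show crypto ipsec sa peer 150.0.0.8` snapshot
# using the addresses and counter values from the question (T0) ...
SNAPSHOT_T0 = """\
peer address: 150.0.0.8
Crypto map tag: Outside_map, seq num: 6, local addr: 60.0.0.12

access-list VENDOR1 extended permit ip host 60.0.0.42 host 150.0.1.50
local ident (addr/mask/prot/port): (60.0.0.42/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.0.1.50/255.255.255.255/0/0)
current_peer: 150.0.0.8

#pkts encaps: 47399, #pkts encrypt: 47399, #pkts digest: 47399
#pkts decaps: 38127, #pkts decrypt: 38127, #pkts verify: 38127
"""

# ... and a made-up second reading, assumed to be taken 10 minutes later.
SNAPSHOT_T1 = """\
peer address: 150.0.0.8
Crypto map tag: Outside_map, seq num: 6, local addr: 60.0.0.12

access-list VENDOR1 extended permit ip host 60.0.0.42 host 150.0.1.50
local ident (addr/mask/prot/port): (60.0.0.42/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.0.1.50/255.255.255.255/0/0)
current_peer: 150.0.0.8

#pkts encaps: 47521, #pkts encrypt: 47521, #pkts digest: 47521
#pkts decaps: 38240, #pkts decrypt: 38240, #pkts verify: 38240
"""

# encaps = packets we sent into the tunnel, decaps = packets received from it.
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
# The proxy identities (the addresses the SA actually protects).
IDENT_RE = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")


def parse_sa(text: str) -> Dict[str, object]:
    """Pull the encaps/decaps counters and the proxy identities out of one snapshot."""
    counters = {name: int(value) for name, value in COUNTER_RE.findall(text)}
    idents = {side: f"{addr}/{mask}" for side, addr, mask in IDENT_RE.findall(text)}
    missing = {"encaps", "decaps"} - counters.keys()
    if missing:
        raise ValueError(f"snapshot lacks counters: {sorted(missing)}")
    return {"counters": counters, "idents": idents}


def counter_delta(before: int, after: int) -> int:
    """Packets seen between two readings. A lower 'after' value means the
    counters were cleared (clear crypto ipsec sa counters) or the SA was
    rebuilt, so the new reading itself is the count since the reset."""
    return after if after < before else after - before


def assess_tunnel(snap_before: str, snap_after: str, minutes: float,
                  busy_ppm: float = 5.0) -> Dict[str, object]:
    """Compare two snapshots taken `minutes` apart and classify the SA.
    busy_ppm (assumed threshold, packets per minute per direction) separates
    a trickle such as application keepalives from traffic worth keeping."""
    if minutes <= 0:
        raise ValueError("minutes must be positive")
    before = parse_sa(snap_before)["counters"]
    after = parse_sa(snap_after)
    delta = {k: counter_delta(before[k], after["counters"][k]) for k in ("encaps", "decaps")}
    rate = {k: v / minutes for k, v in delta.items()}
    if delta["encaps"] == 0 and delta["decaps"] == 0:
        verdict = "idle"          # SA is up but nothing crossed it
    elif delta["encaps"] == 0 or delta["decaps"] == 0:
        verdict = "one-way"       # only one side is sending: worth a closer look
    elif max(rate.values()) < busy_ppm:
        verdict = "trickle"       # a few packets per minute, likely keepalives
    else:
        verdict = "active"
    return {"idents": after["idents"], "delta": delta, "rate_ppm": rate, "verdict": verdict}


if __name__ == "__main__":
    result = assess_tunnel(SNAPSHOT_T0, SNAPSHOT_T1, minutes=10)
    print(f"SA {result['idents']['local']} <-> {result['idents']['remote']}")
    print(f"delta: {result['delta']}  rate/min: {result['rate_ppm']}  verdict: {result['verdict']}")
```

In practice you would paste each "show crypto ipsec sa peer" run into a file and feed the two files to assess_tunnel; the "one-way" verdict is the one to watch for, since a tunnel that only ever encapsulates may be carrying nothing the far side still answers. The counters only cover ESP, so IKE keepalives/DPD never show up in them, which is why a "trickle" here is already application-level traffic rather than tunnel maintenance.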
