I would like to see the packets traversing an IPSec connection I have running.
The ACL has following
From 10.0.0.0/8 to 192.168.0.0/16
but I would like to know exactly what is going over this VPN.
Can I do this just using the ASA and its tools?
If you have logs going to a Syslog server you could go through the logs from a longer period of time. This might require a certain level of logging to see what connections have been formed through the firewall.
You could also configure packet capture on the firewall itself to capture the traffic between those networks (would have to do this on the firewall LAN interface) and then see what type of connections are being initiated and from which end of the L2L VPN.
Packet capture with a separate computer in between would naturally provide chance to save more capture data. ASA has limitations to buffer size but is pretty easy and fast to configure.
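As an added example (not from the thread, and not the poster's own configuration), here is the on-box capture Jouni describes, set up on both interfaces so a packet that shows up on outside but never on inside stands out, plus the checks that usually explain such a drop. The host addresses 192.168.50.10 and 10.20.30.5 are constructed; substitute a remote host and a host in the affected /26.

```cisco
! Capture the L2L traffic on both interfaces. "match" is bidirectional,
! so one line per capture covers both directions of the ACL (10/8 <-> 192.168/16).
! The capture buffer is limited (default 512 KB), so keep the filter tight.
capture CAPOUT interface outside match ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
capture CAPIN interface inside match ip 192.168.0.0 255.255.0.0 10.0.0.0 255.0.0.0
!
! Compare the two. A packet present in CAPOUT (after decryption) but absent from
! CAPIN is being dropped or consumed by the ASA itself, not by the LAN.
show capture CAPOUT
show capture CAPIN
!
! Simulate one decrypted packet from the remote site through the ASA's own
! processing path (ACL, NAT, route lookup). The output names the phase that
! drops it. Constructed addresses: remote 192.168.50.10 -> local /26 host 10.20.30.5.
packet-tracer input outside icmp 192.168.50.10 8 0 10.20.30.5 detailed
!
! Per-reason drop counters; complements the ASP table check already mentioned.
show asp drop
!
! Connection built/teardown messages (302013/302014 TCP, 302015/302016 UDP,
! 302020/302021 ICMP) are logged at informational level, so the syslog
! destination must be at least that level to show them.
logging trap informational
!
! Remove the captures when finished.
no capture CAPOUT
no capture CAPIN
```

Run packet-tracer once in each direction (swap the interface and addresses) since the thread reports that only the site B to local direction fails.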
Thanks JouniForss - Done that and now I see packets coming out of the VPN on the outside interface but they never leave the inside interface although no ACL blocks them and routing is working (Can ping the Dest IP from the ASA).
I have tried to use the ASP tables to see why it is being dropped but no luck there - also nothing in syslog about the dropped packet.
I can see in the tables though that a reverse entry is made - I reckon that this is to allow the return path packet through the ASA.
Anything else I can check ?
How did you confirm that connections were coming from the L2L VPN and NOT going to the actual LAN network? You said Syslog isn't showing anything related to this?
Make sure your logging level is set to "informational" and then you should be able to see log messages of connections forming and them being torn down.
Was your original post about just checking what connections are being taken through the L2L VPN or is there an actual problem with the L2L VPN connection at the moment? I got the picture originally that you just want to monitor the connections going through the VPN.
My actual problem is this:
I allow from site B all 192.168 IP addresses.
On my side I have all 10/8 IP addresses.
One subnet on my side (/26) cannot be reached.
I see packets with the inbuilt packet capture entering the outside interface from the VPN that are destined for this specific network.
With the packet capture I see that none of these packets are exiting or entering the Inside interface.
My ACL allows all 192.168/16 to reach all 10/8 IP addresses and vice versa.
I can also ping the subnet from the ASA Inside interface, so routing is also fine.
From all other nets in the 10/8 range I can also reach everything.
From the /26 I can also reach the 192.168 nets without problems - it is just from site B to my site that does not work.
There is nothing in the logger saying that the packets are being dropped.
I have logging on debugging so I should see all info, right?
Would it be possible to see the configurations? (At least partially; remove public IP addresses and any sensitive information.)
I would just like to go through the VPN, ACL and NAT related configurations.
I have only once had a really strange problem with an L2L VPN ASA running 8.2(x) (might have been 8.2(1) or 8.2(2)) where our customer had 2 local networks and the remote end 1 network. One of the local networks could use the L2L VPN without any problems and the other one couldn't.
Since it was a failover environment we changed the active firewall in the evening and it corrected the problem. I was also ready to reboot the whole firewall device with the customer's permission. What made it even more strange was that the L2L VPN in question had been operational for over half a year before we ran into this problem and we also haven't run into the same situation after the last time.
Though in your situation it seems that the connections coming from your networks aren't even coming back to the firewall.