1353 Views, 4 Helpful, 5 Replies

How to verify tunnel connection attempts?

SHANE4252
Level 1

Hi folks,

I'm having trouble with a site-to-site tunnel setup.  At this point I'd just like to be able to verify that a connection attempt is being made from the ASA.  What's the best way to check via ASDM?  I tried packet capture, but I never saw anything hit the buffer.

Any help would be appreciated.

-Shane

5 Replies

Marvin Rhoads
Hall of Fame

Easiest is to check from the cli. "show cry isa sa" is the most relevant command. Run it, then introduce interesting traffic (i.e. do something from a client that initiates a connection to the remote end) and then run the command again. You should see the connection try to set up (and maybe fail).

Depending on your log level settings you should see some commands in ASDM monitoring.
You can also simulate the traffic using packet-tracer either from ASDM or cli.

Thanks for the suggestions.

So on the tunnel I'm experimenting with I've defined the following:

10.187.0.0/16 - local network

10.199.0.0/16 - remote network

However when I ping from a host with the IP 10.187.1.6 to the host 10.199.2.30, the results of "show cry isa sa" don't change.  It doesn't appear as if any attempt is being made to contact the peer.

Any ideas why that might be?

As @Marvin Rhoads alluded to, running a packet-tracer on the interesting traffic would most likely show you where the problem is. It sounds like your crypto access-list isn't matching the desired traffic, but that's just an educated guess.

Regards,

Keith

Like Keith said - crypto access-list is the most likely issue.

Second most-likely is that the traffic is not being routed by the internal network to the ASA.

If you can share the ACL for #1 and confirm #2 we can assist further.
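The checks suggested in the replies above (baseline "show cry isa sa", interesting traffic, packet-tracer, crypto ACL, and whether the internal network even routes the traffic to the ASA), collected into one ASA CLI session as an added example; this is not from the thread or from Cisco documentation. The interface name "inside", the ACL name L2L_VPN_ACL, the crypto map name OUTSIDE_MAP, and the <PEER_IP> placeholder are assumptions; the host and network addresses are the ones Shane posted.

```text
! Added example, not from this thread. Assumes the inside interface is named
! "inside", the crypto ACL is named L2L_VPN_ACL and the crypto map is named
! OUTSIDE_MAP; substitute your own names. Addresses are taken from the thread.

! 1. Baseline: note which IKE peers (if any) already have a security association.
ciscoasa# show crypto isakmp sa

! 2. Confirm the crypto ACL matches the interesting traffic in the right
!    direction: source = LOCAL network, destination = REMOTE network.
ciscoasa# show run access-list L2L_VPN_ACL
!    For the networks in the thread the entry should read:
!    access-list L2L_VPN_ACL extended permit ip 10.187.0.0 255.255.0.0 10.199.0.0 255.255.0.0
ciscoasa# show run crypto map
!    The map entry must reference that ACL:
!    crypto map OUTSIDE_MAP 10 match address L2L_VPN_ACL

! 3. Simulate the ping from 10.187.1.6 to 10.199.2.30 (ICMP echo: type 8, code 0).
!    Read the phase list: a phase of Type "VPN" with Subtype "encrypt" means the
!    flow was matched by the crypto map. If the trace ends earlier with a
!    Drop-reason, the phase that dropped it (ACL, NAT, route lookup) is where
!    the traffic is lost before IKE is ever triggered.
ciscoasa# packet-tracer input inside icmp 10.187.1.6 8 0 10.199.2.30 detailed

! 4. Check whether real traffic reaches the ASA at all (the routing question in
!    the thread). A capture that stays at 0 packets while the host is pinging
!    means the internal network is not sending the traffic to the ASA.
ciscoasa# capture L2L_TEST interface inside match ip host 10.187.1.6 host 10.199.2.30
!    ... now ping from 10.187.1.6 to 10.199.2.30 ...
ciscoasa# show capture L2L_TEST
ciscoasa# no capture L2L_TEST

! 5. Re-run the SA checks after the ping. A new entry for the peer, or a changed
!    state, is the "connection attempt" the thread asks how to verify. Once the
!    tunnel is up, the IPsec SA shows the #pkts encaps counter increasing.
ciscoasa# show crypto isakmp sa
ciscoasa# show crypto ipsec sa peer <PEER_IP>
```

Steps 2 and 3 answer Keith's and Marvin's first suspicion (the crypto ACL); step 4 answers the second (traffic never reaching the ASA). If step 4 shows packets but step 3 never reaches a VPN phase, the ACL or crypto map is the problem; if step 4 shows nothing, the fix is on the internal network, not the ASA.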

SHANE4252
Level 1

I tried to get the packet tracer going and even recruited a network engineer to assist and yet we never saw any traffic or attempts being made to contact the peer.  Finally in frustration I deleted the tunnel settings and started from scratch with the ASDM L2L wizard with some very basic connection settings (almost all defaults) and the tunnel came right up.

Clearly some setting I had between each end was incorrect.  At this point we're just going to move on from the issue.

Thanks for the help.