08-21-2017 08:17 PM - edited 03-12-2019 04:29 AM
Hi folks,
I'm having trouble with a site-to-site tunnel setup. At this point I'd just like to be able to verify that a connection attempt is being made from the ASA. What's the best way to check via ASDM? I tried packet capture, but I never saw anything hit the buffer.
Any help would be appreciated.
-Shane
08-21-2017 10:15 PM
Easiest is to check from the cli. "show cry isa sa" is the most relevant command. Run it, then introduce interesting traffic (i.e. do something from a client that initiates a connection to the remote end) and then run the command again. You should see the connection try to set up (and maybe fail).
Depending on your log level settings you should see some commands in ASDM monitoring.
You can also simulate the traffic using packet-tracer either from ASDM or cli.
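The before/after comparison described in this reply, as an added example that is not part of the original post: a small Python helper that parses two constructed snippets in the style of the ASA's "show crypto isakmp sa" output (IKEv1), one taken before and one after interesting traffic, and reports whether an IKE SA for the peer appeared and what state it reached. The peer address 203.0.113.10 and the sample output are constructed for the example, not from the thread.

```python
import re

# Constructed sample output modelled on "show crypto isakmp sa" before any
# interesting traffic (no SA exists yet).
BEFORE = """
There are no IKEv1 SAs
"""

# Constructed sample output after interesting traffic: phase 1 completed.
AFTER = """
   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Constructed variant: the ASA sent its first main-mode message and is still
# waiting for the peer's reply.
STALLED = AFTER.replace("MM_ACTIVE", "MM_WAIT_MSG2")

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
STATE_RE = re.compile(r"State\s*:\s*(\S+)")


def ike_peers(output: str) -> dict:
    """Map each IKE peer address in the output to its reported State."""
    peers = {}
    current = None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = m.group(1)
            peers[current] = None
            continue
        m = STATE_RE.search(line)
        if m and current is not None:
            peers[current] = m.group(1)
    return peers


def attempt_status(before: str, after: str, peer: str) -> str:
    """Classify what happened for `peer` between the two command runs.

    Returns "no-attempt" when no SA for the peer exists after the traffic
    (the ASA never tried: look at the crypto ACL and routing first),
    "phase1-up" when main/aggressive mode completed, or "stalled:<STATE>"
    when an SA exists but negotiation stopped part way.
    """
    after_state = ike_peers(after).get(peer)
    if after_state is None:
        return "no-attempt"
    if after_state in ("MM_ACTIVE", "AM_ACTIVE"):
        return "phase1-up"
    return f"stalled:{after_state}"


if __name__ == "__main__":
    peer = "203.0.113.10"
    print("before -> after  :", attempt_status(BEFORE, AFTER, peer))
    print("before -> stalled:", attempt_status(BEFORE, STALLED, peer))
    print("before -> before :", attempt_status(BEFORE, BEFORE, peer))
```

A "no-attempt" result is the situation the original poster describes: the SA table does not change at all, which points at traffic never being classified as interesting rather than at a phase 1 negotiation failing. A "stalled:MM_WAIT_MSG2" result means the ASA did send its first message and got no answer, which is a different problem (reachability of the peer or the peer not configured for this ASA).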
08-22-2017 12:16 PM - edited 08-22-2017 12:17 PM
Thanks for the suggestions.
So on the tunnel I'm experimenting with I've defined the following:
10.187.0.0/16 - local network
10.199.0.0/16 - remote network
However when I ping from a host with the IP 10.187.1.6 to the host 10.199.2.30, the results of "show cry isa sa" don't change. It doesn't appear as if any attempt is being made to contact the peer.
Any ideas why that might be?
08-22-2017 12:31 PM - edited 08-22-2017 12:31 PM
As @Marvin Rhoads alluded to, running a packet-tracer on the interesting traffic would most likely show you where the problem is. It sounds like your crypto access-list isn't matching the desired traffic, but that's just an educated guess.
Regards,
Keith
08-22-2017 06:33 PM
Like Keith said - crypto access-list is the most likely issue.
Second most-likely is that the traffic is not being routed by the internal network to the ASA.
If you can share the ACL for #1 and confirm #2 we can assist further.
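The crypto access-list check that the two replies above point to, as an added example that is not part of the original thread: a Python matcher that parses ASA-style extended ACL lines (ASA ACLs use subnet masks, not wildcard masks) and tells you whether a given source/destination pair, here the poster's 10.187.1.6 to 10.199.2.30, is covered by any permit entry. The ACL name outside_cryptomap and the entries themselves are constructed for the example; the second ACL shows a mask mistake that silently leaves the destination host outside the interesting traffic.

```python
import ipaddress

# Constructed crypto ACL matching the networks the poster defined.
GOOD_ACL = [
    "access-list outside_cryptomap extended permit ip "
    "10.187.0.0 255.255.0.0 10.199.0.0 255.255.0.0",
]

# Constructed mis-typed ACL: a /24 mask on the remote side only covers
# 10.199.0.x, so a ping to 10.199.2.30 is never treated as interesting.
BAD_ACL = [
    "access-list outside_cryptomap extended permit ip "
    "10.187.0.0 255.255.0.0 10.199.0.0 255.255.255.0",
]


def _parse_addr(tokens, i):
    """Parse one ASA address spec at tokens[i]; return (network, next index)."""
    t = tokens[i]
    if t in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "<network> <subnet mask>"; strict=False tolerates host bits in the address
    return ipaddress.ip_network(f"{t}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(lines):
    """Return (line, action, protocol, src_net, dst_net) for each extended entry."""
    entries = []
    for line in lines:
        tok = line.split()
        # expected shape: access-list NAME extended permit|deny PROTO SRC... DST...
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto = tok[3], tok[4]
        src, i = _parse_addr(tok, 5)
        dst, _ = _parse_addr(tok, i)
        entries.append((line, action, proto, src, dst))
    return entries


def matching_entry(acl_lines, src_ip, dst_ip, proto="ip"):
    """Return the first ACL line that permits src_ip -> dst_ip, else None.

    A matching deny entry ends the search without a match, as the ASA would
    stop at the first entry that applies.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line, action, p, src, dst in parse_acl(acl_lines):
        if p in ("ip", proto) and s in src and d in dst:
            return line if action == "permit" else None
    return None


def mirrored(acl_lines):
    """Return the entries as the remote peer would need them (src/dst swapped).

    Useful for eyeballing whether the other end's crypto ACL is the mirror
    image of this one; returns (src_net, dst_net) pairs for permit entries.
    """
    return [(dst, src) for _, action, _, src, dst in parse_acl(acl_lines)
            if action == "permit"]


if __name__ == "__main__":
    print("good ACL:", matching_entry(GOOD_ACL, "10.187.1.6", "10.199.2.30"))
    print("bad ACL :", matching_entry(BAD_ACL, "10.187.1.6", "10.199.2.30"))
    print("remote side needs:", mirrored(GOOD_ACL))
```

If matching_entry returns None for the ping you are testing with, the ASA has no reason to bring the tunnel up for it, which is consistent with "show cry isa sa" never changing; if it does match, move to the second suspect in the reply above and confirm that the internal network actually routes 10.199.0.0/16 toward the ASA's inside interface.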
08-23-2017 01:10 PM
I tried to get the packet tracer going and even recruited a network engineer to assist and yet we never saw any traffic or attempts being made to contact the peer. Finally in frustration I deleted the tunnel settings and started from scratch with the ASDM L2L wizard with some very basic connection settings (almost all defaults) and the tunnel came right up.
Clearly some setting I had between each end was incorrect. At this point we're just going to move on from the issue.
Thanks for the help.