ASA enhanced packet tracer and packet capture capabilities
From ASA 9.9.1

1. On ASAv2, when the VPN tunnel is up, the following command traces a packet coming from the VPN tunnel:

    packet-tracer input outside icmp 192.168.2.2 8 0 192.168.1.2 decrypted

2. On ASAv2, the following command generates a simulated packet, so an end user no longer needs to initiate the interesting traffic:

    packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.2 transmit

3. On ASAv1, we can capture the decrypted packet on the outside interface. Note that the capture doesn't include the return traffic.

    capture OUT interface outside include-decrypted match ip any any

    ASA1# sh capture OUT
    5 packets captured
       1: 20:52:24.752463 203.0.113.2.500 > 203.0.113.1.500: udp 84
       2: 20:52:24.753180 203.0.113.1.500 > 203.0.113.2.500: udp 84
       3: 20:52:34.184103 203.0.113.2 > 203.0.113.1: ip-proto-50, length 116
       4: 20:52:34.184240 192.168.2.2 > 192.168.1.2: icmp: echo request
       5: 20:52:34.186223
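When reviewing an include-decrypted capture, it helps to separate IKE, ESP, decrypted copies, and packets that reached the outside interface with no ESP packet before them. The following is an added example, not part of the original note or Cisco tooling: the function names, the 5 ms pairing window and packet 5 of the sample are assumptions made for illustration.

```python
import re

# Constructed sample in the format of the `show capture` output above.
# Packet 5 is invented for the example: an inner-subnet packet with no
# ESP packet just before it.
SAMPLE = """\
5 packets captured
   1: 20:52:24.752463 203.0.113.2.500 > 203.0.113.1.500: udp 84
   2: 20:52:24.753180 203.0.113.1.500 > 203.0.113.2.500: udp 84
   3: 20:52:34.184103 203.0.113.2 > 203.0.113.1: ip-proto-50, length 116
   4: 20:52:34.184240 192.168.2.2 > 192.168.1.2: icmp: echo request
   5: 20:52:35.000000 192.168.2.9 > 192.168.1.2: icmp: echo request
"""

LINE = re.compile(
    r"^\s*(\d+):\s+(\d\d):(\d\d):(\d\d)\.(\d{1,6})\s+(\S+)\s+>\s+(\S+):\s+(.+)$"
)

def _port(addr):
    """Return the port from 'a.b.c.d.port', or None for a bare IPv4 address."""
    parts = addr.split(".")
    return int(parts[4]) if len(parts) == 5 and parts[4].isdigit() else None

def classify(text, window_us=5000):
    """Label each captured packet as ike, esp, decrypted or cleartext.

    Assumption (heuristic): a decrypted copy is logged within window_us
    microseconds after the ESP packet it came from, and each ESP packet
    accounts for at most one decrypted copy.
    """
    out, last_esp = [], None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:  # header line or a truncated capture line
            continue
        num, h, mi, s, frac, src, dst, info = m.groups()
        ts = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1_000_000 + int(frac.ljust(6, "0"))
        if info.startswith("ip-proto-50"):
            kind, last_esp = "esp", ts
        elif info.startswith("udp") and 500 in (_port(src), _port(dst)):
            kind = "ike"
        elif last_esp is not None and 0 <= ts - last_esp <= window_us:
            kind, last_esp = "decrypted", None  # consume the matching ESP packet
        else:
            kind = "cleartext"  # no ESP packet explains this one; worth a look
        out.append((int(num), kind))
    return out

if __name__ == "__main__":
    for num, kind in classify(SAMPLE):
        print(num, kind)
```
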