ASA enhanced packet tracer and packet capture capabilities

on

From ASA 9.9.1



 1. On ASAv2, when VPN tunnel is up, the following command is used to trace a packet coming from the VPN tunnel:
   packet-tracer input outside icmp 192.168.2.2 8 0 192.168.1.2 decrypted

 2. On ASAv2, the following command is used to generate a simulated packet, no longer requires end-user to initiate the interesting traffic.
   packet-tracer input inside icmp 192.168.2.2 8 0 192.168.1.2 transmit

3. On ASAv1, we can capture the decrypted packet on the outside interface, note doesn't include the return traffic.
    capture OUT interface outside include-decrypted match ip any any

ASA1# sh capture OUT

 5 packets captured

    1: 20:52:24.752463       203.0.113.2.500 > 203.0.113.1.500:  udp 84
   2: 20:52:24.753180       203.0.113.1.500 > 203.0.113.2.500:  udp 84
   3: 20:52:34.184103       203.0.113.2 > 203.0.113.1:  ip-proto-50, length 116
   4: 20:52:34.184240       192.168.2.2 > 192.168.1.2: icmp: echo request
   5: 20:52:34.186223       203.0.113.1 > 203.0.113.2:  ip-proto-50, length 116
5 packets shown
ASA1#


==============
packet-trace with decrypted option does not work for IP assigned to AnyConnect SSL tunnel
CSCvt78175  
Symptom: packet-trace output contains below logs: ********************************************************************* WARNING: An existing decryption SA was not found. Please confirm the IPsec Phase 2 SA or Anyconnect Tunnel is established. ********************************************************************* ... Result: input-interface: outside input-status: up input-line-status: up output-interface: inside output-status: up output-line-status: up Action: drop Drop-reason: (vpn-context-expired) Expired VPN context Conditions: - SSL AnyConnect Tunnel is established (can be confirmed with "show vpn-sessiondb anyconnect"); IPsec tunnels are not affected - decrypted option is used - IP address belongs to AnyConnect client For example: packet-tracer input outside icmp 172.16.1.3 8 0 192.168.10.200 decrypted Workaround: Run capture with include-decrypted trace options, for example: capture CP interface outside include-decrypted trace match ip any host x.x.x.x show capture CP packet-number X trace detail


Comments

Post a Comment