There are times when you just have to take advantage of some cool troubleshooting tools that these companies put out. Cisco has a pretty cool CLI command that I like for when I just can't seem to see the config problem with my eyes: the capture command below. I used this when trying to troubleshoot why I couldn't get packets across the VPN. I could see the packet on the interface in a packet capture, but on the way back it was getting dropped. How did I know that? First, my packet capture on the inside interface of the ASA told me: I saw the packet go out, and I also saw the reply coming back on the inside interface. But it turned out that an ACL was dropping it, as the asp-drop capture below shows. Once I saw this, I immediately took off the ACL (to test) and the packets went through the VPN just fine after that. Then I modified the ACL to resolve the issue.
ASA# capture asp-drop type asp-drop acl-drop
ASA# show capture asp-drop
32 packets captured
...
27: 14:05:42.770162 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
...
32 packets shown
ASA#
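When a capture like the one above runs into hundreds of lines, it helps to have something that pulls out the drop reason and the flows it hit, so you know exactly which ACL entry to go look at. Here is a small parser I am adding for that purpose (it is not Cisco code and not part of the original post). The sample capture text is constructed to match the ASA output format shown above; it adds a couple of extra lines, including one non-ACL reason of the kind you would see from a "type asp-drop all" capture, so the summary has something to group.

```python
import re
from collections import Counter

# One "show capture asp-drop" packet line, e.g.
#   27: 14:05:42.770162 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo reply
#       Drop-reason: (acl-drop) Flow is denied by configured rule
# The 802.1Q/VLAN prefix is optional: untagged captures omit it.
LINE_RE = re.compile(
    r"^(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<detail>.*?)\s*"
    r"Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<text>.*)$"
)

# Constructed sample in the ASA format; header/footer lines are kept on purpose
# so the parser has to skip them.
SAMPLE_CAPTURE = """\
32 packets captured
   1: 14:05:41.102331 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
   2: 14:05:41.250114 802.1Q vlan#15 P0 10.10.15.30.51234 > 10.10.50.10.443: S 1189022094:1189022094(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
  27: 14:05:42.770162 802.1Q vlan#15 P0 10.10.15.25 > 10.10.50.127: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
  28: 14:05:43.001200 10.10.15.25 > 10.10.50.127: icmp: echo reply Drop-reason: (acl-drop) Flow is denied by configured rule
  30: 14:05:43.500000 802.1Q vlan#15 P0 10.10.50.10.443 > 10.10.15.30.51234: . ack 1 win 64240 Drop-reason: (tcp-not-syn) First TCP packet not SYN
32 packets shown
"""


def parse_asp_drops(text):
    """Return one dict per captured packet; non-packet lines are skipped."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            records.append(m.groupdict())
    return records


def count_by_reason(records):
    """How many drops each ASP reason accounts for."""
    return Counter(r["reason"] for r in records)


def count_by_flow(records):
    """(src, dst, reason) ranked by hits: the flows to check an ACL change against."""
    return Counter((r["src"], r["dst"], r["reason"]) for r in records).most_common()


if __name__ == "__main__":
    recs = parse_asp_drops(SAMPLE_CAPTURE)
    for reason, n in count_by_reason(recs).items():
        print(f"{reason}: {n}")
    for (src, dst, reason), n in count_by_flow(recs):
        print(f"{n:3d}  {src} > {dst}  {reason}")
```

Feed it the text of "show capture asp-drop" saved from a terminal session, and the top flow in the second list is the one whose source, destination and protocol you match against your ACL entries.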