• Status: Solved

How to monitor site-to-site traffic on a Cisco ASA via ASDM

I have a site-to-site IPsec VPN between a Cisco ASA 5510 and a Check Point FW.

I manage the ASA for our customer, which is on version 8.4(2), via ASDM version 6.4. The Check Point is managed by a third party. I am trying to troubleshoot an issue involving the site-to-site traffic.

The issue is that I am looking at the logging (Monitoring > Logging > View > Debugging) but cannot see any entries for any traffic coming from the remote LAN. E.g. I can see no entries in the log for any IPs from the remote LAN network behind the Check Point.

I've tried filtering without any success. I'm assuming I have to enable an additional option within ASDM to see the S2S traffic. I know that the traffic is traversing the site-to-site VPN, as I can see matches on a Cisco router ACL for the remote site traffic; the router sits behind my ASA.

1 Solution
sharjeel ashraf (Senior Network Engineer) commented:
Try "view information", or try "view all".

Have you enabled debugging for the traffic / interface?

From the CLI try debug crypto isakmp and debug crypto ipsec.
PeterHing (Author) commented:
I've enabled debug crypto ipsec; debug crypto isakmp is not valid.

Not sure that "view information" / "view all" is a valid option?
sharjeel ashraf (Senior Network Engineer) commented:
You need to do this from the CLI with enable mode entered.

If you have a site-to-site VPN using IPsec then your device will allow both commands. If you do a show ver on it, can you post the output? Remove any sensitive information.
PeterHing (Author) commented:
debug crypto isakmp is not valid.

See below.

debug crypto ?

  ca          Set PKI debug levels
  condition   Set IPSec/ISAKMP debug filters
  engine      Set crypto engine debug levels
  ike-common  Set IKE common debug levels
  ikev1       Set IKEV1 debug levels
  ikev2       Set IKEV2 debug levels
  ipsec       Set IPSec debug levels
  vpnclient   Set EasyVPN client debug levels
fw# debug crypto

########## Show Ver output #############

fw# sh ver

Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)206

Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"

fw up 236 days 23 hours

Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1

 0: Ext: Ethernet0/0         : address is 6400.f123.ab06, irq 9
 1: Ext: Ethernet0/1         : address is 6400.f123.ab07, irq 9
 2: Ext: Ethernet0/2         : address is 6400.f123.ab08, irq 9
 3: Ext: Ethernet0/3         : address is 6400.f123.ab09, irq 9
 4: Ext: Management0/0       : address is 6400.f123.ab05, irq 11
 5: Int: Not used            : irq 11
 6: Int: Not used            : irq 5

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 100            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
Security Contexts                 : 2              perpetual
GTP/GPRS                          : Disabled       perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 250            perpetual
Total VPN Peers                   : 250            perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has an ASA 5510 Security Plus license.

Running Permanent Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Configuration register is 0x1

sharjeel ashraf (Senior Network Engineer) commented:
Sorry, try debug crypto ikev1; if you get no information, do debug crypto ikev2.
PeterHing (Author) commented:
Still no difference.
sharjeel ashraf (Senior Network Engineer) commented:
What's the issue you are trying to resolve?
PeterHing (Author) commented:
I don't need to go into the issue at this time; I just need to be able to see the site-to-site VPN traffic.

Thanks for trying to help.
sharjeel ashraf (Senior Network Engineer) commented:
You can use Firegen to get traffic information from the ASA/PIX/other logs.

You could also monitor/sniff the line with something like nProbe.
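The thread never shows what a site-to-site flow looks like once it does reach the ASA log, so here is an added example (not from the thread, Cisco, or Firegen) that parses ASA syslog connection and deny messages and keeps only the ones touching the remote LAN, then reports the logging level those messages need. The log lines, the remote subnet 10.20.30.0/24 and the interface names are constructed for the example.

```python
import ipaddress
import re

# Constructed ASA syslog sample (not taken from the thread). Three sources sit in
# the assumed remote LAN 10.20.30.0/24 behind the peer; 203.0.113.9 is unrelated.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.20.30.5/51234 (10.20.30.5/51234) to inside:192.168.1.10/445 (192.168.1.10/445)
%ASA-6-302015: Built inbound UDP connection 12346 for outside:10.20.30.7/50000 (10.20.30.7/50000) to inside:192.168.1.53/53 (192.168.1.53/53)
%ASA-6-302014: Teardown TCP connection 12345 for outside:10.20.30.5/51234 to inside:192.168.1.10/445 duration 0:00:05 bytes 2048 TCP FINs
%ASA-4-106023: Deny tcp src outside:10.20.30.9/1234 dst inside:192.168.1.10/22 by access-group "outside_access_in" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12347 for outside:203.0.113.9/4444 (203.0.113.9/4444) to inside:192.168.1.10/443 (192.168.1.10/443)
"""

HEADER_RE = re.compile(r"%ASA-(\d)-(\d{6}): (\w+)")   # severity, message id, verb
# interface:address/port as written in 302013-302016 (build/teardown) and 106023 (deny)
ENDPOINT_RE = re.compile(r"(\w+):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


def parse_line(line):
    """Return (severity, msg_id, verb, [(iface, ip, port), ...]) or None if not an ASA message."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    endpoints = [(iface, ipaddress.ip_address(addr), int(port))
                 for iface, addr, port in ENDPOINT_RE.findall(line)]
    return int(m.group(1)), m.group(2), m.group(3), endpoints


def remote_lan_events(log_text, remote_lan):
    """Keep every build/teardown/deny whose endpoints include a host in remote_lan.

    Decrypted tunnel traffic is logged with the same 302013/302015 messages as any
    other flow, so an empty result means the messages are not reaching this log."""
    net = ipaddress.ip_network(remote_lan)
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        severity, msg_id, verb, endpoints = parsed
        remote = [ip for _, ip, _ in endpoints if ip in net]
        if remote:
            events.append({"msg_id": msg_id, "verb": verb, "severity": severity,
                           "remote": str(remote[0])})
    return events


def minimum_logging_level(events):
    """Largest severity number among the matches. 302013/302015 are level 6
    (informational), so a logging destination set below that never shows them."""
    return max((e["severity"] for e in events), default=0)
```

Run `remote_lan_events(SAMPLE_LOG, "10.20.30.0/24")` against a real buffer export to confirm whether the remote hosts appear at all, and compare `minimum_logging_level` with the level configured for the ASDM or buffer destination.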
