How to monitor site to site traffic CISCO ASA via ASDM

Posted on 2012-09-06
Last Modified: 2012-09-13
I have a site to site ipsec vpn between a Cisco ASA 5510 and a checkpoint FW.

I manage the ASA for our customer, which is on version 8.4(2), via ASDM Version 6.4. The checkpoint is managed via a third party. I am trying to troubleshoot an issue involving the site to site traffic.

The issue is I am looking at the Logging (Monitoring>Logging>view>debugging) but cannot see any entries for any traffic coming from the remote LAN. E.g. I can see no entries in the log for any IPs from the remote LAN network behind the checkpoint.

I've tried filtering without any success. I'm assuming I have to enable an additional option within ASDM to see the S2S traffic. I know that the traffic is traversing the site to site VPN as I can see matches on a Cisco Router ACL for the remote site traffic, which sits behind my ASA.

Question by:PeterHing
    LVL 6

    Expert Comment

    by:sharjeel ashraf
    Try view information, or try view all.

    Have you enabled debugging for the traffic / interface?

    From the CLI, try debug crypto isakmp and debug crypto ipsec.
    LVL 2

    Author Comment


    I've enabled debug crypto ipsec, debug crypto isakamp is not valid.

    Not sure that the view information/view all is a valid option?
    LVL 6

    Expert Comment

    by:sharjeel ashraf
    You need to do this from the CLI with enable mode entered.

    If you have a site-to-site VPN using IPsec then your device will allow both commands. If you do a show ver on it, can you post the output? Remove any sensitive information.
    LVL 2

    Author Comment

    debug crypto isakamp is not valid

    see below

    debug crypto ?

      ca          Set PKI debug levels
      condition   Set IPSec/ISAKMP debug filters
      engine      Set crypto engine debug levels
      ike-common  Set IKE common debug levels
      ikev1       Set IKEV1 debug levels
      ikev2       Set IKEV2 debug levels
      ipsec       Set IPSec debug levels
      vpnclient   Set EasyVPN client debug levels
    fw# debug crypto

    ########## Show Ver output #############

    fw# sh ver

    Cisco Adaptive Security Appliance Software Version 8.4(2)
    Device Manager Version 6.4(5)206

    Compiled on Wed 15-Jun-11 18:17 by builders
    System image file is "disk0:/asa842-k8.bin"
    Config file at boot was "startup-config"

    fw up 236 days 23 hours

    Hardware:   ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash M50FW016 @ 0xfff00000, 2048KB

    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                                 Boot microcode        : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                                 Number of accelerators: 1

     0: Ext: Ethernet0/0         : address is 6400.f123.ab06, irq 9
     1: Ext: Ethernet0/1         : address is 6400.f123.ab07, irq 9
     2: Ext: Ethernet0/2         : address is 6400.f123.ab08, irq 9
     3: Ext: Ethernet0/3         : address is 6400.f123.ab09, irq 9
     4: Ext: Management0/0       : address is 6400.f123.ab05, irq 11
     5: Int: Not used            : irq 11
     6: Int: Not used            : irq 5

    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual

    This platform has an ASA 5510 Security Plus license.

    Running Permanent Activation Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Configuration register is 0x1

    LVL 6

    Expert Comment

    by:sharjeel ashraf
    Sorry, try debug crypto ikev1; if you get no information, do debug crypto ikev2.
    LVL 2

    Author Comment


    Still no difference
    LVL 6

    Expert Comment

    by:sharjeel ashraf
    What's the issue you are trying to resolve?
    LVL 2

    Author Comment

    I don't need to go into the issue at this time, just need to be able to see site to site vpn traffic.

    Thanks for trying to help
    LVL 6

    Accepted Solution

    You can use firegen to get traffic information from the ASA/PIX/Other logs.

    You could also monitor/sniff the line with something like nProbe.
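
The log-based approach in the accepted answer can be approximated by filtering exported ASA syslog for connection events that involve the remote LAN. This is an added example, not part of the thread and not firegen's code: it parses the ASA connection messages 302013 to 302016 (logged at severity 6, informational) and keeps those where either endpoint falls inside the remote subnet. The subnet `192.168.50.0/24`, the function name `remote_lan_events` and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in ASA connection-syslog format (not from the thread).
SAMPLE_LOG = """\
Sep 06 2012 10:15:01: %ASA-6-302013: Built inbound TCP connection 4101 for outside:192.168.50.10/51234 (192.168.50.10/51234) to inside:10.1.1.20/443 (10.1.1.20/443)
Sep 06 2012 10:15:02: %ASA-6-302015: Built outbound UDP connection 4102 for outside:198.51.100.7/53 (198.51.100.7/53) to inside:10.1.1.30/40000 (10.1.1.30/40000)
Sep 06 2012 10:15:09: %ASA-6-302014: Teardown TCP connection 4101 for outside:192.168.50.10/51234 to inside:10.1.1.20/443 duration 0:00:08 bytes 5120 TCP FINs
Sep 06 2012 10:15:11: %ASA-5-111008: User 'admin' executed the 'show version' command.
Sep 06 2012 10:15:20: %ASA-6-302013: Built inbound TCP connection 4103 for outside:192.168.50.77/40222 (192.168.50.77/40222) to inside:10.1.1.20/22 (10.1.1.20/22)
"""

# 302013/302014 = TCP built/teardown, 302015/302016 = UDP built/teardown.
# The two endpoints are listed by interface, not strictly source then destination,
# so they are captured as endpoint 1 and endpoint 2 and both are checked.
CONN_RE = re.compile(
    r"%ASA-\d-(?P<msgid>30201[3-6]): (?P<event>Built|Teardown) (?:inbound |outbound )?"
    r"(?P<proto>TCP|UDP) connection (?P<conn>\d+) for "
    r"(?P<if1>[^:\s]+):(?P<ip1>[\d.]+)/(?P<port1>\d+)(?: \([^)]*\))? to "
    r"(?P<if2>[^:\s]+):(?P<ip2>[\d.]+)/(?P<port2>\d+)"
)


def remote_lan_events(log_text, remote_lan):
    """Return connection events where either endpoint is inside remote_lan."""
    net = ipaddress.ip_network(remote_lan)
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue  # not a connection build/teardown message
        if any(ipaddress.ip_address(m[k]) in net for k in ("ip1", "ip2")):
            hits.append({
                "event": m["event"],
                "proto": m["proto"],
                "conn": int(m["conn"]),
                "endpoint1": f'{m["if1"]}:{m["ip1"]}/{m["port1"]}',
                "endpoint2": f'{m["if2"]}:{m["ip2"]}/{m["port2"]}',
            })
    return hits


if __name__ == "__main__":
    for hit in remote_lan_events(SAMPLE_LOG, "192.168.50.0/24"):
        print(hit)
```

If this returns nothing for a subnet that is known to be passing traffic, the connection messages are not reaching the log destination being read, which points at the logging level or message filtering rather than at the tunnel.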
