Solved

Troubleshoot of VPN packets

Posted on 2013-06-23
Last Modified: 2013-07-09
Hi,

Can anyone give the troubleshooting steps for VPN traffic?

Scenario :

                           VPN client PC
                                 |
                                 |
                             Internet
                                 |
                                 |
                                ASA
                                 |
                             LAN server

Requirement:

If a PC cannot communicate with the LAN server

How to capture the packets through the VPN

In the capture, what is the source IP and destination IP for VPN traffic

Regards
Ramu
0
Question by:RAMU CH
5 Comments
 
LVL 6

Expert Comment

by:Vijay Pratap Singh
ID: 39270345
Use Wireshark to capture packets and find all the information

xD
0
 
LVL 1

Author Comment

by:RAMU CH
ID: 39270368
Pls tell me what the packet structure is through the VPN tunnel

What is the source IP and destination IP while initiating the request, and
while replying to the request, what is the source IP and destination IP

Regards
Ramu
0
 
LVL 69

Accepted Solution

by:
Qlemo earned 500 total points
ID: 39270571
The encrypted packet always has public IPs as source and destination. The IPSec payload contains only private IPs. So you have to consider at which point you are monitoring traffic all the time. The device/machine encrypting sees both kinds of traffic, any other device/machine only unencrypted or encrypted.

If you use Wireshark on a PC not connected directly to the Internet (and different from the VPN Client PC), you will only see unencrypted, private traffic.
On ASA you should be able to have both available, depending on the debugging commands you use.
The client PC acts with its VPN IP. You should be able to see both unencrypted and VPN (encrypted) traffic here.

As you can see, there are a lot of points where you can monitor traffic. If you do not know IOS, Wireshark on both client and target PC with a filter of (IPSec) source and target IPs gives a good idea. Probably you won't get around debugging your ASA, though, as only there you will see if traffic is rejected, dismissed or translated the wrong way (with regard to IP addresses).
0
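The distinction drawn in the accepted answer, as an added example that is not part of the original thread: a Python sketch that classifies raw IPv4 packets as ESP, ESP-in-UDP (NAT traversal), IKE or cleartext and reports which addresses a capture at that point shows. All addresses, the helper names and the sample packets are constructed for illustration; documentation ranges stand in for the public IPs.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(pkt: bytes) -> dict:
    """Classify one raw IPv4 packet (no link-layer header) as a capture point would see it."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto = pkt[9]
    src, dst = (ipaddress.IPv4Address(pkt[i:i + 4]) for i in (12, 16))
    payload = pkt[(pkt[0] & 0x0F) * 4:]    # skip the IPv4 header, options included
    kind = "cleartext"                     # not IPsec: decrypted inner or unrelated traffic
    if proto == 50:                        # ESP carried directly in IP
        kind = "esp"
    elif proto == 17 and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        data = payload[8:]
        if 4500 in (sport, dport):         # NAT traversal, RFC 3948
            if data == b"\xff":
                kind = "nat-keepalive"
            elif data[:4] == b"\x00" * 4:  # non-ESP marker precedes IKE
                kind = "ike"
            else:
                kind = "esp-in-udp"
        elif 500 in (sport, dport):
            kind = "ike"
    return {"kind": kind, "src": str(src), "dst": str(dst),
            "both_private": all(any(a in n for n in RFC1918) for a in (src, dst))}

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet; constructed sample data, checksum left at 0."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

# Constructed samples: 10.10.50.5 plays the client's VPN IP, 192.168.1.20 the LAN server.
ESP_BODY = struct.pack("!II", 0x1A2B3C4D, 1) + b"\xaa" * 16   # SPI, sequence, opaque data
SAMPLES = {
    "outside, plain ESP": ipv4("198.51.100.7", "203.0.113.1", 50, ESP_BODY),
    "outside, NAT-T": ipv4("198.51.100.7", "203.0.113.1", 17, udp(4500, 4500, ESP_BODY)),
    "inside, decrypted": ipv4("10.10.50.5", "192.168.1.20", 6, b"\x00" * 20),
}

for where, pkt in SAMPLES.items():
    print(where, classify(pkt))
```

A capture that shows only the "esp" or "esp-in-udp" kinds sits outside the tunnel; one that shows private-to-private cleartext sits behind the decrypting device.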
 
LVL 20

Expert Comment

by:rauenpc
ID: 39271384
Unless you are just trying to learn the process but don't actually have an issue, you probably don't need to do a packet capture to figure out why the server can't communicate with the VPN client. Posting a scrubbed config of the ASA would be a good starting point. This may simply be a NAT issue.
0
 
LVL 1

Author Closing Comment

by:RAMU CH
ID: 39310776
tks
0