I need help tracking down where packets are being dropped.

Discussion in 'Cisco' started by Scott Townsend, Mar 6, 2007.

  1. I'm looking for a way to see traffic that is being dumped on a PIX VPN
    connection. I have Syslog set up to log all incoming packets and denies, and
    that is working, though it does not seem to be logging the packets that the
    VPN does not care about.

    I have a VPN between 2 PIXes and both sides have other subnets behind them

    10.3.x.y
    10.1.x.y
    PIX
    Internet
    PIX
    10.2.x.y
    10.6.x.y


    10.2 can see everything
    10.6 can only see 10.2
    10.1 can see 10.2, 10.3
    10.3 can see 10.2, 10.1


    Can I set up a capture or something in the Syslog to help me figure out
    where my issue in my Config is?

    Thanks,
    Scott<-
     
    Scott Townsend, Mar 6, 2007
    #1

  2. Havoc 25 (Guest)

    You have many cookbooks regarding VPN scenarios on Cisco.com.

    You can see dropped packets with "sh log | inc <ip address>" and open
    connections with "show conn", so try to troubleshoot your connection. Also
    check your routing and the ACL which defines which traffic should be encrypted,
    and which traffic should be involved in NAT (if you have one).

    H.

    Havoc 25, Mar 6, 2007
    #2

  3. Thank you for your suggestions.

    Though I do not see the traffic I'm looking for.

    I have a continuous ping set up from one side to the other.
    Doing a "sh log | inc <src|dst>" returns nothing.

    So maybe I should do this more by Example.

    So on my ACLs I have the Following:

    access-list <ACL-Name> extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.2.0.0 255.255.0.0 10.6.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.6.0.0 255.255.0.0 10.2.0.0 255.255.0.0

    So I have 5 sets of the above ACL where <ACL-Name> is one of the following:
    inside_nat
    cryptomap_20
    cryptomap_40
    nat0_inbound
    nat0_outbound

    nat (outside) 0 access-list nat0_inbound outside
    nat (inside) 0 access-list inside_nat

    group-policy PIXB internal
    group-policy PIXB attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cryptomap_40

    crypto map olivet-dyn-map 20 match address cryptomap_20
    crypto map olivet-dyn-map 20 set peer <PIXB IP>
    crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
    crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
    crypto map olivet-dyn-map interface outside

    So am I missing something? Does the order of the entries in the ACLs make a
    difference?

    Thanks

    Scott Townsend, Mar 7, 2007
    #3
  4. So I've tried re-creating all the ACLs using object groups.

    Now I've Managed:

    10.3.x.y 10.11.x.y
    router
    10.1.x.y
    PIX H Router O w/ FW -> PIX A
    Internet Internet
    PIX S
    10.2.x.y
    router
    10.6.x.y

    10.1 can't see anything at PIX B
    10.11 can see all subnets at PIX B
    10.3 can see 10.2

    object-group network NETWORK-OLIVET-ALL
    network-object 10.11.0.0 255.255.0.0
    object-group network NETWORK-SF-VPN
    network-object 10.2.0.0 255.255.0.0
    network-object 10.6.0.0 255.255.0.0
    object-group network NETWORK-HBG-VPN
    network-object 10.1.0.0 255.255.0.0
    network-object 10.3.0.0 255.255.0.0

    From each site I have ACLs in the format:

    PIX H
    access-list <ACL Name> extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
    access-list <ACL Name> extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-OLIVET-VPN

    PIX S
    access-list <ACL Name> extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
    access-list <ACL Name> extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-VPN

    I think I need to be a member of the Hair Club for Men. I don't have much
    left.

    Thanks,
    Scott<-

    Scott Townsend, Mar 7, 2007
    #4
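Added example (editor's code, not from the thread and not a Cisco tool): a small Python checker for the two things Havoc 25 suggests verifying, the crypto ACL and the NAT exemption, run over the ACL lines posted in #3 and the object groups posted in #4 (re-joined onto single lines as constructed sample input). It parses both `access-list ... extended permit ip` forms that appear on the page (plain address/mask and `object-group`), then answers three questions a practitioner would ask before reaching for `sh log`: which ACLs cover a given flow, whether an ACL references an object-group that is never defined (post #4 references NETWORK-OLIVET-VPN but only defines NETWORK-OLIVET-ALL, whether that is a typo in the post or in the config), and whether the peer's crypto ACL is the mirror image of the local one, which a LAN-to-LAN IPsec tunnel requires. The ACL names `cryptomap_20`, `hbg_to_sf` and `hbg_to_olivet`, and the whole PIX S config (a mirror with one subnet pair deliberately left out), are assumptions for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, not a real device dump: the plain-mask lines from post #3
# (with "cryptomap_20" standing in for <ACL-Name>) and the object groups and
# object-group ACLs from post #4 (ACL names assumed).
PIX_H = """
object-group network NETWORK-OLIVET-ALL
 network-object 10.11.0.0 255.255.0.0
object-group network NETWORK-SF-VPN
 network-object 10.2.0.0 255.255.0.0
 network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG-VPN
 network-object 10.1.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.6.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list hbg_to_sf extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list hbg_to_olivet extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-OLIVET-VPN
"""

# Assumed peer-side (PIX S) crypto ACL: a mirror of cryptomap_20 above with the
# 10.6 <-> 10.1 pair deliberately missing, so the mirror check has something to find.
PIX_S = """
access-list cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.6.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.6.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""

ACL_RE = re.compile(r"access-list (\S+) extended permit ip (.+)")
GROUP_RE = re.compile(r"object-group network (\S+)")
MEMBER_RE = re.compile(r"network-object (\S+) (\S+)")


def _endpoint(tokens, i, groups, problems):
    """Consume one source or destination spec starting at tokens[i].
    Returns (list of networks, index of the next unread token)."""
    tok = tokens[i]
    if tok == "object-group":
        name = tokens[i + 1]
        if name not in groups:
            problems.append(f"object-group {name} referenced but never defined")
            return [], i + 2
        return list(groups[name]), i + 2
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1] + "/32")], i + 2
    # plain "address netmask" form; ipaddress accepts dotted netmasks
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}")], i + 2


def parse_pix(config):
    """Return (acls, problems): acls maps ACL name -> [(src_net, dst_net), ...]."""
    groups, acls, problems = {}, defaultdict(list), []
    current = None  # members list of the object-group being defined, if any
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = MEMBER_RE.match(line)
        if m and current is not None:
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        current = None  # any other line ends the object-group block
        m = ACL_RE.match(line)
        if m:
            name, rest = m.groups()
            toks = rest.split()
            srcs, i = _endpoint(toks, 0, groups, problems)
            dsts, _ = _endpoint(toks, i, groups, problems)
            acls[name].extend((s, d) for s in srcs for d in dsts)
    return dict(acls), problems


def matching_acls(acls, src_ip, dst_ip):
    """Names of ACLs with at least one entry covering the flow src -> dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return sorted(name for name, entries in acls.items()
                  if any(src in s and dst in d for s, d in entries))


def mirror_gaps(local, remote):
    """Entries of the local crypto ACL whose reverse (dst -> src) is absent on the peer."""
    remote_set = set(remote)
    return [(s, d) for s, d in local if (d, s) not in remote_set]


if __name__ == "__main__":
    h_acls, h_problems = parse_pix(PIX_H)
    s_acls, _ = parse_pix(PIX_S)
    for p in h_problems:
        print("PROBLEM:", p)
    for flow in [("10.1.5.5", "10.2.5.5"), ("10.3.5.5", "10.2.5.5"), ("10.6.5.5", "10.1.5.5")]:
        print(flow, "->", matching_acls(h_acls, *flow) or "NO ACL MATCH")
    for s, d in mirror_gaps(h_acls["cryptomap_20"], s_acls["cryptomap_20"]):
        print(f"peer lacks mirror of {s} -> {d}")
```

Two things the output makes visible that reading the posts does not: the plain-mask lines in #3 never mention 10.3.0.0, so a 10.3 -> 10.2 flow is covered only by the object-group ACL from #4, not by `cryptomap_20`; and the undefined NETWORK-OLIVET-VPN is reported once, where the lines referencing it silently match nothing. The same `matching_acls` call, pointed at the nat0 ACLs, shows whether a flow is exempted from NAT on both peers, which is the other half of Havoc 25's advice.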