I need help tracking down where packets are being dropped.

Discussion in 'Cisco' started by Scott Townsend, Mar 6, 2007.

    I'm looking for a way to see traffic that is being dumped on a PIX VPN
    connection. I have syslog set up to log all incoming packets and denies, and
    that is working, though it does not seem to be logging the packets that the
    VPN does not care about.

    I have a VPN between 2 PIXes and both sides have other subnets behind them

    10.3.x.y
    10.1.x.y
    PIX
    Internet
    PIX
    10.2.x.y
    10.6.x.y


    10.2 can see everything
    10.6 can only see 10.2
    10.1 can see 10.2, 10.3
    10.3 can see 10.2, 10.1


    Can I set up a capture or something in the Syslog to help me figure out
    where my issue in my Config is?

    Thanks,
    Scott
    Scott Townsend, Mar 6, 2007
    #1

    Havoc 25 Guest

    You have many cookbooks regarding VPN scenarios on Cisco.com.

    You can see dropped packets with "sh log | inc <ip address>" and open
    connections with "show conn", so try to troubleshoot your connection. Also
    check your routing and the ACL which defines which traffic should be encrypted,
    and which traffic should be involved in NAT (if you have one).

    H.
    Havoc 25, Mar 6, 2007
    #2

    Thank you for your suggestions.

    Though I do not see the traffic I'm looking for.

    I have a continuous ping set up from one side to the other.
    Doing a sh log | inc <src|dst> returns nothing.

    So maybe I should do this more by example.

    In my ACLs I have the following:

    access-list <ACL-Name> extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.1.0.0 255.255.0.0 10.6.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.2.0.0 255.255.0.0 10.6.0.0 255.255.0.0
    access-list <ACL-Name> extended permit ip 10.6.0.0 255.255.0.0 10.2.0.0 255.255.0.0

    So I have 5 sets of the above ACL where <ACL-Name> is one of the following:
    inside_nat
    cryptomap_20
    cryptomap_40
    nat0_inbound
    nat0_outbound

    nat (outside) 0 access-list nat0_inbound outside
    nat (inside) 0 access-list inside_nat

    group-policy PIXB internal
    group-policy PIXB attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value cryptomap_40

    crypto map olivet-dyn-map 20 match address cryptomap_20
    crypto map olivet-dyn-map 20 set peer <PIXB IP>
    crypto map olivet-dyn-map 20 set transform-set ESP-3DES-SHA
    crypto map olivet-dyn-map 65535 ipsec-isakmp dynamic olivet
    crypto map olivet-dyn-map interface outside

    So am I missing something? Does the order of the entries in the ACLs make a
    difference?

    Thanks
    Scott Townsend, Mar 7, 2007
    #3
    So I've tried re-creating all the ACLs using object groups.

    Now I've managed:

    10.3.x.y 10.11.x.y
    router
    10.1.x.y
    PIX H Router O w/ FW -> PIX A
    Internet Internet
    PIX S
    10.2.x.y
    router
    10.6.x.y

    10.1 can't see anything at PIX B
    10.11 can see all Subnets at PIX B
    10.3 can see 10.2

    object-group network NETWORK-OLIVET-ALL
    network-object 10.11.0.0 255.255.0.0
    object-group network NETWORK-SF-VPN
    network-object 10.2.0.0 255.255.0.0
    network-object 10.6.0.0 255.255.0.0
    object-group network NETWORK-HBG-VPN
    network-object 10.1.0.0 255.255.0.0
    network-object 10.3.0.0 255.255.0.0

    From each site I have ACLs in the format:

    PIX H
    access-list <ACL Name> extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
    access-list <ACL Name> extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-OLIVET-VPN

    PIX S
    access-list <ACL Name> extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-HBG-VPN
    access-list <ACL Name> extended permit ip object-group NETWORK-SF-VPN object-group NETWORK-OLIVET-VPN

    I think I need to be a member of the Hair Club for Men. I don't have much
    left.

    Thanks,
    Scott
    Scott Townsend, Mar 7, 2007
    #4
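The configs in posts #3 and #4 are the kind of thing that is easier to check mechanically than by eye: on a site-to-site IPsec tunnel between two PIXes the crypto ACL on one peer has to be the mirror image of the crypto ACL on the other, and with object-groups in play a group referenced under one name but defined under another silently matches nothing. The script below is an added example (it is not from the thread and not Cisco tooling): it expands object-groups, computes the set of (source, destination) subnet pairs each peer's crypto ACL permits, and reports pairs present on one side but not mirrored on the other, plus any object-group a line references but the config never defines. The sample configs are constructed from the fragments in the thread: the PIX H side reuses the object-group definitions and ACL lines from post #4 as written; the PIX S side is a constructed per-subnet list in the post #3 style that deliberately omits 10.3 <-> 10.6 so the report has something to show. The ACL name cryptomap_20 is borrowed from post #3 as an assumption. Only "permit ip" entries are parsed; deny entries, ports, and entry order are ignored.

```python
"""Mirror-image check for PIX crypto-map ACLs (added example, not from the thread)."""
import ipaddress
import re
from collections import defaultdict

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(.+)$")
GROUP_RE = re.compile(r"^object-group\s+network\s+(\S+)$")
MEMBER_RE = re.compile(r"^network-object\s+(\S+)\s+(\S+)$")


def take_endpoint(tokens):
    """Consume one src/dst spec; returns ((kind, value), remaining_tokens)."""
    head = tokens[0]
    if head == "object-group":
        return ("group", tokens[1]), tokens[2:]
    if head == "any":
        return ("net", ipaddress.ip_network("0.0.0.0/0")), tokens[1:]
    if head == "host":
        return ("net", ipaddress.ip_network(tokens[1] + "/32")), tokens[2:]
    # plain "address netmask" form, e.g. 10.1.0.0 255.255.0.0
    return ("net", ipaddress.ip_network(f"{head}/{tokens[1]}")), tokens[2:]


def parse_config(text):
    """Collect network object-groups and permit-ip ACL entries from a config dump."""
    groups, acls, current_group = defaultdict(list), defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := GROUP_RE.match(line)):
            current_group = m.group(1)
            groups[current_group]  # register the name even if it stays empty
        elif (m := MEMBER_RE.match(line)) and current_group is not None:
            groups[current_group].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif (m := ACL_RE.match(line)):
            current_group = None
            src, rest = take_endpoint(m.group(2).split())
            dst, _ = take_endpoint(rest)
            acls[m.group(1)].append((src, dst))
    return groups, acls


def expand(endpoint, groups, missing):
    """Resolve an endpoint to a list of networks; record undefined group names."""
    kind, value = endpoint
    if kind == "net":
        return [value]
    if value not in groups:
        missing.add(value)
        return []
    return groups[value]


def coverage(text, acl_name):
    """(src, dst) pairs the named ACL permits, plus referenced-but-undefined groups."""
    groups, acls = parse_config(text)
    pairs, missing = set(), set()
    for src, dst in acls.get(acl_name, []):
        for s in expand(src, groups, missing):
            for d in expand(dst, groups, missing):
                pairs.add((s, d))
    return pairs, missing


def mirror_check(local_text, local_acl, remote_text, remote_acl):
    """Compare the local crypto ACL with the mirror image of the remote one."""
    local, local_missing = coverage(local_text, local_acl)
    remote, remote_missing = coverage(remote_text, remote_acl)
    remote_mirrored = {(d, s) for s, d in remote}
    return {
        "only_local": sorted(local - remote_mirrored, key=str),
        "only_remote": sorted(remote_mirrored - local, key=str),
        "missing_groups_local": sorted(local_missing),
        "missing_groups_remote": sorted(remote_missing),
    }


# Constructed sample: PIX H side, copied from the object-group post as written.
PIX_H_CONFIG = """
object-group network NETWORK-OLIVET-ALL
 network-object 10.11.0.0 255.255.0.0
object-group network NETWORK-SF-VPN
 network-object 10.2.0.0 255.255.0.0
 network-object 10.6.0.0 255.255.0.0
object-group network NETWORK-HBG-VPN
 network-object 10.1.0.0 255.255.0.0
 network-object 10.3.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-SF-VPN
access-list cryptomap_20 extended permit ip object-group NETWORK-HBG-VPN object-group NETWORK-OLIVET-VPN
"""

# Constructed sample: PIX S side, per-subnet entries that leave out 10.6 -> 10.3.
PIX_S_CONFIG = """
access-list cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.6.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list cryptomap_20 extended permit ip 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
"""

if __name__ == "__main__":
    report = mirror_check(PIX_H_CONFIG, "cryptomap_20", PIX_S_CONFIG, "cryptomap_20")
    for key, value in report.items():
        print(key, [tuple(map(str, p)) if isinstance(p, tuple) else p for p in value])
```

On this constructed input the report lists NETWORK-OLIVET-VPN as referenced but never defined on the PIX H side (the sample defines NETWORK-OLIVET-ALL), and 10.3.0.0/16 -> 10.6.0.0/16 as permitted only on PIX H. Run it against `show run` output from both peers, with the ACL name from each peer's `crypto map ... match address` line; a non-empty only_local or only_remote list is the usual reason one subnet behind a tunnel "can see" a peer while a sibling subnet cannot, since traffic that matches no crypto ACL entry is not offered to the tunnel and, on a PIX, is not logged as an ACL deny.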