[c-nsp] debugging and tracing on IP-Sec tunnel

Peter Rathlev peter at rathlev.dk
Fri Aug 1 03:39:22 EDT 2008


On Fri, 2008-08-01 at 07:32 +0200, Arne Larsen wrote:
> I need some advice regarding trace and debug on a tunnel with IPSec. We
> are using a provider to some kind of health service, these servers
> can be reached via a tunnel interface in our network and vice versa.
> My problem is that one server is out of reach on http traffic but not
> on ssh. If I deploy an access-list on the tunnel interface, I can see
> that the http-traffic is being forwarded via the tunnel interface. So
> how can I be sure that the IP-Sec interface also is forwarding the
> http traffic and not just ssh.

You could place a sniffer on the outside to look for ESP packets. If
there's a time window with no or little other traffic, you could be
fairly certain that some generated HTTP traffic is what you see on the
outside.

An access-list on Fa0/0 should also work. It could be the same as you
use for encrypting ("krypt-medcom"), which I presume allows GRE traffic
from your end to the other end.

Both are limited by the fact that the traffic is now encrypted, so it's
harder to tell if what you see is really what you expect.

Of course there could be other problems: The other end of the tunnel not
accepting the traffic (this specific peer usually sends unreachables
though) or maybe PMTUd problems. If a simple telnet towards port 80 is
working, but downloading pages isn't, adjust-mss might help. (We use "ip
tcp adjust-mss 1355" on our tunnel towards this provider.) This is less
probable if you have two similar servers working, but they might be
behind different tunnels themselves in the other end.

Mail me off list if you'd like me to test things from our end. :-)

Regards,
Peter
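
As an added example (not code from the thread or from either poster), here is a small Python tool implementing the two checks suggested above: it classifies raw IPv4 packets captured on the outside interface, so a quiet test window can be checked for ESP packets versus GRE that left in the clear, and it reads the MSS option of TCP SYNs seen on the tunnel interface to confirm that an "ip tcp adjust-mss" value is actually being applied. All sample packets, addresses and helper names are constructed for this example; input is assumed to be raw IPv4 packets with the link-layer header already stripped.

```python
"""Added example: classify packets seen on the outside interface of a
GRE-over-IPsec router and read the MSS advertised in TCP SYNs.

Not code from the cisco-nsp thread. The sample packets below are
constructed here; real input would be raw IPv4 packets (no Ethernet
header), e.g. from a tcpdump capture with the link layer removed."""
import struct
from collections import Counter

ESP, GRE, TCP, UDP = 50, 47, 6, 17       # IANA IP protocol numbers
ISAKMP_PORT, NAT_T_PORT = 500, 4500


def ip2b(addr):
    """Dotted-quad string to 4 packed bytes."""
    return bytes(int(octet) for octet in addr.split("."))


def ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left zero; not verified here)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ip2b(src), ip2b(dst))
    return hdr + payload


def tcp_syn(sport, dport, mss=None):
    """TCP SYN segment, optionally carrying an MSS option (kind 2, len 4)."""
    opts = struct.pack("!BBH", 2, 4, mss) if mss is not None else b""
    data_offset = (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      data_offset << 4, 0x02, 65535, 0, 0)
    return hdr + opts


def classify(pkt):
    """Label one raw IPv4 packet as seen on the outside (Fa0/0) interface."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto == ESP:
        return "esp"
    if proto == GRE:
        # GRE leaving the outside interface unwrapped means the crypto
        # map did not match it: that tunnel traffic is NOT encrypted.
        return "gre-cleartext"
    if proto == UDP:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if ISAKMP_PORT in (sport, dport):
            return "isakmp"
        if NAT_T_PORT in (sport, dport):
            return "esp-nat-t"          # ESP encapsulated in UDP (NAT-T)
        return "udp"
    if proto == TCP:
        return "tcp"
    return "proto-%d" % proto


def tcp_syn_mss(pkt):
    """Return the MSS option of a TCP SYN inside an IPv4 packet, else None."""
    if classify(pkt) != "tcp":
        return None
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    if len(tcp) < 20 or not tcp[13] & 0x02:      # too short / not a SYN
        return None
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                            # end of option list
            break
        if kind == 1:                            # NOP padding
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                                # malformed option
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None


def summarize(packets):
    """Count packet classes; compare with what was generated in the window."""
    return Counter(classify(p) for p in packets)


def leaks_cleartext(packets):
    """True if any GRE packet left the outside interface without ESP."""
    return summarize(packets)["gre-cleartext"] > 0


# Constructed sample capture from the outside interface (not real traffic):
# two ESP packets, one ISAKMP packet and one GRE packet that escaped in clear.
SAMPLE_OUTSIDE = [
    ipv4(ESP, "192.0.2.1", "198.51.100.1", b"\x00" * 64),
    ipv4(ESP, "192.0.2.1", "198.51.100.1", b"\x00" * 120),
    ipv4(UDP, "192.0.2.1", "198.51.100.1", struct.pack("!HHHH", 500, 500, 8, 0)),
    ipv4(GRE, "192.0.2.1", "198.51.100.1", b"\x00\x00\x08\x00" + b"\x00" * 40),
]

# Inner TCP SYNs on the tunnel interface, before and after clamping (constructed).
SYN_UNCLAMPED = ipv4(TCP, "10.0.0.5", "10.1.0.80", tcp_syn(40000, 80, mss=1460))
SYN_CLAMPED = ipv4(TCP, "10.0.0.5", "10.1.0.80", tcp_syn(40000, 80, mss=1355))

if __name__ == "__main__":
    print(summarize(SAMPLE_OUTSIDE))
    print("cleartext GRE leak:", leaks_cleartext(SAMPLE_OUTSIDE))
    print("MSS before/after clamp:", tcp_syn_mss(SYN_UNCLAMPED), tcp_syn_mss(SYN_CLAMPED))
```

On real data, feed the functions packets from a pcap reader during a window in which only test HTTP traffic is generated: the ESP count should rise with the test, and any "gre-cleartext" hit means the encrypting access-list is not matching that traffic. The 1355 value is the one mentioned in the reply; the right clamp depends on your own GRE and ESP overhead.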
