The Network Sniffer is a great troubleshooting tool.  You can monitor both the public IP network interface and the Overlay Network interface of the VNS3 controller.


The Network Sniffer page includes some basic guidance on filter syntax.  If your filter expression is malformed, the page will report an "expression syntax error".


When using the Network Sniffer, there are two things to remember:



  1. The page does not auto refresh.  Once you enter your expression, be sure to click the refresh button to update your view of the traffic.

  2. The interface toggle is important.
    - eth0 - public IP network interface.  This is where all encapsulated IPsec traffic and all unencrypted VLAN traffic is visible.
    - tun0 - Overlay Network interface.


Troubleshooting an IPsec Connection


It is useful in troubleshooting an encrypted tunnel to first see whether normal negotiation and keepalive traffic is moving between the two IPsec peers.  This will help you determine whether a network connectivity or firewall issue is preventing the negotiation.


Once the tunnel is negotiated, use the Network Sniffer to monitor the tunnel traffic, making sure encrypted/encapsulated packets are moving in both directions. 


Use the following eth0 filter to do both:



src <remote IPsec device IP> or dst <remote IPsec device IP>



The result should be some UDP 500 traffic (negotiation and maintenance traffic) and encrypted traffic on either UDP 4500 (NAT-Traversal) or ESP, IP protocol 50 (native IPsec).

When troubleshooting, we recommend setting up a continuous ping down the tunnel with a larger-than-default packet size, so that you can be sure the packets you are watching are your pings.  Set the size with the -l argument on Windows or the -s argument on Linux.
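As an added example (not part of this page or of VNS3 itself), the script below shows the same check done by hand on a saved capture: it builds the eth0 filter expression given above for one peer, classifies tcpdump-style lines as IKE (UDP 500), NAT-T (UDP 4500) or native ESP (protocol 50), and confirms that encrypted packets are seen in both directions. The capture lines and the peer address 198.51.100.20 are constructed for the example; the line layout follows tcpdump's default output format.

```shell
#!/bin/sh
# Added example (not part of VNS3 or this page): build the eth0 filter described above
# and classify constructed tcpdump-style lines to confirm encrypted traffic in both directions.

# Build the eth0 filter expression from the page for one remote IPsec peer.
ipsec_peer_filter() {
    printf 'src %s or dst %s\n' "$1" "$1"
}

# Classify one tcpdump-style line as IKE (UDP 500), NAT-T (UDP 4500),
# ESP (IP protocol 50) or OTHER.  NAT-T is tested before ESP because
# UDP-encapsulated ESP lines also contain "ESP(spi=".
classify_line() {
    case "$1" in
        *".500 > "*".500: "*)   echo IKE ;;
        *".4500 > "*".4500: "*) echo NAT-T ;;
        *" ESP(spi="*)          echo ESP ;;
        *)                      echo OTHER ;;
    esac
}

# Direction relative to the peer: IN when the peer is the source, OUT otherwise.
# Field 3 of a tcpdump line is the source ("IP a.b.c.d.port > ..."); native ESP
# lines carry no port, so both "peer" and "peer.port" are accepted.
line_direction() {
    peer="$1"
    set -- $2
    case "$3" in
        "$peer"|"$peer".*) echo IN ;;
        *)                 echo OUT ;;
    esac
}

# Constructed sample capture (synthetic, not output from any real controller).
# Addresses are documentation ranges; 198.51.100.20 plays the remote peer.
SAMPLE_CAPTURE='12:00:01.000000 IP 203.0.113.10.500 > 198.51.100.20.500: isakmp: phase 1 I ident
12:00:01.100000 IP 198.51.100.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:02.000000 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x1), length 132
12:00:02.100000 IP 198.51.100.20.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x00001234,seq=0x1), length 132
12:00:03.000000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0000abcd,seq=0x2), length 120'

# Count encrypted packets (NAT-T or ESP) to and from the peer in SAMPLE_CAPTURE.
# Prints "in=<n> out=<n>" and returns 0 only when both counts are non-zero,
# i.e. the tunnel is carrying traffic in both directions.
check_bidirectional() {
    peer="$1"; in_count=0; out_count=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in NAT-T|ESP) ;; *) continue ;; esac
        if [ "$(line_direction "$peer" "$line")" = IN ]; then
            in_count=$((in_count + 1))
        else
            out_count=$((out_count + 1))
        fi
    done <<EOF
$SAMPLE_CAPTURE
EOF
    echo "in=$in_count out=$out_count"
    [ "$in_count" -gt 0 ] && [ "$out_count" -gt 0 ]
}

PEER=198.51.100.20   # constructed remote peer address
ipsec_peer_filter "$PEER"
check_bidirectional "$PEER" && echo "encrypted traffic seen in both directions"
```

If only IKE lines (UDP 500) appear and the encrypted counts stay at zero, the peers are reaching each other but the tunnel has not negotiated; if packets show up in one direction only, look at the return path and any firewall between the peers.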

Watch the video on YouTube: https://youtu.be/Pa8BaBADOk8