How to mirror IPSec traffic from the controller for troubleshooting?
Introduction : Sometimes, for troubleshooting IPSec VPNs or master-local sync, TAC will ask the customer to provide mirrored IPSec data.
Environment : This article is valid for all Aruba controllers running 3.x and above.
Network Topology : We must have a PC with Wireshark running on it.
For best results:
1. This PC must have wired connectivity to the controller.
2. If the PC is wireless, we must make sure that it is in an authenticated role.
Configuration Steps : For 3.x to 6.2.x:
a. Enable the IPSec session mirroring:
# firewall session-mirror-ipsec
b. Send the mirrored traffic to a packet capture capable device:
# firewall session-mirror-destination < destination ip_address >
For 6.3 and above:
a. Set the packet capture location:
# packet-capture destination ip-address < wireshark device >
b. Enable IPSec mirroring:
# packet-capture ipsec
Note: We can make the captures more granular by specifying the peer name:
# packet-capture ipsec < inner ip address of the ipsec peer >
Answer : Export the mirrored traffic from Wireshark and send it to TAC using one of the following:
1. Email the captures to the TAC engineer if they are smaller than 10 MB. Make sure that "firstname.lastname@example.org" is copied before sending the email.
2. Upload to the case directly from the support site.
a. Please check whether the PC is not in the user table of the controller and is not falling into a role.
b. Make sure that there is ample bandwidth in the network path between the controller and the Wireshark device.
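As an added sanity check before the capture goes to TAC (example code, not from this article or from Aruba): the script below counts ESP and IKE frames in a saved capture and reports whether the file is under the 10 MB e-mail limit, run here against a constructed sample. It assumes Wireshark saved the mirrored frames as Ethernet II/IPv4 in classic pcap format (not pcapng) with no further encapsulation; if the mirror arrives encapsulated, decode it in Wireshark first.

```python
import struct

ESP_PROTO, UDP_PROTO, IKE_PORTS = 50, 17, {500, 4500}   # IKE and NAT-T ports
MAX_EMAIL_BYTES = 10 * 1024 * 1024                      # e-mail limit from the article

def classify_frame(frame):
    """Label one Ethernet II/IPv4 frame as 'esp', 'ike' or 'other'."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return "other"
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]        # IP header length, protocol
    if proto == ESP_PROTO:
        return "esp"
    if proto == UDP_PROTO and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return "ike"
    return "other"

def summarize_pcap(data):
    """Count IPSec-related frames in a classic pcap and check the e-mail size limit."""
    endian = {b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic (non-pcapng) pcap file")
    counts = {"esp": 0, "ike": 0, "other": 0}
    off = 24                                             # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        counts[classify_frame(data[off:off + incl_len])] += 1
        off += incl_len
    counts["fits_email"] = len(data) <= MAX_EMAIL_BYTES
    return counts

def _frame(proto, payload):
    # Constructed Ethernet II + IPv4 frame (checksum left zero; not validated here)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + payload

def build_sample_pcap():
    """Constructed capture: one ESP, one IKE (UDP/500) and one unrelated DNS frame."""
    frames = [
        _frame(ESP_PROTO, struct.pack("!II", 0x1234, 1) + b"\x00" * 16),
        _frame(UDP_PROTO, struct.pack("!HHHH", 500, 500, 16, 0) + b"\x00" * 8),
        _frame(UDP_PROTO, struct.pack("!HHHH", 53, 53, 16, 0) + b"\x00" * 8),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian pcap
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out
```

A capture with zero ESP and zero IKE frames means the mirror is not reaching the PC, which is worth fixing before opening the upload.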