How to mirror IPSec traffic from the controller for troubleshooting?

Aruba Employee

Introduction : Sometimes, when troubleshooting IPSec VPNs or master-local sync, TAC will ask the customer to provide mirrored IPSec data.


Environment : This article is valid for all Aruba controllers running 3.x and above.


Network Topology : We must have a PC with Wireshark running on it.

For best results:

1. This PC must have wired connectivity to the controller.
2. If the PC is wireless, we must make sure that it is in an authenticated role.


Configuration Steps : For 3.x to 6.2.x:

    a. Enable IPSec session mirroring:

            # firewall session-mirror-ipsec

    b. Send the mirrored traffic to a packet-capture-capable device:

            # firewall session-mirror-destination < destination ip_address >

For 6.3 and above:

    a. Set the packet capture location:

            # packet-capture destination ip-address < wireshark device >

    b. Enable IPSec mirroring:

            # packet-capture ipsec


Note: We can make the captures more granular by specifying the peer name:

            # packet-capture ipsec < inner ip address of the ipsec peer >


Answer : Export the mirrored traffic from Wireshark and send it to TAC using one of the following:

1. Email the captures to the TAC engineer if the captures are smaller than 10MB. Make sure that the "" is copied before sending the email.

2. Upload to the case directly from the support site.




Please check that the PC is not in the user table of the controller and is not falling in a role.
b. Make sure that there is ample bandwidth in the network path between the controller and the Wireshark device.

Version history
Revision #: 1 of 1
Last update: 07-08-2014 02:33 PM
How do I stop the packet capture after doing 


packet-capture ipsec < inner ip address of the ipsec peer >



You can try the below:


(Aruba) #no packet-capture ?
controlpath Enable controlpath capture. Captured packets are
stored in /var/log/oslog/filter.pcap. Only capture
to local-filesystem is supported.
datapath Enable datapath capture. Captured packets are stored
in /var/log/oslog/datapath.pcap or mirrored out of
the controller.
destination Configure capture destination.

Thank you, the 'no' in front of the command was the key :)

Yes :)

You are welcome.