Which VPN tunnel matches my traffic?

When we manage a VPN concentrator with thousands of active tunnels, we might face conflicts between crypto maps. This is not so easy to realize and we might spend a lot of time before we figure out that another tunnel is forwarding our traffic.

Here are the steps that I would use to check which tunnel matches my packets.

Redirecting HTTP (TCP/80) requests to the WebVPN portal

After completing a WebVPN setup, the users access the SSL VPN portal using a web browser and going to https://fw_ip_address (or a URL mapped to the firewall address). However users are not network experts and sometimes they will forget the "https://" or even use "http://" and the ASA will reject the connection attempt.

If we want to avoid users crying about timeout pages on their browsers, we can redirect HTTP requests to the TCP port in use for the WebVPN with the following command:

asa(config)# http redirect outside http

These are the HTTP messages that we see in the wire:

Browser to ASA
GET / HTTP/1.1
Host: 192.0.2.1
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

ASA to Browser
HTTP/1.0 302 Temporary moved
Content-Length: 0
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Tue, 23 Aug 2016 20:54:22 GMT
Location: https://192.0.2.1/

It doesn't matter if we are using TCP port 443 or any other for the SSL VPN portal, the ASA will redirect the browser to the right location.

debug menu

ASA command reference page does not include a detailed explanation for the debug menu command, therefore I collected the details from a device CLI. It's not recommended to use this command without TAC supervision, but some of them are really useful (check debug menu ssh). Some options might not be available on the OS version that you are running.