
Test and Verify

ASA CLI - You can verify the ASA tunnel status to Secure Access by using these commands:

show crypto ikev2 sa detail
show crypto ipsec sa detail

Use the following command to simulate a packet from the inside interface, with a specific source IP address and port and a specific destination IP address and port. The response indicates whether the packet flows through the tunnel.

packet-tracer input inside tcp 192.168.20.13 3520 72.163.4.161 443 detailed
 
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8d35d7da90, priority=1, domain=permit, deny=false
    	hits=3848, user_data=0x0, cs_id=0x0, l3_type=0x8
    	src mac=0000.0000.0000, mask=0000.0000.0000
    	dst mac=0000.0000.0000, mask=0100.0000.0000
    	input_ifc=inside, output_ifc=any
 
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config:
route-map sse-pbr permit 10
 match ip address pbr-sse
 set ip next-hop 11.11.11.12
Additional Information:
 Matched route-map sse-pbr, sequence 10, permit
 Found next-hop 11.11.11.12 using egress ifc vti
 
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8d34b62c90, priority=0, domain=nat-per-session, deny=false
    	hits=459, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    	input_ifc=any, output_ifc=any
 
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7f8d35d85db0, priority=0, domain=inspect-ip-options, deny=true
    	hits=456, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    	input_ifc=inside, output_ifc=any
 
 
 
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7f8d35dfabc0, priority=70, domain=encrypt, deny=false
    	hits=152, user_data=0x78dc, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    	input_ifc=any, output_ifc=vti
 
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f8d36c3cd90, priority=69, domain=ipsec-tunnel-flow, deny=false
    	hits=152, user_data=0x84dc, cs_id=0x0, reverse, flags=0x0, protocol=0
    	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    	input_ifc=vti, output_ifc=any
 
 
 
 
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f8d34b62c90, priority=0, domain=nat-per-session, deny=false
    	hits=461, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
    	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    	input_ifc=any, output_ifc=any
 
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x7f8d35e547a0, priority=0, domain=inspect-ip-options, deny=true
    	hits=291, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    	src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
    	dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
    	input_ifc=vti, output_ifc=any
 
 
 
 
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 547, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
 
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
 
 
 
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: vti
output-status: up
output-line-status: up
Action: allow
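The packet-tracer result above can also be checked by script, for example to confirm after a configuration change that traffic from inside is still policy-routed and encrypted into the tunnel rather than leaving by another interface. The following is an added example, not Cisco code: the function names are hypothetical, the sample input is constructed by abbreviating the output shown above, and the tunnel interface name vti is taken from that output.

```python
import re

# Constructed sample: abbreviated from the packet-tracer output shown above.
SAMPLE = """\
Phase: 2
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Additional Information:
 Matched route-map sse-pbr, sequence 10, permit
 Found next-hop 11.11.11.12 using egress ifc vti

Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Additional Information:
 input_ifc=any, output_ifc=vti

Result:
input-interface: inside
output-interface: vti
Action: allow
"""

def parse_trace(text):
    """Split packet-tracer output into per-phase dicts plus the final Result block."""
    m = re.search(r"^Result:[ \t]*$", text, flags=re.M)  # bare "Result:" starts the summary
    head, tail = (text[:m.start()], text[m.end():]) if m else (text, "")
    phases = []
    for block in re.split(r"^Phase: \d+[ \t]*$", head, flags=re.M)[1:]:
        fields = dict(re.findall(r"^(Type|Subtype|Result):[ \t]*(.*?)[ \t]*$", block, flags=re.M))
        phases.append({**fields, "body": block})
    summary = dict(re.findall(r"^([\w-]+):[ \t]*(\S+)", tail, flags=re.M))
    return phases, summary

def check_tunnel_path(text, tunnel_ifc="vti"):
    """Return a list of problems; an empty list means the simulated flow used the tunnel."""
    phases, summary = parse_trace(text)
    problems = [f"phase {p.get('Type')}: {p.get('Result')}" for p in phases if p.get("Result") != "ALLOW"]
    if not any(p.get("Type") == "PBR-LOOKUP" and f"egress ifc {tunnel_ifc}" in p["body"] for p in phases):
        problems.append("policy route did not select the tunnel interface")
    if not any(p.get("Type") == "VPN" and p.get("Subtype") == "encrypt" for p in phases):
        problems.append("no VPN encrypt phase")
    if summary.get("output-interface") != tunnel_ifc:
        problems.append(f"output-interface is {summary.get('output-interface')}")
    if summary.get("Action") != "allow":
        problems.append(f"final action is {summary.get('Action')}")
    return problems
```

Pass the captured packet-tracer text to check_tunnel_path; any returned string names the phase or summary field that shows the flow did not take the tunnel.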