Hr exemption issue

there is a very complicated situation regarding children eductaion allowance inclusion in perk calculatio hope you can help me.
we are paying rs 300 as CEA AND person is having ony one child.
this means rs100 is exempt and rs 200 is taxable.
plus this rs 200 has to be used up for calculation of perk for coa/cla. but in our case this rs 200 is not being used up for calculation of perk value
sap is doing correct calculatio but picking wrong value
i.e /* value is not being used and instead of this /3 value is being used up.
how can we configure system to use up /* value and /3 value.

no one answered

Similar Messages

Issue in Gratutity Exemption

Dear Folks,
Please advise, here is a scenario of exemption of grautity. The client is calculate grautity amuont manually and proces thru Addtional payment thru custom wage type.
The amount of grautity is add to w.type /130 for exemption purpose. Accordingly I had wrote a pcr so that the amount of wage would store in /130, like this
   wage type.Gratuity Payment
     ELIMI *    Elim.time period ID
     ADDWT (gratuity wage type) OT   Output table
     ADDWT /416 OT   Output table
     AMT?350000 Comparison
       <
         ADDWT /130 OT   Output table
       =
         ADDWT /130 OT   Output table
       >
         ELIMI *    Elim.time period ID
         AMT=350000 Set
         ADDWT /130 OT   Output table
But there is a issue, when we are executing payroll for next month, the exempted amount of gratuity is not adding.
Please advise.
Regards,

Hi
This can be done at the reporting level. Below link will help you solve this.
http://www.wiseowl.co.uk/blog/s257/ssrs-rows-per-page-pt2.htm
When you have multiple pages, your header may disappear. So below link will help you to have the header repeating in each page.
http://social.technet.microsoft.com/wiki/contents/articles/19398.ssrs-how-to-repeat-headers-on-each-page.aspx
Let me know how it goes.
Cheers
[email protected]
Dr.Subramani Paramasivam

Issues in Conveyance Allowance amount in Exemption U/S 10

New issues rise Now....
For New (mid month) joinee at the first month Exemption U/S 10 is calculated based on the Conveyance Allowance amount *12 months (or no. of remaining months for financial yr end), but in my client income tax Exemption U/S 10 based on the actual salary (not earned salary) from the first month onwards.
For example :
Employee X,
Joined date 15.08.2011,
Conveyance Allowance = 800 INR. Earned Conveyance Allowance for 15 days = 400 INR.
While Start Payroll for the period 5th (August) 2011. The WT /130 Exemption U/S 10 = 3,200 (400*8). Based on this Conveyance Allowance The Exemption U/S 10 calculated, But I want to calculated the Exemption U/S 10 at first month (august 2011) based on follows,
August month earned Conveyance Allowance = 400 INR + Actual Conveyance Allowance per month =800*7 =5,600.
Exemption U/S 10 = 6,000 INR.
Please give me some solution
Thanks and regards
Mohan .V
Edited by: mohantamilan on Sep 23, 2011 5:27 PM

Hi,
I think for your earlier thread someone had replied that in the 1st month your calculations will be as per the actual received amounts for mid month joinees,however when you run the second payroll for this employee the system shall consider full attendance and Conveyance shall be 800 x remaining months + the already populated 400 in RT Tables.
After you run the first Payroll live you can check the 2nd payroll with simulation may be this will clear your doubt.
Salil

Exempted vendor Service Tax Issue

Hi ,
One our vendor having exemptions from service tax . The scenario is follows
If total amount of invoice is 100000 Rs then in normal case service tax payable is 10.33 % = 10330 Rs and Total value is 110330 Rs .
Now for this particular vendor if amount is 100000 Rs then he has to charge service tax on 35 % of amount that means 10.33 % on 35000 Rs so Tax = 3615 Rs and total Invoice amount will be 100000 + 3615= 103615 Rs.
Each time calculating it manually and booking the invoice is not possible . How can I configure such scenarios . Is there any standard settings available for the same
Regards
Bhushan

Hai,
create the new service tax code with required percentage and use the same .

Billing issue: No one in the overseas call center understands state tax-exempt license numbers, but we need a refund of sales tax

I've just purchased a year's license to Creative Cloud on my unit's tax-exempt purchasing card, but the tax was assessed anyway. Several calls to the help desk revealed that no one has been trained in U.S. state sales-tax exempt organizations, and so I have no way of trying to get this charge backed out - which will result in a big accounting headache.
Is there anyone out there who may be able to help? Unfortunately there seems to be no way to escape being connected to the overseas call center, where managers aren't really able to provide any assistance either.

I will make a complaint to the better business bureau. I'm out $48 (because I gave it to my brother- we are both college students paying our way through school- except I'm in my 30's and also paying bills). It isn't a lot of money but its a spit in the eyes from Verizon. 15 year customer- so what- spit in the eyes. Sells Verizon phones at her job everyday when she's not working really hard in school- so what- spit in the eyes. I'm also forwarding all of this to our district Verizon rep- see what she says.

Mid year go live issue

Hi
its mid year go live i uploaded april to nov. legacy payroll, then run inlk schema . then set the with each month payroll with releasing and exiting the controll record. then i run December month payroll with regular schema . now system is not calculating
annual gross and annual regular income for 12 month, in log tree for tax calculation.
it calculating for dec. to march 4 month as annual salary . with is much amount its calculating all tax declaration, so tax calculation is coming wrong.
exemption /130 tech wage type also its ignoring last 9 month . its calculating from December only.
help me to solve this issue.
suprita

Hello Suprita
Kindly refer to the notes which would assist you further in your query.
Please check if you have carried out the changes as required for mid-year golive as per the notes.
506128: Legacy data transfer
590725: Documentation for rules in INLK Schema
563491: Legacy data transfer - FAQ-
Thanks and Kind Regards
Ramana

For the mid month new joiner the annual Conveyance exemption is coming incorrectly

Dear All,
For one of our client, we have have faced a uniqe issue.
If any employee join in the mid of the month, his prorated conveyance amount ( wage type 2020) is coming correctly. Suppose an employee joined at 16th of the month, system is calculating his conveyance for that month as INR 400 and which is correct.
However in his tax calculation for that particular month, system is taking INR 400*(rest of the month of the FY) in the wage type /4E3. which is incorrect. Suppose he joined in 16th April , system is calculating tax exemption 400*12=4800
Now if we run next month payroll , system is caculating the exemption properly. i.e. INR 400 + 800* rest of the month of the FY,
Please help
Regards
Tirtha

Hi Tirtha,
system is calculating perfectly.
first of all system check the no. of present days and accordingly it give the amount in the wage type /3C3 conveyance amount monthly and /3C4 will give Conveyance monthly exemption and it will multiply with no. of months to the fiscal year end and store in the wage type /4E3.
for example check for PF:
Every month PF amount store in WT /3F1 and send to /3F5 and this WT multiplied with No. of months and store the Annual amount in wt /3F6.
Regards,
Praneeth kumar

Income tax issue for mid month joinees

Issue 2:
For New (mid month) joinee at the first month gross salary is calculated based on the earned salary amount *12 months (or no. of remaining months for financial yr end), but in my client income tax deducted based on the actual salary (not earned salary) from the first month onwards.
For example :
Employee X,
Joined date 15.08.2011,
Actual salary = 1,00,000 INR. Earned salary for 15 days = 50,000 INR.
While Start Payroll for the period 5th (August) 2011. The WT /416 Gross salary = 4,00,000 (50000*8). Based on this gross salary income tax calculated, But I want to calculated the gross at first month (august 2011) based on follows,
Gross salary : August month earned salary = 50,000 + Actual salary per month =1,00,000*7 =7,00,000.
Gross salary = 7,50,000 INR.
Please give me some solution
Thanks and regards
Mohan .V

Hi Param Dayal,
New issues rise Now....
For New (mid month) joinee at the first month Exemption U/S 10 is calculated based on the Conveyance Allowance amount *12 months (or no. of remaining months for financial yr end), but in my client income tax Exemption U/S 10 based on the actual salary (not earned salary) from the first month onwards.
For example :
Employee X,
Joined date 15.08.2011,
Conveyance Allowance = 800 INR. Earned Conveyance Allowance for 15 days = 400 INR.
While Start Payroll for the period 5th (August) 2011. The WT /130 Exemption U/S 10 = 3,200 (400*8). Based on this Conveyance Allowance The Exemption U/S 10 calculated, But I want to calculated the Exemption U/S 10 at first month (august 2011) based on follows,
August month earned Conveyance Allowance = 400 INR + Actual Conveyance Allowance per month =800*7 =5,600.
Exemption U/S 10 = 6,000 INR.
Please give me some solution
Thanks and regards
Mohan .V
Edited by: mohantamilan on Sep 26, 2011 2:52 PM

Issue Regarding Payroll

The issue is like this.
A company pays Rs 3000 as Fuel reimbrursement thru Additional Payments infotype for their employees. This is along with the regular conveyance paid of Rs 800 every month in the Basic pay Infotype.
Now there are 2 to 3 scenarios which need to be configured for the same which are as below.
Scene 1 :
For all the employees who submit Petrol bills for Rs 3000, the Fuel reiumbursement is not taxable. and Conveyance is taxable ( Rs 9600 annually ).
Scene 2 :
For all those who didnt submit petrol bills for Rs 3000, the amount is taxable only upto Rs 1200 and Rs 1800 is not taxable ( out of a total of Rs 3000 ).
Conveyance is non taxable for these employees..
How to configure???Inputs are highly appreciated..
Edited text

Hi
you create two wage type one is for payment say ab01and one is for exemption ab02 .
ab02 u copy from mcax model wage type
create a tax code then link this tax code to the wage type ab01.
then maintaimTax Exemptions >> Define Other Allowance or Reimbursement Subtype for Exemption
maintain T7INa9
in schema XNAL before XO23 role enter
INCTC taxcode ab02 a
If u maintain amount in 582 same amount will give exmption. payment will be done through 15.regards,
Balaji

Issue on Projected Income Tax (Payroll India)

Hi Experts
We have upgraded the system with SP_HR Component patch level 64 and configured SAP Note 1568264.
We have an issues on Projected Income Tax.
Scenario :
Monthly sal : 25000/- and paid the same to employee in Apr, May 11.
In the month of June employee has LOP for 2 days and paid 22000/- against June 11.
Now system is calculating projected IT based on 22000/- for the remaining months i.e., 22000*10= 2,20,000/-.
Showing projected income tax as 2,20,000+50000 = 2,70,000/- (should be 3,00,000/-)
Please suggest the possible ways to resolve this.
Appreciate your help.
Thanks
Venkat Babu Kurada

Hi Experts,
New issues rise Now....
For New (mid month) joinee at the first month Exemption U/S 10 is calculated based on the Conveyance Allowance amount *12 months (or no. of remaining months for financial yr end), but in my client income tax Exemption U/S 10 based on the actual salary (not earned salary) from the first month onwards.
For example :
Employee X,
Joined date 15.08.2011,
Conveyance Allowance = 800 INR. Earned Conveyance Allowance for 15 days = 400 INR.
While Start Payroll for the period 5th (August) 2011. The WT /130 Exemption U/S 10 = 3,200 (400*8). Based on this Conveyance Allowance The Exemption U/S 10 calculated, But I want to calculated the Exemption U/S 10 at first month (august 2011) based on follows,
August month earned Conveyance Allowance = 400 INR + Actual Conveyance Allowance per month =800*7 =5,600.
Exemption U/S 10 = 6,000 INR.
Please give me some solution
Thanks and regards
Mohan .V

Income Tax Exemption on Professional Tax Deducted for Tamilnadu Employees

Hi Experts,
I am working on India Payroll and configured Professional Tax for Tamilnadu employees. Professional Tax is deducted correctly for the employee in the month of August and then in month of January.
However while calcuating income tax exemption system is considering only amount deducted in the month of August for the exemption upto December month and in the month of January its cosidering PTax deducted in the month of August and January both. In case of Maharashtra employees form first month its considering annual projected Professional Tax amount for Exemption.
Can anyone guide me what changes i have to do for considering projected PTax amount for exemption in case of Tamilnadu employees.
Thanks in advance.
OMKAR

As per standrad the for chennai professional tax is projected for every six months right
so it is takeing like that say the entire amount will be upto to Projection period so it is takeing for that period
We have similar issue at one of the client place that is instead of deducting the PTAX for every six months it has to be deducted
for mothly so we have changed the frequnecy of deduction from six months to monthly so than it has shown the entire project amout yearly
and lets wait for the expert views on this

Issue in income tax computation

Dear All,
I have some issue in income tax calculation India Payroll for few employees.
Listed the problems below
1. Exemption Under Section 10 is not considered during Income tax calculation
2. Medi-claim is not deducted from gross salary

Hi Lakshman,
Exemption under sec 10 should be considered in the tax calculation. In the Tax calculation all the amount u/s 10 will be stored in wage type /130 and it will subtracted from the Gross salary (/416).
If this is not happening then please check the configuration of the wage type which you are using.
Normally Medical exemption will be processed before the arrival of gross salary.
Hope this will help you.
Thanks & Regards
Saroj Hial

ASA 5505 VPN conenction issue

Good morning everyone. I am in need of some help. I am a newbie when it comes to configuring the ASA. Here is my problem. I have the asa configure and it is allowing me to get out to the internet. I have several VLANs on my network and from inside I can ping everything. I have created the VPN and I am able to connect to it and get in IP assigned from the pool of address. If I have multiple connections I can ping the other PCs. Right now I am able to ping the outside and inside interfaces of the ASA but no where else. I have split tunneling enabled. Here is a copy of my config.
Thanks
Dave
Result of the command: "sh run"
: Saved
: Serial Number: *****
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.1(5)21
hostname Main-ASA
domain-name *****
enable password ***** encrypted
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
interface Ethernet0/0
switchport access vlan 12
interface Ethernet0/1
switchport access vlan 2
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan2
nameif inside
security-level 100
ip address 192.168.0.1 255.255.255.252
interface Vlan12
nameif Outside
security-level 0
ip address dhcp setroute
banner login *************************************
banner login       Unuathorized access is prohibited !!
banner login *************************************
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup inside
dns domain-lookup Outside
dns server-group DefaultDNS
domain-name *****
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VLAN54
subnet 192.168.54.0 255.255.255.0
description VLAN 54
object network Management
subnet 192.168.80.0 255.255.255.0
description Management
object network VLAN51
subnet 192.168.51.0 255.255.255.0
description VLAN 51
object network VLAN52
subnet 192.168.52.0 255.255.255.0
description VLAN 52
object network VLAN53
subnet 192.168.53.0 255.255.255.0
description VLAN 53
object network VLAN55
subnet 192.168.55.0 255.255.255.0
description VLAN 55
object network VLAN56
subnet 192.168.56.0 255.255.255.0
description VLAN 56
object service 443
service tcp destination eq https
object service 80
service tcp destination eq www
object service 8245
service tcp destination eq 8245
object service 25295
service udp destination eq 25295
description Blocking 25295
object network VPN-Connections
subnet 192.168.59.0 255.255.255.0
description VPN Connections
object-group service No-IP
description no-ip.com DDNS Update
service-object object 80
service-object object 8245
service-object object 443
access-list inside_access_in remark No-ip DDNS Update
access-list inside_access_in extended permit object-group No-IP object VLAN51 any
access-list inside_access_in extended permit ip any any
access-list VPN standard permit 192.168.0.0 255.255.0.0
access-list Outside_access_in remark Blocking 25295 to HTPC
access-list Outside_access_in extended deny object 25295 any object VLAN54
pager lines 24
logging enable
logging asdm warnings
mtu inside 1500
mtu Outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,Outside) source dynamic any interface
access-group inside_access_in in interface inside
access-group Outside_access_in in interface Outside
router eigrp 1
no auto-summary
network 192.168.0.0 255.255.255.252
network 192.168.59.0 255.255.255.0
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host 192.168.51.1
server-port 636
ldap-base-dn cn=users,dc=spicerslocal
ldap-scope subtree
ldap-naming-attribute cn
ldap-login-password *****
ldap-login-dn cn=users,dc=*****
sasl-mechanism digest-md5
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
http server enable
http 192.168.0.0 255.255.0.0 inside
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=Main-ASA
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
certificate
  quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
vpn-addr-assign local reuse-delay 5
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
ssl trust-point ASDM_TrustPoint0 inside
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-3.1.06079-k9.pkg 1
anyconnect image disk0:/anyconnect-linux-2.5.2014-k9.pkg 2
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 3
anyconnect profiles AnyC-SSL-VPN_client_profile disk0:/AnyC-SSL-VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
group-policy GroupPolicy_AnyC-SSL-VPN internal
group-policy GroupPolicy_AnyC-SSL-VPN attributes
wins-server none
dns-server value 8.8.8.8
vpn-tunnel-protocol ikev2 ssl-client
default-domain value *****
webvpn
anyconnect profiles value AnyC-SSL-VPN_client_profile type user
username Dave password ***** encrypted privilege 15
username Don password ***** encrypted privilege 15
tunnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:af0fad1092e0314b0a80f20add03e3f7
: end

Hi Dave,
It seems to be an issue with the NAT, I saw your VPN configuration:
ip local pool AnyC-CPN-Client-Pool 192.168.59.0-192.168.59.250 mask 255.255.255.0
unnel-group AnyC-SSL-VPN type remote-access
tunnel-group AnyC-SSL-VPN general-attributes
address-pool AnyC-CPN-Client-Pool
tunnel-group AnyC-SSL-VPN webvpn-attributes
group-alias AnyC-SSL-VPN enable
group-policy DfltGrpPolicy attributes
dns-server value 192.168.51.1 8.8.8.8
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN
default-domain value *****
split-dns value 8.8.8.8
access-list VPN standard permit 192.168.0.0 255.255.0.0
You will need to set up a NAT exemption as follow:
object-group network obj-192.168.59.0-Pool
network-object 192.168.59.0 255.255.255.0
object-group network obj-192.168.0.0
network-object 192.168.0.0 255.255.0.0
nat (inside,outside) 1 source static obj-192.168.0.0 obj-192.168.0.0 destination static obj-192.168.59.0-Pool obj-192.168.59.0-Pool no-proxy-arp route-lookup
Please proceed to rate and mark as correct this post, if it helps!
David Castro,
Regards,

Issues with multiple subnets - ASA5510 to Vigor 2820 VPN

Hi there,
I am hoping someone here can help. I have been struggling for some time to sort out issues in a VPN we have between our main London office and the Edinburgh branch office. We have an ASA 5510 in London, talking to a Vigor 2820 in Edinburgh.
The London office has a 192.168.0.0/24 subnet, with the default gateway as a Cisco Catalyst at 192.168.0.254, and the Cisco ASA at 192.168.0.254 as the firewall.
The Edinburgh office has the subnet 192.168.2.0/24, with the Vigor running on 192.168.2.1, providing routing, DHCP and firewall services there.
I have the VPN working fine, correctly routing traffic between those two subnets over the IPsec tunnel. However, I have had much trouble adding additional subnets for our VLANs in London.
What I want to happen is traffic from 192.168.2.0/24 to be able to get to and from 192.168.50.0/24 and several similar networks.
Upon tracing it using the Cisco packet tracer, I can see that the packets for the 192.168.50.0/24 subnet are not making it over the tunnel, having being stopped by the VPN: subtype: encrypt rules. Looking at these rules though, I can't spot the problem. Multiple changes of order of the rules, and reloads have not sorted out the problem. When I run a packet trace on the main subnet it works fine. I have attached some of the configuration (below) as well as the output from the packet tracer, and the config of the Vigor router.
I apologise in advance for the length of the post, but I have tried to include all relevant information to see if anyone can help.
Firstly, here's the ASA config that seemed relevant. I tried to remove some since we have quite a few site-to-site tunnels set up, and these are probably not relevant (and are all working correctly).
access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip any 192.168.0.192 255.255.255.192 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.7.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.7.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.2.0 255.255.255.0 192.168.7.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0 nat (inside) 0 access-list insideOutboundNonatAclnat (inside) 9 access-list vpnNatAclnat (inside) 10 192.168.30.5 255.255.255.255nat (inside) 10 192.168.0.0 255.255.255.0nat (inside) 10 192.168.20.0 255.255.255.0nat (inside) 10 192.168.30.0 255.255.255.0nat (inside) 10 192.168.50.0 255.255.255.0access-list inside_in extended permit ip 192.168.0.0 255.255.255.0 any access-list inside_in extended permit tcp host 192.168.5.2 host 192.168.0.2 eq domain access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.20.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.30.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list inside_in extended permit ip 192.168.40.0 255.255.255.0 any access-list inside_in extended permit ip 192.168.10.0 255.255.255.0 any access-list inside_in extended permit ip host 192.168.2.1 192.168.30.0 255.255.255.0 inactive access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.50.0 255.255.255.0 access-list inside_in extended permit ip 192.168.2.0 255.255.255.0 192.168.0.0 255.255.255.0 access-group inside_in in interface insideaccess-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0 route inside 192.168.20.0 255.255.255.0 192.168.0.254 1route inside 192.168.50.0 255.255.255.0 192.168.0.254 1route inside 192.168.30.0 255.255.255.0 192.168.0.254 1route inside 192.168.40.0 255.255.255.0 192.168.0.254 1crypto ipsec transform-set ESP_DES_MD5 esp-des esp-md5-hmac crypto ipsec transform-set TRANS_VPN_SET esp-3des esp-md5-hmac crypto ipsec transform-set TRANS_VPN_SET mode transportcrypto ipsec transform-set TRANS_VPN_SET_2 esp-3des esp-sha-hmac crypto ipsec transform-set TRANS_VPN_SET_2 mode transportcrypto ipsec transform-set ESP_3DES_SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP_3DES_MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec df-bit clear-df outsidecrypto dynamic-map core_vpn_dyn_map 20 set transform-set ESP_3DES_MD5 ESP_DES_MD5 TRANS_VPN_SET TRANS_VPN_SET_2crypto dynamic-map core_vpn_dyn_map 40 set pfs crypto dynamic-map core_vpn_dyn_map 40 set transform-set ESP_3DES_SHA ESP_DES_MD5crypto map outside_map 2 match address outside_2_cryptomapcrypto map outside_map 2 set pfs crypto map outside_map 2 set peer [branch peer ip]crypto map outside_map 2 set transform-set ESP_3DES_MD5crypto isakmp identity address crypto isakmp identity address crypto isakmp policy 25 authentication pre-share encryption 3des hash md5     group 1      lifetime 28800crypto isakmp nat-traversal 30crypto isakmp disconnect-notifygroup-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 100 vpn-idle-timeout none vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec l2tp-ipsec webvpn password-storage disable ip-comp disable re-xauth enable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none intercept-dhcp 255.255.255.255 disable secure-unit-authentication disable user-authentication disable user-authentication-idle-timeout 30 ip-phone-bypass disable leap-bypass disable nem disable backup-servers keep-client-config msie-proxy server none msie-proxy method no-modify msie-proxy except-list none msie-proxy local-bypass disable nac disable nac-sq-period 300 nac-reval-period 36000 nac-default-acl none address-pools none smartcard-removal-disconnect enable client-firewall none client-access-rule nonetunnel-group [branch peer ip] type ipsec-l2ltunnel-group [branch peer ip] ipsec-attributes pre-shared-key *
Note: [branch peer ip] replaces any instances of the branch office outside IP address
I appreciate there may be some duplicated/redundant rules here - I have been playing with config to try to fix the problem. I'd really appreciate any suggestions on how to track this down.
Here's the vigor config:
So it looks to match ok to me at both ends, unless there is something I missed. The vigor routing table shows:
Key: C - connected, S - static, R - RIP, * - default, ~ - private*             0.0.0.0/         0.0.0.0 via [ISP gateway server],   WAN1S         [branch peer ip]/ 255.255.255.255 via [branch peer ip],   WAN1S~       192.168.40.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.50.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.10.0/   255.255.255.0 via [London office ip],    VPNS~        192.168.0.0/   255.255.255.0 via [London office ip],    VPNC~        192.168.2.0/   255.255.255.0 is directly connected,    LANS~        192.168.7.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.30.0/   255.255.255.0 via [London office ip],    VPNS~       192.168.20.0/   255.255.255.0 via [London office ip],    VPN*     [ISP dns server]/ 255.255.255.255 via [ISP gateway server],   WAN1
I have replaced IPs here as is shown. You can see the vigor seems to want to route the appropriate traffic over the VPN.
Finally, here is the packet trace output:
ciscoasa# packet-trace input outside tcp 192.168.2.1 echo 192.168.50.10 echo d$Phase: 1Type: FLOW-LOOKUPSubtype: Result: ALLOWConfig:Additional Information:Found no matching flow, creating a new flowPhase: 2Type: ROUTE-LOOKUPSubtype: inputResult: ALLOWConfig:Additional Information:in   192.168.50.0    255.255.255.0   insidePhase: 3Type: ACCESS-LISTSubtype: logResult: ALLOWConfig:access-group outsideInAcl in interface outsideaccess-list outsideInAcl extended permit ip 192.168.2.0 255.255.255.0 any Additional Information: Forward Flow based lookup yields rule: in id=0x4529e48, priority=12, domain=permit, deny=false        hits=362922, user_data=0x4529e08, cs_id=0x0, flags=0x0, protocol=0        src ip=192.168.2.0, mask=255.255.255.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 4      Type: IP-OPTIONSSubtype:      Result: ALLOW Config:       Additional Information: Forward Flow based lookup yields rule: in id=0x44057f0, priority=0, domain=permit-ip-option, deny=true        hits=2693939, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0        src ip=0.0.0.0, mask=0.0.0.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 5      Type: NAT-EXEMPTSubtype: rpf-checkResult: ALLOW Config:       Additional Information: Forward Flow based lookup yields rule: in id=0x44fe9a0, priority=6, domain=nat-exempt-reverse, deny=false        hits=12, user_data=0x44fe800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0        src ip=192.168.2.0, mask=255.255.255.0, port=0        dst ip=192.168.50.0, mask=255.255.255.0, port=0Phase: 6      Type: NAT     Subtype: rpf-checkResult: ALLOW Config:       nat (inside) 10 192.168.50.0 255.255.255.0 match ip inside 192.168.50.0 255.255.255.0 outside any    dynamic translation to pool 10 (external [Interface PAT])    translate_hits = 2250, untranslate_hits = 17Additional Information: Forward Flow based lookup yields rule: out id=0x4b80e80, priority=1, domain=nat-reverse, deny=false hits=32, user_data=0x4b80ce0, cs_id=0x0, flags=0x0, protocol=0 src ip=0.0.0.0, mask=0.0.0.0, port=0 dst ip=192.168.50.0, mask=255.255.255.0, port=0Phase: 7Type: NATSubtype: host-limitsResult: ALLOWConfig:nat (inside) 10 192.168.50.0 255.255.255.0 match ip inside 192.168.50.0 255.255.255.0 outside any    dynamic translation to pool 10 (external [Interface PAT])    translate_hits = 2250, untranslate_hits = 17Additional Information: Reverse Flow based lookup yields rule: in id=0x4b80fa0, priority=1, domain=host, deny=false hits=2811, user_data=0x4b80ce0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip=192.168.50.0, mask=255.255.255.0, port=0 dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 8Type: IP-OPTIONSSubtype:      Result: ALLOW Config:       Additional Information: Reverse Flow based lookup yields rule: in id=0x4469ef8, priority=0, domain=permit-ip-option, deny=true        hits=2010804, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0        src ip=0.0.0.0, mask=0.0.0.0, port=0        dst ip=0.0.0.0, mask=0.0.0.0, port=0Phase: 9      Type: VPN     Subtype: encryptResult: DROP Config:       Additional Information: Reverse Flow based lookup yields rule: out id=0x4887aa8, priority=70, domain=encrypt, deny=false        hits=10, user_data=0x0, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0        src ip=192.168.50.0, mask=255.255.255.0, port=0        dst ip=192.168.2.0, mask=255.255.255.0, port=0Result:       input-interface: outsideinput-status: upinput-line-status: upoutput-interface: insideoutput-status: upoutput-line-status: upAction: drop Drop-reason: (acl-drop) Flow is denied by configured rule
So it seems to find the rule, which it ought to match, but then returns DENY. What's going on here? Perhaps this is misleading and the issue is elsewhere, but it isn't clear from the output here.
For further information, this is output for the WORKING subnet - I have just taken a small part here though:
Phase: 10     Type: VPN     Subtype: encryptResult: ALLOW Config:       Additional Information: Reverse Flow based lookup yields rule: out id=0x4b86418, priority=70, domain=encrypt, deny=false        hits=332214, user_data=0x7da5c, cs_id=0x44b18f8, reverse, flags=0x0, protocol=0        src ip=192.168.0.0, mask=255.255.255.0, port=0        dst ip=192.168.2.0, mask=255.255.255.0, port=0
Thanks very much in advance for any help you can provide - I've been really stuck on this one!
Chris

Hi,
Can you issue the packet-tracer with the direction beeing your London office -> Remote office?
Also issue the command twice.
Personally I've used packet-tracer with some L2L VPNs to test if the remote end has the configurations correct. Also I've noticed that the first packet-tracer test never goes through. So issue that command twice and show how it goes.
Though I imagine you have tried to connect through the L2L VPN with real host machines and not just the firewalls packet-tracer?
Also I imagine the original info has a typo. You say your ASAs LAN gateway IP and the local L3 switches IP address is the same, 192.168.0.254.
Basically the hardest part regarding L2L VPNs should be the initial setup of the VPN connection. Even though it should be simple people still tend to mess up PSKs or Phase1/2 parameters. But as your L2L VPN is already in working order and you are just adding networks to it, it should be pretty simple.
When you add network and dont require any special NAT configurations, your NAT0 and Encryption domain access-list should look pretty much the same.
And looking at your configurations, it should be like this
access-list outside_2_cryptomap extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list outside_2_cryptomap extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list insideOutboundNonatAcl extended permit ip 192.168.20.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.30.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.40.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.50.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.10.0 255.255.255.0 192.168.2.0 255.255.255.0 access-list insideOutboundNonatAcl extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
Btw what is the network 192.168.7.0/24? It seems to have a VPN rule at the remote site but not at the HO site. Though there is a NAT0 rule for that traffic on the HO site.
EDIT: I imagine the VPN network rules should be an exact mirror image of eachother. Though it seems this doesnt stop devices from negotiating the VPN up but who knows if some other device type is picky about that one. Only thing in your situation that I see is the network 192.168.7.0/24 that is not included in the other ends configurations.
EDIT2: Also the reason your test for the already existing rule might be going through without a problem might be because the tunnel is up and working for the networks in question.
EDIT3: Does your Vigor device also have NAT0 rules configured for the new networks?
- Jouni

L2L VPN Issue - one subnet not reachable

Hi Folks,
I have a strange issue with a new VPN connection and would appreciate any help.
I have a pair of Cisco asa 5540s configured as a failover pair (code version 8.2(5)).
I have recently added 2 new L2L VPNs - both these VPNs are sourced from the same interface on my ASA (called isp), and both are to the same customer, but they terminate on different firewalls on the cusomter end, and encrypt traffic from different customer subnets.    There's a basic network diagram attached.
VPN 1 - is for traffic from the customer subnet 10.2.1.0/24.    Devices in this subnet should be able to access 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN works correctly.
VPN 2 - is for traffic from the customer subnet 192.168.1.0/24.    Devices in this subnet should be able to access the same 2 subnets on my network - DMZ 211 (192.168.211.0./24) and DMZ 144 (192.168.144.0/24).    This VPN is not working correctly - the customer can access DMZ 144, but not DMZ 211.
There are isakmp and ipsec SAs for both VPNs.    I've noticed that the packets encaps/decaps counter does not increment when the customer sends test traffic to DMZ 211. This counter does increment when they send test traffic to DMZ144.   I can also see traffic sent to DMZ 144 from the customer subnet 192.168.1.0/24 in packet captures on the DMZ 144 interface of the ASA.   I cannot see similar traffic in captures on the DMZ211 interface (although I can see traffic sent to DMZ211 if it is sourced from 10.2.1.0/24 - ie when it uses VPN1)
Nat exemption is configured for both 192.168.1.0/24 and 10.2.1.0/24.
There is a route to both customer subnets via the same next hop.
There is nothing in the logs toindicate that traffic from 192.168.1.0/24 is being dropped
I suspect that this may be an issue on the customer end, but I'd like to be able to prove that.   Specifically, I would really like to be able to capture traffic destined to DMZ 211 on the isp interface of the firewall after it has been decrypted - I don't know if this can be done however, and I haven'treally found a good way to prove or disprove that VPN traffic from 192.168.1.0/24 to DMZ211 is arriving at the isp interface of my ASA, and to show what's happening to that traffic after it arrives.
Here is the relevant vpn configuration:
crypto map MY_CRYPTO_MAP 90 match address VPN_2
crypto map MY_CRYPTO_MAP 90 set peer 217.154.147.221
crypto map MY_CRYPTO_MAP 90 set transform-set 3dessha
crypto map MY_CRYPTO_MAP 90 set security-association lifetime seconds 86400
crypto map MY_CRYPTO_MAP 100 match address VPN_1
crypto map MY_CRYPTO_MAP 100 set peer 193.108.169.48
crypto map MY_CRYPTO_MAP 100 set transform-set 3dessha
crypto map MY_CRYPTO_MAP 100 set security-association lifetime seconds 86400
crypto map MY_CRYPTO_MAP interface isp
ASA# sh access-list VPN_2
access-list VPN_2; 6 elements; name hash: 0xa902d2f4
access-list VPN_2 line 1 extended permit ip object-group VPN_2_NETS 192.168.1.0 255.255.255.0 0x56c7fb8f
access-list VPN_2 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=45) 0x93b6dc21
access-list VPN_2 line 1 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=6) 0x0abf7bb9
access-list VPN_2 line 1 extended permit ip host 192.168.146.29 192.168.1.0 255.255.255.0 (hitcnt=8) 0xcc48a56e
ASA# sh access-list VPN_1
access-list VPN_1; 3 elements; name hash: 0x30168cce
access-list VPN_1 line 1 extended permit ip 192.168.144.0 255.255.252.0 10.2.1.0 255.255.255.0 (hitcnt=6) 0x61759554
access-list VPN_1 line 2 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=3) 0xa602c97c
access-list VPN_1 line 3 extended permit ip host 192.168.146.29 10.2.1.0 255.255.255.0 (hitcnt=0) 0x7b9f32e3
nat (dmz144) 0 access-list nonatdmz144
nat (dmz211) 0 access-list nonatdmz211
ASA# sh access-list nonatdmz144
access-list nonatdmz144; 5 elements; name hash: 0xbf28538e
access-list nonatdmz144 line 1 extended permit ip 192.168.144.0 255.255.255.0 192.168.0.0 255.255.0.0 (hitcnt=0) 0x20121683
access-list nonatdmz144 line 2 extended permit ip 192.168.144.0 255.255.255.0 172.28.2.0 255.255.254.0 (hitcnt=0) 0xbc8ab4f1
access-list nonatdmz144 line 3 extended permit ip 192.168.144.0 255.255.255.0 194.97.141.160 255.255.255.224 (hitcnt=0) 0xce869e1e
access-list nonatdmz144 line 4 extended permit ip 192.168.144.0 255.255.255.0 172.30.0.0 255.255.240.0 (hitcnt=0) 0xd3ec5035
access-list nonatdmz144 line 5 extended permit ip 192.168.144.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x4c9cc781
ASA# sh access-list nonatdmz211 | in 192.168\.1\.
access-list nonatdmz1 line 3 extended permit ip 192.168.211.0 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=0) 0x2bbfcfdd
ASA# sh access-list nonatdmz211 | in 10.2.1.
access-list nonatdmz1 line 4 extended permit ip 192.168.211.0 255.255.255.0 10.2.1.0 255.255.255.0 (hitcnt=0) 0x8a836d91
route isp 192.168.1.0 255.255.255.0 137.191.234.33 1
route isp 10.2.1.0 255.255.255.0 137.191.234.33 1
Thanks in advance to anyone who gets this far!

Darragh
Clearing the counters was a good idea. If the counter is not incrementing and if ping from the remote side is not causing the VPN to come up it certainly confirms that something is not working right.
It might be interesting to wait till the SAs time out and go inactive and then test again with the ping from the remote subnet that is not working. Turn on debug for ISAKMP and see if there is any attempt to negotiate. Especially if you do not receive any attempt to initiate ISAKMP from then then that would be one way to show that there is a problem on the remote side.
Certainly the ASA does have the ability to do packet capture. I have used that capability and it can be quite helpful. I have not tried to do a capture on the outside interface for incoming VPN traffic and so am not sure whether you would be capturing the encrypted packet or the de-encrypted packet. You can configure an access list to identify traffic to capture and I guess that you could write an access list that included both the peer addresses as source and destination to capture the encrypted traffic and entries that were the un-encrypted source and destination subnets to capture traffic after de-encryption.
HTH
Rick

Hr exemption issue

Similar Messages

Maybe you are looking for