ASA - Packets in and accepted but not forwarded

ryancisco01 — Fri, 21 Feb 2020 14:28:14 GMT

Hi all,

Strange issue here, I have a fairly simple setup, client trying to connect to a server via the ASA, there is an ACL on the input interface and nothing on the egress interface. When they establish connection I see the traffic hit the ingress interface but never leave the egress interface (there is another ASA on the outsid einterface of this ASA which never recieves the packet). Packet tracer is also showing the same thing, I see the packet on the ingress but not the egress. However everything shows it shoudl be allowed.

Any thought osn what this could be? I know packet tracer is not always trust worthy but I have done this same testing with real traffic with the same captures and get the same results.

packet-tracer input INSIDE tcp 172.16.150.5 1025 10.10.10.5 445

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit tcp 172.16.150.0 255.255.255.0 host 10.10.10.5 eq 445
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic any interface
Additional Information:
Dynamic translate 172.16.150.5/1025 to 10.10.20.1/1025

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic any interface
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3147485250, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

access-list CAP extended permit tcp any4 any4 eq 445

capture IN type raw-data access-list CAP interface INSIDE [Capturing - 74 bytes]
capture OUT type raw-data access-list CAP interface OUTSIDE [Capturing - 0 bytes]

show cap IN

1 packet captured
1: 17:51:04.962047 802.1Q vlan#123 P0 172.16.150.5.1025 > 10.10.10.5.445: S 638249094:638249094(0) win 8192
1 packet shown

show cap OUT
0 packet captured

any ideas what could be the cause?

Re: ASA - Packets in and accepted but not forwarded

jayohaitchenn — Tue, 31 Oct 2017 11:14:58 GMT

I have the same issue, i am attempting to traceroute. Packet tracer says the packet is allowed, a packet capture shows the packet arriving but not being forwarded to the outside.

Anyone have an ideas?

topic Re: ASA - Packets in and accepted but not forwarded in Network Security

ASA - Packets in and accepted but not forwarded

Re: ASA - Packets in and accepted but not forwarded