https://community.cisco.com/t5/network-security/next-cli-command-to-determine-what-acl-is-dropping-traffic/m-p/4266759#M1077008 <P>Create a packet capture that only collects dropped packets due to an ACL:</P><PRE>ASA5508# capture mycapture type asp-drop acl-drop</PRE><P>Next view the packet capture to see what traffic is getting dropped which might lead you to the ACL that needs tweaking:</P><PRE>ASA5508# show capture mycapture 5 packets captured 1: 18:25:42.987879 1.1.1.1.43605 &gt; 2.2.2.2.34577: S 431469340:431469340(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule </PRE> Tue, 05 Jan 2021 00:29:49 GMT TJ-20933766 2021-01-05T00:29:49Z https://community.cisco.com/t5/network-security/next-cli-command-to-determine-what-acl-is-dropping-traffic/m-p/4266733#M1077003 <P>Hey, pros, I've determined that an Implicit ACL is causing my Mobile32 traffic to drop in Phase 3, BUT it's not so kind as to give me which rule is dropping the traffic. If you're me, what's your next command? What command would you enter to see what ACL is dropping traffic for Mobile32?&nbsp;</P><P>&nbsp;</P><P>Thank you all!</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-01-04 at 5.18.50 PM.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/100862i1393B7DD8FE25C46/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2021-01-04 at 5.18.50 PM.png" alt="Screen Shot 2021-01-04 at 5.18.50 PM.png" /></span></P> Mon, 04 Jan 2021 22:55:19 GMT https://community.cisco.com/t5/network-security/next-cli-command-to-determine-what-acl-is-dropping-traffic/m-p/4266733#M1077003 Alan Inman 2021-01-04T22:55:19Z https://community.cisco.com/t5/network-security/next-cli-command-to-determine-what-acl-is-dropping-traffic/m-p/4266759#M1077008 <P>Create a packet capture that only collects dropped packets due to an ACL:</P><PRE>ASA5508# capture mycapture type asp-drop acl-drop</PRE><P>Next view the packet capture to see what traffic is getting dropped which might lead you to the ACL that needs tweaking:</P><PRE>ASA5508# show capture mycapture 5 packets captured 1: 18:25:42.987879 1.1.1.1.43605 &gt; 2.2.2.2.34577: S 431469340:431469340(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule </PRE> Tue, 05 Jan 2021 00:29:49 GMT https://community.cisco.com/t5/network-security/next-cli-command-to-determine-what-acl-is-dropping-traffic/m-p/4266759#M1077008 TJ-20933766 2021-01-05T00:29:49Z https://community.cisco.com/t5/network-security/next-cli-command-to-determine-what-acl-is-dropping-traffic/m-p/4267243#M1077043 <P>You can use the command&nbsp;</P><P>&gt;system support trace&nbsp;</P><P>the result tells you which policy generates the block.</P><P>example.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ftd-trace.jpg" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/100929i66E240476E8D092F/image-size/medium?v=v2&amp;px=400" role="button" title="ftd-trace.jpg" alt="ftd-trace.jpg" /></span></P><P>more information</P><P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html</A></P> Tue, 05 Jan 2021 17:55:09 GMT https://community.cisco.com/t5/network-security/next-cli-command-to-determine-what-acl-is-dropping-traffic/m-p/4267243#M1077043 setian_london 2021-01-05T17:55:09Z