https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694780#M194526 <P>Hi,</P><P>I think if you would like to verify traffic drops from large ACE , I think packet tracer would be the best option.</P><P>Running packet Tracer for that specific traffic would help you verify the traffic being passed or dropped.</P><P>https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer</P><P>Also , using the Syslog ID:- 106023</P><P>http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html#pgfId-6482625</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Mon, 04 May 2015 11:45:57 GMT Vibhor Amrodia 2015-05-04T11:45:57Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694779#M194525 <P>how to fastly troubleshooting which access list rule drop specific traffic&nbsp;from ten thousands of rules?</P> Tue, 26 Mar 2019 00:55:47 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694779#M194525 martlee2 2019-03-26T00:55:47Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694780#M194526 <P>Hi,</P><P>I think if you would like to verify traffic drops from large ACE , I think packet tracer would be the best option.</P><P>Running packet Tracer for that specific traffic would help you verify the traffic being passed or dropped.</P><P>https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer</P><P>Also , using the Syslog ID:- 106023</P><P>http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html#pgfId-6482625</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Mon, 04 May 2015 11:45:57 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694780#M194526 Vibhor Amrodia 2015-05-04T11:45:57Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694781#M194527 <P>I have used packet tracer but config attribute is empty</P><P>how to show the config of access rule in config attribute of packet tracer?</P> Mon, 04 May 2015 11:48:47 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694781#M194527 martlee2 2015-05-04T11:48:47Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694782#M194528 <P>Hi,</P><P>use the "detail" keyword at the end of the packet tracer command:-</P><P>packet-tracer input outside tcp&nbsp; 10.190.2.156 3456 10.190.32.45 22 <STRONG>detail</STRONG></P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Mon, 04 May 2015 11:51:18 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694782#M194528 Vibhor Amrodia 2015-05-04T11:51:18Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694783#M194529 <P>packet tracer command i tried already had detail option at the end</P><P>still do not have config in config attribute</P><P>is there a command to enable show config in config attribute in packet tracer?</P><P>if so, it is default disabled shown config in packet tracer?</P><P>why disable shown?</P><P>is there security reason about this?</P><P>&nbsp;</P><P>if it is due to rules not exist to allow the traffic, is it the reason?</P> Mon, 04 May 2015 12:15:46 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694783#M194529 martlee2 2015-05-04T12:15:46Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694784#M194530 <P>Hi,</P><P>If there is configuration which is dropping traffic it will show up in the output with detailed keyword.</P><P>Are you seeing implicit rule dropping the traffic.</P><P>Please post the output from the packet tracer.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Mon, 04 May 2015 12:15:47 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694784#M194530 Vibhor Amrodia 2015-05-04T12:15:47Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694785#M194531 <P>though we already found that is it due to one of rule not include an ip address,</P><P>it seems that it can not show some tips about this</P><P>&nbsp;</P><P>i guess that it may be due to the default rule of ASA which drop all when not match</P><P>&nbsp;</P><P>can we make a conclusion that every time we see config attribute is</P><P>empty means one of rules do not allow specific traffic?</P><P>&nbsp;</P><P>Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:<BR />&nbsp;Forward Flow based lookup yields rule:<BR />&nbsp;in &nbsp;id=0x7ffad41dd5a0, priority=11, domain=permit, deny=true<BR />&nbsp; &nbsp; &nbsp; &nbsp; hits=873597888, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; src ip/id=0.0.0.0, mask=0.0.0.0, port=0<BR />&nbsp; &nbsp; &nbsp; &nbsp; dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0<BR />&nbsp; &nbsp; &nbsp; &nbsp; input_ifc=outside, output_ifc=any</P><P>Result:<BR />input-interface: outside<BR />input-status: up<BR />input-line-status: up<BR />output-interface: inside<BR />output-status: up<BR />output-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule</P> Mon, 04 May 2015 12:21:25 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694785#M194531 martlee2 2015-05-04T12:21:25Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694786#M194532 <P>Hi,</P><P>As this traffic seems to be from outside to inside , I think this has to be with the incorrect NAT rule as you pointed out.</P><P>Now , this Implicit rule drop is in cases when either we use the source or destination as ASA interfaces itself.</P><P>In some case when the NAT phase is not hit , this will be the default drop reason.</P><P>These cannot be checked as this is traffic not being denied by the access group on the interface but incorrect or missing some configuration.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Mon, 04 May 2015 12:21:26 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694786#M194532 Vibhor Amrodia 2015-05-04T12:21:26Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694787#M194533 <P>can we make a conclusion that every time we see config attribute is</P><P>empty means one of rules do not allow specific traffic?</P> Mon, 04 May 2015 12:25:13 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694787#M194533 martlee2 2015-05-04T12:25:13Z https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694788#M194534 <P>Hi,</P><P>Yes , we can make this conclusion as at the end of every access group there would be an implicit deny rule.</P><P>Also , there can be times when an incorrect packet tracer might also give this same drop.</P><P>Thanks and Regards,</P><P>Vibhor Amrodia</P> Mon, 04 May 2015 12:39:06 GMT https://community.cisco.com/t5/network-security/how-to-fastly-troubleshooting-which-access-list-rule-drop/m-p/2694788#M194534 Vibhor Amrodia 2015-05-04T12:39:06Z