About packet-tracer output

evelio.vila — Tue, 12 Mar 2019 05:43:53 GMT

Hello,

I have a cisco 5550-X with

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

options configured.

There are not ACLs configured either.

IPv4 traffic flows fine but I'm having troubles with IPv6. (OSPFv3 is not forming adj either).

Below is the output of a packet-tracker command using the ipv6 addresses. All Phases show Result: ALLOW, however the end result is

Drop-reason: (acl-drop) Flow is denied by configured rule.

any ideas?

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffce194060, priority=13, domain=capture, deny=false
        hits=24571, user_data=0x7fffcd988be0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffcd889350, priority=1, domain=permit, deny=false
        hits=9, user_data=0x0, cs_id=0x0, l3_type=0xdd86
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=outside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x:x:x:x:x:x:x:x using egress ifc identity

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffcda945b0, priority=120, domain=permit, deny=false
        hits=8, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=58
        src ip/id=::/0, icmp-type=0, tag=any
        dst ip/id=::/0, icmp-code=0, tag=any
        input_ifc=outside, output_ifc=identity

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffcd2ad210, priority=0, domain=nat-per-session, deny=true
        hits=9, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=any
        dst ip/id=::/0, port=0, tag=any
        input_ifc=any, output_ifc=any

Phase: 6
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffcd889c60, priority=208, domain=cluster-redirect, deny=false
        hits=9, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=::/0, port=0, tag=any
        dst ip/id=::/0, port=0, tag=any
        input_ifc=outside, output_ifc=identity

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffcda94ee0, priority=66, domain=inspect-icmp, deny=false
        hits=9, user_data=0x7fffcd965ac0, cs_id=0x0, use_real_addr, flags=0x0, protocol=58
        src ip/id=::/0, icmp-type=0, tag=any
        dst ip/id=::/0, icmp-code=0, tag=any
        input_ifc=outside, output_ifc=identity

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffcda95540, priority=66, domain=inspect-icmp-error, deny=false
        hits=9, user_data=0x7fffcd9648e0, cs_id=0x0, use_real_addr, flags=0x0, protocol=58
        src ip/id=::/0, icmp-type=0, tag=any
        dst ip/id=::/0, icmp-code=0, tag=any
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,I would not rely on the

Vibhor Amrodia — Fri, 03 Apr 2015 14:19:46 GMT

Hi,

I would not rely on the packet tracer for the To the Box traffic and would instead apply the IPv6 captures on the interface which is trying to form the neighbor ship.

Thanks and Regards,

Vibhor Amrodia

Hi, I am not sure if this

Pranay Prasoon — Sat, 04 Apr 2015 04:28:40 GMT

Hi,

I am not sure if this capture is for ospfv6, because as Vibhor said any traffic destined for ASA will show drop in packet tracer. For ospfv6 neighborship issue, packet-tracer is not a good tool. As ospfv6 uses link-local interface address to send ospf packet, you can rather take captures and debug to see what is going on. In captures you can match traffic between "link-local ipv6 address from source interface" to FF02::5 and ::6.

Thanks

Pranay

Hi Vibhor,I was already doing

evelio.vila — Tue, 07 Apr 2015 23:10:53 GMT

Hi Vibhor,

I was already doing packet captures but I wasn't seeing any traffic destined for ospf multicast addresses so I was wondering what kind of issue it might be.

The topology was actually a VIRL lab that had the NX-OS reference image between the ASA and the router and i think its some kind of bug. Testing the same configs on a real gear worked like a charm!

Regards,

Evelio

topic Hi, I am not sure if this in Network Security

About packet-tracer output

Hi,I would not rely on the

Hi, I am not sure if this

Hi Vibhor,I was already doing