ASA - Packets in and accepted but not forwarded

ryancisco01
Level 1

Hi all,

Strange issue here. I have a fairly simple setup: a client trying to connect to a server via the ASA; there is an ACL on the input interface and nothing on the egress interface. When they establish a connection I see the traffic hit the ingress interface but never leave the egress interface (there is another ASA on the outside interface of this ASA which never receives the packet). Packet tracer is also showing the same thing: I see the packet on the ingress but not the egress. However, everything shows it should be allowed.

Any thoughts on what this could be? I know packet tracer is not always trustworthy, but I have done this same testing with real traffic with the same captures and get the same results.

packet-tracer input INSIDE tcp 172.16.150.5 1025 10.10.10.5 445

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 OUTSIDE

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit tcp 172.16.150.0 255.255.255.0 host 10.10.10.5 eq 445
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic any interface
Additional Information:
Dynamic translate 172.16.150.5/1025 to 10.10.20.1/1025

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic any interface
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3147485250, packet dispatched to next module

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

access-list CAP extended permit tcp any4 any4 eq 445

capture IN type raw-data access-list CAP interface INSIDE [Capturing - 74 bytes]
capture OUT type raw-data access-list CAP interface OUTSIDE [Capturing - 0 bytes]

show cap IN

1 packet captured
1: 17:51:04.962047 802.1Q vlan#123 P0 172.16.150.5.1025 > 10.10.10.5.445: S 638249094:638249094(0) win 8192
1 packet shown

show cap OUT
0 packet captured

Any ideas what could be the cause?
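As an added example (not part of the original post), here is a small Python triage helper that parses the packet-tracer phases and the `show capture` summary lines in the format shown above and flags the condition described: every phase ALLOW, the ingress capture holding the SYN, the egress capture at 0 bytes. It assumes the egress capture ACL matches the post-NAT packet, which `permit tcp any4 any4 eq 445` does here (only the source address changes), so a 0-byte egress capture is not a filter artifact; the sample input is a constructed, trimmed copy of the thread's output.

```python
import re

# Constructed sample: a trimmed copy of the packet-tracer and capture output in the thread above.
TRACER = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""
CAPTURES = """\
capture IN type raw-data access-list CAP interface INSIDE [Capturing - 74 bytes]
capture OUT type raw-data access-list CAP interface OUTSIDE [Capturing - 0 bytes]
"""

# One phase block; the Config/Additional Information lines that follow it are ignored.
PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\nSubtype:(.*)\nResult: (\w+)")
CAP_RE = re.compile(r"capture (\S+) type raw-data access-list \S+ interface (\S+) "
                    r"\[Capturing - (\d+) bytes\]")

def parse_phases(text):
    """[(phase_no, type, subtype, result), ...] in packet-tracer order."""
    return [(int(n), t, s.strip(), r) for n, t, s, r in PHASE_RE.findall(text)]

def parse_captures(text):
    """capture name -> (interface, bytes captured so far)."""
    return {name: (iface, int(n)) for name, iface, n in CAP_RE.findall(text)}

def diagnose(tracer_text, capture_text, ingress="IN", egress="OUT"):
    """Classify a flow from packet-tracer output plus ingress/egress capture counters."""
    drops = [p for p in parse_phases(tracer_text) if p[3] != "ALLOW"]
    if drops:  # packet-tracer explains the loss itself: report the first failing phase
        return "tracer-drop: phase %d %s" % (drops[0][0], drops[0][1])
    caps = parse_captures(capture_text)
    in_bytes, out_bytes = caps[ingress][1], caps[egress][1]
    if in_bytes == 0:
        return "no-ingress-traffic"  # check the capture ACL or the client, not the ASA path
    if out_bytes > 0:
        return "forwarded"
    # Tracer allows, ingress saw the SYN, egress saw nothing: data path disagrees with simulation.
    allowed = re.search(r"^Action: allow$", tracer_text, re.M) is not None
    return "accepted-not-forwarded" if allowed else "inconclusive"
```

Run it against the full twelve-phase output and the two `capture` lines from `show capture`; a `tracer-drop` result points at the failing phase, while `accepted-not-forwarded` means the simulated and real data paths disagree and the capture evidence should be taken over the packet-tracer verdict.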
1 Reply

jayohaitchenn
Level 1

I have the same issue; I am attempting to traceroute. Packet tracer says the packet is allowed, and a packet capture shows the packet arriving but not being forwarded to the outside.

Anyone have any ideas?