10-11-2017 10:01 PM - edited 02-21-2020 06:28 AM
Hi all,
Strange issue here, I have a fairly simple setup, client trying to connect to a server via the ASA, there is an ACL on the input interface and nothing on the egress interface. When they establish connection I see the traffic hit the ingress interface but never leave the egress interface (there is another ASA on the outside interface of this ASA which never receives the packet). Packet tracer is also showing the same thing, I see the packet on the ingress but not the egress. However everything shows it should be allowed.
Any thoughts on what this could be? I know packet tracer is not always trustworthy but I have done this same testing with real traffic with the same captures and get the same results.
packet-tracer input INSIDE tcp 172.16.150.5 1025 10.10.10.5 445
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.10.10.0 255.255.255.0 OUTSIDE
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
access-list INSIDE extended permit tcp 172.16.150.0 255.255.255.0 host 10.10.10.5 eq 445
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic any interface
Additional Information:
Dynamic translate 172.16.150.5/1025 to 10.10.20.1/1025
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic any interface
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 3147485250, packet dispatched to next module
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
access-list CAP extended permit tcp any4 any4 eq 445
capture IN type raw-data access-list CAP interface INSIDE [Capturing - 74 bytes]
capture OUT type raw-data access-list CAP interface OUTSIDE [Capturing - 0 bytes]
show cap IN
1 packet captured
1: 17:51:04.962047 802.1Q vlan#123 P0 172.16.150.5.1025 > 10.10.10.5.445: S 638249094:638249094(0) win 8192
1 packet shown
show cap OUT
0 packet captured
any ideas what could be the cause?
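A small checker for the kind of evidence posted above, written as an added example (not code from the original post or from Cisco): it parses the packet-tracer phases and the "show capture" summary lines, reports the first non-ALLOW phase if there is one, and otherwise flags the case where the simulation says allow but the egress capture stays at 0 bytes. The sample text is constructed to match the line formats shown in the post; the function names are my own.

```python
import re
# Constructed sample in the same format as the packet-tracer run and
# capture summary in the post above (two phases shown, not all twelve).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE in interface INSIDE
Additional Information:
Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic any interface
Additional Information:
Dynamic translate 172.16.150.5/1025 to 10.10.20.1/1025
Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: allow
"""
SAMPLE_CAPTURES = """\
capture IN type raw-data access-list CAP interface INSIDE [Capturing - 74 bytes]
capture OUT type raw-data access-list CAP interface OUTSIDE [Capturing - 0 bytes]
"""

PHASE_RE = re.compile(r"^Phase: (\d+)\nType: (\S+)\nSubtype: ?(.*)\nResult: (\w+)", re.M)
CAP_RE = re.compile(r"^capture \S+ .* interface (\S+) \[Capturing - (\d+) bytes\]", re.M)

def parse_phases(trace):
    """Return (number, type, subtype, result) for every packet-tracer phase."""
    return [(int(n), t, s.strip(), r) for n, t, s, r in PHASE_RE.findall(trace)]

def parse_capture_bytes(show_cap):
    """Map interface name -> bytes captured, from 'show capture' summary lines."""
    return {iface: int(b) for iface, b in CAP_RE.findall(show_cap)}

def diagnose(trace, show_cap):
    """Compare the simulated verdict with what the live captures actually saw."""
    drops = [p for p in parse_phases(trace) if p[3] != "ALLOW"]
    if drops:
        return f"dropped in phase {drops[0][0]} ({drops[0][1]})"
    ifs = dict(re.findall(r"^(input|output)-interface: (\S+)", trace, re.M))
    caps = parse_capture_bytes(show_cap)
    ingress, egress = caps.get(ifs.get("input"), 0), caps.get(ifs.get("output"), 0)
    if ingress and not egress:
        return "trace allows but egress capture is empty: simulation and data path disagree"
    return "consistent"
```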
10-31-2017 04:14 AM
I have the same issue, I am attempting to traceroute. Packet tracer says the packet is allowed, a packet capture shows the packet arriving but not being forwarded to the outside.
Anyone have any ideas?