ASA Packet tracer for traffic that uses a L2L VPN

Hello.

I want to do a test in ASA packet tracer for traffic that is routed to a L2L VPN configured on the firewall. When I do the packet-tracer, the traffic is being dropped on Phase 6, which is type: VPN, subtype: encrypt. My guess is this is because the firewall is not yet connected to the Internet and the VPN has not been established yet. Is there a way I can test this type of traffic without having the VPN established first?

Below is my packet-tracer output:

NBS-BT-INTERNET-ASA5525# packet-tracer input INSIDE tcp 10.40.23.4 1234 192.16$
WARNING: 5 sec waittime expire start 2252064, end 2252065,flags 0, trace 0x0000000000411315/0x0000000000411315

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic NBS_INTERNAL obj-10.0.21.243 destination static SWIFT_SUBNET SWIFT_SUBNET
Additional Information:
NAT divert to egress interface OUTSIDE
Untranslate 192.169.34.12/443 to 192.169.34.12/443

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
access-list INSIDE_access_in extended permit ip any host 196.213.205.250
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5cdc780220, priority=13, domain=permit, deny=false
hits=8, user_data=0x7f5cd13c0c00, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip/id=10.40.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=443, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic NBS_INTERNAL obj-10.0.21.243 destination static SWIFT_SUBNET SWIFT_SUBNET
Additional Information:
Dynamic translate 10.40.23.4/1234 to 10.0.21.243/1234
Forward Flow based lookup yields rule:
in id=0x7f5cdc5ce340, priority=6, domain=nat, deny=false
hits=283, user_data=0x7f5cde91d890, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.40.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=OUTSIDE

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5cdb5891a0, priority=0, domain=nat-per-session, deny=false
hits=425937, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f5cdc3d1ba0, priority=0, domain=inspect-ip-options, deny=true
hits=461278, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=INSIDE, output_ifc=any

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f5cdec798a0, priority=70, domain=encrypt, deny=false
hits=289, user_data=0x0, cs_id=0x7f5cdec74b10, reverse, flags=0x0, protocol=0
src ip/id=10.0.21.240, mask=255.255.255.240, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056223c99ccb9 flow (NA)/NA

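The output above is easier to reason about once it is broken into phases: the drop happens in the VPN/encrypt phase, the matched rule says deny=false (so the traffic did match a crypto rule) and user_data is 0x0, which is consistent with no IPsec SA existing because the tunnel has not come up. Note also that the final Drop-reason is the generic "(acl-drop) Flow is denied by configured rule" even though Phase 2 (ACCESS-LIST) allowed the flow; the phase that reports DROP is the reliable indicator. The following parser is an added example written for this thread (not Cisco code and not from any poster); the sample output it embeds is a constructed, abridged copy of the one in the question, and the "tunnel-not-established" classification is a heuristic based on the diagnosis given in the replies.

```python
"""Parse Cisco ASA packet-tracer output and explain a VPN/encrypt drop.

Added example for the thread above; not Cisco code. The sample below is a
constructed, abridged version of the output posted in the question.
"""
import re

SAMPLE_OUTPUT = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (INSIDE,OUTSIDE) source dynamic NBS_INTERNAL obj-10.0.21.243 destination static SWIFT_SUBNET SWIFT_SUBNET
Additional Information:
NAT divert to egress interface OUTSIDE

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE_access_in in interface INSIDE
Additional Information:

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f5cdec798a0, priority=70, domain=encrypt, deny=false
hits=289, user_data=0x0, cs_id=0x7f5cdec74b10, reverse, flags=0x0, protocol=0
src ip/id=10.0.21.240, mask=255.255.255.240, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000056223c99ccb9 flow (NA)/NA
"""

# key=value pairs as printed in the "yields rule" lines (e.g. domain=encrypt)
KV_RE = re.compile(r"([\w/]+)=([^,\s]+)")


def parse_phases(text):
    """Split packet-tracer output into phase dicts.

    Each dict carries number, type, subtype, result and the key=value
    fields of the matched rule. The src/dst lines are prefixed (src_ip,
    dst_mask, ...) so they do not overwrite each other."""
    phases = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = re.match(r"Phase:\s*(\d+)", lines[0])
        if not m:          # the trailing "Result:" block has no phase number
            continue
        phase = {"number": int(m.group(1)), "type": "", "subtype": "",
                 "result": "", "rule": {}}
        for line in lines[1:]:
            if line.startswith("Type:"):
                phase["type"] = line.split(":", 1)[1].strip()
            elif line.startswith("Subtype:"):
                phase["subtype"] = line.split(":", 1)[1].strip()
            elif line.startswith("Result:"):
                phase["result"] = line.split(":", 1)[1].strip()
            elif "=" in line:
                prefix = ""
                if line.startswith(("src ", "dst ")):
                    prefix, line = line[:3] + "_", line[4:]
                for key, val in KV_RE.findall(line):
                    phase["rule"][prefix + key.replace("ip/id", "ip")] = val
        phases.append(phase)
    return phases


def parse_result(text):
    """Return the final Action and the short Drop-reason code."""
    action = re.search(r"^Action:\s*(\w+)", text, re.M)
    reason = re.search(r"^Drop-reason:\s*\(([^)]+)\)", text, re.M)
    return {"action": action.group(1) if action else "",
            "drop_reason": reason.group(1) if reason else ""}


def explain_drop(text):
    """Find the phase that dropped the packet and classify it.

    Heuristic from the thread: a DROP in VPN/encrypt whose matched rule has
    deny=false means the traffic matched a crypto rule but could not be
    encrypted, i.e. no IPsec SA yet (tunnel down). user_data=0x0 there is
    consistent with that; a non-zero value would reference the SA."""
    drop = next((p for p in parse_phases(text) if p["result"] == "DROP"), None)
    if drop is None:
        return {"dropped": False, "phase": None, "kind": "allowed"}
    rule = drop["rule"]
    if drop["type"] == "VPN" and drop["subtype"] == "encrypt" \
            and rule.get("deny") == "false":
        kind = "tunnel-not-established (crypto rule matched, no IPsec SA)"
    elif drop["type"] == "VPN":
        kind = "vpn-policy-mismatch"
    else:
        kind = "other"
    return {"dropped": True, "phase": drop["number"], "type": drop["type"],
            "kind": kind, "user_data": rule.get("user_data"),
            "result": parse_result(text)}


if __name__ == "__main__":
    print(explain_drop(SAMPLE_OUTPUT))
```

Feed it the output of a real packet-tracer run and it tells you which phase dropped the packet rather than relying on the generic Drop-reason line; once the tunnel is up, the same run should show Phase 6 as ALLOW with a non-zero user_data.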
7 Replies

Mohamed Alhenawy (Spotlight)

Hi @vitumbiko nkhwazi,

access-list <access-list-name> extended permit ip <source> <destination>

Replace <access-list-name> with the name of your access list, <source> with the source IP range, and <destination> with the destination IP range. This modification will allow the traffic to bypass the VPN phase.

Rerun the packet-tracer command to test the traffic again.

I have this ACL defined already


You must run packet tracer twice for a site-to-site VPN for it to work.
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f5cdec798a0, priority=70, domain=encrypt, deny=false
hits=289, user_data=0x0, cs_id=0x7f5cdec74b10, reverse, flags=0x0, protocol=0
src ip/id=10.0.21.240, mask=255.255.255.240, port=0, tag=any
dst ip/id=192.169.34.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

The user_data is important to know which VPN this traffic hit. It is the SPI of the IPsec crypto.

It's like @MHM Cisco World said. Similar to when you ping a previously unknown host and the first ping fails since the ARP cache is empty for that host.

But the problem here is that the firewall is not connected to the Internet as of now, so the VPN will not come up.

What do you want to get from this packet tracer?

At that point I don't believe there will be a way to test this with packet tracer.
