ASA5520 ACE issue

Dale Sanderson
Beginner

Hi there,

I am working on an ASA5520 running asa724-33-k8.bin and have been seeing some strange behaviour in relation to ACE additions.

On particular access-lists there is an implicit deny; so any new entries are added before this line.

However, once the line is in place, both packet tracer and a test of connectivity result in a drop - packet-tracer indicates the implicit deny in the middle of the ACL is the cause of this. This is usually resolved by removing any IP to name mappings and using the IP instead in the ACL; however this sometimes resolves the issues and sometimes not.

I was at first thinking that a large access list may exhibit this behaviour; however, the same thing has occurred with an ACL that is only around 40 lines max.


There is a case open with our support provider but was wondering if anyone in the community has come across something similar?

Thanks in advance.

1 REPLY

mirober2
Cisco Employee

Hi Dale,

Sometimes the packet tracer output can be misleading as the ACL drop reason is more of a "catch all".

Can you post an example of an ACL that is showing this behavior along with the packet tracer output? That should help narrow down the problem.

-Mike
