
Cisco ASA Packet Drop with Drop Location frame 0x000055a24277fdb9

Arie --
Level 1

Hi,

I'm troubleshooting a packet drop on a Cisco ASA.

When I ran the packet tracer, I found that the packet is dropped:

Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055a24277fdb9 flow (NA)/NA

 

How can I locate which access list drops the packet? There is no specific information about that.

ASA version: 9.14(4)14

 

Thank you

Arie

2 Replies

Isabella54
Level 1

Hi Arie,

To pinpoint which access list is causing the packet drop on your Cisco ASA, you can check the configured access control lists (ACLs) on the device. Navigate to the ASA's configuration using the command-line interface and review the access lists applied to the 'inside' and 'outside' interfaces. Examine the rules within those ACLs to identify any that might deny the flow described in your packet tracer output. The "filter-aaa" subtype indicates that the drop is related to AAA (Authentication, Authorization, and Accounting), so ensure that your ACLs are correctly configured for the desired traffic. If needed, you can modify the ACL rules to permit the traffic or adjust the flow to comply with your security policies.

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvd97319

It's a bug.

Two workarounds:

Reboot the ASA

Or

Configure a VPN filter with permit any any

MHM
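
One way to pull the dropping phase out of packet-tracer output like the one in the question, as an added example that is not part of the original thread (`parse_packet_tracer` and `dropping_phase` are hypothetical helper names). When the DROP phase has an empty Config section, as in the posted trace, the result carries `acl: None`, which shows that the trace itself names no access list.

```python
import re

PHASE_KEYS = ("Phase", "Type", "Subtype", "Result", "Config", "Additional Information")

# Output as posted in the question; summary trimmed to Action and Drop-reason.
SAMPLE = """\
Phase: 11
Type: ACCESS-LIST
Subtype: filter-aaa
Result: DROP
Config:
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055a24277fdb9 flow (NA)/NA
"""

def parse_packet_tracer(text):
    """Return (list of per-phase dicts, summary dict) from packet-tracer text."""
    phases, summary, cur, key = [], {}, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        name, sep, value = line.partition(":")
        if line == "Result:":                  # bare "Result:" opens the final summary
            cur, key = summary, None
        elif cur is summary:
            if sep:
                summary[name] = value.strip()
        elif name == "Phase" and sep:          # start of a new phase block
            cur, key = {"Phase": value.strip()}, "Phase"
            phases.append(cur)
        elif cur is not None and sep and name in PHASE_KEYS:
            cur[name], key = value.strip(), name
        elif cur is not None:                  # continuation of Config / Additional Information
            cur[key] = (cur[key] + "\n" + line).strip()
    return phases, summary

def dropping_phase(text):
    """Describe the first phase whose Result is DROP, or None if nothing dropped."""
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p.get("Result") == "DROP":
            acl = re.search(r"^access-list (\S+)", p.get("Config", ""), re.M)
            return {"phase": int(p["Phase"]), "type": p.get("Type"),
                    "subtype": p.get("Subtype"), "acl": acl.group(1) if acl else None,
                    "reason": summary.get("Drop-reason", "").split(",")[0]}
    return None
```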
