Cisco ASA

Poo17
Level 1

Hello,

The site-to-site tunnel is up on the firewall, but the packet encap is showing 0. It looks like the ASA is not sending any encrypted packets to the tunnel. Any suggestion?

@Poo17 

It could potentially be that the traffic is unintentionally NATted by an existing NAT rule, or a routing issue from the local switch.

Run packet-tracer from the CLI and provide the output.

Also provide your configuration and the output of "show nat detail".

balaji.bandi
Hall of Fame

Not sure what the issue is; can you show us an example config? If the traffic needs to go to the destination, it needs to be added to the interesting traffic to be allowed in the tunnel. This can be verified in your config and ACL.

BB

Poo17
Level 1

How to run the packet tracer command?

Like this:

packet-tracer input <interface name of your inside interface> tcp <source address of any inside host> 1025 <destination address of any remote host> 80

It doesn't matter if the destination host is listening on port 80 or not. Packet-tracer only creates a synthetic packet for processing into the ASA and displays the results of the packet processing.

Thank you, Marvin. This is what I got:

ASA# packet-tracer input inside tcp 1.1.1.1 1025 2.2.2.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 12.X.X.X, outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
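As an added example that is not part of the original thread or of Cisco's own tooling: a small Python parser for packet-tracer output in the shape shown above. It splits the output into its phases and the final summary block, finds the phase that returned DROP, pulls the drop-reason code out of the parentheses, and maps the dropping phase type to the check suggested in this thread (ACL bound with access-group, NAT rule via "show nat detail", routing). The sample output below is constructed, and the 192.0.2.1 next hop is a placeholder, not an address from the thread.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: packet-tracer output in the same shape as the thread,
# with a placeholder next-hop address. Not taken from a real device.
SAMPLE_OUTPUT = """\
ASA# packet-tracer input inside tcp 10.0.0.10 1025 10.1.0.10 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 192.0.2.1, outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Which check to run next, keyed by the phase type that dropped the packet.
# These hints mirror the suggestions in the thread; they are not ASA output.
HINTS = {
    "ACCESS-LIST": "check the ACL bound to the input interface with access-group",
    "NAT": "check 'show nat detail' for a rule that translates the VPN traffic",
    "ROUTE-LOOKUP": "check routing toward the remote network",
}

Phase = Dict[str, str]


def parse_packet_tracer(text: str) -> Dict[str, object]:
    """Split packet-tracer output into per-phase records and the final summary."""
    phases: List[Phase] = []
    summary: Dict[str, str] = {}
    current: Optional[Phase] = None
    section: Optional[str] = None   # "config" or "info" while collecting free text
    in_summary = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": line.partition(":")[2].strip(), "type": "",
                       "subtype": "", "result": "", "config": "", "info": ""}
            phases.append(current)
            section = None
            continue
        if line == "Result:":          # bare "Result:" opens the summary block
            in_summary = True
            current = None
            continue
        if in_summary:
            key, sep, value = line.partition(":")
            if sep:
                summary[key.strip()] = value.strip()
            continue
        if current is None:            # preamble such as the echoed command
            continue
        if line == "Config:":
            section = "config"
            continue
        if line == "Additional Information:":
            section = "info"
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("Type", "Subtype", "Result"):
            current[key.lower()] = value.strip()
        elif section:
            current[section] = (current[section] + " " + line).strip()
    return {"phases": phases, "summary": summary}


def diagnose(text: str) -> Dict[str, Optional[str]]:
    """Report the final action, the first DROP phase, its reason code and a next check."""
    parsed = parse_packet_tracer(text)
    summary = parsed["summary"]
    dropped = [p for p in parsed["phases"] if p["result"] == "DROP"]
    phase = dropped[0] if dropped else None
    match = re.match(r"\((?P<code>[^)]+)\)", summary.get("Drop-reason", ""))
    return {
        "action": summary.get("Action", "unknown"),
        "drop_phase": phase["phase"] if phase else None,
        "drop_type": phase["type"] if phase else None,
        "drop_code": match.group("code") if match else None,
        "hint": HINTS.get(phase["type"], "inspect the dropping phase") if phase
                else "packet allowed; verify the crypto ACL / interesting traffic",
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_OUTPUT).items():
        print(f"{key}: {value}")
```

Paste real packet-tracer output in place of the constructed sample; a result with drop_type ACCESS-LIST and drop_code acl-drop points straight at the interface ACL, which is the conclusion reached in this thread.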

 

Marvin Rhoads
Hall of Fame

Did you use a real inside and outside host address vs. the dummy "1.1.1.1" and "2.2.2.2" you indicated in your reply?

If so, then you appear to have an access-list on the inside interface denying the incoming traffic.

Yes, I used the real IP address.

So check your ACL (any ACL applied to the interface with "access-group" command in the running-config or appearing in ASDM under the inside interface).

ASA# sh run | i access-group
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

Need to check the access-list inside_access_in.
