Drop with Packet Capture?help
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 08:46 AM - edited 03-11-2019 12:44 PM
Hi Folks
how to start troubleshoot the Below:
the user source address 172.16.3.2 (Behind ASA-1
the destination SIP Server: 10.100.100.100 (Behind ASA-2)
packet-tracer input outside udp 172.16.3.2 4263 10.100.100.100 sip
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
- Labels:
-
NGFW Firewalls

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 08:58 AM
ibrahim.jamil wrote:
Hi Folks
how to start troubleshoot the Below:
the user source address 172.16.3.2 (Behind ASA-1
the destination SIP Server: 10.100.100.100 (Behind ASA-2)
packet-tracer input outside udp 172.16.3.2 4263 10.100.100.100 sip
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access listPhase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flowPhase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Look at you access lists. normally packet-tracer will write the acl-statement which is blocking the connection
rgds,
MiKa
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 09:04 AM
on witch asa should i check ASA-1 or ASA-2 ? on asa-1 i have an access-list permit ip any any,pls tell where?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 09:20 AM
on the asa where you did the packe-trace
then repeat on the other asa (packet-tracer and acl-verification)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 09:26 AM
Dude,on the asa where i did packet-trace there is an access-list that match all traffic permit ip any any
access-list cached ACL log flows: total 0, denied 0

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 09:51 AM
Hi Ibrahim,
then its somewhere else, the packet-tracer output "denied by implicit rule" doesn't neccessaryly point to the implicit "deny any" of the acl, it was just so tempting.
I have seen this message pointing to following problems:
- Interfaces having the same security level without "same-security-traffic permit..."
- NAT issues, I don't see an phase for NAT ont your packet-tracer output
what does the show xlate detail and show conn detail tell you for 172.16.3.2?
maybe you should post a sanitized sh run (obfuscate public IPs, keys and passwords, even the encrypted)
rgds,
MiKa
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 09:56 AM
Hi
What do mean below?
- NAT issues, I don't see an phase for NAT ont your packet-tracer output
sh xlate
- Global 50.50.50.10 Local 172.16.3.2
thanks

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 10:14 AM
Ibrahim,
So, the topology is like this?
host(172.16.3.2)-- (in)ASA-1(out)----(out)ASA2(in)---SIP server (100.100.100.100)
Now, pls. verify the following:
On ASA1:
1. Do you have a route for 100.100.100.x pointing to ASA2?
2. What translation are you using for this host 172.16.3.2?
3. what do the syslogs show on ASA when it fails?
5. Do you have SIP inspection enabled?
6. Is 100.100.100.100 the mapped IP of the SIP server behind ASA2?
On ASA2:
1. what do the syslogs show when the connection fails?
2. What kind of translation is the SIP server IP configured to use on ASA2. It has to be static if you will be trying to reach it from the outside.
enable logging and post the output:
conf t
logging on
logging buffered 7
sh logg | i x.x.x.x
where x.x.x.x is 172.16.3.2 on ASA1 and 100.100.100.100 on ASA2
-KS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 10:38 AM
- 'yeah i can ping 100.100.100.100 form asa-1
- Global 50.50.50.10 Local 172.16.3.2
- Teardown TCP connection 2687341 for outside:100.100.100.100/4443 to inside:172.16.3.2/3128 duration 0:00:00 bytes 0 TCP Reset-O
- SIP is enable under policy
- no mapping
- BTH the coonection betweeen two sites r MPLS
Pls Help

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-03-2011 02:45 PM
Reset-O means the reset came from the lower security interface.
We need captures to see which mac address is responsible for the reset.
It would be better to gather the capture on the ingress and egress interface of ASA-2.
It would be better to open a TAC case as we will need simultaneous captures ingress and egress on both ASAs as well as gather the debug level syslogs from both the ASAs during the problem to figure out where the reset is coming from.
-KS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2011 12:41 AM
Hi Sankar!
might the AIP-SSM sensor block traffic? if so how to check that?

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2011 01:10 AM
You can certainly try to remove the IPS module from the policy-map from ASA2 and try the flow.
-KS
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2011 01:25 AM
Hi Sankar
I realy Appreciate ur Help and ur Professional Support; how can i check that from the IPS module itself?
so to remove the IPS from the policy-map
so i need the below:
policy-map global_policy
no class ips-module
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2011 02:29 AM
Hi Sunkar
PLs chexk the below
5510# sh logg | in 10.0.4.25
%ASA-7-609001: Built local-host outside:100.100.100.100
%ASA-6-302013: Built outbound TCP connection 2697766 for outside:100.100.100.100/4443 (100.100.100.100/4443) to inside:172.16.3.2/3602 (50.50.50.10/3602)
%ASA-6-302014: Teardown TCP connection 2697766 for outside:100.100.100.100/4443 to inside:172.16.3.2/3602 duration 0:00:00 bytes 0 TCP Reset-O
%ASA-7-609002: Teardown local-host outside 100.100.100.100 duration 0:00:00

- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-04-2011 03:09 AM
Ibrahim,
Pls. enable logging timestamp.
conf t
logging timestamp
This will give you a time stamp of when these syslogs are getting printed.
Now, I see that it is immediately getting torn down and there is no bytes passed "duration 0:00:00 bytes 0".
So, this may very well be reset by the IPS module
Why don't you exempt this traffic from being scanned by the module?
You can do this via MPF. As to how to check this in the IPS GUI, you should be able to see these event under the monitoring tab in the IDM GUI.
-KS
