How to quickly troubleshoot which access-list rule drops specific traffic

martlee2
Cisco Employee

How do you quickly troubleshoot which access-list rule drops specific traffic when there are tens of thousands of rules?

9 Replies

Vibhor Amrodia
Cisco Employee

Hi,

I think if you would like to verify traffic drops from a large set of ACEs, packet tracer would be the best option.

Running packet tracer for that specific traffic would help you verify whether the traffic is being passed or dropped.

https://supportforums.cisco.com/document/29601/troubleshooting-access-problems-using-packet-tracer

Also, you can use syslog ID 106023:

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html#pgfId-6482625

Thanks and Regards,

Vibhor Amrodia
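The syslog route suggested above can be automated. The following is an added example, not code from the thread or from Cisco: it parses %ASA-4-106023 deny messages, ties each one to the ACE that produced it via the hash that `show access-list` prints at the end of every line, and reports which lines are denying a given destination. Both the syslog lines and the `show access-list` excerpt are constructed sample data; the field layout follows the 106023 format (`Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>" [<hash>, <hash>]`), and the assumption that the first bracketed value matches the per-ACE hash shown by `show access-list` is what the mapping relies on.

```python
"""Tie ASA %ASA-4-106023 deny messages back to the ACE that produced them.

Added example (not from the original thread). All sample data below is constructed.
The first bracketed hex value of a 106023 message is assumed to be the per-ACE hash
that 'show access-list' prints at the end of each line; that is the join key.
"""
import re
from collections import Counter

# Constructed syslog excerpt (what 'show logging | include 106023' might return).
SAMPLE_SYSLOG = """\
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51234 dst inside:10.190.32.45/22 by access-group "outside_access_in" [0x8ed66b60, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.7/51235 dst inside:10.190.32.45/22 by access-group "outside_access_in" [0x8ed66b60, 0x0]
%ASA-4-106023: Deny udp src outside:203.0.113.9/5353 dst inside:10.190.32.45/53 by access-group "outside_access_in" [0x4f1a2b3c, 0x0]
%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.190.2.156(40000) -> outside/192.0.2.1(443) hit-cnt 1 first hit [0x1, 0x0]
"""

# Constructed 'show access-list' excerpt; the trailing hash identifies each ACE.
SAMPLE_SHOW_ACCESS_LIST = """\
access-list outside_access_in line 1 extended permit tcp any host 10.190.32.45 eq 443 (hitcnt=120) 0x1d2c3b4a
access-list outside_access_in line 2 extended deny tcp any host 10.190.32.45 eq 22 (hitcnt=2) 0x8ed66b60
access-list outside_access_in line 3 extended deny ip any any (hitcnt=1) 0x4f1a2b3c
"""

DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\S+) '
    r'src (?P<src_ifc>[^:]+):(?P<src_ip>[^/\s]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_ifc>[^:]+):(?P<dst_ip>[^/\s]+)(?:/(?P<dst_port>\d+))?.*?'
    r'by access-group "(?P<acl>[^"]+)" \[(?P<hash>0x[0-9a-fA-F]+), 0x[0-9a-fA-F]+\]'
)

ACE_RE = re.compile(
    r'^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<ace>.*?) \(hitcnt=\d+\) (?P<hash>0x[0-9a-fA-F]+)$',
    re.MULTILINE,
)


def parse_denies(syslog_text):
    """Return one dict per 106023 line; other message IDs (e.g. 106100) are ignored."""
    return [m.groupdict() for m in DENY_RE.finditer(syslog_text)]


def index_aces(show_access_list_text):
    """Map ACE hash -> (acl name, line number, ACE text) from 'show access-list' output."""
    return {m['hash']: (m['acl'], int(m['line']), m['ace'])
            for m in ACE_RE.finditer(show_access_list_text)}


def denies_by_ace(syslog_text, show_access_list_text):
    """Count denies per ACE; return (acl, line, ace_text, count) rows, busiest first."""
    aces = index_aces(show_access_list_text)
    counts = Counter(d['hash'] for d in parse_denies(syslog_text))
    rows = []
    for ace_hash, n in counts.most_common():
        acl, line, ace = aces.get(ace_hash, ('?', 0, 'hash %s not in show access-list' % ace_hash))
        rows.append((acl, line, ace, n))
    return rows


def aces_denying_flow(syslog_text, show_access_list_text, dst_ip, dst_port):
    """For the 'specific traffic' of the question: which ACL lines denied this destination."""
    aces = index_aces(show_access_list_text)
    hits = set()
    for d in parse_denies(syslog_text):
        if d['dst_ip'] == dst_ip and d['dst_port'] == str(dst_port):
            hits.add(aces.get(d['hash'], (d['acl'], 0, 'hash not in show access-list')))
    return sorted(hits)


if __name__ == '__main__':
    for acl, line, ace, n in denies_by_ace(SAMPLE_SYSLOG, SAMPLE_SHOW_ACCESS_LIST):
        print('%5d  %s line %d: %s' % (n, acl, line, ace))
```

In practice you would feed it a `show logging | include 106023` excerpt and the `show access-list <name>` output for the access-group named in the message; a hash that appears in the log but not in `show access-list` points at an ACL that has since been edited.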

I have used packet tracer, but the Config attribute is empty.

How do I show the config of the access rule in the Config attribute of packet tracer?

Hi,

Use the "detail" keyword at the end of the packet-tracer command:

packet-tracer input outside tcp 10.190.2.156 3456 10.190.32.45 22 detail

Thanks and Regards,

Vibhor Amrodia

The packet-tracer command I tried already had the detail option at the end,

but there is still no config in the Config attribute.

Is there a command to enable showing the config in the Config attribute of packet tracer?

If so, is showing the config in packet tracer disabled by default?

Why would it be disabled?

Is there a security reason for this?


If it is because no rule exists to allow the traffic, is that the reason?

Hi,

If there is configuration dropping the traffic, it will show up in the output with the detail keyword.

Are you seeing the implicit rule dropping the traffic?

Please post the output from packet tracer.

Thanks and Regards,

Vibhor Amrodia

Though we already found that it is due to one of the rules not including an IP address,

it seems that packet tracer cannot show any hint about this.

I guess that it may be due to the default rule of the ASA, which drops everything when nothing matches.

Can we conclude that every time we see the Config attribute is

empty, it means one of the rules does not allow the specific traffic?

 

Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffad41dd5a0, priority=11, domain=permit, deny=true
        hits=873597888, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

As this traffic seems to be from outside to inside, I think this has to do with the incorrect NAT rule, as you pointed out.

Now, this implicit rule drop occurs in cases when we use the source or destination as the ASA interfaces themselves.

In some cases, when the NAT phase is not hit, this will be the default drop reason.

These cannot be checked, as this is traffic not being denied by the access group on the interface but by incorrect or missing configuration.

Thanks and Regards,

Vibhor Amrodia

Can we conclude that every time we see the Config attribute is

empty, it means one of the rules does not allow the specific traffic?

Hi,

Yes, we can make this conclusion, as at the end of every access group there is an implicit deny rule.

Also, there can be times when an incorrect packet-tracer command might also give this same drop.

Thanks and Regards,

Vibhor Amrodia
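To make the distinction drawn in this thread mechanical, here is an added example (not code from the thread or from Cisco) that parses packet-tracer output, finds the first phase whose Result is DROP, and classifies it: Config equal to "Implicit Rule" is the access-group's trailing implicit deny (nothing permitted the flow), any other ACCESS-LIST Config is an explicit ACE (the access-group and access-list lines are printed), and a DROP in another phase is not an ACL problem at all. PT_IMPLICIT is modelled on the output posted above; PT_EXPLICIT, the Phase numbers and the explicit-deny lines are constructed sample data, not captures from a device.

```python
"""Pick the dropping phase out of ASA packet-tracer output and classify the drop.

Added example (not from the original thread). PT_IMPLICIT is modelled on the output
posted in the thread; PT_EXPLICIT and the Phase numbers are constructed sample data.
"""
import re

PT_IMPLICIT = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffad41dd5a0, priority=11, domain=permit, deny=true
        hits=873597888, user_data=0x5, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PT_EXPLICIT = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.190.32.45 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended deny tcp any host 10.190.32.45 eq 22
Additional Information:

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_phases(text):
    """Split the output on blank lines; return one dict per block.

    Top-level 'Key: value' lines become entries. The lines between 'Config:' and
    'Additional Information:' are collected as a list under 'Config'.
    """
    phases = []
    for chunk in re.split(r'\n\s*\n', text.strip()):
        fields, config, in_config = {}, [], False
        for line in chunk.splitlines():
            if in_config:
                if line.startswith('Additional Information:'):
                    in_config = False
                elif line.strip():
                    config.append(line.strip())
            elif line.startswith('Config:'):
                in_config = True
            elif ':' in line and not line.startswith((' ', '\t')):
                key, value = line.split(':', 1)
                fields[key.strip()] = value.strip()
        fields['Config'] = config
        phases.append(fields)
    return phases


def first_drop(text):
    """Return the first phase with Result DROP, classified, or None if nothing dropped."""
    for ph in parse_phases(text):
        if ph.get('Result') != 'DROP' or 'Type' not in ph:
            continue  # skips ALLOW phases and the trailing 'Result:' summary block
        if ph['Type'] == 'ACCESS-LIST' and ph['Config'] == ['Implicit Rule']:
            kind = 'implicit-deny'   # no ACE matched; the access-group's implicit deny fired
        elif ph['Type'] == 'ACCESS-LIST':
            kind = 'explicit-ace'    # Config names the access-group and the matching ACE
        else:
            kind = 'other-phase'     # e.g. NAT or route lookup; not an access-group problem
        return {'phase': ph.get('Phase'), 'type': ph['Type'], 'kind': kind, 'config': ph['Config']}
    return None


def drop_reason(text):
    """Drop-reason from the final Result block, or None when the packet was allowed."""
    for ph in parse_phases(text):
        if 'Drop-reason' in ph:
            return ph['Drop-reason']
    return None
```

Calling `first_drop()` on pasted `packet-tracer ... detail` output returns `implicit-deny` for the case in this thread and `explicit-ace` with the offending access-list line when a configured ACE is responsible. As the replies above note, an implicit-deny result should still be read with the input interface and NAT in mind: a packet-tracer command run against the wrong interface or with addressing that no NAT rule covers lands on the same implicit rule.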
