Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
990
Views
0
Helpful
5
Replies

New interface not passing traffic

Brian.bsi
Level 1
Level 1

‎09-27-2018 10:09 AM - edited ‎02-21-2020 08:17 AM

I have a set of 5545's Running multi context. I have added the interface to the correct context. I have created the inside interface and have an IP on it which is able to ping systems on the inside. I have created access-list for the new interface and have tied it to the interface though the access-group command. For some reason the packet is still getting dropped. I am trying to pass icmp to 10.41.10.10 (docker) from 10.6.1.56 (campus). The Packet tracer says denied but I am not sure what I am missing. Can any one see in the below trace output why it is being dropped other than the "configured rule". Question What configured rule?

 

 

# packet-tracer input docker icmp 10.41.10.10 1 1 1 10.6.1.56 detial

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 10.41.0.17, campus

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffefee30e60, priority=500, domain=permit, deny=true
hits=1523, user_data=0x8, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=docker, output_ifc=any

Result:
input-interface: docker
input-status: up
input-line-status: up
output-interface: campus
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

##########

I found this in the log.

 

6|Sep 27 2018 15:04:48|302020: Built inbound ICMP connection for faddr 10.6.1.56/1 gaddr 10.41.10.10/0 laddr 10.41.10.10/0
3|Sep 27 2018 15:04:48|201008: Disallowing new connections.
6|Sep 27 2018 15:04:50|302021: Teardown ICMP connection for faddr 10.6.1.56/1 gaddr 10.41.10.10/0 laddr 10.41.10.10/0
6|Sep 27 2018 15:04:53|302020: Built inbound ICMP connection for faddr 10.6.1.56/1 gaddr 10.41.10.10/0 laddr 10.41.10.10/0
3|Sep 27 2018 15:04:53|201008: Disallowing new connections.
6|Sep 27 2018 15:04:55|302021: Teardown ICMP connection for faddr 10.6.1.56/1 gaddr 10.41.10.10/0 laddr 10.41.10.10/0

 

 

 

 

 

0 Helpful
5 Replies 5

paul driver
VIP
VIP

‎09-27-2018 02:39 PM

Hello

the traffic is being implicit dropped meaning it hitting the default deny any any of an access list 

 

check your acl config


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Marius Gunnerud
VIP
VIP

‎09-28-2018 02:02 PM

You would need to post your running configuration as the output of the capture doesn't really tell us what is dropping it.  The implicit rule drop can be an incorrect ACL configuration, or it could be a missing configuration such as same-security-traffic command, or something else for that matter.

Please post you full running config, remove any usernames, passwords and public IPs.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

paul driver
VIP
VIP
In response to Marius Gunnerud

‎09-28-2018 04:09 PM

hello

 

@Marius Gunnerud wrote:

You would need to post your running configuration as the output of the capture doesn't really tell us what is dropping it. 

Can you elaborate on why you say the packet capture isn’t reporting anything ? -  looking at the OP post of that capture in my view it does show traffic is being dropped due the default implicit rule of an aacl 

 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Marius Gunnerud
VIP
VIP
In response to paul driver

‎09-29-2018 12:04 AM

I am not saying that it is not the actual ACL which is dropping the traffic, what I am saying is that it doesn't have to be an incorrect ACL.  So long it is a rule that is for transit traffic that is dropping due to a misconfigured og missing rule the traffic it will be identified as an acl-drop.  For example,  Lets say you have two interfaces with security-level 100 but you do NOT have same-security-traffic permit inter-interface configured.  The output of the packet tracer would be the following:

 

 

interface Ethernet0
nameif Inside
security-level 100
ip address 10.11.11.10 255.255.255.0
!
interface Ethernet1
nameif Outside
security-level 100
ip address 192.1.20.10 255.255.255.0

 

ASA# show run same-security-traffic
ASA#

 

ASA# packet-tracer input inside icmp 10.11.11.1 8 0 192.1.20.2
Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Brian.bsi
Level 1
Level 1
In response to Marius Gunnerud

‎11-07-2018 08:55 AM

I figured this out with Tac. It was a tcp syslog issue/bug. It was not allowing new connections with the tcp syslog server not answering all the time. I had to remove all syslog settings from the whole firewall and reboot to fix the issue. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card