01-04-2021 02:55 PM
Hey, pros, I've determined that an Implicit ACL is causing my Mobile32 traffic to drop in Phase 3, BUT it's not so kind as to give me which rule is dropping the traffic. If you're me, what's your next command? What command would you enter to see what ACL is dropping traffic for Mobile32?
Thank you all!
01-05-2021 09:55 AM
You can use the command
> system support trace
The result tells you which policy generates the block.
01-04-2021 04:28 PM - edited 01-04-2021 04:29 PM
Create a packet capture that only collects dropped packets due to an ACL:
ASA5508# capture mycapture type asp-drop acl-drop
Next, view the packet capture to see what traffic is getting dropped, which might lead you to the ACL that needs tweaking:
ASA5508# show capture mycapture
5 packets captured
1: 18:25:42.987879 1.1.1.1.43605 > 2.2.2.2.34577: S 431469340:431469340(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
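On a busy firewall the asp-drop capture fills quickly, so it helps to collapse it into distinct blocked flows before comparing them with the access list. The script below is an added example, not part of the reply above or any Cisco tooling; the function name and all sample lines except the first packet are constructed, and it assumes the `show capture` line layout shown in the reply.

```python
import re
from collections import Counter

# One packet line of "show capture" output from an asp-drop capture.
# The port is optional so that portless lines (e.g. ICMP) still parse.
PACKET = re.compile(
    r"^\s*\d+:\s+\d\d:\d\d:\d\d\.\d+\s+"
    r"(?P<src>(?:\d+\.){3}\d+)(?:\.(?P<sport>\d+))?\s+>\s+"
    r"(?P<dst>(?:\d+\.){3}\d+)(?:\.(?P<dport>\d+))?:"
    r".*?Drop-reason:\s+\((?P<reason>[^)]+)\)"
)

def summarize_drops(capture_text, reason="acl-drop"):
    """Count dropped packets per (src, dst, dst_port) for one drop reason.

    The source port is ignored: it is ephemeral and would split a single
    blocked flow into many rows.
    """
    flows = Counter()
    for line in capture_text.splitlines():
        m = PACKET.match(line)
        if m and m.group("reason") == reason:
            flows[(m.group("src"), m.group("dst"), m.group("dport"))] += 1
    return flows

# Constructed sample: packet 1 is the line from the reply above,
# packets 2-5 are made up for illustration.
SAMPLE = """\
5 packets captured
   1: 18:25:42.987879 1.1.1.1.43605 > 2.2.2.2.34577: S 431469340:431469340(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
   2: 18:25:43.102334 1.1.1.1.43606 > 2.2.2.2.34577: S 431469341:431469341(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
   3: 18:25:43.640112 1.1.1.1.43607 > 2.2.2.2.34577: S 431469342:431469342(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
   4: 18:25:44.015870 3.3.3.3.51522 > 2.2.2.2.443: S 99120045:99120045(0) win 8192 Drop-reason: (acl-drop) Flow is denied by configured rule
   5: 18:25:44.200001 3.3.3.3 > 2.2.2.2: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    # Most frequently dropped flows first.
    for (src, dst, dport), n in summarize_drops(SAMPLE).most_common():
        print(f"{n:3d}  {src} -> {dst}:{dport or '-'}")
```

Each resulting row is a source, destination and destination port that you can check against the configured access rules.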