Packet tracer output : access denied

satish rawat
Level 1

Hi All, I am new to the ASA/security world. I am trying to troubleshoot a problem where one of my remote sites is not able to access some networks at HQ over a site-to-site VPN (ASA 5505 at the remote site and 5520 at HQ). I ran packet-tracer and the HQ ASA looks clean, as everything came out as ALLOW. The remote site ASA packet-tracer gives me a DROP at Phase 9 (VPN). I am not very sure what to look at in the ASA for a resolution now. Is it an access list that is blocking the traffic, or the VPN setup? Please advise.

output from remote ASA

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xca3bba00, priority=70, domain=encrypt, deny=false
        hits=22, user_data=0x0, cs_id=0xca523498, reverse, flags=0x0, protocol=0
        src ip=Voice, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

5 Replies

jocamare
Level 4

Are you using the same command on both units?

More importantly, have you checked the tunnel status? "show crypto isakmp sa"

Yes, the tunnel is already up and working... just trying to add another subnet. Same command on both ends.

You can't run the exact same command on both ends, you have to adapt it to each ASA.

Hi Satish,

Let's do the following:

1- Is there a SA for this tunnel? Is Phase II up?

     show crypto ipsec sa

2- According to that drop, the ASA is not encrypting the packet, probably because Phase II is not up at all, so there is not a valid SA for this traffic.

You could do the following:

clear crypto ipsec sa peer remote_peer_ip

debug crypto ipsec 190

Then try to send traffic across the tunnel.

Do you see any errors during the VPN connection? Do the proxy identities match? Does phase II come up?

Have you checked the Phase II settings on both units (transform-set, ACL and PFS)?

*Remember that the crypto ACLs should be mirrors of each other on the VPN peers, so:

LOCAL:

        src ip=Voice, mask=255.255.255.0, port=0

        dst ip=192.168.0.0, mask=255.255.0.0, port=0

REMOTE:

        src ip=192.168.0.0, mask=255.255.0.0, port=0

        dst ip=Voice, mask=255.255.255.0, port=0

Port 0 = IP

HTH.

Portu.

BTW, for further VPN posts, please use the VPN community

https://supportforums.cisco.com/community/netpro/security/vpn
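As an added illustration of the two checks Portu describes (which phase of the packet-tracer output dropped the flow, and whether the crypto ACL on the far peer is an exact mirror of the local one), here is a small Python script. It is not Cisco code and not the poster's configuration: the packet-tracer excerpt is constructed from the lines quoted in this thread, the address behind the object name "Voice" is a placeholder, and the remote-side ACL entries are made up to show a matching and a non-matching case (the "bad" one still carries a /24 for the HQ side where the branch now sends a /16).

```python
"""Pull the dropping phase out of ASA packet-tracer output and check whether
the flow it names has a mirrored entry in the peer's crypto ACL.

Added example for this thread; not Cisco code and not the poster's own config.
Object names ("Voice"), the address behind them, and the ACL entries are
constructed; the packet-tracer text is built from the lines quoted above.
"""
import ipaddress
import re

# Constructed: the trace prints object names, so resolve them to an address.
# The real address behind "Voice" is not given in the thread; placeholder only.
OBJECTS = {"Voice": "10.10.10.0"}

# Constructed packet-tracer excerpt in the shape the thread shows.
TRACE_DROP = """\
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xca3bba00, priority=70, domain=encrypt, deny=false
        hits=22, user_data=0x0, cs_id=0xca523498, reverse, flags=0x0, protocol=0
        src ip=Voice, mask=255.255.255.0, port=0
        dst ip=192.168.0.0, mask=255.255.0.0, port=0, dscp=0x0

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# "Key: value" lines; keys such as Drop-reason contain a hyphen.
FIELD_RE = re.compile(r"^([\w-]+): ?(.*)$", re.M)
# "src ip=Voice, mask=255.255.255.0" style lines of the matched flow rule.
FLOW_RE = re.compile(r"^\s*(src|dst) ip=([^,\s]+), mask=([^,\s]+)", re.M)


def to_network(ip, mask):
    """Turn an 'ip, mask' pair (object name or dotted quad) into an ip_network."""
    return ipaddress.ip_network(f"{OBJECTS.get(ip, ip)}/{mask}", strict=False)


def parse_phases(text):
    """Split packet-tracer output into one dict per phase.
    The first occurrence of a key wins, so the trailing 'Result:' summary
    at the end of the trace does not overwrite the phase's own Result line."""
    phases = []
    for block in re.split(r"\n(?=Phase: )", text):
        if not block.startswith("Phase: "):
            continue
        fields = {}
        for key, value in FIELD_RE.findall(block):
            fields.setdefault(key, value.strip())
        fields["flow"] = {k: to_network(ip, m) for k, ip, m in FLOW_RE.findall(block)}
        phases.append(fields)
    return phases


def find_drop(text):
    """Return (phase number, 'Type/Subtype', drop reason, flow networks) for the
    first phase whose Result is DROP, or None when the trace is clean."""
    for p in parse_phases(text):
        if p.get("Result") == "DROP":
            return (int(p["Phase"]), f"{p.get('Type')}/{p.get('Subtype')}",
                    p.get("Drop-reason"), p["flow"])
    return None


def mirror_gaps(local_acl, remote_acl):
    """Crypto ACLs on the two peers must be exact mirrors: every (src, dst) on
    one side appears as (dst, src) on the other. Returns the entries that lack
    a mirror on each side; two empty lists mean the proxy identities match."""
    local = {(to_network(*s), to_network(*d)) for s, d in local_acl}
    remote = {(to_network(*s), to_network(*d)) for s, d in remote_acl}
    missing_on_remote = [(s, d) for s, d in local if (d, s) not in remote]
    missing_on_local = [(s, d) for s, d in remote if (d, s) not in local]
    return missing_on_remote, missing_on_local


def flow_has_mirror(flow, remote_acl):
    """Does the dropped flow's (src, dst) appear reversed in the peer's crypto ACL?"""
    remote = {(to_network(*s), to_network(*d)) for s, d in remote_acl}
    return (flow["dst"], flow["src"]) in remote


# Constructed crypto ACL entries as (src, dst) pairs of (ip_or_object, mask).
LOCAL_ACL = [(("Voice", "255.255.255.0"), ("192.168.0.0", "255.255.0.0"))]
REMOTE_ACL_OK = [(("192.168.0.0", "255.255.0.0"), ("Voice", "255.255.255.0"))]
# HQ still lists a /24 where the branch sends a /16: not a mirror, so no SA.
REMOTE_ACL_BAD = [(("192.168.0.0", "255.255.255.0"), ("Voice", "255.255.255.0"))]

if __name__ == "__main__":
    drop = find_drop(TRACE_DROP)
    print("dropped at phase", drop[0], drop[1], "reason:", drop[2], "flow:", drop[3])
    print("mirror gaps vs OK peer:", mirror_gaps(LOCAL_ACL, REMOTE_ACL_OK))
    print("mirror gaps vs BAD peer:", mirror_gaps(LOCAL_ACL, REMOTE_ACL_BAD))
```

Feed `find_drop` the real `packet-tracer` output and `mirror_gaps` the two `access-list` entries referenced by the crypto map on each ASA; an entry reported in either gap list is a proxy identity that the other peer will not accept, which is exactly the condition that leaves the encrypt phase with no SA to use.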
