Problem Packet Flow through Cisco ASA Firewall

Andrey Litovkin
Level 1

I have a Cisco ASA 5540 running 8.2(1), with permit ip any any rules.

packet-tracer input inside tcp 10.56.149.129 871 10.40.170.10 3003

shows:

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1374599592, using existing flow

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

If you change the source or destination port, the packet passes successfully.

clear conn did not help.

Please tell me how to solve the problem.

3 Replies

saurabhgoel169
Level 1

Hi Andrey,

Change the source port with any port greater than 1024 and test it...

Otherwise, share the ACL corresponding to this traffic...

Regards

Saurabh goel

Hi, Saurabh,

I changed the source port within the range 600-1023; the problem occurs only with port 871.

After rebooting the ASA, the problem is gone.

Thanks for the help.


Hi,

I would suggest sharing the firewall configuration (except for any sensitive information it might contain) so troubleshooting this would be easier.

It would seem to me that during your "packet-tracer" test there is already an existing traffic flow through the ASA with the same information that you entered in the command.

I don't know, however, why the connection would be blocked according to the "packet-tracer". In my own test this seemed to work. Output was otherwise the same, but the "connection" wasn't dropped.

- Jouni
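The point Jouni raises is that the FLOW-LOOKUP phase matched an existing connection, so packet-tracer never reached an ACL phase; the "acl-drop" at the end reflects the state of that stale flow, not a fresh policy evaluation. The following script is an added example, not code from the thread or from Cisco: it parses packet-tracer output into phases and a final result, and classifies a drop as "matched-existing-flow" (re-check the connection table for that 5-tuple) versus "denied-by-policy" (an ACCESS-LIST phase actually ran). The first sample input is the output quoted in the question; the second is a constructed trace of an ordinary ACL deny for contrast, and the phase name "ACCESS-LIST" is the label the ASA prints for ACL evaluation.

```python
import re

# Constructed sample 1: the packet-tracer output quoted in the original post.
SAMPLE_EXISTING_FLOW = """\
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1374599592, using existing flow

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed sample 2 (not from the thread): a trace where an ACL phase ran and denied the packet.
SAMPLE_ACL_DENY = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

FLOW_ID_RE = re.compile(r"Found flow with id (\d+), using existing flow")


def parse_packet_tracer(text):
    """Split packet-tracer output into a list of phase dicts and the final 'Result:' dict."""
    phases, final, current, in_result = [], {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:  # start of a new phase block
            current = {"phase": int(m.group(1)), "info": []}
            phases.append(current)
            in_result = False
            continue
        if line == "Result:":  # bare 'Result:' introduces the final summary section
            in_result = True
            continue
        key, _, value = line.partition(":")
        if in_result:
            final[key.strip().lower()] = value.strip()
        elif current is not None:
            if key in ("Type", "Subtype", "Result"):
                current[key.lower()] = value.strip()
            elif key not in ("Config", "Additional Information"):
                current["info"].append(line)  # free-form detail lines, e.g. the flow-lookup message
    return phases, final


def triage(text):
    """Classify a packet-tracer drop: stale/existing flow versus a real policy decision."""
    phases, final = parse_packet_tracer(text)
    verdict = {
        "action": final.get("action"),
        "drop_reason": final.get("drop-reason"),
        "existing_flow_id": None,
        "acl_evaluated": False,
    }
    for p in phases:
        if p.get("type") == "FLOW-LOOKUP":
            for line in p["info"]:
                m = FLOW_ID_RE.search(line)
                if m:
                    verdict["existing_flow_id"] = int(m.group(1))
        if p.get("type") == "ACCESS-LIST":  # phase label the ASA prints for ACL evaluation
            verdict["acl_evaluated"] = True
    if verdict["action"] != "drop":
        verdict["diagnosis"] = "allowed"
    elif verdict["existing_flow_id"] is not None and not verdict["acl_evaluated"]:
        # The trace short-circuited on an existing connection; the ACL was never consulted.
        verdict["diagnosis"] = "matched-existing-flow"
    else:
        verdict["diagnosis"] = "denied-by-policy"
    return verdict


if __name__ == "__main__":
    for name, sample in (("thread output", SAMPLE_EXISTING_FLOW), ("acl deny", SAMPLE_ACL_DENY)):
        print(name, "->", triage(sample))
```

A "matched-existing-flow" verdict means the next step is to inspect the connection table for that exact 5-tuple (the "show conn" output filtered by the address and port) rather than the access lists, which is consistent with the original poster's observation that only port 871 was affected and that a reboot, which clears all state, made the problem disappear.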
