09-22-2011 12:18 PM - edited 03-11-2019 02:28 PM
I have an ASA5510 running in production. I have about 28 site-to-site VPN tunnels that have been working perfectly for the last year or so. I was running 8.0.4 and recently upgraded to 8.2.4. Since the upgrade, I have an issue that I haven't figured out. One of my clients with a tunnel can no longer FTP to us. When I do a packet-tracer on the ASA, all phases are "ALLOW" but at the very end the action is "drop" due to "IPSEC spoof detected." None of my crypto config for the tunnel, including the crypto ACL, has been changed. I can provide whatever configuration you'd need to help me solve this issue. I have researched the issue, but I have yet to solve this problem. This same tunnel had NO issues prior to the 8.2.4 upgrade. Thanks for your help.
P.S. I thought about trying to disable "inspect FTP," but I am not sure I really want to do this, though it may solve the problem. I am running FTP passive mode on the ASA, so I don't believe "inspect FTP" is required.
Mike
09-22-2011 01:53 PM
Can you share the complete error message?
09-22-2011 02:34 PM
Here is the complete output from packet-tracer. I have changed the IPs, so these are not the actual IPs. If the tunnel is up, the last line (drop reason) says "IPSEC spoof detected." The tunnel wasn't up at the moment I ran this packet-tracer, but I believe the problem has to do with the fact that the packet is arriving on the "outside" interface and trying to exit out my "dmz3" interface, so it appears I have some asymmetric routing going on. This issue, however, cropped up only after the 8.2.4 upgrade. Any suggestions?
ASA5510-1# packet-tracer input outside tcp 202.227.97.200 50010 96.13.127.131 $
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (DMZ3,outside) 96.13.127.131 96.13.127.131 netmask 255.255.255.255
nat-control
match ip DMZ3 host 96.13.127.131 outside any
static translation to 96.13.127.131
translate_hits = 25107, untranslate_hits = 416406
Additional Information:
NAT divert to egress interface DMZ3
Untranslate 96.13.127.131/0 to 96.13.127.131/0 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group acl_outside in interface outside
access-list acl_outside extended permit tcp any host 96.13.127.131 eq ftp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac303430, priority=12, domain=permit, deny=false
hits=194899, user_data=0xa8b3ac00, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=96.13.127.131, mask=255.255.255.255, port=21, dscp=0x0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab9bf608, priority=0, domain=inspect-ip-options, deny=true
hits=8046596, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabc7a4e0, priority=70, domain=inspect-ftp, deny=false
hits=135, user_data=0xace4d860, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0
Phase: 5
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac252650, priority=20, domain=lu, deny=false
hits=3873834, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac40fdf8, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=3708924, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (DMZ3,outside) 96.13.127.131 96.13.127.131 netmask 255.255.255.255
nat-control
match ip DMZ3 host 96.13.127.131 outside any
static translation to 96.13.127.131
translate_hits = 25107, untranslate_hits = 416406
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac2f2a08, priority=5, domain=nat-reverse, deny=false
hits=284551, user_data=0xac2f2568, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=96.13.127.131, mask=255.255.255.255, port=0, dscp=0x0
Phase: 8
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (DMZ3,outside) 96.13.127.131 96.13.127.131 netmask 255.255.255.255
nat-control
match ip DMZ3 host 96.13.127.131 outside any
static translation to 96.13.127.131
translate_hits = 25107, untranslate_hits = 416406
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac2f2bb0, priority=5, domain=host, deny=false
hits=350050, user_data=0xac2f2568, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=96.13.127.131, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac1285b0, priority=0, domain=inspect-ip-options, deny=true
hits=527498, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xae673798, priority=70, domain=encrypt, deny=false
hits=111, user_data=0x0, cs_id=0xac013850, reverse, flags=0x0, protocol=0
src ip=96.13.127.0, mask=255.255.255.0, port=0
dst ip=202.227.97.200, mask=255.255.255.255, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: DMZ3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
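Reading a trace like the one above by eye is error-prone: ten phases all say ALLOW except one, and the phase that actually killed the flow (here phase 10, VPN/encrypt on the reverse flow) is easy to miss next to the summary at the bottom. The following is an added example, my own code rather than anything from this thread or from Cisco, that parses packet-tracer output into its phases, keeps each phase's Config and Additional Information lines, and pulls the closing Result block so the dropping phase, its rule domain and the drop-reason code can be picked out programmatically when comparing traces before and after an upgrade. It assumes the layout shown in the post (Phase/Type/Subtype/Result/Config/Additional Information, then a bare "Result:" block). The embedded sample trace is a constructed, abbreviated copy of the poster's output using the poster's substituted IPs; the trailing destination port "21" on the echoed command line is my assumption, since the post's line is cut off.

```python
"""Parse Cisco ASA packet-tracer output into phases plus the closing verdict (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)  # lines under "Config:"
    info: List[str] = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class TraceSummary:
    phases: List[Phase]
    final: Dict[str, str]  # closing "Result:" block: input_interface, action, drop_reason, ...

    def first_drop(self) -> Optional[Phase]:
        """The phase that actually killed the flow: the first one whose Result is DROP."""
        return next((p for p in self.phases if p.result.upper() == "DROP"), None)


_PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
_DOMAIN_RE = re.compile(r"\bdomain=([\w-]+)")
_CODE_RE = re.compile(r"^\(([^)]+)\)")


def parse_packet_tracer(text: str) -> TraceSummary:
    phases: List[Phase] = []
    final: Dict[str, str] = {}
    current: Optional[Phase] = None
    section: Optional[str] = None  # "config", "info" or "final"
    for raw in text.splitlines():
        line = raw.strip()
        m = _PHASE_RE.match(line)
        if m:
            current = Phase(number=int(m.group(1)))
            phases.append(current)
            section = None
            continue
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key == "Result" and not value:  # bare "Result:" opens the closing block
            current, section = None, "final"
        elif section == "final":
            if sep:
                final[key.lower().replace("-", "_")] = value
        elif current is None or not line:
            continue  # the echoed command line before "Phase: 1", or a blank line
        elif sep and not value and key in ("Config", "Additional Information"):
            section = "config" if key == "Config" else "info"
        elif section is None and sep and key in ("Type", "Subtype", "Result"):
            setattr(current, key.lower(), value)
        elif section in ("config", "info"):
            getattr(current, section).append(line)
    return TraceSummary(phases, final)


def phase_domain(phase: Phase) -> Optional[str]:
    """The 'domain=' value from the phase's rule-lookup line, e.g. 'encrypt'."""
    for line in phase.info:
        m = _DOMAIN_RE.search(line)
        if m:
            return m.group(1)
    return None


def drop_code(reason: Optional[str]) -> Optional[str]:
    """'(acl-drop) Flow is denied ...' -> 'acl-drop'."""
    m = _CODE_RE.match(reason or "")
    return m.group(1) if m else None


# Constructed, abbreviated sample modelled on the trace in the thread (poster's substituted
# IPs); the trailing "21" on the command line is assumed, since the post cuts it off.
SAMPLE_TRACE = """\
ASA5510-1# packet-tracer input outside tcp 202.227.97.200 50010 96.13.127.131 21
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list acl_outside extended permit tcp any host 96.13.127.131 eq ftp
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac303430, priority=12, domain=permit, deny=false
Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xae673798, priority=70, domain=encrypt, deny=false
src ip=96.13.127.0, mask=255.255.255.0, port=0
Result:
input-interface: outside
output-interface: DMZ3
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    s = parse_packet_tracer(SAMPLE_TRACE)
    p = s.first_drop()
    print(f"{len(s.phases)} phases; dropped in phase {p.number} ({p.type}/{p.subtype}, "
          f"domain={phase_domain(p)}) {s.final['input_interface']} -> "
          f"{s.final['output_interface']}: {drop_code(s.final['drop_reason'])}")
```

Feed it the full output of `packet-tracer` captured from the CLI; on the trace in this thread `first_drop()` returns phase 10 with domain `encrypt`, which points at the crypto-map lookup on the reverse flow rather than at the access-list or NAT phases, and that is the phase worth diffing against a trace taken on the old code.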