Hi you lot,
I'm sure I have inherited the flakiest of flaky ASA 5525s running 9.10, because last week I had the problem of a VPN that wouldn't work on both of its interesting local hosts until I put it through the packet tracer.
Today's problem again concerns a VPN, but this time I have the interesting hosts behind the DMZ interface and the DMZ-QA interface working fine. If I run them through the packet tracer it shows them hitting 12 go/no-go points, then being sent down the VPN to the remote interesting host. However, the interesting host behind the Inside interface only gets through one go/no-go point, and on the second one it gets dropped. If I click on "show rule that dropped" it takes me to the cleanup (any any drop) rule at the end of the interface rule list. The packet appears to have passed through a rule specifically allowing it, only to hit this cleanup rule.
So why would the ASA pass a packet through a rule specifically allowing it and drop the packet on the cleanup rule?