04-02-2019 07:26 PM - edited 02-21-2020 09:36 PM
VPN ipsec-tunnel-flow drop: flow is denied by configured rule - VPN IPsec IKEv1
I have problems with an IPsec VPN using IKEv1.
My ASA 5525-X runs version 9.8(1).
My local LAN: 172.16.17.0/24
IP VPN pool: 10.60.60.0/24
I have 2 outside interfaces: wan1 and wan2. I have successfully tested the IPsec VPN on wan1, and ping and access to the local network work.
But on wan2 the VPN also connects successfully, yet I cannot access or ping the local network. I am unable to ping from the outside, from the 10.60.60.0/24 network coming in on the outside interface, to the inside network 172.16.17.0/24.
I have NAT configured for the VPN pool and the split network, and the VPN itself is OK.
I have attached a file of my configuration on the ASA and used packet-tracer to discover where the problem lies, reproduced below:
Log WAN1 => ok
ASA01# packet-tracer input wan2 icmp 10.60.60.13 8 0 172.16.17.70 detail$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.253 using egress ifc inside900
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside900
Untranslate 172.16.17.70/0 to 172.16.17.70/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN2-ACCESS-IN in interface wan2
access-list WAN2-ACCESS-IN extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f37566e88c0, priority=13, domain=permit, deny=false
hits=3081, user_data=0x7f374b1dd080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f375876c910, priority=7, domain=conn-set, deny=false
hits=2093301, user_data=0x7f3758768780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
Static translate 10.60.60.13/0 to 10.60.60.13/0
Forward Flow based lookup yields rule:
in id=0x7f375a1b3860, priority=6, domain=nat, deny=false
hits=1358, user_data=0x7f37591755b0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=inside900
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true
hits=10271334, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f375621f320, priority=0, domain=inspect-ip-options, deny=true
hits=10896907, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f37584aeed0, priority=70, domain=inspect-icmp, deny=false
hits=117819, user_data=0x7f37584abd90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3758757f50, priority=70, domain=inspect-icmp-error, deny=false
hits=117819, user_data=0x7f3758754e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 10
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3758258c20, priority=70, domain=inspect-ftp, deny=false
hits=1794292, user_data=0x7f3758256400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3757ec02c0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=1845726, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f37582b9750, priority=6, domain=nat-reverse, deny=false
hits=1350, user_data=0x7f375669e420, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=inside900
Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f37582510e0, priority=0, domain=user-statistics, deny=false
hits=15802004, user_data=0x7f3757fe96d0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=inside900
Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true
hits=10271336, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f375648a550, priority=0, domain=inspect-ip-options, deny=true
hits=16184830, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside900, output_ifc=any
Phase: 16
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7f375824b320, priority=0, domain=user-statistics, deny=false
hits=10443913, user_data=0x7f3757fe96d0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=wan2
Phase: 17
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16313232, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_punt <inspect_ftp>
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_punt <inspect_ftp>
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: wan2
input-status: up
input-line-status: up
output-interface: inside900
output-status: up
output-line-status: up
Action: allow
Logs => VPN WAN2 => drop
ASA01# packet-tracer input wan2 icmp 10.60.60.13 8 0 172.16.17.70 detail$
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.253 using egress ifc inside900
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside900
Untranslate 172.16.17.70/0 to 172.16.17.70/0
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN2-ACCESS-IN in interface wan2
access-list WAN2-ACCESS-IN extended permit icmp any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f37566e88c0, priority=13, domain=permit, deny=false
hits=3075, user_data=0x7f374b1dd080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f375876c910, priority=7, domain=conn-set, deny=false
hits=2092504, user_data=0x7f3758768780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
Static translate 10.60.60.13/0 to 10.60.60.13/0
Forward Flow based lookup yields rule:
in id=0x7f375a1b3860, priority=6, domain=nat, deny=false
hits=1357, user_data=0x7f37591755b0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=inside900
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true
hits=10270522, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f375621f320, priority=0, domain=inspect-ip-options, deny=true
hits=10895655, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 8
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f37581c7540, priority=79, domain=punt, deny=true
hits=1, user_data=0x7f375508c7f0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f37584aeed0, priority=70, domain=inspect-icmp, deny=false
hits=117808, user_data=0x7f37584abd90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 10
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3758757f50, priority=70, domain=inspect-icmp-error, deny=false
hits=117808, user_data=0x7f3758754e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 11
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f3758258c20, priority=70, domain=inspect-ftp, deny=false
hits=1793759, user_data=0x7f3758256400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f375a19a380, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x2e8adc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Result:
input-interface: wan2
input-status: up
input-line-status: up
output-interface: inside900
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
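A small parser for this packet-tracer output, added here as an example; it is not part of the original post and not a Cisco tool. It splits a trace into phases, pulls the `key=value` fields of the matched rule out of each phase, and reports the first phase that returned DROP together with the rule's domain and source/destination selectors, so the failing wan2 trace can be compared field by field with the working one. The embedded sample is an abbreviated, constructed copy of the failing wan2 trace above (phases 1, 2 and 12 only); the function and field names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: an abbreviated copy of the failing wan2 trace from the post
# (phases 1, 2 and 12 only), kept verbatim where it appears.
SAMPLE_TRACE = """\
ASA01# packet-tracer input wan2 icmp 10.60.60.13 8 0 172.16.17.70 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.253 using egress ifc inside900
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside900
Untranslate 172.16.17.70/0 to 172.16.17.70/0
Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f375a19a380, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x2e8adc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any
Result:
input-interface: wan2
input-status: up
input-line-status: up
output-interface: inside900
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # lines under "Additional Information:"
    rule: Dict[str, str] = field(default_factory=dict)  # parsed "lookup yields rule" fields


@dataclass
class Trace:
    command: str = ""
    phases: List[Phase] = field(default_factory=list)
    summary: Dict[str, str] = field(default_factory=dict)  # final "Result:" block
    action: str = ""
    drop_reason: str = ""


def extract_rule(info: List[str]) -> Dict[str, str]:
    """Flatten the 'lookup yields rule:' block into key=value pairs.
    'in'/'out' becomes 'table', src/dst lines get a 'src_'/'dst_' prefix so the
    two 'mask' fields do not collide, and bare flags such as 'reverse' map to 'true'."""
    rule: Dict[str, str] = {}
    in_rule = False
    for line in info:
        if line.endswith("yields rule:"):
            in_rule = True
            rule["lookup"] = line.split()[0].lower()  # 'forward' or 'reverse'
            continue
        if not in_rule:
            continue
        prefix = ""
        head, _, rest = line.partition(" ")
        if head in ("in", "out"):
            rule["table"] = head
            line = rest
        elif head in ("src", "dst"):
            prefix = head + "_"
            line = rest
        for token in line.split(","):
            token = token.strip()
            if not token:
                continue
            key, eq, value = token.partition("=")
            rule[prefix + key.strip()] = value.strip() if eq else "true"
    return rule


def parse_packet_tracer(text: str) -> Trace:
    """Parse one packet-tracer run (with or without 'detail') into a Trace."""
    trace = Trace()
    phase: Optional[Phase] = None
    section: Optional[str] = None  # 'config', 'info' or 'summary'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "packet-tracer" in line and not trace.command:
            trace.command = line.split("#", 1)[-1].strip()
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            phase = Phase(number=int(m.group(1)))
            trace.phases.append(phase)
            section = None
            continue
        if line == "Result:":  # a bare 'Result:' opens the final summary
            phase, section = None, "summary"
            continue
        if section == "summary":
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key == "Action":
                trace.action = value
            elif key == "Drop-reason":
                trace.drop_reason = value
            else:
                trace.summary[key] = value
            continue
        if phase is None:
            continue
        if line.startswith("Type:"):
            phase.type = line.partition(":")[2].strip()
        elif line.startswith("Subtype:"):
            phase.subtype = line.partition(":")[2].strip()
        elif line.startswith("Result:"):
            phase.result = line.partition(":")[2].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            phase.config.append(line)
        elif section == "info":
            phase.info.append(line)
    for p in trace.phases:
        p.rule = extract_rule(p.info)
    return trace


def first_drop(trace: Trace) -> Optional[Phase]:
    """The first phase whose Result is DROP, or None if every phase allowed the packet."""
    return next((p for p in trace.phases if p.result.upper() == "DROP"), None)


def explain(trace: Trace) -> str:
    """One-line verdict: the dropping phase and what its matched rule selects on."""
    p = first_drop(trace)
    if p is None:
        return f"action={trace.action}: no phase returned DROP"
    r = p.rule
    return (f"action={trace.action} at phase {p.number} {p.type}/{p.subtype}: "
            f"domain={r.get('domain')} priority={r.get('priority')} "
            f"src={r.get('src_ip/id')}/{r.get('src_mask')} "
            f"dst={r.get('dst_ip/id')}/{r.get('dst_mask')} "
            f"in={r.get('input_ifc')} reason={trace.drop_reason or 'n/a'}")


if __name__ == "__main__":
    print(explain(parse_packet_tracer(SAMPLE_TRACE)))
```

Fed the two full traces from the post, the outlines differ in two places that are worth comparing first: the failing wan2 run has an extra CP-PUNT phase, and its ipsec-tunnel-flow phase matched a rule scoped to the single host 10.60.60.13/32 (priority 69) that returned DROP, whereas the working run matched the catch-all ipsec-tunnel-flow rule (priority 13, deny=true) and was allowed.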