VPN ipsec-tunnel-flow drop: Flow is denied by configured rule - VPN IPsec IKEv1

 

I have problems with an IPsec VPN using IKEv1.

My ASA is a 5525-X running version 9.8(1).

My local LAN: 172.16.17.0/24

VPN IP pool: 10.60.60.0/24

I have 2 outside interfaces: wan1 and wan2. I have successfully tested the IPsec VPN on wan1, and ping and access to the local network work.

But the VPN on wan2 is also configured and connects successfully, yet I cannot access or ping the local network. I am unable to ping from the outside, from the 10.60.60.0/24 network coming in on the outside interface, to the inside network 172.16.17.0/24.
I have NAT for the VPN pool and the VPN split network configured OK.

I have attached a file of my configuration on the ASA and used packet-tracer to discover where the problem lies, reproduced below:

 

Log WAN1 => ok

ASA01# packet-tracer input wan2 icmp 10.60.60.13 8 0 172.16.17.70 detail$

 

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.10.10.253 using egress ifc  inside900

 

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface inside900

Untranslate 172.16.17.70/0 to 172.16.17.70/0

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group WAN2-ACCESS-IN in interface wan2

access-list WAN2-ACCESS-IN extended permit icmp any any

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37566e88c0, priority=13, domain=permit, deny=false

        hits=3081, user_data=0x7f374b1dd080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 4

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

 match any

policy-map global_policy

 class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375876c910, priority=7, domain=conn-set, deny=false

        hits=2093301, user_data=0x7f3758768780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

Static translate 10.60.60.13/0 to 10.60.60.13/0

 Forward Flow based lookup yields rule:

 in  id=0x7f375a1b3860, priority=6, domain=nat, deny=false

        hits=1358, user_data=0x7f37591755b0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=inside900

 

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true

        hits=10271334, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any

 

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375621f320, priority=0, domain=inspect-ip-options, deny=true

        hits=10896907, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

 match default-inspection-traffic

policy-map global_policy

 class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37584aeed0, priority=70, domain=inspect-icmp, deny=false

        hits=117819, user_data=0x7f37584abd90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3758757f50, priority=70, domain=inspect-icmp-error, deny=false

        hits=117819, user_data=0x7f3758754e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 10

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map class-default

 match any

policy-map global_policy

 class class-default

  inspect ftp

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3758258c20, priority=70, domain=inspect-ftp, deny=false

        hits=1794292, user_data=0x7f3758256400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 11    

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3757ec02c0, priority=13, domain=ipsec-tunnel-flow, deny=true

        hits=1845726, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 12

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

 Forward Flow based lookup yields rule:

 out id=0x7f37582b9750, priority=6, domain=nat-reverse, deny=false

        hits=1350, user_data=0x7f375669e420, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=inside900

 

Phase: 13

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 out id=0x7f37582510e0, priority=0, domain=user-statistics, deny=false

        hits=15802004, user_data=0x7f3757fe96d0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=inside900

 

Phase: 14

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 in  id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true

        hits=10271336, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any

 

Phase: 15

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 in  id=0x7f375648a550, priority=0, domain=inspect-ip-options, deny=true

        hits=16184830, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=inside900, output_ifc=any

 

Phase: 16

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 out id=0x7f375824b320, priority=0, domain=user-statistics, deny=false

        hits=10443913, user_data=0x7f3757fe96d0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=wan2

 

Phase: 17

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 16313232, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_punt <inspect_ftp>

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

 

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_punt <inspect_ftp>

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

 

Result:

input-interface: wan2

input-status: up

input-line-status: up

output-interface: inside900

output-status: up

output-line-status: up

Action: allow

 

Log VPN WAN2 => drop

ASA01# packet-tracer input wan2 icmp 10.60.60.13 8 0 172.16.17.70 detail$

 

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.10.10.253 using egress ifc  inside900

 

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface inside900

Untranslate 172.16.17.70/0 to 172.16.17.70/0

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group WAN2-ACCESS-IN in interface wan2

access-list WAN2-ACCESS-IN extended permit icmp any any

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37566e88c0, priority=13, domain=permit, deny=false

        hits=3075, user_data=0x7f374b1dd080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 4

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

 match any

policy-map global_policy

 class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375876c910, priority=7, domain=conn-set, deny=false

        hits=2092504, user_data=0x7f3758768780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

Static translate 10.60.60.13/0 to 10.60.60.13/0

 Forward Flow based lookup yields rule:

 in  id=0x7f375a1b3860, priority=6, domain=nat, deny=false

        hits=1357, user_data=0x7f37591755b0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=inside900

 

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true

        hits=10270522, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any

 

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375621f320, priority=0, domain=inspect-ip-options, deny=true

        hits=10895655, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 8

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37581c7540, priority=79, domain=punt, deny=true

        hits=1, user_data=0x7f375508c7f0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

 match default-inspection-traffic

policy-map global_policy

 class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37584aeed0, priority=70, domain=inspect-icmp, deny=false

        hits=117808, user_data=0x7f37584abd90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 10

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3758757f50, priority=70, domain=inspect-icmp-error, deny=false

        hits=117808, user_data=0x7f3758754e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 11

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map class-default

 match any   

policy-map global_policy

 class class-default

  inspect ftp

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3758258c20, priority=70, domain=inspect-ftp, deny=false

        hits=1793759, user_data=0x7f3758256400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 12

Type: VPN

Subtype: ipsec-tunnel-flow

Result: DROP

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375a19a380, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=1, user_data=0x2e8adc, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any

        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Result:

input-interface: wan2

input-status: up

input-line-status: up

output-interface: inside900

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule
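As an added example (not from the original post or from Cisco), a small Python parser that walks a packet-tracer transcript phase by phase and reports the first DROP phase together with the matched rule's domain, source and destination and the final Drop-reason, which is exactly what is worth comparing between the working and failing traces above. The SAMPLE transcript is constructed from the failing wan2 trace.

```python
"""Locate the dropping phase in Cisco ASA packet-tracer output.
Added diagnostic helper, not part of the original post; SAMPLE is constructed."""
import re

SAMPLE = """\
Phase: 11
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
 in  id=0x7f3758258c20, priority=70, domain=inspect-ftp, deny=false
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
 in  id=0x7f375a19a380, priority=69, domain=ipsec-tunnel-flow, deny=false
        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(text):
    """Split at each 'Phase:' header; keep Type/Subtype/Result and the matched rule."""
    phases = []
    for block in re.split(r"\n(?=Phase: )", text):
        if not block.startswith("Phase:"):
            continue  # prompt/command lines before the first phase
        ph = {}
        for key in ("Phase", "Type", "Subtype", "Result"):
            m = re.search(rf"^{key}: *(.*)$", block, re.M)
            ph[key.lower()] = m.group(1).strip() if m else ""
        m = re.search(r"domain=([\w-]+)", block)
        ph["domain"] = m.group(1) if m else ""
        for side in ("src", "dst"):  # network/mask of the rule that matched
            m = re.search(rf"{side} ip/id=([\d.]+), mask=([\d.]+)", block)
            ph[side] = f"{m.group(1)}/{m.group(2)}" if m else ""
        phases.append(ph)
    return phases

def find_drop(text):
    """First DROP phase with the final Drop-reason attached, or None if allowed."""
    for ph in parse_phases(text):
        if ph["result"] == "DROP":
            m = re.search(r"^Drop-reason: *(.*)$", text, re.M)
            ph["drop_reason"] = m.group(1).strip() if m else ""
            return ph
    return None
```

Run it over both traces: in the working one `find_drop` returns None, in the failing one it points at Phase 12 (VPN / ipsec-tunnel-flow) and shows that the matched rule is a host entry for 10.60.60.13 towards 172.16.17.0/24 on wan2.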

 
