Inconsistent VPN Tunnel Traffic Behavior – Initial Drop, Then Allowed

Kirov11
Level 1

Dear Expert,

I ran packet-tracer for traffic from 10.41.201.252:80 (VLAN 201) to 192.168.104.191:443. Initially, the packet was dropped at Phase 8 (VPN - Encrypt) due to an ACL restriction. However, when tested again, the traffic was allowed successfully.

Can you help explain why the first attempt failed while the next one worked?

This is the first result:

__________________________________________________________________________________________________

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 28830 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.104.191 using egress ifc outside(vrfid:0)

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 1860 ns
Config:
nat (vlan201,outside) source static megan-to-mines megan-to-mines destination static KLHQ-Internal KLHQ-Internal no-proxy-arp route-lookup description KHLQ-To-Puchong
Additional Information:
NAT divert to egress interface outside(vrfid:0)
Untranslate 192.168.104.191/443 to 192.168.104.191/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 7440 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any ifc outside any rule-id 268449871
access-list CSM_FW_ACL_ remark rule-id 268449871: ACCESS POLICY: meganA - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268449871: L7 RULE: deny-top-geolocation-int-to-ext
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 7440 ns
Config:
class-map class_map_traceroute
match access-list traceroute
policy-map global_policy
class class_map_traceroute
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 7440 ns
Config:
nat (vlan201,outside) source static megan-to-mines megan-to-mines destination static KLHQ-Internal KLHQ-Internal no-proxy-arp route-lookup description KHLQ-To-Puchong
Additional Information:
Static translate 10.41.201.252/80 to 10.41.201.252/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 7440 ns
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 7440 ns
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Elapsed time: 37665 ns
Config:
Additional Information:

Result:
input-interface: vlan201(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 105555 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0000562cfc87e8d0 flow (NA)/NAa

_______________________________________________________________________________________________

Second packet-tracer run, without any changes or deployment:

> packet-tracer input vlan201 tcp 10.41.201.252 80 192.168.104.191 443 detailed

Phase: 1
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 30690 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop 192.168.104.191 using egress ifc outside(vrfid:0)

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 2325 ns
Config:
nat (vlan201,outside) source static megan-to-mines megan-to-mines destination static KLHQ-Internal KLHQ-Internal no-proxy-arp route-lookup description KHLQ-To-Puchong
Additional Information:
NAT divert to egress interface outside(vrfid:0)
Untranslate 192.168.104.191/443 to 192.168.104.191/443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 8277 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any ifc outside any rule-id 268449871
access-list CSM_FW_ACL_ remark rule-id 268449871: ACCESS POLICY: meganA - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268449871: L7 RULE: deny-top-geolocation-int-to-ext
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x14c0e8d06bb0, priority=12, domain=permit, deny=false
hits=57221, user_data=0x14c0dac89e80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=outside(vrfid:0), vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 8277 ns
Config:
class-map class_map_traceroute
match access-list traceroute
policy-map global_policy
class class_map_traceroute
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14c0eb70e100, priority=7, domain=conn-set, deny=false
hits=22835, user_data=0x14c0eb6f69f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=vlan201(vrfid:0), output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 8277 ns
Config:
nat (vlan201,outside) source static megan-to-mines megan-to-mines destination static KLHQ-Internal KLHQ-Internal no-proxy-arp route-lookup description KHLQ-To-Puchong
Additional Information:
Static translate 10.41.201.252/80 to 10.41.201.252/80
Forward Flow based lookup yields rule:
in id=0x14c0e8db31d0, priority=6, domain=nat, deny=false
hits=3, user_data=0x14c0eb55aa20, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.41.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.168.104.0, mask=255.255.252.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=vlan201(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 8277 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14c0e67fed50, priority=0, domain=nat-per-session, deny=false
hits=97950, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 8277 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x14c0e8efda40, priority=0, domain=inspect-ip-options, deny=true
hits=55361, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=vlan201(vrfid:0), output_ifc=any

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Elapsed time: 35340 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x14c0eb1a5d80, priority=70, domain=encrypt, deny=false
hits=4, user_data=0x97c4c, cs_id=0x14c0eade20e0, reverse, flags=0x0, protocol=0
src ip/id=10.41.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.168.104.0, mask=255.255.252.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any(vrfid:65535), output_ifc=outside

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 3255 ns
Config:
nat (vlan201,outside) source static megan-to-mines megan-to-mines destination static KLHQ-Internal KLHQ-Internal no-proxy-arp route-lookup description KHLQ-To-Puchong
Additional Information:
Forward Flow based lookup yields rule:
out id=0x14c0e8de0950, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x14c0eb561ce0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.41.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=192.168.104.0, mask=255.255.252.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=vlan201(vrfid:0), output_ifc=outside(vrfid:0)

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 36735 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14c0e7f064d0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=4, user_data=0x99b8c, cs_id=0x14c0eade20e0, reverse, flags=0x0, protocol=0
src ip/id=192.168.104.0, mask=255.255.252.0, port=0, tag=any
dst ip/id=10.41.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 1395 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14c0e67fed50, priority=0, domain=nat-per-session, deny=false
hits=97952, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 930 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x14c0e8b40480, priority=0, domain=inspect-ip-options, deny=true
hits=86531, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside(vrfid:0), output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 18135 ns
Config:
Additional Information:
New flow created with id 108230, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 14
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 53010 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 15
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 41884 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)

Phase: 16
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 160328 ns
Config:
Network 0, Inspection 0, Detection 0, Rule ID 268460034
Additional Information:
Starting rule matching, zone 29 -> 11, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Matched rule ids 268460034 - Allow

Result:
input-interface: vlan201(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 425412 ns
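
To compare the two traces above without reading them phase by phase, here is an added Python example (not code from the post or from Cisco) that parses packet-tracer output into per-phase verdicts, reports the first dropping phase and its drop reason, and diffs two runs to show which phase changed; the embedded input is a constructed, abridged excerpt of the two traces quoted above.

```python
import re

# Added example: minimal parser for ASA/FTD packet-tracer output. Each phase is a
# "Phase: N / Type: / Subtype: / Result:" block; the trailer carries Action and,
# on a drop, Drop-reason. Elapsed-time and rule-lookup lines are ignored.
PHASE_RE = re.compile(r"Phase: (\d+)\nType: ([^\n]*)\nSubtype: ?([^\n]*)\nResult: (\w+)")

def parse_trace(text):
    """Return {'phases': {num: (type, subtype, result)}, 'action': str, 'drop_reason': str|None}."""
    phases = {int(n): (t.strip(), s.strip(), r) for n, t, s, r in PHASE_RE.findall(text)}
    action = re.search(r"^Action: (\w+)$", text, re.M)
    drop = re.search(r"^Drop-reason: (.*)$", text, re.M)
    return {"phases": phases,
            "action": action.group(1) if action else None,
            "drop_reason": drop.group(1).strip() if drop else None}

def first_drop(trace):
    """(num, type, subtype) of the first phase that dropped the packet, or None."""
    for num, (typ, sub, res) in sorted(trace["phases"].items()):
        if res == "DROP":
            return (num, typ, sub)
    return None

def diff_runs(run_a, run_b):
    """Phases whose verdict changed between runs, and phases only reached in run_b."""
    pa, pb = run_a["phases"], run_b["phases"]
    changed = [(n, pa[n][0], pa[n][1], pa[n][2], pb[n][2])
               for n in sorted(pa) if n in pb and pa[n][2] != pb[n][2]]
    only_b = [(n, pb[n][0], pb[n][1]) for n in sorted(pb) if n not in pa]
    return changed, only_b

# Constructed, abridged excerpts of the two traces in the post (first run drops
# at VPN/encrypt before the tunnel is up; second run passes and reaches the
# ipsec-tunnel-flow phase, which the first run never got to).
RUN1 = ("Phase: 7\nType: IP-OPTIONS\nSubtype:\nResult: ALLOW\n\n"
        "Phase: 8\nType: VPN\nSubtype: encrypt\nResult: DROP\n\n"
        "Result:\nAction: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n")
RUN2 = ("Phase: 7\nType: IP-OPTIONS\nSubtype:\nResult: ALLOW\n\n"
        "Phase: 8\nType: VPN\nSubtype: encrypt\nResult: ALLOW\n\n"
        "Phase: 10\nType: VPN\nSubtype: ipsec-tunnel-flow\nResult: ALLOW\n\n"
        "Result:\nAction: allow\n")

if __name__ == "__main__":
    first, second = parse_trace(RUN1), parse_trace(RUN2)
    print("run 1 dropped at:", first_drop(first), "reason:", first["drop_reason"])
    print("run 2 dropped at:", first_drop(second))
    print("verdict changes / new phases:", diff_runs(first, second))
```

Feed it the full output of two `packet-tracer ... detailed` runs captured before and after the tunnel comes up and the changed-verdict list points straight at the phase to investigate.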
2 Replies

Jan Rolny
Level 3

Hi Kirov11,

If a new IPsec tunnel is configured and the tunnel is not yet established, the first couple of packets are usually dropped, because it takes some time to establish/negotiate the VPN tunnel.

You can test it by generating a ping to the destination, for instance (if the ACL allows it). You will notice that the first couple of pings are dropped/time out. After that the ping is fine and passes through.

That's why the 2nd attempt is fine: the tunnel is already established.

Best regards,

Jan

Is this issue solved?

MHM