09-10-2009 04:33 PM - last edited on 03-25-2019 04:07 PM by ciscomoderator
I'm having an issue with a firewall vpn tunnel. I ran a packet-tracer and attached the results.
The attached file shows a failed delivery from a host. I have run some with a successful delivery, on the same network, with a different host; everything is the same, but the host is different. That is the problem I am troubleshooting.
What I need is more information on the packet-trace command results when it's not obvious why there is a 'deny'. I ran some packet-trace commands and it gave a more exact reason for failure, such as a specific ACL. When that happened, it was easy to solve this problem.
However, the output I've attached here isn't so obvious.
Anyway, I would appreciate any help or direction to help me understand the output.
Thanks
09-10-2009 09:19 PM
By default, the outside interface will drop any incoming packet if it is not permitted by the ACL applied on it.
Do you have any ACL applied on outside interface?
If yes, will it permit the traffic which is traced by packet-trace?
09-11-2009 02:59 AM
Thanks for taking the time to look at this.
I'm initiating the request from the inside, going out the outside interface. I do not have an ACL blocking the traffic leaving. I have an ACL on the firewall directly forward of the destination, but I'm not getting that far in this packet-trace.
I would like some help on translating the information this command sends back.
I have ACLs on the outside interface, but they allow traffic to pass.
I am troubleshooting traffic passing via the vpn. Because of this part of the packet-tracer output: 'Additional Information:
in 0.0.0.0 0.0.0.0 outside', would I be correct in saying this traffic is going through the default gateway, not the vpn?
Also, in 'Phase 3 - Additional Information:', what does this information tell me?
Thanks for taking the time to help.
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66bec70, priority=111, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
09-11-2009 08:51 AM
Additional info in phase 2 just tells you that the packet will be routed to the outside interface. It's not related to whether the packet will go into your VPN tunnel.
Additional info in phase 3 tells you that the packet is dropped by implicit rule which is "deny ip any any".
Can you provide your config file as well?
09-11-2009 03:17 PM
Kuw2,
Thanks for the information. I actually solved the problem. However, I would like to learn/read more about the meaning of the information the packet-tracer command gives - such as:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66bec70, priority=111, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
priority=111 ?
domain=permit, deny=true, hits=8, user_data=0x0, -- where does that info come from?
I suppose I'm just looking to learn more about the packet-tracer command. From what I see on Cisco's site and the Internet, there's not too much about this command. It seems like you can do a lot with it. It's helped me in the past, when it's obvious.
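A small parser for the phase blocks quoted in this thread, added here as an illustration and not code from the thread or from Cisco: it splits packet-tracer output into phases, picks out the first DROP phase, and turns the "lookup yields rule" lines into named fields (direction, id, priority, domain, deny, hits, and the src/dst ip, mask and port). The sample text is constructed from the two phases posted above; the field names are simply the labels the ASA prints, and the parser assumes that layout.

```python
SAMPLE = """Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd66bec70, priority=111, domain=permit, deny=true
hits=8, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0"""  # constructed from the two phases quoted in the thread


def parse_phases(text):
    """Split packet-tracer output into one dict per phase (blank lines ignored)."""
    phases, section = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if key == "Phase":
            phases.append({"phase": int(value), "Config": [], "Additional Information": []})
        elif sep and key in ("Config", "Additional Information"):
            section = key  # the two multi-line sections of a phase
        elif sep and key in ("Type", "Subtype", "Result"):
            phases[-1][key], section = value.strip(), None
        elif section:  # body line of the current Config / Additional Information block
            phases[-1][section].append(line)
    return phases


def parse_rule(lines):
    """Flatten a 'lookup yields rule' block into a dict of its key=value fields."""
    fields = {}
    for line in lines:
        head, _, rest = line.partition(" ")
        if head in ("in", "out") and "=" in rest:  # leading token is the flow direction
            fields["direction"], line = head, rest
        scope = head + " " if head in ("src", "dst") else ""  # keep src/dst mask, port apart
        for key, val in (p.split("=", 1) for p in line.split(", ") if "=" in p):
            fields[key if key.startswith(scope) else scope + key] = val
    return fields


def first_drop(text):  # -> (phase dict, rule fields) for the first DROP phase, else None
    drops = [ph for ph in parse_phases(text) if ph.get("Result") == "DROP"]
    return (drops[0], parse_rule(drops[0]["Additional Information"])) if drops else None
```

Running first_drop(SAMPLE) on the quoted output points at phase 3 (ACCESS-LIST, Config "Implicit Rule") with deny=true and hits=8, which is the implicit "deny ip any any" match kuw2 describes.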