
cisco asa vpn subtype encrypt action drop

abccisco2011
Level 1

My one site-to-site is having a problem. Phase 1 is up but the packets are not encrypting on one ASA. I checked the packet tracer and the packet is being dropped. Any suggestions?

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71480700, priority=1, domain=permit, deny=false
hits=542991907, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71482e38, priority=0, domain=inspect-ip-options, deny=true
hits=10667219, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71482ab0, priority=66, domain=inspect-icmp-error, deny=false
hits=1337903, user_data=0x71482998, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7583caf0, priority=50, domain=ids, deny=false
hits=7006737, user_data=0x7583c640, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x75839700, priority=17, domain=flow-export, deny=false
hits=7118939, user_data=0x757a1f10, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip inside 10.1.8.0 255.255.252.0 outside 10.20.6.0 255.255.255.0
NAT exempt
translate_hits = 71406, untranslate_hits = 35921
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71929b80, priority=6, domain=nat-exempt, deny=false
hits=71406, user_data=0x71929ac0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=10.1.8.0, mask=255.255.252.0, port=0
dst ip=10.20.6.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 8
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside) 1 10.1.8.0 255.255.252.0
match ip inside 10.1.8.0 255.255.252.0 outside any
dynamic translation to pool 1 (70.191.58.66)
translate_hits = 607979, untranslate_hits = 40960
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71d43058, priority=1, domain=nat, deny=false
hits=1018457, user_data=0x71d42f98, cs_id=0x0, flags=0x0, protocol=0
src ip=10.1.8.0, mask=255.255.252.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (inside) 1 10.1.8.0 255.255.252.0
match ip inside 10.1.8.0 255.255.252.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x71d42a30, priority=1, domain=host, deny=false
hits=2045422, user_data=0x71d42618, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=10.1.8.0, mask=255.255.252.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x727ac190, priority=70, domain=encrypt, deny=false
hits=107509, user_data=0x0, cs_id=0x7276b290, reverse, flags=0x0, protocol=0
src ip=10.1.8.0, mask=255.255.252.0, port=0
dst ip=10.20.6.0, mask=255.255.255.0, port=0, dscp=0x0

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

2 Replies

rvarelac
Level 7

Hi,

This might be because phase 2 is not up at all, or there is a mismatch in the crypto ACL on this or the remote end.

You can run the following debugs while executing the packet-tracer to get more information:

* debug crypto ikev1 127

* debug crypto ipsec 127

Hope it helps

-Randy-

There was a second tunnel which had the same access list. It's good now. Thanks so much for your input.
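As an added example (not code from the thread or from Cisco), here is a small Python check that parses a constructed ASA config fragment and flags crypto map entries in the same map whose crypto ACLs cover overlapping source/destination networks. That is the condition the original poster found: the ASA matches crypto map entries in sequence order, so traffic for a later entry with an overlapping ACL is claimed by the earlier tunnel and never encrypts for the intended peer. The access-list and crypto map line formats are standard ASA syntax; the ACL names, map name and networks are constructed for the example.

```python
import ipaddress
import re
from itertools import combinations

# Constructed ASA config fragment (not from the thread): two crypto map
# entries whose crypto ACLs both cover 10.1.8.0/22 -> 10.20.6.0/24.
SAMPLE_CONFIG = """
access-list VPN-SITE-A extended permit ip 10.1.8.0 255.255.252.0 10.20.6.0 255.255.255.0
access-list VPN-SITE-B extended permit ip 10.1.8.0 255.255.252.0 10.20.6.0 255.255.255.0
access-list VPN-SITE-C extended permit ip 10.1.8.0 255.255.252.0 10.30.0.0 255.255.0.0
crypto map OUTSIDE_MAP 10 match address VPN-SITE-A
crypto map OUTSIDE_MAP 20 match address VPN-SITE-B
crypto map OUTSIDE_MAP 30 match address VPN-SITE-C
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")


def parse_config(text):
    """Return (map_name, seq, acl_name, src_net, dst_net) for every crypto ACL line
    referenced by a crypto map entry. Only 'permit ip' lines are handled here."""
    acls = {}
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            name, s_ip, s_mask, d_ip, d_mask = m.groups()
            src = ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False)
            dst = ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False)
            acls.setdefault(name, []).append((src, dst))
    entries = []
    for line in text.splitlines():
        m = MAP_RE.match(line.strip())
        if m:
            map_name, seq, acl = m.groups()
            for src, dst in acls.get(acl, []):
                entries.append((map_name, int(seq), acl, src, dst))
    return entries


def find_overlaps(entries):
    """Pairs of distinct entries in the same crypto map whose ACL lines overlap in
    both source and destination. The lower-sequence entry matches first, so the
    other tunnel's traffic is silently steered to the wrong peer (or dropped)."""
    overlaps = []
    for a, b in combinations(entries, 2):
        same_map = a[0] == b[0] and a[1] != b[1]
        if same_map and a[3].overlaps(b[3]) and a[4].overlaps(b[4]):
            overlaps.append(((a[0], a[1], a[2]), (b[0], b[1], b[2])))
    return overlaps


if __name__ == "__main__":
    for lo, hi in find_overlaps(parse_config(SAMPLE_CONFIG)):
        print(f"overlap in {lo[0]}: seq {lo[1]} ({lo[2]}) vs seq {hi[1]} ({hi[2]})")
```

Run against a real `show running-config` export, the script reports each pair of crypto map entries that compete for the same traffic; the 10.30.0.0/16 entry is correctly not flagged.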