IPSEC Tunnel

ankit.dhawan
Level 1

I ran packet tracer and got the error below. Can someone please advise what could be the issue for this?

*******************************************************************

 

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f15d9c8b240, priority=70, domain=encrypt, deny=false
hits=39, user_data=0x0, cs_id=0x7f15d9fa2440, reverse, flags=0x0, protocol=0
src ip/id=162.92.224.254, mask=255.255.255.255, port=0, tag=any
dst ip/id=195.72.65.34, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

 

*******************************************************************
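The phase that matters in the output above is the one whose Result is DROP: it reports domain=encrypt, so the rule that denied the flow was found in the VPN encryption lookup, and it shows the exact source and destination the lookup was done with. As an added example (not code from the thread or from Cisco), the Python below parses a packet-tracer transcript into phases and pulls out the dropping phase, the rule's domain, and the addresses it matched on. The sample transcript is constructed: Phase 9 and the Result block are copied from the post, and Phase 1 is an invented placeholder so there is an ALLOW phase to skip over.

```python
import re

# Constructed sample transcript: Phase 9 and the Result block are copied from
# the post above; Phase 1 is an invented placeholder with an ALLOW result.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 203.0.113.1 using egress ifc  OUTSIDE

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f15d9c8b240, priority=70, domain=encrypt, deny=false
hits=39, user_data=0x0, cs_id=0x7f15d9fa2440, reverse, flags=0x0, protocol=0
src ip/id=162.92.224.254, mask=255.255.255.255, port=0, tag=any
dst ip/id=195.72.65.34, mask=255.255.255.255, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=OUTSIDE

Result:
input-interface: INSIDE
input-status: up
output-interface: OUTSIDE
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# "Key: value" lines such as "Type: VPN"; rule attribute lines use "=" and
# are handled separately below.
_KV_RE = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$")


def parse_packet_tracer(text):
    """Return (phases, result): one dict per Phase block plus the final Result block."""
    phases, result = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        if lines[0].startswith("Phase:"):
            phase = {"phase": int(lines[0].split(":", 1)[1])}
            for line in lines[1:]:
                m = _KV_RE.match(line)
                if m:
                    phase[m.group(1).strip().lower()] = m.group(2).strip()
            # Attributes of the rule the lookup hit: domain=, deny=, output_ifc=
            for key in ("domain", "deny", "output_ifc"):
                m = re.search(rf"\b{key}=([^,\s]+)", block)
                if m:
                    phase[key] = m.group(1)
            # The addresses the rule matched on, as (ip, mask)
            for end in ("src", "dst"):
                m = re.search(rf"{end} ip/id=([0-9.]+), mask=([0-9.]+)", block)
                if m:
                    phase[end] = (m.group(1), m.group(2))
            phases.append(phase)
        elif lines[0].startswith("Result:"):
            for line in lines[1:]:
                key, _, value = line.partition(":")
                result[key.strip().lower()] = value.strip()
    return phases, result


def find_drop(phases, result):
    """Return (dropping phase or None, drop reason string)."""
    reason = result.get("drop-reason", "")
    for phase in phases:
        if phase.get("result", "").upper() == "DROP":
            return phase, reason
    return None, reason


def drop_summary(text):
    """One-line summary: which phase dropped the flow, in which domain, for which addresses."""
    phases, result = parse_packet_tracer(text)
    phase, reason = find_drop(phases, result)
    if phase is None:
        return "no drop"
    src = phase.get("src", ("?",))[0]
    dst = phase.get("dst", ("?",))[0]
    return (f"phase {phase['phase']} {phase.get('type')}/{phase.get('subtype')} "
            f"domain={phase.get('domain', '?')} src={src} dst={dst}: {reason}")


if __name__ == "__main__":
    print(drop_summary(SAMPLE))
```

Running it on the sample prints the phase number, the domain and the src/dst pair the lookup used, which is what you compare against the ACL that controls the VPN flow: if the addresses in the encrypt-domain rule are not the ones that ACL permits, this is the drop you get.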

10 Replies

Richard Burts
Hall of Fame

There are several things that might cause this kind of error and we do not have enough information to know which it is. Can you post the config (hiding any public IP and other sensitive information)?

 

HTH

 

Rick


Hello,

 

Where's the ACL that controls your VPN flow?

Look at the message: "(acl-drop) Flow is denied by configured rule"

Here is the ACL for this flow, with hit counts as well:

**************************************************************************
access-list insideout line 37 extended permit tcp host 10.255.25.46 object-group iinet-hosts eq ssh (hitcnt=72)

 

object-group network iinet-hosts
network-object host 144.194.18.35
network-object host 144.194.18.36
network-object host 195.72.65.34
network-object host 195.72.65.35

**************************************************************************

 

Below is the capture:

**************************************************************************
capture CAPIN type raw-data interface INSIDE [Capturing - 82 bytes]
match tcp host 10.255.25.46 host 195.72.65.35
match tcp host 10.255.25.46 host 195.72.65.34

**************************************************************************

 

 

The data provided in your original post does not match what you show from the capture.

src ip/id=162.92.224.254, mask=255.255.255.255, port=0, tag=any
dst ip/id=195.72.65.34, mask=255.255.255.255, port=0, tag=any, dscp=0x0

 

 

HTH

Rick

162.92.224.254 is the NAT'ed IP for 10.255.25.46

Permit the real IP on the ACL. First the firewall matches the rule, then it performs NAT.

10.255.25.46 is the real IP and the ACL is configured with the real IP as below. Object-group iinet-hosts has the destination IPs (195.72.65.34).

!

access-list insideout line 37 extended permit tcp host 10.255.25.46 object-group iinet-hosts eq ssh 

!

object-group network iinet-hosts
network-object host 195.72.65.34
network-object host 195.72.65.35

!

 

Please let me know if I can provide any more details.
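The two replies above make one point worth checking mechanically: the interface ACL is evaluated against the real (pre-NAT) source address, and NAT happens afterwards, so the ACL has to permit 10.255.25.46, not 162.92.224.254. The following is an added example, not code from the thread or from Cisco: a small evaluator that parses the ACL and object-group exactly as posted and runs the same SSH flow through it twice, once with the real source and once with the NAT'd one. It assumes the ASA's first-match semantics with an implicit deny at the end, and it understands only the address forms used here (host, object-group, any) and "eq" ports; the service-name table is a constructed subset.

```python
import ipaddress

# Constructed sample config, copied from the ACL and object-group posted in
# the thread (hit counts stripped).
CONFIG = """\
object-group network iinet-hosts
 network-object host 195.72.65.34
 network-object host 195.72.65.35
access-list insideout line 37 extended permit tcp host 10.255.25.46 object-group iinet-hosts eq ssh
"""

# Constructed subset of ASA service names; only "ssh" is needed for the sample.
PORT_NAMES = {"ssh": 22, "www": 80, "https": 443}


def _take_spec(tokens, i, groups):
    """Consume one address spec (any | host X | object-group G) at tokens[i].

    Returns (predicate over an ip_address, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        target = ipaddress.ip_address(tokens[i + 1])
        return (lambda ip: ip == target), i + 2
    if tok == "object-group":
        members = groups[tokens[i + 1]]
        return (lambda ip: ip in members), i + 2
    raise ValueError(f"unsupported address spec: {tok}")


def parse_ace(line, groups):
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    i = tokens.index("extended") + 1
    action, proto = tokens[i], tokens[i + 1]
    src_match, i = _take_spec(tokens, i + 2, groups)
    dst_match, i = _take_spec(tokens, i, groups)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = int(port) if port.isdigit() else PORT_NAMES[port]
    return {"name": tokens[1], "action": action, "proto": proto,
            "src": src_match, "dst": dst_match, "dport": dport}


def parse_config(text):
    """Collect network object-groups, then the ACEs that may reference them."""
    groups, aces, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object-group network "):
            current = line.split()[-1]
            groups[current] = set()
        elif line.startswith("network-object host ") and current is not None:
            groups[current].add(ipaddress.ip_address(line.split()[-1]))
        elif line.startswith("access-list "):
            current = None
            aces.append(parse_ace(line, groups))
    return aces


def evaluate(aces, proto, src, dst, dport):
    """First-match evaluation; anything that matches no ACE hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in (proto, "ip"):
            continue
        if not ace["src"](src) or not ace["dst"](dst):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny (implicit)"


ACES = parse_config(CONFIG)
REAL_IP, NATTED_IP, PEER = "10.255.25.46", "162.92.224.254", "195.72.65.34"

if __name__ == "__main__":
    # The ACL is checked before NAT, so it sees the real source address.
    print("real source  :", evaluate(ACES, "tcp", REAL_IP, PEER, 22))
    # The same flow keyed on the translated address matches nothing.
    print("NAT'd source :", evaluate(ACES, "tcp", NATTED_IP, PEER, 22))
```

The second line of output is the one to keep in mind when reading the packet-tracer rule in the first post: the encrypt-domain rule there is keyed on 162.92.224.254, so whichever ACL produced that rule is being matched with the translated address, while the interface ACL shown here only ever sees 10.255.25.46.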

 

 

Put a capture on the ASA, simulate the problem and let me see the whole capture's output.

Also, if possible of course, put an ACL permitting ALL on the VPN tunnel.

 

Here are the captures:

**************************************************************************


17 packets captured

1: 19:19:57.201848 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 19:20:00.198186 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 19:20:06.204106 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,nop,sackOK>
4: 19:25:30.156913 802.1Q vlan#152 P0 10.255.25.46.51282 > 195.72.65.34.22: S 3536674581:3536674581(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
5: 19:25:33.153388 802.1Q vlan#152 P0 10.255.25.46.51282 > 195.72.65.34.22: S 3536674581:3536674581(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
6: 19:25:39.159476 802.1Q vlan#152 P0 10.255.25.46.51282 > 195.72.65.34.22: S 3536674581:3536674581(0) win 8192 <mss 1460,nop,nop,sackOK>
7: 19:32:21.075237 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 1303925478:1303925478(0) win 8192
8: 19:32:33.866959 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 1761050225:1761050225(0) win 8192
9: 19:49:13.396952 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 918403480:918403480(0) win 8192
10: 21:00:56.038083 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 1136360372:1136360372(0) win 8192
11: 13:35:39.622297 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 1448472249:1448472249(0) win 8192
12: 13:50:01.020308 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 2069011992:2069011992(0) win 8192
13: 13:50:06.658138 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 156342348:156342348(0) win 8192
14: 13:50:09.570221 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 935918706:935918706(0) win 8192
15: 13:56:18.229999 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
16: 13:56:21.238162 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
17: 13:56:27.244326 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,nop,sackOK>

**************************************************************************

 

Here is some debug output:

**************************************************************************

(1031):
IKEv2-PROTO-2: (1031): Received Packet [From 195.72.64.134:500/To 162.92.191.36:500/VRF i0:f0]
(1031): Initiator SPI : C057E9B6630F4C0A - Responder SPI : 3F59B2DF5BD963A0 Message id: 105
(1031): IKEv2 INFORMATIONAL Exchange REQUESTIKEv2-PROTO-3: (1031): Next payload: ENCR, version: 2.0 (1031): Exchange type: INFORMATIONAL, flags: INITIATOR (1031): Message id: 105, length: 57(1031):
Payload contents:
(1031):
(1031): Decrypted packet:(1031): Data: 57 bytes
(1031): REAL Decrypted packet:(1031): Data: 0 bytes
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000069 CurState: READY Event: EV_RECV_INFO_REQ
IKEv2-PROTO-5: (1031): Action: Action_Null
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000069 CurState: INFO_R Event: EV_RECV_INFO_REQ
IKEv2-PROTO-2: (1031): Received DPD/liveness query
IKEv2-PROTO-2: (1031): Building packet for encryption.
IKEv2-PROTO-2: (1031): Sending ACK to informational exchange
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000069 CurState: INFO_R Event: EV_ENCRYPT_MSG
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000069 CurState: INFO_R Event: EV_TRYSEND
(1031):
IKEv2-PROTO-2: (1031): Sending Packet [To 195.72.64.134:500/From 162.92.191.36:500/VRF i0:f0]
(1031): Initiator SPI : C057E9B6630F4C0A - Responder SPI : 3F59B2DF5BD963A0 Message id: 105
(1031): IKEv2 INFORMATIONAL Exchange RESPONSEIKEv2-PROTO-3: (1031): Next payload: ENCR, version: 2.0 (1031): Exchange type: INFORMATIONAL, flags: RESPONDER MSG-RESPONSE (1031): Message id: 105, length: 57(1031):
Payload contents:
(1031): ENCR(1031): Next payload: NONE, reserved: 0x0, length: 29
(1031): Encrypted data: 25 bytes
(1031):
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000069 CurState: INFO_R Event: EV_CHK_INFO_TYPE
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000069 CurState: INFO_R Event: EV_START_DEL_NEG_TMR
IKEv2-PROTO-5: (1031): Action: Action_Null
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000069 CurState: EXIT Event: EV_CHK_PENDING
IKEv2-PROTO-5: (1031): Sent response with message id 105, Requests can be accepted from range 106 to 106
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000069 CurState: EXIT Event: EV_NO_EVENT
IKEv2-PROTO-5: (1031): SM Trace-> SA: I_SPI=C057E9B6630F4C0A R_SPI=3F59B2DF5BD963A0 (R) MsgID = 00000068 CurState: EXIT Event: EV_FREE_NEG
IKEv2-PROTO-5: (1031): Deleting negotiation context for peer message ID: 0x68

 

**************************************************************************

 

 

What I could see from your capture is a bunch of SYNs being sent. I did not see any ACK for those SYNs.

Did you capture in both directions?

If so, you have no response from the destination.

 

1: 19:19:57.201848 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 19:20:00.198186 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 19:20:06.204106 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,nop,sackOK>
4: 19:25:30.156913 802.1Q vlan#152 P0 10.255.25.46.51282 > 195.72.65.34.22: S 3536674581:3536674581(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
5: 19:25:33.153388 802.1Q vlan#152 P0 10.255.25.46.51282 > 195.72.65.34.22: S 3536674581:3536674581(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
6: 19:25:39.159476 802.1Q vlan#152 P0 10.255.25.46.51282 > 195.72.65.34.22: S 3536674581:3536674581(0) win 8192 <mss 1460,nop,nop,sackOK>
7: 19:32:21.075237 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 1303925478:1303925478(0) win 8192
8: 19:32:33.866959 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 1761050225:1761050225(0) win 8192
9: 19:49:13.396952 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 918403480:918403480(0) win 8192
10: 21:00:56.038083 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 1136360372:1136360372(0) win 8192
11: 13:35:39.622297 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 1448472249:1448472249(0) win 8192
12: 13:50:01.020308 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 2069011992:2069011992(0) win 8192
13: 13:50:06.658138 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 156342348:156342348(0) win 8192
14: 13:50:09.570221 802.1Q vlan#152 P0 10.255.25.46.1266 > 195.72.65.34.22: S 935918706:935918706(0) win 8192
15: 13:56:18.229999 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
16: 13:56:21.238162 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
17: 13:56:27.244326 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,nop,sackOK>
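The observation above, that the capture holds nothing but SYN retransmissions, is easy to verify by eye on 17 lines and tedious on a few thousand. As an added example (not code from the thread or from Cisco), the Python below parses ASA capture lines, groups packets into flows, and flags every flow that only ever shows SYNs from the initiator and no packet coming back. The sample is constructed: the first nine lines are copied from the posted capture (three flows, three SYN retries each), and the last three lines are invented to show what a flow with a completed handshake looks like by contrast.

```python
import re

# Constructed sample. Lines 1-9 are copied from the capture posted in the
# thread; lines 18-20 are invented and show a completed handshake to a second
# peer so that one flow is answered and the others are not.
SAMPLE = """\
1: 19:19:57.201848 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
2: 19:20:00.198186 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 19:20:06.204106 802.1Q vlan#152 P0 10.255.25.46.51037 > 195.72.65.34.22: S 968998622:968998622(0) win 8192 <mss 1460,nop,nop,sackOK>
7: 19:32:21.075237 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 1303925478:1303925478(0) win 8192
8: 19:32:33.866959 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 1761050225:1761050225(0) win 8192
9: 19:49:13.396952 802.1Q vlan#152 P0 10.255.25.46.1269 > 195.72.65.34.22: S 918403480:918403480(0) win 8192
15: 13:56:18.229999 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
16: 13:56:21.238162 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,wscale 8,nop,nop,sackOK>
17: 13:56:27.244326 802.1Q vlan#152 P0 10.255.25.46.63587 > 195.72.65.34.22: S 3057209459:3057209459(0) win 8192 <mss 1460,nop,nop,sackOK>
18: 14:01:00.000000 802.1Q vlan#152 P0 10.255.25.46.50001 > 195.72.65.35.22: S 111:111(0) win 8192 <mss 1460>
19: 14:01:00.010000 802.1Q vlan#152 P0 195.72.65.35.22 > 10.255.25.46.50001: S 222:222(0) ack 112 win 65535 <mss 1460>
20: 14:01:00.011000 802.1Q vlan#152 P0 10.255.25.46.50001 > 195.72.65.35.22: . ack 223 win 8192
"""

# "N: HH:MM:SS.uuuuuu [802.1Q vlan#V Pp] SRC.SPORT > DST.DPORT: FLAGS rest"
CAP_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)(?P<rest>.*)$")


def parse_capture_line(line):
    """Return the TCP 4-tuple and SYN/ACK flags of one capture line, or None."""
    m = CAP_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "syn": m.group("flags").startswith("S"),
        "ack": " ack " in m.group("rest"),
    }


def analyze(lines):
    """Group packets by flow; count pure SYNs and packets coming back from the responder."""
    flows = {}
    for line in lines:
        pkt = parse_capture_line(line)
        if pkt is None:
            continue
        a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
        key = tuple(sorted([a, b]))          # direction-independent flow key
        f = flows.setdefault(key, {"initiator": None, "responder": None,
                                   "syns": 0, "replies": 0})
        if pkt["syn"] and not pkt["ack"]:    # pure SYN: the initiator trying again
            f["syns"] += 1
            if f["initiator"] is None:
                f["initiator"], f["responder"] = a, b
        elif f["initiator"] is not None and a == f["responder"]:
            f["replies"] += 1                # SYN-ACK or any later packet from the far end
    return flows


def unanswered_syns(flows):
    """Flows that show only SYNs from the initiator and nothing back."""
    return sorted((f["initiator"], f["responder"], f["syns"])
                  for f in flows.values() if f["syns"] and not f["replies"])


if __name__ == "__main__":
    for initiator, responder, n in unanswered_syns(analyze(SAMPLE.splitlines())):
        print(f"{initiator[0]}:{initiator[1]} -> {responder[0]}:{responder[1]}: "
              f"{n} SYNs, no reply")
```

A flow that shows up here was never answered on the interface where the capture ran; that is consistent with the packet-tracer drop in the first post, since a packet dropped in the encrypt phase never reaches the peer and nothing can come back. Capturing on the OUTSIDE interface as well would show whether any encrypted traffic leaves toward the peer at all.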