Issue with DNS over IPSEC VPN (AWS)

carlos.balboa
Level 1

Hi! I've been stuck on this for a couple of days, so any advice would be appreciated.

I have DNS and directory services servers on Amazon, which my clients should authenticate to, and they are reachable via IPSEC VPN (so far so good). When I try to join some PC to the domain server on AWS, I get an error and cannot authenticate at all. Doing a packet-tracer I see this NAT 'rdf-check' error, and then the packets are dropped, so that's why I cannot join my domain. The strange thing is that the other services (remote desktop, file sharing) are working correctly, so at this point I don't know where my NAT issue is.

This same domain/DNS situation happens with internal LAN clients and remote VPN (AnyConnect) clients; they have to connect to the VPN in order to reach all AWS addressing (RFC 1918 and WAN IPs).

Thanks!

Here is my config (relevant stuff only... assume VPN connectivity, routing, and internet access are working OK so far).

Version 9.8(4)10
!
hostname AZA
domain-name aws.domain
enable password k.87/DMUuEFZAPAa encrypted
names
no mac-address auto
ip local pool vpn-pool 10.1.1.170.1-10.1.1.170.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
ip add W.A.N.2 255.255.255.0
nameif backup
security-level 0
!
interface GigabitEthernet1/8
nameif outside
security-level 0
ip address W.A.N.1 255.255.255.0
!
interface Port-channel1
lacp max-bundle 8
nameif inside
security-level 100
ip address 10.1.1.254 255.255.255.0
!
boot system disk0:/asa984-10-lfbff-k8.SPA
dns domain-lookup backup
dns domain-lookup outside
dns server-group DefaultDNS
name-server D.N.S.A.W.S
domain-name aws.domain
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ANYCONNECT_SUBNET
subnet 10.1.1.170.0 255.255.255.0

object-group network AWS_VPC
network-object 172.31.0.0 255.255.0.0
network-object 10.1.1.171.0 255.255.255.0
object-group network LAN_SUBNETS
network-object 10.1.1.0 255.255.255.0
network-object 192.168.169.0 255.255.255.0
object-group network AWS_PUB-IP
network-object object DC-PUB-IP

access-list acl-amzn extended permit ip any4 172.31.0.0 255.255.0.0
access-list acl-amzn extended permit ip any4 10.1.1.171.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 192.168.169.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.1.170.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.1.171.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.1.171.0 255.255.255.0 192.168.169.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.1.171.0 255.255.255.0 10.1.1.170.0 255.255.255.0
access-list amzn-filter extended deny ip any any
access-list split_tunnel standard permit 172.31.0.0 255.255.0.0
access-list split_tunnel standard permit 10.1.1.0 255.255.255.0
access-list split_tunnel standard permit 192.168.169.0 255.255.255.0
access-list split_tunnel standard permit host 52.22.11.70

icmp permit any inside
asdm image disk0:/asdm-7131.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static LAN_SUBNETS LAN_SUBNETS destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (inside,backup) source static LAN_SUBNETS LAN_SUBNETS destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (outside,outside) source static ANYCONNECT_SUBNET ANYCONNECT_SUBNET destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (backup,backup) source static ANYCONNECT_SUBNET ANYCONNECT_SUBNET destination static AWS_VPC AWS_VPC no-proxy-arp route-lookup
nat (outside,inside) source static ANYCONNECT_SUBNET ANYCONNECT_SUBNET destination static LAN_SUBNETS LAN_SUBNETS no-proxy-arp route-lookup
nat (backup,inside) source static ANYCONNECT_SUBNET ANYCONNECT_SUBNET destination static LAN_SUBNETS LAN_SUBNETS no-proxy-arp route-lookup
nat (backup,backup) source static ANYCONNECT_SUBNET interface destination static AWS_PUB-IP AWS_PUB-IP no-proxy-arp
nat (backup,backup) source static ANYCONNECT_SUBNET interface destination static AWS_PUB-IP AWS_PUB-IP no-proxy-arp
nat (outside,outside) source static ANYCONNECT_SUBNET interface destination static AWS_PUB-IP AWS_PUB-IP no-proxy-arp
nat (outside,outside) source static ANYCONNECT_SUBNET interface destination static AWS_PUB-IP AWS_PUB-IP no-proxy-arp
!
nat (inside,outside) after-auto source dynamic any interface
nat (inside,backup) after-auto source dynamic any interface
access-group outside_access_in in interface backup
access-group outside_access_in in interface outside

threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy Anyconnect internal
group-policy Anyconnect attributes
dns-server value D.N.S.A.W.S
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
default-domain value aws.domain
address-pools value vpn-pool
webvpn
anyconnect mtu 1300
anyconnect ssl df-bit-ignore enable
group-policy filter internal
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable


8 Replies

Share the full network firewall configuration; you can hide the public IP addresses. Also share the output of the packet-tracer which is failing at the rdp check. When you run the packet-tracer, do not forget to put the detail command at the end.

Please do not forget to rate.

Ok, here is the config:

Thanks!

hostname AZA
domain-name domain.name
names
no mac-address auto
ip local pool vpn-pool 10.1.170.1-10.1.170.100 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description BACKUP
 nameif backup
 security-level 0
 ip address x.x.x.240 255.255.255.0
!
interface GigabitEthernet1/2
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 description PRIMARY
 nameif outside2
 security-level 0
 ip address x.x.x.120 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 lacp max-bundle 8
 nameif inside
 security-level 100
 ip address 10.1.168.254 255.255.255.0
!
boot system disk0:/asa984-10-lfbff-k8.SPA
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns domain-lookup backup
dns domain-lookup outside2
dns server-group DefaultDNS
 name-server x.x.x.65
 domain-name domain.name
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network VPNANYCONNECT
 subnet 10.1.170.0 255.255.255.0
object network A_PUBLIC
 host x.x.x.212
object network C_PUBLIC
 host x.x.x.70
object network F_PUBLIC
 host x.x.x.185
object network E_PUBLIC
 host x.x.x.16
object network P_PUBLIC
 host x.x.x.93
object network Q_PUBLIC
 host x.x.x.139
object-group network AWS_NETS
 network-object 172.31.0.0 255.255.0.0
 network-object 10.1.171.0 255.255.255.0
object-group network LAN_NETS
 network-object 10.1.168.0 255.255.255.0
 network-object 10.1.169.0 255.255.255.0
object-group network AWS_WAN_2
 network-object object A_PUBLIC
 network-object object C_PUBLIC
 network-object object F_PUBLIC
object-group network AWS_WAN_1
 network-object object E_PUBLIC
 network-object object P_PUBLIC
 network-object object Q_PUBLIC
access-list outside_access_in extended permit ip host y.y.y.150 host x.x.x.120
access-list outside_access_in extended permit ip host y.y.y.151 host x.x.x.120
access-list outside_access_in extended permit ip host y.y.y.152 host x.x.x.240
access-list outside_access_in extended permit ip host y.y.y.153 host x.x.x.240
access-list outside_access_in extended permit ip object-group AWS_WAN_2 host x.x.x.120
access-list outside_access_in extended permit ip object-group AWS_WAN_1 host x.x.x.120
access-list outside_access_in extended permit ip object-group AWS_WAN_2 host x.x.x.240
access-list outside_access_in extended permit ip object-group AWS_WAN_1 host x.x.x.240
access-list acl-amzn extended permit ip any4 172.31.0.0 255.255.0.0
access-list acl-amzn extended permit ip any4 10.1.171.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.168.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.169.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.170.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.168.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.169.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.170.0 255.255.255.0
access-list amzn-filter extended deny ip any any
access-list split_tunnel standard permit 172.31.0.0 255.255.0.0
access-list split_tunnel standard permit 10.1.168.0 255.255.255.0
access-list split_tunnel standard permit 10.1.169.0 255.255.255.0
access-list split_tunnel standard permit host x.x.x.212
access-list split_tunnel standard permit host x.x.x.70
access-list split_tunnel standard permit host x.x.x.185
access-list split_tunnel standard permit host x.x.x.16
access-list split_tunnel standard permit host x.x.x.93
access-list split_tunnel standard permit host x.x.x.139
pager lines 20
logging enable
logging timestamp
logging monitor informational
logging buffered informational
logging asdm informational
mtu backup 1492
mtu outside2 1492
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-7131.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside2) source static LAN_NETS LAN_NETS destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
nat (inside,backup) source static LAN_NETS LAN_NETS destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
nat (outside2,outside2) source static VPNANYCONNECT VPNANYCONNECT destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
nat (backup,backup) source static VPNANYCONNECT VPNANYCONNECT destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
nat (outside2,inside) source static VPNANYCONNECT VPNANYCONNECT destination static LAN_NETS LAN_NETS no-proxy-arp route-lookup
nat (backup,inside) source static VPNANYCONNECT VPNANYCONNECT destination static LAN_NETS LAN_NETS no-proxy-arp route-lookup
nat (backup,backup) source static VPNANYCONNECT interface destination static AWS_WAN_1 AWS_WAN_1 no-proxy-arp
nat (backup,backup) source static VPNANYCONNECT interface destination static AWS_WAN_2 AWS_WAN_2 no-proxy-arp
nat (outside2,outside2) source static VPNANYCONNECT interface destination static AWS_WAN_2 AWS_WAN_2 no-proxy-arp
nat (outside2,outside2) source static VPNANYCONNECT interface destination static AWS_WAN_1 AWS_WAN_1 no-proxy-arp
!
nat (inside,outside2) after-auto source dynamic any interface
nat (inside,backup) after-auto source dynamic any interface
access-group outside_access_in in interface backup
access-group outside_access_in in interface outside2
route outside2 0.0.0.0 0.0.0.0 x.x.x.121 1 track 1
route backup 0.0.0.0 0.0.0.0 x.x.x.241 100
route backup 8.8.4.4 255.255.255.255 x.x.x.241 1
route outside2 8.8.8.8 255.255.255.255 x.x.x.121 1
route backup y.y.y.152 255.255.255.255 x.x.x.241 1
route outside2 y.y.y.150 255.255.255.255 x.x.x.121 1
route backup y.y.y.153 255.255.255.255 x.x.x.241 1
route outside2 y.y.y.151 255.255.255.255 x.x.x.121 1
route outside2 172.31.0.0 255.255.0.0 x.x.x.121 1
route backup 10.1.171.0 255.255.255.0 x.x.x.241 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server AUTH1 protocol ldap
aaa-server AUTH1 (outside2) host x.x.x.70
 server-port 389
aaa-server AUTH2 protocol ldap
aaa-server AUTH2 (backup) host x.x.x.70
 server-port 389
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
no aaa authentication login-history
http server enable
http 10.1.170.0 255.255.255.0 inside
http 10.1.168.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1379
sysopt noproxyarp backup
sysopt noproxyarp outside2
sysopt noproxyarp inside
sla monitor 1
 type echo protocol ipIcmpEcho 8.8.8.8 interface outside2
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
sla monitor 2
 type echo protocol ipIcmpEcho 8.8.4.4 interface backup
 num-packets 3
 frequency 10
sla monitor schedule 2 life forever start-time now
no service password-recovery
no service sw-reset-button
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec profile vpn-amzn
 set ikev1 transform-set transform-amzn
 set pfs group2
 set security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df backup
crypto ipsec df-bit clear-df outside2
crypto map amzn_vpn_map1 1 match address acl-amzn
crypto map amzn_vpn_map1 1 set pfs
crypto map amzn_vpn_map1 1 set peer y.y.y.151 y.y.y.150
crypto map amzn_vpn_map1 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map1 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map1 interface outside2
crypto map amzn_vpn_map2 1 match address acl-amzn
crypto map amzn_vpn_map2 1 set pfs
crypto map amzn_vpn_map2 1 set peer y.y.y.152 y.y.y.153
crypto map amzn_vpn_map2 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map2 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map2 interface backup
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable backup
crypto ikev1 enable outside2
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
track 1 rtr 1 reachability
telnet timeout 5
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
threat-detection rate dos-drop rate-interval 600 average-rate 60 burst-rate 100
threat-detection rate dos-drop rate-interval 3600 average-rate 80 burst-rate 320
threat-detection rate scanning-threat rate-interval 600 average-rate 5 burst-rate 10
no threat-detection rate scanning-threat rate-interval 3600 average-rate 4 burst-rate 8
threat-detection rate scanning-threat rate-interval 1200 average-rate 10 burst-rate 20
threat-detection rate scanning-threat rate-interval 2400 average-rate 10 burst-rate 20
threat-detection basic-threat
threat-detection scanning-threat shun
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
 enable backup
 enable outside2
 hsts
  enable
  max-age 31536000
  include-sub-domains
  no preload
 anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.7.01076-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy Anyconnect internal
group-policy Anyconnect attributes
 dns-server value x.x.x.65
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
 default-domain value domain.name
 address-pools value vpn-pool
 webvpn
  anyconnect mtu 1300
  anyconnect ssl df-bit-ignore enable
group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter
 vpn-tunnel-protocol ikev1
dynamic-access-policy-record DfltAccessPolicy
tunnel-group corp_usr type remote-access
tunnel-group corp_usr general-attributes
 authentication-server-group LDAP
 default-group-policy Anyconnect
tunnel-group corp_usr webvpn-attributes
 group-alias "CORP" enable
tunnel-group external_user type remote-access
tunnel-group external_user general-attributes
 default-group-policy Anyconnect
tunnel-group external_user webvpn-attributes
 group-alias "GUEST" enable
 without-csd
tunnel-group y.y.y.151 type ipsec-l2l
tunnel-group y.y.y.151 general-attributes
 default-group-policy filter
tunnel-group y.y.y.151 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group y.y.y.152 type ipsec-l2l
tunnel-group y.y.y.152 general-attributes
 default-group-policy filter
tunnel-group y.y.y.152 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group y.y.y.153 type ipsec-l2l
tunnel-group y.y.y.153 general-attributes
 default-group-policy filter
tunnel-group y.y.y.153 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
tunnel-group y.y.y.150 type ipsec-l2l
tunnel-group y.y.y.150 general-attributes
 default-group-policy filter
tunnel-group y.y.y.150 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
!
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable

Can you test this rule?

access-list acl-amzn extended permit ip object-group LAN_NETS object-group AWS_NETS
!
no access-list acl-amzn extended permit ip any4 172.31.0.0 255.255.0.0
no access-list acl-amzn extended permit ip any4 10.1.171.0 255.255.255.0

Please do not forget to rate.

Thanks Sheraz, I've changed the ACL but still no luck... Here is the packet-tracer flow of the traffic from the DNS server in Amazon to my PC connected via AnyConnect (the same happens with the LAN subnets).

# packet-tracer input outside2 udp 10.1.171.59 53 10.1.170.2 25000 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.120 using egress ifc outside2

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside2,outside2) source static VPNANYCONNECT VPNANYCONNECT destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside2
Untranslate 10.1.170.2/25000 to 10.1.170.2/25000

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc35ebc1010, priority=11, domain=permit, deny=true
hits=31, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=any

Result:
input-interface: outside2
input-status: up
input-line-status: up
output-interface: outside2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
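Reading a packet-tracer by hand means scanning for the first phase whose Result is DROP and then matching it to the Config and Drop-reason lines. The Python below is an added example for this thread (not a Cisco tool and not the poster's code) that parses the line-oriented format shown above into one record per phase plus the final summary, and reports the dropping phase. The embedded trace is a constructed, shortened copy of the post's output; the parser assumes the `Phase:` / `Type:` / `Config:` / `Additional Information:` layout and a bare `Result:` line opening the final block.

```python
"""Parse Cisco ASA packet-tracer output and report where the flow was dropped.
Added example for this thread; it is not a Cisco tool and not the poster's code."""

# Constructed excerpt, shortened from the trace posted above (rule dumps trimmed).
TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.120 using egress ifc outside2

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside2,outside2) source static VPNANYCONNECT VPNANYCONNECT destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside2
Untranslate 10.1.170.2/25000 to 10.1.170.2/25000

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fc35ebc1010, priority=11, domain=permit, deny=true
input_ifc=outside2, output_ifc=any

Result:
input-interface: outside2
input-status: up
input-line-status: up
output-interface: outside2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


def parse_packet_tracer(text):
    """Return (phases, summary): one dict per 'Phase:' block plus the final 'Result:' block.

    Each phase dict holds the header fields (type, subtype, result) in lower case,
    the lines under 'Config:' and the lines under 'Additional Information:'."""
    phases, summary = [], {}
    phase, section = None, None
    for line in text.splitlines():
        if line.startswith("Phase:"):
            phase = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(phase)
            section = None
        elif line.strip() == "Result:":            # bare 'Result:' opens the final summary
            phase = None
        elif phase is not None:
            if line.startswith("Config:"):
                section = "config"
            elif line.startswith("Additional Information:"):
                section = "info"
            elif section is None and ":" in line:  # Type / Subtype / Result headers
                key, value = line.split(":", 1)
                phase[key.strip().lower()] = value.strip()
            elif section and line.strip():
                phase[section].append(line.strip())
        elif ":" in line:                          # final block: Action, Drop-reason, ...
            key, value = line.split(":", 1)
            summary[key.strip().lower()] = value.strip()
    return phases, summary


def first_drop(phases):
    """The first phase whose Result is DROP, or None if every phase allowed the flow."""
    return next((p for p in phases if p.get("result") == "DROP"), None)


def summarize(text):
    """Condense a trace into the fields an engineer checks first."""
    phases, summary = parse_packet_tracer(text)
    drop = first_drop(phases)
    return {
        "action": summary.get("action"),
        "drop_reason": summary.get("drop-reason"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop.get("type") if drop else None,
        "drop_config": " ".join(drop["config"]) if drop else None,
        "egress": summary.get("output-interface"),
    }


if __name__ == "__main__":
    for key, value in summarize(TRACE).items():
        print(f"{key:12} {value}")
```

On the trace above this reports phase 3, type ACCESS-LIST, config "Implicit Rule": the flow was classified by the interface ACL on outside2 rather than as tunnel traffic, which is the detail worth comparing against a trace taken while the SA is actually up.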

The access list I mentioned earlier is for the site-to-site VPN. Looking into your packet-tracer, you are doing/testing an AnyConnect traffic packet-tracer.

You are not able to connect from AnyConnect either?

please do not forget to rate.

Yes, this issue is affecting the internal subnets (10.1.168.0 and 10.1.169.0) and the AnyConnect subnet (10.1.170.0), even after your suggestion:

access-list acl-amzn extended permit ip object-group LAN_NETS object-group AWS_NETS
access-list acl-amzn extended permit ip object VPNANYCONNECT object-group AWS_NETS

This is the packet-tracer of AWS -> LAN:

# packet-tracer input outside2 udp 10.1.171.59 53 10.1.168.20 20000 det

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a34a5d40, priority=1, domain=permit, deny=false
hits=181173, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside2, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.1.168.20 using egress ifc inside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside2) source static LAN_NETS LAN_NETS destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface inside
Untranslate 10.1.168.20/20000 to 10.1.168.20/20000

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group test in interface outside2
access-list test extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a42ce7e0, priority=13, domain=permit, deny=false
hits=72, user_data=0x7fe797e84b00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside2) source static LAN_NETS LAN_NETS destination static AWS_NETS AWS_NETS no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.171.59/53 to 10.1.171.59/53
Forward Flow based lookup yields rule:
in id=0x7fe7a34a9cc0, priority=6, domain=nat, deny=false
hits=0, user_data=0x7fe7a355aa80, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.1.171.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.168.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=inside

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a2683f90, priority=0, domain=nat-per-session, deny=true
hits=61107, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a34ae740, priority=0, domain=inspect-ip-options, deny=true
hits=25962, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fe7a3f645f0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x0, cs_id=0x7fe7a3f5cce0, reverse, flags=0x0, protocol=0
src ip/id=10.1.171.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=10.1.168.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=outside2, output_ifc=any

Result:
input-interface: outside2
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Thank you for the information you provided. Could you please run this command twice? The reason is that, in order to establish the site-to-site VPN, the ARP entries need to build up, so the first time the packet-tracer will fail; but if you try the same command again after 2 seconds, it will give you the output. If it is failing again, we need to look at the other side's configuration.

packet-tracer input outside2 udp 10.1.171.59 53 10.1.168.20 20000 det

I noted in your packet-tracer:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:

What is the configuration on the other side? Let's start with one issue at a time.

Please do not forget to rate.

Look what I found every time traffic drops:

Jun 09 2020 19:01:28: %ASA-4-402116: IPSEC: Received an ESP packet (SPI= 0xC964E76C, sequence number= 0x5B0) from x.x.x.x (user= x.x.x.x) to y.y.y.y. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as c845:e1dd:5955:35a1:358b:19a:134:ef8b, its source as d172:c59:ae48:ec03:1273:2d88:9a5c:5de, and its protocol as 255. The SA specifie 10.1.168.170.0/255.255.255.0/ip/0 and its remote_proxy as 10.1.168.171.0

I don't know why the encryption domain is involving IPv6 addressing...
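The phase 8 `ipsec-tunnel-flow` drop in the earlier trace and the %ASA-4-402116 message above both come down to the same two questions: does the inner (decapsulated) packet fall inside the proxy identities the crypto ACL defines for the tunnel, and does the vpn-filter applied by the `filter` group policy permit it? The Python below is an added example for this thread (not a Cisco tool and not the poster's code). It parses the object, object-group and access-list lines posted in the thread (a constructed excerpt using the corrected `acl-amzn` entries), evaluates a flow with first-match ACL semantics, and checks an inner packet against a negotiated SA's local/remote proxies. Assumptions: only `ip` entries with the operand forms used in the thread (`any`/`any4`, `host`, network+mask, `object`, `object-group`) are handled, and proxy identities are given as CIDR strings. The vpn-filter convention it encodes is the ASA one: the ACL source is always the remote side, whichever direction the packet travels, which is why `amzn-filter` is written as 172.31.0.0/16 -> 10.1.168.0/24.

```python
"""Check an inbound (decapsulated) L2L flow against the crypto ACL proxies and the
vpn-filter, parsed from ASA config lines. Added example; not the thread's own tool."""
import ipaddress

# Constructed excerpt, using the object names and subnets posted in the thread.
CONFIG = """\
object network VPNANYCONNECT
 subnet 10.1.170.0 255.255.255.0
object-group network AWS_NETS
 network-object 172.31.0.0 255.255.0.0
 network-object 10.1.171.0 255.255.255.0
object-group network LAN_NETS
 network-object 10.1.168.0 255.255.255.0
 network-object 10.1.169.0 255.255.255.0
access-list acl-amzn extended permit ip object-group LAN_NETS object-group AWS_NETS
access-list acl-amzn extended permit ip object VPNANYCONNECT object-group AWS_NETS
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.168.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.169.0 255.255.255.0
access-list amzn-filter extended permit ip 172.31.0.0 255.255.0.0 10.1.170.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.168.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.169.0 255.255.255.0
access-list amzn-filter extended permit ip 10.1.171.0 255.255.255.0 10.1.170.0 255.255.255.0
access-list amzn-filter extended deny ip any any
"""


def _net(addr, mask):
    # ipaddress accepts both prefix lengths and dotted netmasks after the slash.
    return ipaddress.ip_network(f"{addr}/{mask}")


def _addr_spec(tok, i, objs):
    """Consume one ACL address operand starting at tok[i]; return (networks, next index)."""
    t = tok[i]
    if t in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t == "host":
        return [_net(tok[i + 1], 32)], i + 2
    if t in ("object", "object-group"):
        return objs[tok[i + 1]], i + 2
    return [_net(t, tok[i + 1])], i + 2


def parse_config(text):
    """Return (objects, acls): name -> [networks] and acl name -> [(action, src, dst)]."""
    objs, acls, current = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw.startswith(" "):
            current = None            # any top-level line ends the previous object block
        if tok[0] in ("object", "object-group") and tok[1] == "network":
            current = objs.setdefault(tok[2], [])
        elif current is not None and tok[0] == "subnet":
            current.append(_net(tok[1], tok[2]))
        elif current is not None and tok[0] == "host":
            current.append(_net(tok[1], 32))
        elif current is not None and tok[0] == "network-object":
            if tok[1] == "object":
                current.extend(objs[tok[2]])
            elif tok[1] == "host":
                current.append(_net(tok[2], 32))
            else:
                current.append(_net(tok[1], tok[2]))
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = _addr_spec(tok, 5, objs)      # tok[3] = permit/deny, tok[4] = protocol
            dst, _ = _addr_spec(tok, i, objs)
            acls.setdefault(tok[1], []).append((tok[3], src, dst))
    return objs, acls


def acl_lookup(entries, src, dst):
    """First-match evaluation; returns 'permit', 'deny' or 'implicit-deny'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s_nets, d_nets in entries:
        if any(src in n for n in s_nets) and any(dst in n for n in d_nets):
            return action
    return "implicit-deny"


def inbound_tunnel_check(acls, inner_src, inner_dst,
                         crypto_acl="acl-amzn", vpn_filter="amzn-filter"):
    """Inbound decapsulated packet: remote inner_src -> local inner_dst.
    The crypto ACL is written local -> remote, so it is consulted mirrored;
    the vpn-filter is written remote -> local (ASA convention), consulted as-is."""
    return {
        "proxy_match": acl_lookup(acls[crypto_acl], inner_dst, inner_src) == "permit",
        "vpn_filter": acl_lookup(acls[vpn_filter], inner_src, inner_dst),
    }


def sa_covers(local_proxy, remote_proxy, inner_src, inner_dst):
    """Does a negotiated SA (local/remote proxy identities) cover an inbound inner packet?
    This is the check behind the %ASA-4-402116 message quoted in the thread."""
    return (ipaddress.ip_address(inner_src) in ipaddress.ip_network(remote_proxy)
            and ipaddress.ip_address(inner_dst) in ipaddress.ip_network(local_proxy))


OBJS, ACLS = parse_config(CONFIG)

if __name__ == "__main__":
    for src, dst in (("10.1.171.59", "10.1.168.20"), ("10.1.171.59", "10.1.170.2"),
                     ("10.1.171.59", "192.168.50.5")):
        print(src, "->", dst, inbound_tunnel_check(ACLS, src, dst))
    print("SA covers DNS reply:", sa_covers("10.1.168.0/24", "10.1.171.0/24",
                                            "10.1.171.59", "10.1.168.20"))
```

Both flows from the thread's traces (the AWS DNS server to a LAN host and to an AnyConnect client) pass both checks against the posted configuration, so a drop in the `ipsec-tunnel-flow` phase or a 402116 message points at what was actually negotiated for the SA (the peer's proxy identities, visible with `show crypto ipsec sa`) rather than at these ACLs; `sa_covers` is the test to run with the proxies reported there.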