Packet Tracer Fails VPN:Encrypt:Drop

Hello,

I'm currently meeting an issue with a VPN IKEv2. Actually I have 2 local subnets (10.10.0.0/16 & 192.168.90.0/24) that want to reach a remote subnet (10.20.0.0/16). Here is my access-list:

access-list ACL_REMOTE line 1 extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list ACL_REMOTE line 2 extended permit ip 192.168.90.0 255.255.255.0 10.20.0.0 255.255.0.0

VPN is established correctly but I have only inbound traffic.

access-list ACL_REMOTE extended permit ip 192.168.90.0 255.255.255.0 10.20.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.90.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
current_peer: --


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 12163, #pkts decrypt: 12163, #pkts verify: 12163
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0

 

When I run a packet tracer, it stops at step 9.

#packet-tracer input inside-2 tcp 192.168.90.10 6568 10.20.0.10 www

....

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside-2
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

The ACL that defines the ‘interesting traffic’ for the VPN is identical on both ends, and the VPNs that are configured on the same firewall work perfectly. Has anybody any idea what is happening?

P.S.: my version of firewall is 9.5(2).


@Christos Papageorgopoulos 

Do you have a NAT exemption rule set up to ensure traffic over the VPN is not unintentionally NATed?

Example (change accordingly to fit your configuration):

nat (INSIDE,OUTSIDE) source static LAN LAN destination static REMOTE REMOTE no-proxy-arp

If you do have this NAT rule in place, please provide the full output of packet-tracer.

Yes, NAT exemption has been configured. Please find below the full output of packet-tracer:

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop -- using egress ifc outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside-2,outside) source static LAN_LOCAL LAN_LOCAL destination static LAN_REMOTE LAN_REMOTE no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.20.0.10/80 to 10.20.0.10/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE-2-IN in interface inside-2
access-list INSIDE-2-IN extended permit ip object LAN_LOCAL object LAN_REMOTE
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside-2,outside) source static LAN_LOCAL LAN_LOCAL destination static LAN_REMOTE LAN_REMOTE no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.90.10/6546 to 192.168.90.10/6546

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside-2
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
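
As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python triage helper for exactly this kind of output. It parses crypto ACL lines in the dotted host/mask form used in the original post and packet-tracer output in the Phase/Result layout shown above, reports which phase dropped the flow and with which drop reason, and checks whether the tested source/destination pair is covered by the local crypto ACL at all. The sample input is constructed from the thread (the packet-tracer copy is abbreviated to the first and the dropping phase); the hint string only restates checks already raised in this thread.

```python
import ipaddress
import re

# Constructed sample input: the two crypto ACL lines quoted in the post and an
# abbreviated copy of the thread's packet-tracer output (phases 2-8 omitted).
CRYPTO_ACL = """\
access-list ACL_REMOTE line 1 extended permit ip 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0
access-list ACL_REMOTE line 2 extended permit ip 192.168.90.0 255.255.255.0 10.20.0.0 255.255.0.0
"""
PACKET_TRACER = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside-2
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# ACE in the dotted host/mask form used in the post ("object"/"any" forms do not match).
ACE_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)(?:\s+line\s+\d+)?\s+extended\s+"
    r"(?P<action>permit|deny)\s+(?P<proto>\S+)\s+"
    r"(?P<src>[\d.]+)\s+(?P<smask>[\d.]+)\s+(?P<dst>[\d.]+)\s+(?P<dmask>[\d.]+)")
# "Key: value" line of packet-tracer output (keys: letters, spaces, hyphens).
KEY_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z -]*):\s*(?P<val>.*)$")

def parse_acl(text):
    """ACEs as dicts holding ip_network objects (first-match order preserved)."""
    entries = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append({"action": m["action"],
                            "src": ipaddress.ip_network(f"{m['src']}/{m['smask']}"),
                            "dst": ipaddress.ip_network(f"{m['dst']}/{m['dmask']}")})
    return entries

def match_crypto_acl(entries, src_ip, dst_ip):
    """First ACE (top-down) whose networks cover src->dst, else None."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((e for e in entries if s in e["src"] and d in e["dst"]), None)

def parse_packet_tracer(text):
    """(phases, summary): one dict per 'Phase:' block plus the trailing 'Result:' block."""
    phases, summary, cur, last_key = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m is None:  # continuation line, e.g. "Implicit Rule" under Config:
            if cur is not None and last_key is not None:
                cur[last_key] = (cur[last_key] + "\n" + line).strip()
            continue
        key, val = m["key"], m["val"]
        if key == "Phase":
            cur = {"Phase": int(val)}
            phases.append(cur)
        elif key == "Result" and val == "":  # bare "Result:" opens the summary
            cur, last_key = summary, None
            continue
        elif cur is not None:
            cur[key] = val
        last_key = key
    return phases, summary

def first_drop(phases, summary):
    """(phase number, 'Type/Subtype', drop reason) of the dropping phase, or None."""
    for p in phases:
        if p.get("Result") == "DROP":
            label = f"{p.get('Type', '?')}/{p.get('Subtype') or '-'}"
            return p["Phase"], label, summary.get("Drop-reason", "")
    return None

def triage(acl_text, tracer_text, src_ip, dst_ip):
    """Findings for one flow: where packet-tracer dropped it and whether the
    local crypto ACL selects it as interesting traffic at all."""
    drop = first_drop(*parse_packet_tracer(tracer_text))
    ace = match_crypto_acl(parse_acl(acl_text), src_ip, dst_ip)
    findings = ["packet-tracer: every phase returned ALLOW" if drop is None else
                f"packet-tracer: dropped at phase {drop[0]} ({drop[1]}): {drop[2]}"]
    if ace is None or ace["action"] != "permit":
        findings.append(f"crypto ACL: {src_ip} -> {dst_ip} is not permitted as interesting traffic")
    else:
        findings.append(f"crypto ACL: {src_ip} -> {dst_ip} matches {ace['src']} -> {ace['dst']}")
        if drop is not None and drop[1] == "VPN/encrypt":
            findings.append("hint: local crypto ACL matches, so compare the peer's mirror ACL, "
                            "the NAT exemption and the interface the tunnel is bound to")
    return findings
```

Calling triage(CRYPTO_ACL, PACKET_TRACER, "192.168.90.10", "10.20.0.10") reports the drop at phase 9 (VPN/encrypt) with the acl-drop reason and confirms that the flow matches the second ACE of ACL_REMOTE. That negative result is the useful part: the local interesting-traffic definition is not what is rejecting the packet, so the next things to compare are the peer's mirror ACL, the NAT exemption and which interface the tunnel is actually bound to.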

Are there dual ISPs?