Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1547
Views
0
Helpful
1
Replies

Particular user traffic ,not passing through firewall.(IPSec l2l packet tracer type vpn subtype encrypt result DROP)

nirav.bhatt
Level 1
Level 1

‎07-31-2013 12:13 PM - edited ‎02-21-2020 07:03 PM

Hi Team ,

I am facing some strange issue  ,

We are running IPSec tunnel between two asa. From past several days , traffic of one paticular segment has stopped suddenly working.

On doing a packet trace with particulare Source and destination - Its getting froped on Phase 9 "

IPSec l2l packet tracer type vpn subtype encrypt result DROP"

I checked with All the ACls , i.e Normal IN to Out , Encryption domain ACL and nat Exemprion ACl .  They seems to be Ok.

I am able to find the packets in packet capture too. On my ASA , I got the partuclar packet captured as ,

"402: 16:07:10.192342 802.1Q vlan#215 P0 192.168.74.32.2263 > 10.240.6.137.22: S 118582042:118582042(0) win 65535 <mss 1460,nop,nop,sackOK> "

And on another ASA side , as per their team , they are not getting the packets for this particular segment.

I have attached a packet capture file for all the 3 acls of that particular , Which shows capture packets that are allowed, And one line for packets  that are not worknig out.

Source : 192.168.74.32 and Destn: 10.240.6.137 port 22

I am not able to get the issue here.

Can someone please help me with the same.

Regards,

Nirav B

Labels:
15364994-Normal_In-to-out_Acl.zip
15364993-nat-Exmpt.zip
15365010-Encryption domainAcl.zip
0 Helpful
1 Reply 1

Jouni Forss
VIP Alumni
VIP Alumni

‎07-31-2013 12:23 PM

Hi,

The "packet-tracer" DROP means that the VPN portion didnt form for that connection to go through so you will not see anything on the remote side since no traffic has left from this side.

Without seeing the configuration and "packet-tracer" output myself I can't really say what the problem is.

Though, if we presume that everything is OK in the configuration side then it would seem to be some wierd problem. Maybe might need to consider rebooting the devices and check the situation again.

Typically though I would start looking for a problem in the configurations.

I've only had one wierd problem related to ASA and L2L VPN. The L2L VPN had 2 local source network and had worked for several months. It suddenly stopped working for the other local LAN network but the other one worked. Though in this case the "packet-tracer" worked but it seemed like the ASA was forwarding the traffic to Internet instead of the L2L VPN.

The ASA was part of Failover pair. Changing the Active device corrected the problem and I would presume that in a single ASA setup a reboot would achieve the same result.

But the above problem seems different from your situation.

- Jouni

0 Helpful
Customers Also Viewed These Support Documents