
Traffic not passing |#pkts encaps: 0, #pkts encrypt

tshabbircisco
Level 1

 

Hello,

We are facing a weird issue: a working VPN suddenly went down. While reviewing, we found that the tunnel is up, however traffic is not passing. I can see pkts encaps: 0 and pkts decaps increasing. I have verified the ACL/NAT thoroughly but am unable to find the root cause.

Additionally, packet tracer also looks good. Urgent help is required. Here are some environment details and some outputs:


Environment:
OnPrem
Cisco ASA 5545
ASA Ver: 9.2
ASDM Ver: 7.2
ASA Interesting Network: 10.20.31.0/24

Azure Side
Routed :
VNET Interesting Traffic: 10.20.80.0/20


#show crypto ipsec sa peer AZ.AZ.AZ.AZ
peer address: AZ.AZ.AZ.AZ
Crypto map tag: Outside-W_map, seq num: 56, local addr: ASA-ASA-ASA-ASA

access-list Outside-W_cryptomap_51 extended permit ip 10.20.31.0 255.255.255.0 10.20.80.0 255.255.240.0
local ident (addr/mask/prot/port): (10.20.31.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.20.80.0/255.255.240.0/0/0)
current_peer: AZ.AZ.AZ.AZ


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9722, #pkts decrypt: 9722, #pkts verify: 9722
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: ASA-ASA-ASA-ASA/500, remote crypto endpt.: AZ.AZ.AZ.AZ/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 2BB3FCD4
current inbound spi : F48DFC9C

inbound esp sas:
spi: 0xF48DFC9C (4102945948)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 142692352, crypto-map: Outside-W_map
sa timing: remaining key lifetime (kB/sec): (4331501/2054)
IV size: 16 bytes
replay detection support: N
outbound esp sas:
spi: 0x2BB3FCD4 (733215956)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 142692352, crypto-map: Outside-W_map
sa timing: remaining key lifetime (kB/sec): (4285440/2054)
IV size: 16 bytes
replay detection support: N

show vpn-sessiondb detail l2l filter ipaddress AZ.AZ.AZ.AZ

Session Type: LAN-to-LAN Detailed

Connection : AZ.AZ.AZ.AZ
Index : 34837 IP Addr : AZ.AZ.AZ.AZ
Protocol : IKEv2 IPsec
Encryption : IKEv2: (1)AES256 IPsec: (2)AES256
Hashing : IKEv2: (1)SHA1 IPsec: (2)SHA1
Bytes Tx : 4413844 Bytes Rx : 11750792
Login Time : 21:18:53 EDT Tue May 2 2023
Duration : 11h:27m:01s

IKEv2 Tunnels: 1
IPsec Tunnels: 2

IKEv2:
Tunnel ID : 34837.1
UDP Src Port : 500 UDP Dst Port : 500
Rem Auth Mode: preSharedKeys
Loc Auth Mode: preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 28800 Seconds Rekey Left(T): 14948 Seconds
PRF : SHA1 D/H Group : 2
Filter Name :

IPsec:
Tunnel ID : 34837.3
Local Addr : 10.20.31.0/255.255.255.0/0/0
Remote Addr : 10.20.80.0/255.255.240.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 3600 Seconds Rekey Left(T): 1406 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607974 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes
Bytes Tx : 0 Bytes Rx : 500492
Pkts Tx : 0 Pkts Rx : 9878

IPsec:
Tunnel ID : 34837.4
Local Addr : 10.20.31.0/255.255.255.0/0/0
Remote Addr : 10.35.0.0/255.255.0.0/0/0
Encryption : AES256 Hashing : SHA1
Encapsulation: Tunnel
Rekey Int (T): 3600 Seconds Rekey Left(T): 3301 Seconds
Rekey Int (D): 4608000 K-Bytes Rekey Left(D): 4607965 K-Bytes
Idle Time Out: 30 Minutes Idle TO Left : 30 Minutes
Bytes Tx : 2725786 Bytes Rx : 6715217
Pkts Tx : 49620 Pkts Rx : 48589

packet-tracer input inside-D tcp 10.20.31.130 111 10.20.80.11 80

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 212.X.X.X, Outside-W

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside-D,Outside-W) source static NETWORK_OBJ_10.20.31.0_24 NETWORK_OBJ_10.20.31.0_24 destination static DM_INLINE_NETWORK_32 DM_INLINE_NETWORK_32 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside-W
Untranslate 10.20.80.11/80 to 10.20.80.11/80

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside-access-IN in interface Inside-D
access-list Inside-access-IN extended permit ip any any
Additional Information:

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside-D,Outside-W) source static NETWORK_OBJ_10.20.31.0_24 NETWORK_OBJ_10.20.31.0_24 destination static DM_INLINE_NETWORK_32 DM_INLINE_NETWORK_32 no-proxy-arp route-lookup
Additional Information:
Static translate 10.20.31.130/111 to 10.20.31.130/111

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside-D,Outside-W) source static NETWORK_OBJ_10.20.31.0_24 NETWORK_OBJ_10.20.31.0_24 destination static DM_INLINE_NETWORK_32 DM_INLINE_NETWORK_32 no-proxy-arp route-lookup
Additional Information:

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 17
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 18
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1033661206, packet dispatched to next module

Result:
input-interface: Inside-D
input-status: up
input-line-status: up
output-interface: Outside-W
output-status: up
output-line-status: up
Action: allow

27 Replies

Hi @tshabbircisco, that's good news. I am glad the issue is resolved and I was able to help.

Disabling data-based rekey is not required unless you have a huge amount of traffic that goes over the tunnels on the ASA. In that case, to avoid any inconsistencies in SA creation, you can proceed with disabling it. The rekey will then be time-based only.

FYI - the workaround that you have applied is not a permanent fix unless you move the ASA to a fixed version. However, I have seen minimal chances of its reoccurrence.

THANK YOU FOR YOUR APPRECIATION AND TRUST

Regards 
Salman Mahajan 

Yes, I shared the asp drops, but the output did not include 10.20.80.0/20. I shared it in previous comments.

Yes, we have dozens of active VPNs on the same firewall.

@tshabbircisco 
Since the asp capture shows no output for 10.20.80.0/20, and as you are saying there are dozens of VPNs on the firewall, it is one of the two then:

1. Overlapping ACL (causing interesting traffic to go to another active SA for encryption)
2. Stale asp entry issue

@Salman Mahajan 

Please advise how to further analyze both cases of overlapping ACL and stale ASP entry.

@tshabbircisco 
We shall isolate the overlapping ACL part first. Can you share the outputs below:

show run | in 10.20.80.0
show crypto ipsec sa | inc ident|caps|spi 
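
The overlap check requested above can be scripted against saved output of `show crypto ipsec sa | inc ident|caps|spi`. The following Python is an added example, not part of the original post and not Cisco tooling: it flags SAs that decapsulate but never encapsulate and lists other active SAs whose proxy identities overlap them. The function names, the constructed sample and its hypothetical third SA are assumptions.

```python
import ipaddress
import re

# Constructed sample in the filtered "show crypto ipsec sa" format. Entry 1 is
# the SA quoted in the thread; the counters and SPIs of entries 2 and 3 are
# constructed, and entry 3 is a hypothetical broader crypto ACL.
SAMPLE = """\
  local ident (addr/mask/prot/port): (10.20.31.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.20.80.0/255.255.240.0/0/0)
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 9722, #pkts decrypt: 9722, #pkts verify: 9722
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  current outbound spi: 2BB3FCD4
  current inbound spi : F48DFC9C
  local ident (addr/mask/prot/port): (10.20.31.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.35.0.0/255.255.0.0/0/0)
  #pkts encaps: 49620, #pkts encrypt: 49620, #pkts digest: 49620
  #pkts decaps: 48589, #pkts decrypt: 48589, #pkts verify: 48589
  current outbound spi: 0A0A0A01
  current inbound spi : 0A0A0A02
  local ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
  remote ident (addr/mask/prot/port): (10.20.64.0/255.255.192.0/0/0)
  #pkts encaps: 51230, #pkts encrypt: 51230, #pkts digest: 51230
  #pkts decaps: 50877, #pkts decrypt: 50877, #pkts verify: 50877
  current outbound spi: 0B0B0B01
  current inbound spi : 0B0B0B02
"""

IDENT = re.compile(r"(local|remote)\s+ident.*\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNT = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")
SPI = re.compile(r"current (outbound|inbound) spi\s*:\s*([0-9A-Fa-f]+)")

def parse_sas(text):
    """Return one dict per SA; a 'local ident' line starts a new SA."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is not None:
                cur[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            continue
        if cur is None:
            continue
        m = COUNT.search(line)  # ignores "#decapsulated frgs ..." lines
        if m:
            cur[m.group(1)] = int(m.group(2))
            continue
        m = SPI.search(line)
        if m:
            cur[m.group(1) + "_spi"] = m.group(2).upper()
    # Drop entries truncated before their remote ident line.
    return [s for s in sas if "local" in s and "remote" in s]

def stalled(sa):
    """The symptom in this thread: packets arrive but none are encrypted."""
    return sa["encaps"] == 0 and sa["decaps"] > 0

def overlapping(sa, sas):
    """Other SAs whose local and remote identities both overlap this SA's."""
    return [o for o in sas if o is not sa
            and sa["local"].overlaps(o["local"])
            and sa["remote"].overlaps(o["remote"])]

def report(text):
    """List (stalled SA, [overlapping SAs]) as 'local -> remote' strings."""
    sas = parse_sas(text)
    label = lambda s: f"{s['local']} -> {s['remote']}"
    return [(label(s), [label(o) for o in overlapping(s, sas)])
            for s in sas if stalled(s)]

if __name__ == "__main__":
    for sa, rivals in report(SAMPLE):
        print("stalled:", sa, "| overlapping SAs:", rivals or "none")
```

An empty overlap list for a stalled SA rules out only overlap with SAs that are currently up; crypto map entries without an active SA still need the `show run` check.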


Hi Salman,

capture asp type asp-drop all [Buffer Full - 524224 bytes]
match ip any 10.20.80.0 255.255.240.0
match tcp host 10.20.31.130 host 10.20.80.11
capture capin type raw-data interface Inside-D [Capturing - 5652 bytes]
match ip any 10.20.80.0 255.255.240.0

But the output shows all drops, but not for 10.20.80.0/20.

P3HR-ASA/sec/act# sh cap asp

617 packets captured

1: 21:15:46.047299 14.17.65.110.443 > 212.69.144.99.80: udp 9 Drop-reason: (acl-drop) Flow is denied by configured rule
2: 21:15:46.054135 35.203.211.225.55469 > 212.69.144.15.10508: S 1526368572:1526368572(0) win 1024 <mss 1460> Drop-reason: (acl-drop) Flow is denied by configured rule
3: 21:15:46.203389 103.45.97.171.42615 > 212.69.144.75.1433: S 2865632:2865632(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
4: 21:15:46.215931 10.20.31.151.3389 > 45.227.254.48.25473: . ack 3303818669 win 516 Drop-reason: (tcp-not-syn) First TCP packet not SYN
5: 21:15:46.300170 10.20.31.151.3389 > 152.89.196.111.57515: . ack 980010676 win 516 Drop-reason: (tcp-not-syn) First TCP packet not SYN
6: 21:15:46.352688 176.111.174.88.42348 > 212.69.144.112.3405: S 4288501496:4288501496(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
7: 21:15:46.357479 45.93.201.51.53253 > 212.69.144.28.333: S 2639930126:2639930126(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
8: 21:15:46.359356 92.63.197.157.58765 > 212.69.144.14.5537: S 3485939288:3485939288(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
9: 21:15:46.443183 162.216.150.163.52201 > 212.69.144.41.56943: S 3958804931:3958804931(0) win 1024 <mss 1460> Drop-reason: (acl-drop) Flow is denied by configured rule
10: 21:15:46.455802 10.20.31.151.3389 > 185.122.204.76.23605: . ack 795932622 win 516 Drop-reason: (tcp-not-syn) First TCP packet not SYN
11: 21:15:46.464514 94.102.61.40.44625 > 212.69.144.76.12001: S 2579234941:2579234941(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
12: 21:15:46.477697 10.20.31.90.60074 > 34.204.109.226.443: R 4210283990:4210283990(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order
13: 21:15:46.533419 94.102.61.40.38853 > 212.69.144.76.18008: S 224450766:224450766(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
14: 21:15:46.663127 185.156.73.57.50966 > 212.69.144.91.9922: S 2652064710:2652064710(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
15: 21:15:46.676677 194.165.16.78.42085 > 212.69.144.19.3389: P 1837961821:1837961938(117) ack 830241196 win 259 Drop-reason: (tcp-not-syn) First TCP packet not SYN
16: 21:15:46.682902 194.165.16.78.42085 > 212.69.144.19.3389: P 1837961938:1837962023(85) ack 830241196 win 259 Drop-reason: (tcp-not-syn) First TCP packet not SYN
17: 21:15:46.703897 194.165.16.78.42085 > 212.69.144.19.3389: R 1837962023:1837962023(0) ack 830241196 win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN
18: 21:15:46.724114 94.102.61.40.44655 > 212.69.144.122.14496: S 452913162:452913162(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
19: 21:15:46.728401 5.10.250.241.54421 > 146.88.180.0.3391: S 2876364308:2876364308(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
20: 21:15:46.751029 10.20.31.155.3389 > 45.227.253.194.48730: R 2742815200:2742815200(0) ack 3086433478 win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN
21: 21:15:46.751059 10.20.31.155.3389 > 45.227.253.194.48730: R 2742815200:2742815200(0) win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN
22: 21:15:46.822986 10.20.31.151.3389 > 88.214.25.137.25306: . ack 1098173291 win 516 Drop-reason: (tcp-not-syn) First TCP packet not SYN
23: 21:15:46.823031 10.20.31.151.3389 > 88.214.25.137.25306: R 3341596647:3341596647(0) ack 1098173291 win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN
24: 21:15:46.837404 14.17.65.110.443 > 212.69.144.99.80: udp 9 Drop-reason: (acl-drop) Flow is denied by configured rule
25: 21:15:46.837435 14.17.65.110.443 > 212.69.144.99.80: udp 9 Drop-reason: (acl-drop) Flow is denied by configured rule
26: 21:15:46.871170 192.241.239.10.60115 > 212.69.144.35.4332: S 3187203597:3187203597(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
27: 21:15:46.952785 92.63.197.153.56495 > 212.69.144.75.19999: S 1055580786:1055580786(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
28: 21:15:46.964748 61.219.18.151.65520 > 212.69.144.104.23: S 3561328744:3561328744(0) win 49352 Drop-reason: (acl-drop) Flow is denied by configured rule
29: 21:15:46.981043 207.99.59.87.995 > 212.69.144.23.55767: . ack 4258708938 win 524 Drop-reason: (acl-drop) Flow is denied by configured rule
30: 21:15:46.998285 94.102.61.40.37486 > 212.69.144.86.10080: S 2087227232:2087227232(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
31: 21:15:47.002303 35.203.210.14.50308 > 146.88.180.4.30085: S 1355257855:1355257855(0) win 65535 <mss 1460> Drop-reason: (acl-drop) Flow is denied by configured rule
32: 21:15:47.011367 89.248.163.167.58646 > 212.69.144.19.33553: S 2468033536:2468033536(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
33: 21:15:47.014907 89.248.165.187.41171 > 212.69.144.54.34629: S 597002798:597002798(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
34: 21:15:47.083873 91.240.118.243.54488 > 212.69.144.36.9443: S 1709409639:1709409639(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
35: 21:15:47.094096 78.128.112.58.52978 > 212.69.144.12.33412: S 1065344867:1065344867(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
36: 21:15:47.187856 78.128.113.102.48598 > 212.69.144.18.4449: S 3587400358:3587400358(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
37: 21:15:47.193730 94.102.61.40.56414 > 212.69.144.13.12001: S 4265383152:4265383152(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
38: 21:15:47.298339 13.64.137.162.10752 > 212.69.144.91.443: R 3820287615:3820287615(0) ack 0 win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN
39: 21:15:47.316466 194.165.16.14.31381 > 212.69.144.12.80: R 3264222892:3264222892(0) win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN
40: 21:15:47.327894 70.104.129.111.24160 > 212.69.144.12.20009: udp 68 Drop-reason: (acl-drop) Flow is denied by configured rule
41: 21:15:47.328825 94.102.61.40.49741 > 212.69.144.72.14496: S 2771298511:2771298511(0) win 65535 Drop-reason: (acl-drop) Flow is denied by configured rule
42: 21:15:47.333265 14.17.65.110.443 > 212.69.144.99.80: udp 9 Drop-reason: (acl-drop) Flow is denied by configured rule
43: 21:15:47.373393 89.248.163.7.59708 > 212.69.144.92.35722: S 1999566946:1999566946(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule
44: 21:15:47.422661 90.176.72.208.50087 > 212.69.144.84.23: S 1421659266:1421659266(0) win 14600 <mss 1452> Drop-reason: (acl-drop) Flow is denied by configured rule
45: 21:15:47.431801 147.78.47.167.8424 > 212.69.144.12.80: R 3905632397:3905632397(0) win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN
46: 21:15:47.480962 92.63.197.157.58765 > 212.69.144.47.5537: S 4269166857:4269166857(0) win 1024 Drop-reason: (acl-drop) Flow is denied by configured rule

Hi,

I edited my post as I thought it's VTI instead of crypto map. Just do the inside pcap as the guys suggested.

 

**** please remember to rate useful posts

It is a crypto map tunnel, and the egress interface will show Outside only.

Thx mate. I thought I saw VTI (probably confused with a different post). I will edit mine.

Hello friend,
please do the same packet capture but with the detail keyword.

@MHM Cisco World 

 

P3HR-ASA/sec/act# packet-tracer input inside-D tcp 10.20.31.130 111 10.20.80.1$

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffed3fc1de0, priority=13, domain=capture, deny=false
hits=71389761, user_data=0x7ffed400a190, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Inside-D, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecffecd30, priority=1, domain=permit, deny=false
hits=173187681846, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Inside-D, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 via 212.x.x.x, Outside-W

Phase: 4
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside-D,Outside-W) source static NETWORK_OBJ_10.20.31.0_24 NETWORK_OBJ_10.20.31.0_24 destination static DM_INLINE_NETWORK_32 DM_INLINE_NETWORK_32 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface Outside-W
Untranslate 10.20.80.11/80 to 10.20.80.11/80

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside-access-IN in interface Inside-D
access-list Inside-access-IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffed01c2590, priority=13, domain=permit, deny=false
hits=3847504114, user_data=0x7ffec7632400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0,, dscp=0x0
input_ifc=Inside-D, output_ifc=any

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecf548830, priority=7, domain=conn-set, deny=false
hits=3860987124, user_data=0x7ffecf545de0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside-D, output_ifc=any

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside-D,Outside-W) source static NETWORK_OBJ_10.20.31.0_24 NETWORK_OBJ_10.20.31.0_24 destination static DM_INLINE_NETWORK_32 DM_INLINE_NETWORK_32 no-proxy-arp route-lookup
Additional Information:
Static translate 10.20.31.130/111 to 10.20.31.130/111
Forward Flow based lookup yields rule:
in id=0x7ffeda8e3ec0, priority=6, domain=nat, deny=false
hits=20010, user_data=0x7ffed2fdc830, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.20.31.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.20.80.0, mask=255.255.240.0, port=0, tag=0, dscp=0x0
input_ifc=Inside-D, output_ifc=Outside-W

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffece8d9f50, priority=0, domain=nat-per-session, deny=false
hits=6150700729, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffecf87b8a0, priority=0, domain=inspect-ip-options, deny=true
hits=5941832062, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Inside-D, output_ifc=any

Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffed01be690, priority=21, domain=lu, deny=true
hits=37405752, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=80, tag=0, dscp=0x0
input_ifc=Inside-D, output_ifc=any

Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffed3f6b0f0, priority=70, domain=encrypt, deny=false
hits=226687, user_data=0x43eeba04, cs_id=0x7ffed20d7540, reverse, flags=0x0, protocol=0
src ip/id=10.20.31.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.20.80.0, mask=255.255.240.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=Outside-W

Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside-D,Outside-W) source static NETWORK_OBJ_10.20.31.0_24 NETWORK_OBJ_10.20.31.0_24 destination static DM_INLINE_NETWORK_32 DM_INLINE_NETWORK_32 no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffee0f39aa0, priority=6, domain=nat-reverse, deny=false
hits=20453, user_data=0x7ffee0f7a320, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.20.31.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.20.80.0, mask=255.255.240.0, port=0, tag=0, dscp=0x0
input_ifc=Inside-D, output_ifc=Outside-W

Phase: 13
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffecf53fff0, priority=0, domain=user-statistics, deny=false
hits=5886559492, user_data=0x7ffed041e3f0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=Outside-W

Phase: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffed4d9c9f0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=358339, user_data=0x43f315b4, cs_id=0x7ffed20d7540, reverse, flags=0x0, protocol=0
src ip/id=10.20.80.0, mask=255.255.240.0, port=0, tag=0
dst ip/id=10.20.31.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=Outside-W, output_ifc=any

Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffece8d9f50, priority=0, domain=nat-per-session, deny=false
hits=6150700731, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7ffed00f28a0, priority=0, domain=inspect-ip-options, deny=true
hits=5712670089, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=Outside-W, output_ifc=any

Phase: 17
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0x7ffecf540eb0, priority=0, domain=user-statistics, deny=false
hits=5520261211, user_data=0x7ffed041e3f0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=Inside-D

Phase: 18
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1036220607, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside-D
input-status: up
input-line-status: up
output-interface: Outside-W
output-status: up
output-line-status: up
Action: allow

P3HR-ASA/sec/act#

I see standby-update?
Is the FW in HA?

ASA# sh asp table vpn-context detail | beg 7ffed041e3f0 <<- if it is not showing then remove the include and use the command with it
