Hi,
We have 3-4 locations, which are given below.
1. HO = LAN Segment 172.26.4.0/22 & 172.26.150.0
2. Jabel Ali at Dubai LAN Segment 10.120.1.0/24
3. RAK at Dubai LAN Segment 10.110.1.0/24
4. US LAN Segment 10.120.8.0/23 & 192.168.0.0/24
HO end Cisco ASA 5515X ios ver 8.6(1)2
Jabel Ali end Cisco ASA 5510 ios ver 7.0(8)
RAK end Cisco ASA 5510 ios ver 8.0(2)
US end Cisco ASA 5512-x ios ver 9.1(2)
HO is the central/hub site, and all other locations are connected as spoke locations. All locations are connected to HO via site-to-site VPN over the internet.
We are able to ping from Jabel Ali to RAK via HO.
We are able to ping from Jabel Ali to Egypt via HO.
We are able to ping from Jabel Ali to US via HO.
We are also able to ping the following: HO to Jabel Ali, HO to RAK, & HO to US.
Problem: Sometimes we are not able to ping from Jabel Ali to RAK via HO or from Jabel Ali to US via HO, meaning ping is not working between 10.120.1.1 and 10.110.1.1 or between 10.120.1.1 and 10.120.8.1/192.168.0.1, but HO to Jabel Ali, HO to RAK & HO to US are working at the same time.
To resolve this issue, we run packet-tracer on the HO-end ASA, and then communication starts between Jabel Ali and RAK or Jabel Ali and US.
packet-tracer input inside tcp 10.120.1.10 80 10.110.1.10 80
The packet tracer log is attached.
Kindly suggest how to resolve the issue.
Please find the packet tracer output:
RELIANCE-ASA# packet-tracer input inside tcp 10.120.1.10 80 10.110.1.10 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
<--- More --->
Phase: 4
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.120.1.0 obj-10.120.1.0 destination static obj-10.110.1.0 obj-10.110.1.0 no-proxy-arp route-lookup
Additional Information:
Static translate 10.120.1.10/80 to 10.120.1.10/80
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
RELIANCE-ASA#
RELIANCE-ASA# packet-tracer input inside tcp 10.120.1.10 80 10.110.1.10 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IDS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.120.1.0 obj-10.120.1.0 destination static obj-10.110.1.0 obj-10.110.1.0 no-proxy-arp route-lookup
Additional Information:
Static translate 10.120.1.10/80 to 10.120.1.10/80
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 7
<--- More --->
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 429362154, packet dispatched to next module
Result:
input-interface: inside
input-status: up
<--- More --->
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
RELIANCE-ASA#
RELIANCE-ASA#
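As an added example (not part of the post above), a small Python parser for ASA packet-tracer output of the shape shown: it splits a pasted CLI capture into runs, extracts each run's per-phase result, final action and drop-reason, and reports the first DROP phase, which makes it immediately visible that the first run fails at the VPN encrypt phase with acl-drop while the second run, after the tunnel is up, is allowed through to flow creation. The embedded capture is constructed from the output above, abbreviated to the lines the parser needs; the hostname prompt and pager line are handled as they appear on the page.

```python
import re

# Constructed sample, abbreviated from the shape of the ASA packet-tracer output
# above: the same command captured twice. The first run is dropped at the VPN
# encrypt phase; the second (after the tunnel came up) is allowed end to end.
SAMPLE = """\
RELIANCE-ASA# packet-tracer input inside tcp 10.120.1.10 80 10.110.1.10 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
RELIANCE-ASA# packet-tracer input inside tcp 10.120.1.10 80 10.110.1.10 80
Phase: 6
Type: VPN
Subtype: encrypt
Result: ALLOW
Phase: 7
<--- More --->
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Action: allow
"""
PHASE_RE = re.compile(r"Phase: (\d+)\nType: (\S+)\nSubtype: ?(.*)\nResult: (\S+)")

def split_runs(text):
    """One chunk per packet-tracer command; pager prompts are stripped first."""
    text = text.replace("<--- More --->\n", "")
    return re.split(r"(?m)^\S+# packet-tracer ", text)[1:]

def parse_run(run):
    """Phases as (num, type, subtype, result) plus the final action and drop reason."""
    phases = [(int(n), t, s.strip(), r) for n, t, s, r in PHASE_RE.findall(run)]
    action = re.search(r"^Action: (\w+)", run, re.M)
    reason = re.search(r"^Drop-reason: (.*)", run, re.M)
    return {"phases": phases,
            "action": action.group(1) if action else None,
            "drop_reason": reason.group(1) if reason else None}

def first_drop(info):
    """(type, subtype, reason) of the first DROP phase, or None if every phase allowed."""
    for _, ptype, subtype, result in info["phases"]:
        if result == "DROP":
            return (ptype, subtype, info["drop_reason"])
    return None
```

Run it over a full capture pasted into SAMPLE (or read from a file) and compare first_drop() across runs; a DROP at "VPN encrypt" that clears on the next run points at the tunnel/crypto-map state rather than at an interface ACL or NAT rule.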