phuong.nguyenvan
Beginner

VPN ipsec-tunnel-flow drop: Flow is denied by configured rule - VPN IPsec IKEv1

 

I have problems with an IPsec VPN (IKEv1).

My ASA is a 5525-X running version 9.8(1).

My local LAN: 172.16.17.0/24

VPN IP pool: 10.60.60.0/24

I have two outside interfaces: wan1 and wan2. I have successfully tested the IPsec VPN on wan1; ping and access to the local LAN are OK.

But the VPN on wan2, configured the same way, connects successfully but cannot access or ping the local LAN. I am unable to ping from the outside, from the 10.60.60.0/24 network coming in on the outside interface, to the inside network 172.16.17.0/24.
I have the VPN pool NAT and the VPN split network configured OK.

I have attached a file with my ASA configuration and used packet-tracer to discover where the problem lies; the output is reproduced below:

 

Log WAN1=>ok

ASA01# packet-tracer input wan2 icmp 10.60.60.13 8 0 172.16.17.70 detail$

 

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.10.10.253 using egress ifc  inside900

 

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface inside900

Untranslate 172.16.17.70/0 to 172.16.17.70/0

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group WAN2-ACCESS-IN in interface wan2

access-list WAN2-ACCESS-IN extended permit icmp any any

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37566e88c0, priority=13, domain=permit, deny=false

        hits=3081, user_data=0x7f374b1dd080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 4

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

 match any

policy-map global_policy

 class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375876c910, priority=7, domain=conn-set, deny=false

        hits=2093301, user_data=0x7f3758768780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

Static translate 10.60.60.13/0 to 10.60.60.13/0

 Forward Flow based lookup yields rule:

 in  id=0x7f375a1b3860, priority=6, domain=nat, deny=false

        hits=1358, user_data=0x7f37591755b0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=inside900

 

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true

        hits=10271334, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any

 

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375621f320, priority=0, domain=inspect-ip-options, deny=true

        hits=10896907, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 8

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

 match default-inspection-traffic

policy-map global_policy

 class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37584aeed0, priority=70, domain=inspect-icmp, deny=false

        hits=117819, user_data=0x7f37584abd90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3758757f50, priority=70, domain=inspect-icmp-error, deny=false

        hits=117819, user_data=0x7f3758754e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 10

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map class-default

 match any

policy-map global_policy

 class class-default

  inspect ftp

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3758258c20, priority=70, domain=inspect-ftp, deny=false

        hits=1794292, user_data=0x7f3758256400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 11    

Type: VPN

Subtype: ipsec-tunnel-flow

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3757ec02c0, priority=13, domain=ipsec-tunnel-flow, deny=true

        hits=1845726, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 12

Type: NAT

Subtype: rpf-check

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

 Forward Flow based lookup yields rule:

 out id=0x7f37582b9750, priority=6, domain=nat-reverse, deny=false

        hits=1350, user_data=0x7f375669e420, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=inside900

 

Phase: 13

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 out id=0x7f37582510e0, priority=0, domain=user-statistics, deny=false

        hits=15802004, user_data=0x7f3757fe96d0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=inside900

 

Phase: 14

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 in  id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true

        hits=10271336, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any

 

Phase: 15

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 in  id=0x7f375648a550, priority=0, domain=inspect-ip-options, deny=true

        hits=16184830, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=inside900, output_ifc=any

 

Phase: 16

Type: USER-STATISTICS

Subtype: user-statistics

Result: ALLOW

Config:

Additional Information:

 Reverse Flow based lookup yields rule:

 out id=0x7f375824b320, priority=0, domain=user-statistics, deny=false

        hits=10443913, user_data=0x7f3757fe96d0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=wan2

 

Phase: 17

Type: FLOW-CREATION

Subtype:

Result: ALLOW

Config:

Additional Information:

New flow created with id 16313232, packet dispatched to next module

Module information for forward flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_inspect_icmp

snp_fp_punt <inspect_ftp>

snp_fp_translate

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

 

Module information for reverse flow ...

snp_fp_tracer_drop

snp_fp_inspect_ip_options

snp_fp_translate

snp_fp_inspect_icmp

snp_fp_punt <inspect_ftp>

snp_fp_adjacency

snp_fp_fragment

snp_ifc_stat

 

Result:

input-interface: wan2

input-status: up

input-line-status: up

output-interface: inside900

output-status: up

output-line-status: up

Action: allow

 

LOGS=>VPN WAN2=> drop

ASA01# packet-tracer input wan2 icmp 10.60.60.13 8 0 172.16.17.70 detail$

 

Phase: 1

Type: ROUTE-LOOKUP

Subtype: Resolve Egress Interface

Result: ALLOW

Config:

Additional Information:

found next-hop 10.10.10.253 using egress ifc  inside900

 

Phase: 2

Type: UN-NAT

Subtype: static

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

NAT divert to egress interface inside900

Untranslate 172.16.17.70/0 to 172.16.17.70/0

 

Phase: 3

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group WAN2-ACCESS-IN in interface wan2

access-list WAN2-ACCESS-IN extended permit icmp any any

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37566e88c0, priority=13, domain=permit, deny=false

        hits=3075, user_data=0x7f374b1dd080, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 4

Type: CONN-SETTINGS

Subtype:

Result: ALLOW

Config:

class-map class-default

 match any

policy-map global_policy

 class class-default

  set connection decrement-ttl

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375876c910, priority=7, domain=conn-set, deny=false

        hits=2092504, user_data=0x7f3758768780, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 5

Type: NAT

Subtype:

Result: ALLOW

Config:

nat (inside900,wan2) source static Net17_ServerGroup Net17_ServerGroup destination static Net60-IPSEC-VPN Net60-IPSEC-VPN no-proxy-arp route-lookup

Additional Information:

Static translate 10.60.60.13/0 to 10.60.60.13/0

 Forward Flow based lookup yields rule:

 in  id=0x7f375a1b3860, priority=6, domain=nat, deny=false

        hits=1357, user_data=0x7f37591755b0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=10.60.60.0, mask=255.255.255.0, port=0, tag=any

        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=inside900

 

Phase: 6

Type: NAT

Subtype: per-session

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3755491d00, priority=0, domain=nat-per-session, deny=true

        hits=10270522, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=any, output_ifc=any

 

Phase: 7

Type: IP-OPTIONS

Subtype:

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375621f320, priority=0, domain=inspect-ip-options, deny=true

        hits=10895655, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 8

Type: CP-PUNT

Subtype:

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37581c7540, priority=79, domain=punt, deny=true

        hits=1, user_data=0x7f375508c7f0, cs_id=0x0, flags=0x0, protocol=0

        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 9

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

class-map inspection_default

 match default-inspection-traffic

policy-map global_policy

 class inspection_default

  inspect icmp

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f37584aeed0, priority=70, domain=inspect-icmp, deny=false

        hits=117808, user_data=0x7f37584abd90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 10

Type: INSPECT

Subtype: np-inspect

Result: ALLOW

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3758757f50, priority=70, domain=inspect-icmp-error, deny=false

        hits=117808, user_data=0x7f3758754e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1

        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 11

Type: INSPECT

Subtype: inspect-ftp

Result: ALLOW

Config:

class-map class-default

 match any   

policy-map global_policy

 class class-default

  inspect ftp

service-policy global_policy global

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f3758258c20, priority=70, domain=inspect-ftp, deny=false

        hits=1793759, user_data=0x7f3758256400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0

        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any

        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Phase: 12

Type: VPN

Subtype: ipsec-tunnel-flow

Result: DROP

Config:

Additional Information:

 Forward Flow based lookup yields rule:

 in  id=0x7f375a19a380, priority=69, domain=ipsec-tunnel-flow, deny=false

        hits=1, user_data=0x2e8adc, cs_id=0x0, reverse, flags=0x0, protocol=0

        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any

        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0

        input_ifc=wan2, output_ifc=any

 

Result:

input-interface: wan2

input-status: up

input-line-status: up

output-interface: inside900

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule
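As an added helper that is not part of the thread (example code, neither Cisco's nor the poster's), the script below parses two packet-tracer transcripts in the layout shown above and reports the phase that dropped, the phases present only in the dropping run, and the rule fields that changed within the shared lookup domain. The embedded transcripts are constructed, abridged versions of the two runs above; `parse` and `explain_drop` are hypothetical helper names.

```python
import re
# Constructed, abridged transcripts in the layout of the thread's ASA packet-tracer output.
TRACE_OK = """\
Phase: 1
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
 in  id=0x7f3757ec02c0, priority=13, domain=ipsec-tunnel-flow, deny=true
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
Result:
Action: allow
"""
TRACE_DROP = """\
Phase: 1
Type: CP-PUNT
Subtype:
Result: ALLOW
 in  id=0x7f37581c7540, priority=79, domain=punt, deny=true
        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
Phase: 2
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
 in  id=0x7f375a19a380, priority=69, domain=ipsec-tunnel-flow, deny=false
        src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
        dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
RULE_RE = re.compile(r"domain=([\w-]+), deny=(true|false).*?src ip/id=([\d.]+), "
                     r"mask=([\d.]+).*?dst ip/id=([\d.]+), mask=([\d.]+)", re.S)
def parse(trace):
    """Split a transcript into per-phase dicts plus the final Action/Drop-reason."""
    head, _, tail = trace.partition("\nResult:\n")   # phase blocks | final verdict block
    phases = []
    for body in re.split(r"^Phase: \d+ *\n", head, flags=re.M)[1:]:
        f = dict(re.findall(r"^(Type|Subtype|Result): ?(.*)$", body, re.M))
        r = RULE_RE.search(body)   # the rule the flow lookup matched, when one is shown
        phases.append({"type": f["Type"], "subtype": f["Subtype"], "result": f["Result"],
                       "domain": r and r.group(1), "deny": r and r.group(2) == "true",
                       "src": r and "%s/%s" % r.group(3, 4), "dst": r and "%s/%s" % r.group(5, 6)})
    verdict = dict(re.findall(r"^(Action|Drop-reason): (.*)$", tail, re.M))
    return {"phases": phases, "action": verdict.get("Action"), "drop_reason": verdict.get("Drop-reason")}
def explain_drop(ok, bad):
    """Name the dropping phase and how its matched rule differs from the passing run."""
    a, b = parse(ok), parse(bad)
    drop = next((p for p in b["phases"] if p["result"] == "DROP"), None)
    if drop is None:
        return ["no DROP phase: action=%s" % b["action"]]
    notes = ["%s/%s dropped: %s" % (drop["type"], drop["subtype"], b["drop_reason"])]
    notes += ["phase only in dropping run: %s" % p["type"]
              for p in b["phases"] if p["domain"] not in {q["domain"] for q in a["phases"]}]
    twin = next((p for p in a["phases"] if p["domain"] == drop["domain"]), {})  # same domain, passing run
    notes += ["%s differs: %s -> %s" % (k, twin[k], drop[k])
              for k in ("deny", "src", "dst") if twin and twin[k] != drop[k]]
    return notes
```

Run against the full transcripts above (saved to files and read in), it pinpoints the Phase 12 ipsec-tunnel-flow lookup as the only DROP and shows that it matched a host-specific rule for 10.60.60.13 rather than the wildcard rule the passing run hit.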

 

9 Replies
Francesco Molino
VIP Mentor

Hi

I haven't looked yet at your config files. But your packet-tracers are the same, executed from ASA01, with different results. Can you please explain your issue in detail?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco Molino,

I have two outside WAN interfaces, wan1 and wan2, on the ASA 5525-X. I executed both on the same ASA01.

I have an IPsec IKEv1 VPN configuration.

I dialed the VPN on wan1 => successful, and ping and local access work.

Local LAN: 172.16.17.0/24

Remote VPN: 10.60.60.0/24.

But when I dialed the VPN on wan2 => the VPN is successful but I cannot ping or access the local LAN.

These two captured logs: VPN wan1 => ok

Log wan2 => ok, my issue is at Phase 12 VPN

 

Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f375a19a380, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x2e8adc, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.60.60.13, mask=255.255.255.255, port=0, tag=any
dst ip/id=172.16.17.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=wan2, output_ifc=any

I don't know the reason.

 

Thanks

 

I understood that wan2 is problematic whereas wan1 is OK. But in your captures you're sharing two packet-tracers using wan2, and this is where I don't understand.

Do you use multi context? Can you share your config please?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco Molino,
I use single context.
I have attached my detailed ASA config.
Thanks

Where did you attach your config? I don't see your file.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Dear Francesco Molino

My config is attached.

Thanks very much

Can you connect two machines to the VPN (one over wan1 and one over wan2), please?
Then do a show route and share the output, please.
Do a packet-tracer for both WAN interfaces, because last time you did it only from one WAN.

Also, you have some NAT rules that need to be reviewed:
nat (wan2,inside900) source static any any destination static interface H-VFCSRVFTP01 service FTP21 FTP21
nat (wan2,inside900) source static any any destination static interface H-VFCSRAPPISQL service SQL14333 SQL1433
nat (wan2,inside900) source static any any destination static interface H-VFCHDNVR08ET service NVR45678 NVR34567
nat (wan2,inside900) source static any any destination static interface H-VFCSRVFTP01 service WEB80 WEB80

You have to invert them the other way around, with inside900 as source and wan2 as destination, or use object NAT. This is the way you need to build your NAT statements when you want to expose some services to the outside world.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, these commands are the port-forwarding NAT rules from inside to the public outside. They do not involve my VPN issue.

nat (wan2,inside900) source static any any destination static interface H-VFCSRVFTP01 service FTP21 FTP21
nat (wan2,inside900) source static any any destination static interface H-VFCSRAPPISQL service SQL14333 SQL1433
nat (wan2,inside900) source static any any destination static interface H-VFCHDNVR08ET service NVR45678 NVR34567
nat (wan2,inside900) source static any any destination static interface H-VFCSRVFTP01 service WEB80 WEB80

Thanks

I'm not saying these NATs are the issue; it is just a remark. Have you connected the two machines at the same time and exported the output I asked for, so we can troubleshoot further?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question