Cisco Bug: CSCuo33828 - ASA Packet-tracer for IPSec Flow drops for wrong reason
Apr 19, 2020
- Cisco ASA 5500-X Series Firewalls
Known Affected Releases
Symptom:
a) Packet-tracer first drops the packet with the reason 'Access-list Drop', i.e. the ASA ignores 'sysopt connection permit-vpn'.
b) Even if the flow is explicitly permitted on the public interface (for troubleshooting purposes), the drop then occurs due to 'ipsec-tunnel-flow' in the VPN phase.

Conditions: ASA acting as IPSec L2L VPN termination point. To troubleshoot a particular flow in the reverse direction (i.e. a flow after decryption), one would generally run packet-tracer from the IPSec termination (public) interface toward the inside LAN.