Cisco Bug: CSCuo33828 - ASA Packet-tracer for IPSec Flow drops for wrong reason

Last Modified

Apr 19, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.1(5)

Description (partial)

Symptom:
a) Packet-tracer first drops the packet with the reason 'Access-list Drop' [i.e. the ASA ignores 'sysopt connection permit-vpn', which should exempt decrypted VPN traffic from the interface ACL].
b) Even if the flow is explicitly permitted on the public interface [for troubleshooting purposes], the drop then occurs in the VPN phase with the reason 'ipsec-tunnel-flow'.

Conditions:
ASA acting as an IPSec L2L VPN termination point.
- To troubleshoot a particular flow in the reverse direction [i.e. a flow after decryption], one would generally run a packet-tracer from the IPSec termination interface [public] toward the inside LAN.