Cisco ASA – Packet Tracer Fails VPN:Encrypt:Drop

KB ID 0001198

Problem

Sometimes when troubleshooting VPN traffic, you may choose to use the ‘packet-tracer’ command to simulate interesting traffic. I did this today and got;

[box]

Phase: {number}
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]

I replicated the error on the test bench.

Solution

Below is the full packet trace;

[box]

Petes-ASA(config)# packet-tracer input inside tcp 192.168.254.1 www 10.254.254.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.254.254.10/80 to 10.254.254.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.254.1/80 to 192.168.254.1/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

[/box]
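Reading a long trace by eye is error-prone, so below is a small parser for the packet-tracer output format shown above. It is an added example, not part of the original article: it walks the "Phase:" blocks, picks out the first phase whose Result is DROP, and pairs it with the Drop-reason from the trailing "Result:" block. The embedded trace is a constructed, abridged sample in the same layout as the one above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample (not copied from a live firewall): an abridged packet-tracer
# output in the same layout as the trace in the article, ending in a VPN encrypt drop.
SAMPLE_TRACE = """\
Petes-ASA(config)# packet-tracer input inside tcp 192.168.254.1 www 10.254.254.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:

Phase: 3
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class Phase:
    number: int
    kind: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)


def parse_packet_tracer(text):
    """Return (phases, final): the list of Phase blocks and the trailing 'Result:' block as a dict."""
    phases, final = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            section = None
            continue
        if line == "Result:":          # bare 'Result:' starts the final summary block
            current, section = None, "final"
            continue
        if section == "final":
            key, _, value = line.partition(":")
            final[key.strip()] = value.strip()
            continue
        if current is None:            # e.g. the echoed packet-tracer command line
            continue
        if line.startswith("Type:"):
            current.kind = line[len("Type:"):].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line[len("Subtype:"):].strip()
        elif line.startswith("Result:"):
            current.result = line[len("Result:"):].strip()
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section == "config":
            current.config.append(line)
        elif section == "info":
            current.info.append(line)
    return phases, final


def find_drop(text):
    """Summarise the first DROP phase, or return None when the packet was allowed end to end."""
    phases, final = parse_packet_tracer(text)
    for p in phases:
        if p.result == "DROP":
            return {
                "phase": p.number,
                "type": p.kind,
                "subtype": p.subtype,
                "drop_reason": final.get("Drop-reason", ""),
                "action": final.get("Action", ""),
            }
    return None


if __name__ == "__main__":
    print(find_drop(SAMPLE_TRACE))
```

Feed it the output of a real `packet-tracer` run and the returned dictionary tells you in one line which phase (here Phase 3, VPN/encrypt) rejected the flow and why; an allowed trace returns None.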

This is an annoying error that is difficult to solve. The reason you are seeing it is that the ACL which defines the ‘interesting traffic’ for the VPN does not have a MIRROR IMAGE ACL on the OTHER VPN endpoint. As soon as this was rectified, the packet-trace ran successfully.

[box]

Petes-ASA(config)# packet-tracer input inside tcp 192.168.254.1 www 10.254.254.10 www

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface outside
Untranslate 10.254.254.10/80 to 10.254.254.10/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outbound in interface inside
access-list outbound extended permit ip any any
Additional Information:

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection decrement-ttl
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.254.1/80 to 192.168.254.1/80

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static Obj-SiteA Obj-SiteA destination static Obj-SiteB Obj-SiteB no-proxy-arp route-lookup
Additional Information:

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 359, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

[/box]
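The fix above was to make the crypto ACLs at the two ends mirror images of each other. The following added example (not from the article) checks that mechanically: it parses the `access-list ... extended permit` lines of each side's crypto ACL into (protocol, source, destination) triples and reports any entry on one side that has no source/destination-swapped counterpart on the other. The ACL names, network ranges and the missing line on Site B are all constructed for the example.

```python
import ipaddress

# Constructed sample crypto ACLs (names and networks are made up for this example).
# Site B is deliberately missing the mirror of Site A's second line.
SITE_A_ACL = """\
access-list VPN-to-SiteB extended permit ip 192.168.254.0 255.255.255.0 10.254.254.0 255.255.255.0
access-list VPN-to-SiteB extended permit ip 192.168.253.0 255.255.255.0 10.254.254.0 255.255.255.0
"""
SITE_B_ACL = """\
access-list VPN-to-SiteA extended permit ip 10.254.254.0 255.255.255.0 192.168.254.0 255.255.255.0
"""


def _parse_addr(tokens, i):
    """Consume one ASA address spec (any | host X | NET MASK) starting at tokens[i]."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA writes a dotted-decimal mask after the network, not a prefix length
    return ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_crypto_acl(text):
    """Return a set of (protocol, src_network, dst_network) for every permit line."""
    entries = set()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
            continue
        if tokens[3] != "permit":
            continue  # deny lines do not select traffic for the tunnel
        proto = tokens[4]
        src, i = _parse_addr(tokens, 5)
        dst, _ = _parse_addr(tokens, i)
        entries.add((proto, src, dst))
    return entries


def missing_mirrors(local_acl, remote_acl):
    """List entries on each side whose swapped (src<->dst) twin is absent on the other side."""
    local = parse_crypto_acl(local_acl)
    remote = parse_crypto_acl(remote_acl)
    mirrored_remote = {(p, d, s) for (p, s, d) in remote}
    mirrored_local = {(p, d, s) for (p, s, d) in local}
    fmt = lambda e: f"{e[0]} {e[1]} -> {e[2]}"
    return {
        "missing_on_remote": [fmt(e) for e in sorted(local - mirrored_remote, key=str)],
        "missing_on_local": [fmt(e) for e in sorted(remote - mirrored_local, key=str)],
    }


if __name__ == "__main__":
    # Each line reported here is a flow that would hit 'VPN / encrypt / DROP' on one side.
    print(missing_mirrors(SITE_A_ACL, SITE_B_ACL))
```

Paste each firewall's `show run access-list <crypto-acl-name>` output into the two strings; an empty report on both keys means the interesting-traffic definitions agree. Object-group based ACLs would first need expanding (e.g. from `show access-list`), which this example does not do.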

Related Articles, References, Credits, or External Links

Troubleshooting Phase 1 Cisco Site to Site (L2L) VPN Tunnels

Troubleshooting Phase 2 Cisco Site to Site (L2L) VPN Tunnels

MAC OSX – Connecting to Cisco IPSEC VPN

KB ID 0001197 

Problem

Here we are dealing with the older IPSEC VPN method of remote VPNs, NOT AnyConnect. There is/was a VPN client for Mac OSX which you can still download, but modern versions of OSX have the Cisco IPSec VPN client built into them.

I’m assuming you have already configured the firewall, if not see the article below;

Cisco ASA5500 Client IPSEC VPN Access

Solution

Open your network preferences and add in a new connection > Interface = VPN > VPN Type = Cisco IPSec > Service Name = A sensible name you will recognise, (like connection to work, or home  etc.)


Server address is the public IP (or name, if you have DNS set up*) of your Cisco Firewall > Enter your VPN username > I don’t put in the password, so I will have to type it in manually > Click Authentication Settings.

*For DNS you will need a static public IP and a registered domain name. The ASA DOES NOT support DNS updates to online services like DynDNS or No-IP etc. It does support DDNS, but that means the server that leases you your public address is supposed to update your DNS for you, and unless you are your own ISP and host your own public DNS records, this won’t work!

Here you need to supply the ‘shared secret’ for the VPN tunnel, and the Group Name. Your firewall admin should give these to you. If they don’t know, tell them to run ‘more system:running-config’ on the firewall and give you the shared secret and the ‘group-policy’/’tunnel-group’ name for this remote VPN > OK.

Nearly every time you will use DHCP: the firewall will either lease you an address from a ‘pool’ of VPN addresses, or broker the connection and use your internal DHCP server.

Now to connect the VPN, select the icon shown, and click your Cisco VPN, (in the picture I have two).

If you didn’t put your password in during setup, you will be prompted to enter it to continue.

Does it not work?

With all things Cisco, if there’s a problem, your easiest way to a solution is to run a ‘debug’ on the firewall. Execute the following two commands on the firewall and attempt to connect again; this should point you in the right direction.

[box]

debug crypto isakmp 127
debug crypto ipsec 127

[/box]

Related Articles, References, Credits, or External Links

iPhone and iPad – Configure the Cisco VPN Client