Packet Tracer Phase 9 Type:VPN Subtype:encrypt Result:DR

We have an issue of no traffic flow over IPSec VPN, however the VPN is successfully established between Cisco ASA firewalls in Site A and Site B.

Using packet-tracer, we are trying to find out the path and status of an icmp packet leaving the firewall. For ICMP, you need to specify ICMP type (8) and ICMP code (0). 10.10.10.0/24 subnet presents behind one end of ASA (ASA-A) and 20.20.20.0/24 on the other ASA (ASA-B).

packet-tracer input inside icmp 10.10.10.1 8 0 20.20.20.1 detailed

And when your packet gets ‘dropped’ like below, then it usually means that there is a mismatch access-list in one of those ASAs. In my case, it was bit different, ASA-A got several IPSec VPN tunnel with my other branch offices (ASA-C, ASA-D…etc) and by mistake, I added 20.20.20.0/24 in ASA-A on ACL to ASA-C.

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fdf4556a7c0, priority=70, domain=encrypt, deny=false
hits=18572, user_data=0x0, cs_id=0x7fdf46012830, reverse, flags=0x0, protocol=0
src ip/id=10.10.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=20.20.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside

I was spending couple of days to fix this issue, so this article might be useful to someone who got similar problem.

You may also like...

Thank you for visiting us. To continue receiving updates, please Subscribe to our Social Media Channels.