We had an issue where no traffic flowed over an IPsec VPN even though the tunnel was successfully established between Cisco ASA firewalls at Site A and Site B.
Using packet-tracer, we trace the path and status of an ICMP packet leaving the firewall. For ICMP, packet-tracer needs the ICMP type and code after the source address: type 8, code 0 is an echo request. The 10.10.10.0/24 subnet sits behind one ASA (ASA-A) and 20.20.20.0/24 behind the other (ASA-B).
packet-tracer input inside icmp 10.10.10.1 8 0 20.20.20.1 detailed
When the packet gets dropped in the VPN encrypt phase like below, it usually means the crypto ACLs (the interesting-traffic ACLs referenced by the crypto map) are mismatched between the two ASAs. In my case it was a bit different: ASA-A has several IPsec VPN tunnels to my other branch offices (ASA-C, ASA-D, etc.), and by mistake I had added 20.20.20.0/24 to the crypto ACL for ASA-C on ASA-A. The ASA evaluates crypto map entries in sequence-number order and uses the first entry whose ACL permits the flow, so traffic for 20.20.20.0/24 was matched against the ASA-C entry, which has no SA covering that flow, and was dropped at encryption even though the Site A to Site B tunnel was up. A quick check is to compare the local/remote proxy identities in `show crypto ipsec sa` with the ACLs in `show run crypto map` to see which entry the flow actually hits.
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fdf4556a7c0, priority=70, domain=encrypt, deny=false
hits=18572, user_data=0x0, cs_id=0x7fdf46012830, reverse, flags=0x0, protocol=0
src ip/id=10.10.10.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=20.20.20.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=outside
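The following is an added example, not part of the original post, showing how to spot this kind of crypto ACL overlap before packet-tracer has to. It parses a constructed ASA-A config fragment (the ACL names, crypto map name and sequence numbers, peer addresses, and the 30.30.30.0/24 subnet behind ASA-C are all assumptions) and reports which crypto map entry a flow would match and where two entries for different peers cover the same address space.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed ASA-A config fragment for illustration. ACL names, map name,
# sequence numbers, peer IPs and the 30.30.30.0/24 subnet are assumptions.
# The last ACE in VPN-TO-C reproduces the mistake described in the post:
# 20.20.20.0/24 (behind ASA-B) was added to the ACL used for ASA-C.
ASA_A_CONFIG = """
access-list VPN-TO-B extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
access-list VPN-TO-C extended permit ip 10.10.10.0 255.255.255.0 30.30.30.0 255.255.255.0
access-list VPN-TO-C extended permit ip 10.10.10.0 255.255.255.0 20.20.20.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-TO-C
crypto map OUTSIDE_MAP 10 set peer 203.0.113.3
crypto map OUTSIDE_MAP 20 match address VPN-TO-B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.2
crypto map OUTSIDE_MAP interface outside
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
ACE_RE = re.compile(rf"^access-list (\S+) extended permit ip {IP} {IP} {IP} {IP}$")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def parse_config(text):
    """Parse crypto ACLs and crypto map entries from an ASA config fragment.

    Returns (acls, entries): acls maps ACL name -> list of (src_net, dst_net);
    entries is a list of (seq, acl_name, peer) sorted by sequence number,
    which is the order the ASA evaluates crypto map entries in.
    """
    acls = defaultdict(list)
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ACE_RE.match(line):
            name, s, sm, d, dm = m.groups()
            acls[name].append((ipaddress.ip_network(f"{s}/{sm}"),
                               ipaddress.ip_network(f"{d}/{dm}")))
        elif m := MATCH_RE.match(line):
            entries.setdefault(int(m[2]), {})["acl"] = m[3]
        elif m := PEER_RE.match(line):
            entries.setdefault(int(m[2]), {})["peer"] = m[3]
    ordered = [(seq, e["acl"], e.get("peer")) for seq, e in sorted(entries.items())]
    return acls, ordered


def matching_entries(acls, entries, src, dst):
    """Every crypto map entry whose ACL permits src -> dst, in evaluation order.
    The ASA uses the first hit; any later hits are shadowed by it."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [(seq, acl, peer) for seq, acl, peer in entries
            if any(src_ip in s and dst_ip in d for s, d in acls[acl])]


def find_conflicts(acls, entries):
    """Pairs of crypto map entries pointing at different peers whose crypto
    ACLs cover overlapping src/dst address space. The lower sequence number
    wins, so flows meant for the other peer never get encrypted toward it."""
    conflicts = []
    for i, (seq_a, acl_a, peer_a) in enumerate(entries):
        for seq_b, acl_b, peer_b in entries[i + 1:]:
            if peer_a == peer_b:
                continue
            for s_a, d_a in acls[acl_a]:
                for s_b, d_b in acls[acl_b]:
                    if s_a.overlaps(s_b) and d_a.overlaps(d_b):
                        conflicts.append({"winner": (seq_a, peer_a),
                                          "shadowed": (seq_b, peer_b),
                                          "src": str(s_a), "dst": str(d_a)})
    return conflicts


if __name__ == "__main__":
    acls, entries = parse_config(ASA_A_CONFIG)
    # Same flow as the packet-tracer command above: 10.10.10.1 -> 20.20.20.1
    for seq, acl, peer in matching_entries(acls, entries, "10.10.10.1", "20.20.20.1"):
        print(f"seq {seq} ({acl}) -> peer {peer}")
    for c in find_conflicts(acls, entries):
        print(f"{c['src']} -> {c['dst']}: seq {c['winner'][0]} (peer {c['winner'][1]}) "
              f"shadows seq {c['shadowed'][0]} (peer {c['shadowed'][1]})")
```

Run against the constructed config, the flow from the packet-tracer command matches sequence 10 (the ASA-C peer) before sequence 20 (the ASA-B peer), which is exactly the situation that produces a DROP in the encrypt phase while the Site B tunnel itself is up. The overlap check uses `overlaps()` rather than exact equality, so it also catches a broader summary in one ACL hiding a more specific subnet in another. Feed it the output of `show run access-list` and `show run crypto map` from a real ASA (the same line formats) to review a multi-peer crypto map after any ACL change.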
I spent a couple of days fixing this issue, so this article might be useful to someone with a similar problem.