12-09-2007 08:54 PM - edited 03-11-2019 04:41 AM
I am having an issue with the ASA. I am getting the below error when I do a packet trace. Please see my config also below.
packet-tracer input inside udp 172.16.21.14 radius 10.50.1.9 radius$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.50.0.0 255.255.0.0 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x3f76d88, priority=500, domain=permit, deny=true
hits=23, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=172.16.21.14, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Running config attached.
How can I fix this?
12-10-2007 12:38 AM
Try adding this:
nat (inside) 0 10.50.0.0 255.255.0.0
12-10-2007 11:32 AM
Packet Tracer won't be much use to you as, according to your config, 10.50.0.0/16 is behind 172.16.21.1 i.e. on the inside of the ASA.
The RADIUS traffic will be sent from the Inside interface to 10.50.1.9. You might want to try using captures and 'debug radius' commands to see where it's failing.
John
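A small parser for packet-tracer output like the trace in the first post, added here as an example (it is not code from the thread or from Cisco). It reports which phase dropped the flow, whether the drop came from an implicit rule, and whether the input and output interfaces are the same, which is the condition the last reply points out. The function name `summarize_trace` and the abbreviated sample trace are assumptions constructed for illustration.

```python
import re

# Constructed sample: abbreviated from the trace quoted in the first post.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def summarize_trace(text):
    """Return the dropping phase and interface facts from packet-tracer text."""
    phases, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if not m:
            if current is not None and line == "Implicit Rule":
                current["implicit"] = True   # drop came from an implicit rule
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "phase":
            current = {"phase": int(value), "implicit": False}
            phases.append(current)
        elif key == "result" and not value:
            current = None                   # bare "Result:" opens the final summary
        elif current is not None:
            current[key] = value
        else:
            summary[key] = value
    drop = next((p for p in phases if p.get("result") == "DROP"), None)
    iface_in, iface_out = summary.get("input-interface"), summary.get("output-interface")
    return {"drop_phase": drop["phase"] if drop else None,
            "drop_type": drop.get("type") if drop else None,
            "implicit_rule": bool(drop and drop["implicit"]),
            "drop_reason": summary.get("drop-reason"),
            "same_interface": iface_in is not None and iface_in == iface_out}
```
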